Board and Management Responsibilities
The financial institution's board and senior management should establish and approve risk-based policies to govern the outsourcing process. The policies should recognize the risk to the institution from outsourcing relationships and should be appropriate to the size and complexity of the institution.
The responsibility for properly overseeing outsourced relationships lies with the institution's board of directors and senior management. Although the technology needed to support business objectives is often a critical factor in deciding to outsource, managing such relationships is more than just a technology issue; it is an enterprise-wide corporate management issue. An effective outsourcing oversight program should provide the framework for management to identify, measure, monitor, and control the risks associated with outsourcing. The board and senior management should develop and implement enterprise-wide policies to govern the outsourcing process consistently. These policies should address outsourced relationships from an end-to-end perspective, including establishing servicing requirements and strategies; selecting a provider; negotiating the contract; and monitoring, changing, and discontinuing the outsourced relationship.
Factors institutions should consider include:
- Ensuring each outsourcing relationship supports the institution's overall requirements and strategic plans;
- Ensuring the institution has sufficient expertise to oversee and manage the relationship;
- Evaluating prospective providers based on the scope and criticality of outsourced services;
- Tailoring the enterprise-wide, service provider monitoring program based on initial and ongoing risk assessments of outsourced services; and
- Notifying its primary regulator regarding outsourced relationships, when required by that regulator.
Institutions may find advantages in contracting for services for three or more years because of the costs of entering into the contract, the costs of changing service providers, and favorable price breaks that may be offered by the vendor for longer terms. Contract flexibility is necessary under these circumstances because of the rapid changes occurring in an IT environment. Contract flexibility should allow for changes in service levels; increase or decrease in the scope of the process, service, or system due to changing institutional goals or objectives; and the retargeting of all relational elements on an annual basis. See Contract Inducement Concerns section in this booklet for further issues to be considered in entering into long-term contracts.
The time and resources devoted to managing outsourcing relationships should be based on the risk the relationship presents to the institution. To illustrate, outsourcing processing of a small credit card portfolio will require a different level of oversight than outsourcing processing of all loan applications. Additionally, smaller and less complex institutions may have less flexibility than larger institutions in negotiating for services that meet their specific needs and in monitoring their service providers.