Risk management is the process of identifying, measuring, monitoring, and managing risk. Risk exists whether the institution maintains information and technology services internally or elects to outsource them. Regardless of which alternative they choose, management is responsible for managing risk in all outsourcing relationships. Accordingly, institutions should establish and maintain an effective risk management process for initiating and overseeing all outsourced operations.
An effective risk management process involves several key factors:
- Establishing senior management and board awareness of the risks associated with outsourcing agreements in order to ensure effective risk management practices;
- Ensuring that an outsourcing arrangement is prudent from a risk perspective and consistent with the business objectives of the institution;
- Systematically assessing needs while establishing risk-based requirements;
- Implementing effective controls to address identified risks;
- Performing ongoing monitoring to identify and evaluate changes in risk from the initial assessment; and
- Documenting procedures, roles/responsibilities, and reporting mechanisms.
Typically, this process incorporates the following activities:
- Risk assessment and requirements definition;
- Due diligence in selecting a service provider;
- Contract negotiation and implementation; and
- Ongoing monitoring.
The preceding comments focus on risk elements specifically associated with outsourcing. For a broader perspective on IT transactional and operational risk, refer to the IT Handbook's "Supervision of Technology Service Providers (TSP) Booklet," which addresses outsourcing risk from the service provider perspective.
Board and Management Responsibilities
Risk Assessment and Requirements