Management should monitor service provider performance and potential changes in institution requirements throughout the life of the contract. Monitoring should encompass:
- Key service level agreements (SLAs) and contract provisions;
- Financial condition of the service provider;
- General control environment of the service provider through the receipt and review of audit reports and other internal control reviews; and
- Potential changes due to the external environment.
Financial institutions should have an oversight program to ensure service providers deliver the quantity and quality of services required by the contract. The monitoring program should target the key aspects of the contracting relationship with effective monitoring techniques. The program should monitor the service provider environment, including its security controls, financial strength, and the impact of any external events. The resources needed to support this program will vary depending on the criticality and complexity of the system, process, or service being outsourced.
To increase monitoring effectiveness, management should periodically rank service provider relationships according to risk to determine which service providers require closer monitoring. Management should base the rankings on the residual risk of the relationship after analyzing the quantity of risk relative to the controls over those risks. Relationships with higher risk ratings should receive more frequent and stringent monitoring for due diligence, performance (financial and/or operational), and independent control validation reviews. Personnel responsible for provider oversight should have the necessary expertise to assess the risks and should maintain suitable documentation. Management should use the oversight documentation when renegotiating contracts as well as developing contingency planning requirements.
User groups are another mechanism financial institutions can use to monitor and influence their service provider. User groups can participate in and influence service provider testing (e.g., security, disaster recovery, and systems testing) as well as promote client issues. Independent user groups can monitor and influence a service provider better than its individual clients can, because collectively the group constitutes a significant portion of the service provider's business.
Contract Inducement Concerns
Key Service Level Agreements and Contract Provisions