Risk Assessment and Requirements
- Assess the risk from outsourcing;
- Involve stakeholders in creating risk-based written requirements to control an outsourcing action; and
- Use the written requirements to guide and manage the remainder of the outsourcing process.
Outsourced IT services can contribute to operational risks (also referred to as transaction risks). Operational risk may arise from fraud, error, or the inability to deliver products or services, maintain a competitive position, or manage information. It exists in each process involved in the delivery of the financial institutions' products or services. Operational risk not only includes operations and transaction processing, but also areas such as customer service, systems development and support, internal control processes, and capacity and contingency planning. Operational risk also may affect other risks such as interest rate, compliance, liquidity, price, strategic, or reputation risk as described below.
- Reputation risk-Errors, delays, or omissions in information technology that become public knowledge or directly affect customers can significantly affect the reputation of the serviced financial institutions. For example, a TSP's failure to maintain adequate business resumption plans and facilities for key processes may impair the ability of serviced financial institutions to provide critical services to their customers.
- Strategic risk-Inadequate management experience and expertise can lead to a lack of understanding and control of key risks. Additionally, inaccurate information from TSPs can cause the management of serviced financial institutions to make poor strategic decisions.
- Compliance (legal) risk-Outsourced activities that fail to comply with legal or regulatory requirements can subject the institution to legal sanctions. For example, inaccurate or untimely consumer compliance disclosures or unauthorized disclosure of confidential customer information could expose the institution to civil money penalties or litigation. TSPs often agree to comply with banking regulations, but their failure to track regulatory changes could increase compliance risk for their serviced financial institutions.
- Interest rate, liquidity, and price (market) risk-Processing errors related to investment income or repayment assumptions could lead to unwise investment or liquidity decisions thereby increasing market risks.
Quantity of Risk Considerations