Quantity of Risk Considerations
The quantity of risk associated with an outsourced IT service is subject to the function outsourced, the service provider, and the technology used by the service provider. Management should consider the following factors in evaluating the quantity of risk at the inception of an outsourcing decision.
- Risks pertaining to the function outsourced include:
  - Sensitivity of data accessed, protected, or controlled by the service provider;
  - Volume of transactions; and
  - Criticality to the financial institution's business.
- Risks pertaining to the service provider include:
  - Strength of financial condition;
  - Turnover of management and employees;
  - Ability to maintain business continuity;
  - Ability to provide accurate, relevant, and timely Management Information Systems (MIS);
  - Experience with the function outsourced;
  - Reliance on subcontractors;
  - Location, particularly if cross-border (See Appendix C, Foreign-Based Third-Party Service Providers); and
  - Redundancy and reliability of communication lines.
- Risks pertaining to the technology used include:
  - Security; and
  - Scalability to accommodate growth.
Risk Assessment and Requirements