The definition of business requirements sets the stage for all outsourcing actions and forms the basis for subsequent management of the outsourced activity. The requirements are developed through a process that identifies the functions or activities to be outsourced, assesses the risk of outsourcing those functions or activities, and establishes a baseline from which appropriate control measures can be identified. These requirements provide a basis for an understanding between the financial institution and the service provider as to what the risks are and how they will be managed and controlled.
Sound practices for the development of requirements include:
- Stakeholder involvement: All organizational groups who will be directly involved with the service provider or in using the contracted service should be represented in the development of product and service requirements.
- Integration: The development should result in requirements that support the subsequent steps of solicitation, selection, contracting, and monitoring.
- Documentation: Documentation will greatly assist in ensuring that the service contracted and delivered meets the institution's requirements. Documentation will also allow for subsequent reviews of the processes' adequacy and integrity.
The requirements definition phase should result in a detailed document containing descriptions of the institution's expectations relative to the outsourced service. The requirements document may consider, but is not limited to, the following high-level topical components:
- Scope and nature
  - Service description;
  - Technology; and
  - Customer support.
- Standards and service levels
  - Availability and performance;
  - Change management;
  - Financial reporting;
  - Quality of service;
  - Security; and
  - Business continuity.
- Minimum acceptable service provider characteristics
  - Industry experience;
  - Management experience;
  - Technology and systems architecture;
  - Process controls;
  - Financial condition;
  - Reputation, including references;
  - Degree of reliance on third parties, subcontractors, or partners;
  - Legal, regulatory, and compliance history; and
  - Ability to meet future needs.
- Monitoring and reporting
  - Measurements and reporting criteria;
  - Right to audit;
  - Third-party reports; and
  - Coordination of responses to security events.
- Transition requirements
  - Initial migration of data to the service provider;
  - Implementation of necessary communications mechanisms;
  - Migration of data from the service provider at termination of contract; and
  - Staff training.
- Contract duration, termination, and assignment
  - Start and term;
  - Conditions and right to cancel;
  - Ownership of data;
  - Timely return of data in machine-readable format;
  - Costs of transition;
  - Limitations, as appropriate, governing assignment to third party;
  - Dispute resolution; and
  - Confidentiality of institution data.
- Contractual protections against liability
  - Limitation of liability; and
When outsourcing to a subsidiary or affiliate is considered, management must ensure that the components outlined above evidence an arm's-length transaction. An arrangement between a financial institution and an affiliate or subsidiary should be on terms that are substantially the same as, or at least as favorable to the institution as, those prevailing at the time for comparable transactions with a non-affiliated third party.
Quantity of Risk Considerations
Service Provider Selection