CIOs of financial institutions are constantly on the lookout to reduce costs and outsourcing is one way to quickly go about it. There was a time when the decision to outsource was a fairly simple decision. A need was identified, a vendor was approached who could fulfil the need, the contract was inked and the transaction began. The decision making process is no more that simple as a large number of factors come into play. There is much more increased scrutiny of companies for regulatory reasons.
The most common and serious risks associated with outsourcing are the risks affecting operations and transactions, the confidentiality of information and regulatory compliance.
Operational and transaction risk
When it comes to mitigating operational and transaction risk, it is important to understand what the process flow for a particular transaction looks like. Once you get a good idea about the process flow, then you have to get an understanding of where in that process flow something could go wrong and those steps are outsourced. Getting an understanding of this will allow you to understand the role of suppliers, if a failure occurs. One important thing that you need to understand is that every risk cannot be managed so you will have to work to the best of your ability with whatever tools you have got. Be strategic and focus on the risks that have a high probability of occurring.
Risks to the confidentiality of information
CIOs should prioritise identifying the service providers that either store or transmit confidential information. It is important that CIOs consider the volume and type of data handled by third parties. If a third party is handling high volumes of sensitive data, then the risk of a breach in data confidentiality increases greatly. One way to minimise those risks includes CIOs conducting occasional site visits to suppliers, especially those who are deemed as high risk, in order to evaluate their security and data protection controls. CIOs can also demand the service provider to show their SSAE16/SOC (formerly known as SAS 70) reports. These reports are generated by an external auditor who describes, evaluates, and issues an opinion on the service provider’s security and data protection controls.
Any federally regulated entity should always review the outsourcing arrangements in order to ensure compliance with its outsourcing risk policies and procedures and with the expectations of this guideline. The company is expected to periodically review the outsourcing arrangements either by using an internal audit department or through another independent review function that has the appropriate knowledge and skill. The organization’s board of directors, or the chief agent or principal officer will always retain overall accountability for the outsourcing arrangement. The purpose of these reviews are to:
- Make sure that the needed risk-management policies and procedures for outsourcing are being enforced and followed;
- Ensure that effective management controls over outsourcing activities are being implemented;
- Verify the adequacy and accuracy of management information reports;
- Ensure that personnel involved in risk-management for outsourcing are aware of the organisation’s risk-management policies and have the expertise required to make effective decisions consistent with those policies.
Outsourcing brings an array of legal hassles along, as there is always a risk of breach if the third party being appointed is not well equipped to deal with sensitive data. To get an even more in depth knowledge about outsourcing risks and its legal implications, get in touch with us.
Image Credit: freedigitalphotos.net