Slide 1 (BITS 2001)
BITS Framework for Managing IT Service
Provider Relationships
Sharon O’Bryan, ABN AMRO
Technology Outsourcing and Due Diligence
American Bankers Association Webcast Briefing, August 14, 2001
Slide 2
BITS IT Service Provider Working Group
• Outsourcing of IT-related services to IT Service Providers is on the rise in the financial services industry.
• Outsourcing services are evolving from customer/supplier to partnerships.
• Regulators have recently issued guidelines that outline financial institutions’ responsibilities to manage and monitor outsourced functions.
Slide 3
Issues
• Due diligence in selecting and managing IT Service Providers must include a thorough evaluation of control, privacy and security risks.
• Service level agreements must be based upon current and required standards.
• Tracking downstream outsourced relationships is difficult.
• Independent auditor reports are scoped by the auditors and the IT Service Provider.
• Interoperability among multiple Service Provider relationships is difficult.
Slide 4
BITS Working Group Strategic Goals
• Work with representatives of the financial services industry, outsourcers, and regulators to establish an industry framework for managing IT Service Provider relationships.
• Provide a consistent, manageable outline for IT Service Providers to become “educated” about control, privacy and security requirements for financial institutions.
• Reduce costs to each financial institution through a consistent process.
• Create a common data exchange standard.
Slide 5
Working Group Participants
• ABN AMRO
• Allfirst Financial, Inc.
• ACB
• ABA
• Bank of America Corporation
• BB&T Corporation
• Capital One Financial Corporation
• Centura Banks, Inc.
• Charles Schwab Corp.
• City National Bank
• Comerica Incorporated
• CUNA
• Fidelity Investments
• First National Nebraska, Inc.
• First Tennessee Corporation
• First Union Corporation
• FleetBoston Financial
• Ford Financial Corporation
• Fortis, Inc.
• Frost Bank
• Goldman Sachs
• Hibernia National Bank
• IBJ Whitehall
• ICBA
• Mellon Financial Corporation
• Mercantile Bankshares, Inc.
• Metavante Corporation
• NACHA
• Nationwide Insurance
• PNC
• Regions Financial Corporation
• State Farm Mutual Insurance
• Synovus Financial Corp.
• Wells Fargo & Company
• Wachovia Corporation
Slide 6
What Is the Framework?
• An industry approach to risk management strategies for IT Service Providers.
• Intended for use as a guiding document and set of criteria against which IT Service Provider relationships can be effectively evaluated and managed.
• Intended to complement regulatory guidance and resources.
• Intended to supplement each financial services company’s technology risk management practices.
Slide 7
Framework: Elements
• Framework Application and Flow Chart
• Business Decision to Outsource
• RFP Considerations
• Due Diligence Considerations
• Contractual, Service Level and Insurance Considerations
• Procedures Supporting Specific Controls
• Implementation and Conversion Plan
• Ongoing Relationship Management
Slide 8
IT Guidelines Flow Chart Diagram
(The diagram groups the numbered steps below into three phase bands, labelled RFP, Due Diligence and Implementation, and annotates them with the Framework sections they belong to: Section 2, Section 3, Section 4, Section 5, Section 6, Section 7 and Section 8.)
1. Define business objective.
2. Define/review business requirements.
3. Determine the technology necessary to deliver the business requirements.
4. Perform risk assessment to baseline control requirements (classification).
5. Perform analysis and document business decision to outsource.
6. Define specific control requirements and responsibilities using the end-to-end process flow.
7. Perform due diligence in selecting service provider.
8. Validate evidence of general controls verification.
9. Validate evidence of controls verification and recovery capability of specific components according to end-to-end process flow.
10. Define contractual, service level, and insurance agreements.
11. Document procedures supporting specific control requirements and responsibilities.
12. Execute implementation and conversion transition plan.
13. Define relationship management requirements, ongoing oversight, and verification process.
Slide 9
Section 1: Framework Application
• Provides framework overview of the steps a financial institution would take in evaluating a decision to outsource IT services.
• Clarifies that the Framework is not an audit checklist but rather guidance for selecting and managing IT Service Provider relationships.
• Supplements the financial services company’s risk assessment, risk management and due diligence processes.
• Use of the Framework will be driven by the specific outsourcing activity under consideration.
Slide 10
Section 2: Business Decision to Outsource
• Provides guidance on which factors to consider in defining objectives and making the business decision to outsource.
• Defines the application, systems or services to be provided and the associated level of risk.
• Details a cost analysis for comparing internal vs. external sourcing.
Slide 11
Section 3: RFP Considerations
• Provides guidance on and defines factors to consider in developing the Request for Proposal (RFP).
• Helps to identify a set of qualified vendors with the skills required to meet the business objectives.
• Defines the specifics of what is required to ensure the integrity of information and transactions.
Slide 12
Section 4: Due Diligence Considerations
• Verifies how the Service Provider will deliver the requirements specified in the RFP.
• Provides assurance that the Service Provider has a well-developed plan and adequate resources to deliver acceptable service.
• Identifies Service Provider’s reputation, experience, financial condition, and reliance on other third party Service Providers.
• Ensures that the extent of due diligence is commensurate with the risk of the outsourced service.
Slide 13
Section 5: Contractual, Service Level Agreements and Insurance
• Contractual considerations will be driven by the specific outsourcing activity.
• Contractual considerations in the Framework are intended to supplement those developed by Legal Counsel at each institution.
• Service arrangements should reflect the contractual considerations associated with regulatory requirements (e.g., Interagency Guidelines, Section 501(b) of Gramm-Leach-Bliley, etc.).
Slide 14
Section 6: Procedures Supporting Specific Controls
• The Receiver Company retains responsibility for ensuring sound risk management practices.
• To ensure successful operations and a sound risk management program it is essential to document:
– Technology Control Procedures
– Responsibilities of both Receiver and Provider Companies
• The Receiver Company must consider the level of risk associated with the outsourced service so that the cost of the control process does not exceed a reasonable risk/return formula.
Slide 15
Section 7: Implementation and Conversion Plan
• Highlights the need for a detailed conversion/implementation plan.
• Details transition planning issues and implementation activities.
• Outlines implementation risk management activities.
• Identifies the need for a post-implementation review.
Slide 16
Section 8: Ongoing Relationship Management
• Highlights the importance of ongoing management of an outsourced service.
• Describes business and technological changes.
• Emphasizes the need for a technology risk management process.
Slide 17
Next Steps: Framework
• Submit revised draft to BITS Advisory Group, BITS Council and FI Working Group for approval.
• Request endorsement of the Framework at the September 14th BITS and FSR Board Meetings.
• Roll-out the Framework to all stakeholders.
• Develop a venue for ongoing discussions of outsourcing issues between all stakeholders.
Slide 18
Next Steps: BITS Working Group Subgroups
• Interoperability Working Group
– Working with BITS Standards Working Group to evaluate the issues.
• Education/Communication Working Group to discuss roll-out of the final document
– Develop communications marketing plan.
– Target financial and service provider associations.
– Review small company requirements.
• Applications Working Group to discuss the ability and risks for using the Framework to standardize RFP questions, evaluate compliance with industry requirements, etc.
• AICPA involvement
Slide 19
For Additional Information Contact:
Faith Boettger, BITS Senior Consultant
or Ben Stafford, BITS Project Manager