BITS 2001

BITS Framework for Managing IT Service Provider Relationships

Sharon O’Bryan, ABN AMRO

Technology Outsourcing and Due Diligence

American Bankers Association Webcast Briefing, August 14, 2001



Slide 2: BITS IT Service Provider Working Group

• Outsourcing of IT-related services to IT Service Providers is on the rise in the financial services industry.

• Outsourcing services are evolving from customer/supplier to partnerships.

• Regulators have recently issued guidelines that outline financial institutions’ responsibilities to manage and monitor outsourced functions.

Slide 3: Issues

• Due diligence in selecting and managing IT Service Providers must include a thorough evaluation of control, privacy and security risks.

• Service level agreements must be based upon current and required standards.

• Tracking downstream outsourced relationships is difficult.

• Independent auditor reports are scoped by the auditors and the IT Service Provider.

• Interoperability among multiple Service Provider relationships is difficult.

Slide 4: BITS Working Group Strategic Goals

• Work with representatives of the financial services industry, outsourcers, and regulators to establish an industry framework for managing IT Service Provider relationships.

• Provide a consistent, manageable outline for IT Service Providers to become “educated” about control, privacy and security requirements for financial institutions.

• Reduce costs to each financial institution through a consistent process.

• Create a common data exchange standard.

Slide 5: Working Group Participants

ABN AMRO, Allfirst Financial, Inc., ACB, ABA, Bank of America Corporation, BB&T Corporation, Capital One Financial Corporation, Centura Banks, Inc., Charles Schwab Corp., City National Bank, Comerica Incorporated, CUNA, Fidelity Investments, First National Nebraska, Inc., First Tennessee Corporation, First Union Corporation, FleetBoston Financial, Ford Financial Corporation, Fortis, Inc., Frost Bank, Goldman Sachs, Hibernia National Bank, IBJ Whitehall, ICBA, Mellon Financial Corporation, Mercantile Bankshares, Inc., Metavante Corporation, NACHA, Nationwide Insurance, PNC, Regions Financial Corporation, State Farm Mutual Insurance, Synovus Financial Corp., Wells Fargo & Company, Wachovia Corporation

Slide 6: What Is the Framework?

• An industry approach to risk management strategies for IT Service Providers.

• Intended for use as a guiding document and set of criteria against which IT Service Provider relationships can be effectively evaluated and managed.

• Intended to complement regulatory guidance and resources.

• Intended to supplement a financial services company’s technology risk management practices.

Slide 7: Framework: Elements

• Framework Application and Flow Chart

• Business Decision to Outsource

• RFP Considerations

• Due Diligence Considerations

• Contractual, Service Level and Insurance Considerations

• Procedures Supporting Specific Controls

• Implementation and Conversion Plan

• Ongoing Relationship Management

Slide 8: IT Guidelines Flow Chart Diagram

[Flow chart in the original slide; the rotated phase labels read RFP, Due Diligence and Implementation, and the steps are grouped under Section 2, Section 3, Section 4, Section 5, Section 6, Section 7 and Section 8 of the Framework. The numbered steps, in order:]

(1) Define business objective

(2) Define/review business requirements

(3) Determine the technology necessary to deliver the business requirements

(4) Perform risk assessment to baseline control requirements (classification)

(5) Perform analysis and document business decision to outsource

(6) Define specific control requirements and responsibilities using the end-to-end process flow

(7) Perform due diligence in selecting service provider

(8) Validate evidence of general controls verification

(9) Validate evidence of controls verification and recovery capability of specific components according to end-to-end process flow

(10) Define contractual, service level, and insurance agreements

(11) Document procedures supporting specific control requirements and responsibilities

(12) Execute implementation and conversion transition plan

(13) Define relationship management requirements, ongoing oversight, and verification process

Slide 9: Section 1: Framework Application

• Provides an overview of the steps a financial institution would take in evaluating a decision to outsource IT services.

• Clarifies that the Framework is not an audit checklist but rather guidance for selecting and managing IT Service Provider relationships.

• Supplements the financial services company’s risk assessment, risk management and due diligence processes.

• Use of the Framework will be driven by the specific outsourcing activity under consideration.

Slide 10: Section 2: Business Decision to Outsource

• Provides guidance on which factors to consider in defining objectives and making the business decision to outsource.

• Defines the application, systems or services to be provided and the associated level of risk.

• Details a cost analysis for comparing internal vs. external sourcing.

Slide 11: Section 3: RFP Considerations

• Provides guidance on and defines factors to consider in developing the Request for Proposal (RFP).

• Helps to identify a set of qualified vendors with the skills required to meet the business objectives.

• Defines the specifics of what is required to ensure the integrity of information and transactions.

Slide 12: Section 4: Due Diligence Considerations

• Verifies how the Service Provider will deliver the requirements specified in the RFP.

• Provides assurance that the Service Provider has a well-developed plan and adequate resources to deliver acceptable service.

• Identifies the Service Provider’s reputation, experience, financial condition, and reliance on other third-party Service Providers.

• Ensures that the extent of due diligence is commensurate with the risk of the outsourced service.

Slide 13: Section 5: Contractual, Service Level Agreements and Insurance

• Contractual considerations will be driven by the specific outsourcing activity.

• Contractual considerations in the Framework are intended to supplement those developed by Legal Counsel at each institution.

• Service arrangements should reflect the contractual considerations associated with regulatory requirements (e.g., Interagency Guidelines, Section 501b of Gramm-Leach-Bliley, etc.).

Slide 14: Section 6: Procedures Supporting Specific Controls

• The Receiver Company retains responsibility for ensuring sound risk management practices.

• To ensure successful operations and a sound risk management program it is essential to document:

– Technology Control Procedures

– Responsibilities of both Receiver and Provider Companies

• The Receiver Company must consider the level of risk associated with the outsourced service, so that the cost of the control process does not exceed a reasonable risk/return formula.

Slide 15: Section 7: Implementation and Conversion Plan

• Highlights the need for a detailed conversion/implementation plan.

• Details transition planning issues and implementation activities.

• Outlines implementation risk management activities.

• Identifies the need for a post-implementation review.

Slide 16: Section 8: Ongoing Relationship Management

• Highlights the importance of ongoing management of an outsourced service.

• Describes how to handle business and technological changes.

• Emphasizes the need for a technology risk management process.

Slide 17: Next Steps: Framework

• Submit revised draft to BITS Advisory Group, BITS Council and FI Working Group for approval.

• Request endorsement of the Framework at the September 14th BITS and FSR Board Meetings.

• Roll out the Framework to all stakeholders.

• Develop a venue for ongoing discussions of outsourcing issues between all stakeholders.

Slide 18: Next Steps: BITS Working Group Subgroups

• Interoperability Working Group

– Working with the BITS Standards Working Group to evaluate the issues.

• Education/Communication Working Group to discuss roll-out of the final document

– Develop communications marketing plan.

– Target financial and service provider associations.

– Review small company requirements.

• Applications Working Group to discuss the ability and risks for using the Framework to standardize RFP questions, evaluate compliance with industry requirements, etc.

• AICPA involvement

Slide 19: For Additional Information Contact:

Faith Boettger, BITS Senior Consultant

[email protected]

or Ben Stafford, BITS Project Manager

[email protected]