Previous Document IconPrevious Info Memo

Next Document IconNext Info MemoExam Manual Table of Contents IconList of Info Memos

Informational Memorandum
Subject:Risk Management of Outsourcing
Date of Memorandum:10/25/2000
Expiration Date:
Signed By:Smith, Roland
FCA Contact Person:Glenn, Thomas
Contact Phone:703-883-4412
List of Attachments:

October 25, 2000

To: The Chief Executive Officer
All Farm Credit System Institutions

From: Roland E. Smith, Director
Office of Examination

Subject: Risk Management of Outsourcing

Farm Credit System (FCS) institutions increasingly rely on services provided by other entities to support a variety of functions. Outsourcing the daily operation and support of services, whether to affiliated or nonaffiliated entities, can help financial institutions manage costs, obtain necessary expertise, expand customer product offerings, and improve services. The board of directors and senior management are responsible for understanding the key risks associated with the use of outsourcing arrangements and ensuring that effective risk management practices are in place. Four key phases of the risk management process are discussed in this Informational Memorandum: risk assessment, due diligence in selecting a service provider, contract issues, and oversight of service providers.

Risk Assessment

The board and management should approach outsourcing relationships in a manner that is consistent with the institution’s short- and long-term strategic goals. This approach should include an assessment of how the entity’s products or services support board and management objectives and how the service provider relationship will be managed.

Outsourcing of information and transaction processing and settlement activities involves similar operational risks that arise when these functions are performed internally. Risks include threats to security and resources, availability of informational systems, confidentiality of information, regulatory compliance, and the integrity of management information systems. In addition, the nature of the service provided may result in entities initiating transactions on behalf of the institution (such as collection or disbursement of funds) that can increase the levels of credit, liquidity, and transaction risks.

Services involving the use of the Internet provide new types of risks. The Internet’s broad geographic reach, ease of access, and anonymity require close attention to maintaining secure electronic systems, intrusion detection, and customer authentication, verification, and authorization. Institutions should also remain sensitive to the issue that potential risks introduced are a function of an electronic system’s structure, design, and controls and not necessarily the volume of activity.

The board and management should ensure appropriate controls and oversight are implemented to effectively manage the identified risks. In conducting the risk assessment, the following should be considered:

strategic goals and objectives of the institution
staff’s ability to evaluate and oversee outsourcing relationships
importance of the services to the institution
contractual obligations and requirements for the service provider
contingency plans, including availability of alternative service providers, costs and resources required to switch service providers
necessary controls and reporting processes

Due Diligence in Selecting a Service Provider

Once the risk assessment is completed, management should evaluate service providers to identify those that can help achieve the institution’s goals and objectives. Management should determine the service provider’s competence and stability, both operationally and financially, to meet the institution’s needs.

The institution should use strategic and technological plans as a basis for selecting service providers. Management should convey their specific needs, objectives, and controls to the potential service provider, as well as contractual provisions required. This will assist both the institution and the service provider in developing realistic expectations. Depending on the services being outsourced and the level of in-house expertise, institutions may want to consider the assistance of an independent technical consultant familiar with outsourcing arrangements to help in determining the scope of services needed and in evaluating the qualifications of the prospective service providers.

Contract Issues

Contracts between the institution and service provider should take into account key risk factors identified during the risk assessment and due diligence phases. Management should negotiate a written contract that provides assurances for performance, reliability, security, confidentiality, and reporting. The contract should also be flexible enough to allow for changes in technology and the institution's operations. Finally, contracts should be reviewed by legal counsel prior to execution by your institution.

Oversight of Service Providers

Although services may be outsourced to achieve certain benefits, the responsibility for outsourced activities remains with FCS institutions. It is essential that institutions implement an oversight program to monitor each service provider’s controls and performance. Specific personnel should be assigned responsibility for monitoring and managing the service provider relationship. The number of institution personnel assigned and the amount of time devoted to oversight activities will depend in part on the scope and complexity of the services outsourced. Institutions should document the administration of the service provider relationship. Documenting the process is important for contract negotiations, termination issues, and contingency planning.

If you have any questions about this document, please call Tom Glenn, Special Examination and Supervision Division, Office of Examination, at (703) 883-4412, or write to him on the Internet at e-mail address