Management should monitor service provider performance and potential changes in institution requirements throughout the life of the contract. Monitoring should encompass:
■ Key service level agreements (SLAs) and contract provisions;
■ Financial condition of the service provider;
■ General control environment of the service provider through the receipt and review of audit reports and other internal control reviews; and
■ Potential changes due to the external environment.
Financial institutions should have an oversight program to ensure service providers deliver the quantity and quality of services required by the contract. The monitoring program should target the key aspects of the contracting relationship with effective monitoring techniques. Tire program should monitor the service provider environment including its security controls, financial strength, and the impact of any external events. The resources to support this program will vary depending on the criticality and complexity of the system, process, or service being outsourced. To increase monitoring effectiveness, management should periodically rank service provider relationships according to risk to determine which service providers require closer monitoring. Management should base the rankings on the residual risk of the relationship after analyzing the quantity of risk relative to the controls over those risks. Relationships with higher risk ratings should receive more frequent and stringent monitoring for due diligence, performance (financial and/or operational), and independent control validation reviews. Personnel responsible for provider oversight should have the necessary expertise to assess the risks and should maintain suitable documentation. Management should use the oversight documentation when renegotiating contracts as well as developing contingency planning requirements.
User groups are another mechanism financial institutions can use to monitor and influence their service provider. User groups can participate and influence service provider testing (i.e., security, disaster recovery, and systems) as well as promote client issues. Independent user groups can monitor and influence a service provider better than its individual clients. Collectively, the group will constitute a significant portion of the service provider’s business.
Key Service Level Agreements and Contract Provisions
Management should include SLAs in its outsourcing contracts to specify and clarify performance expectations, as well as establish accountability. These SLAs formalize the performance criteria against which the quantity and quality of service should be measured. Management should closely monitor the service provider’s compliance with key service level agreements. To ensure an effective oversight program, the institution should develop:
■ A formal policy that defines the SLA program;
■ An SLA monitoring process;
■ A recourse process for non-performance;
■ An escalation process;
■ A dispute resolution process; and
■ A termination process.
Financial Condition of Service Providers
Institutions should have on-going monitoring of the financial condition of their provider(s). To fulfill its fiduciary responsibility, an institution involved in an outsourcing arrangement should determine the financial viability of its provider(s) on an annual basis. However, if the financial condition of the provider is declining or unstable, more frequent financial reviews are warranted. Once the financial review is complete, management should report the results to the board of directors or to a designated committee. At a minimum, management’s review should contain a careful analysis of the provider’s annual financial statement. Institution management may also use other forms of information to determine a provider’s condition, such as independent auditor reports. These reports may contain information that can be vital in determining a provider’s financial condition. Managers also can use information provided by public media (trade magazines, newspapers, television, etc.).
If the institution becomes aware that the provider’s financial condition is unstable or deteriorating, the institution should implement its contingency plan. Even if the provider remains in operation, its financial problems may jeopardize the quality of its service and possibly the integrity of the data in its possession. Institutions should consider a provider’s failure to provide adequate financial data as a potential red flag that there may be serious financial stability issues.
Termination of services due to the bankruptcy of the service provider can have a devastating effect on a serviced institution’s operations. There may not be sufficient advance notice of termination, an effective contingency plan, or adequate access to provider personnel. In such a situation, the serviced institution is put into the position of having to find an alternate processing site with little advance notice.
At this point, a serviced institution has several alternatives including:
■ Paying off the servicer’s creditors) and hiring outside specialists to operate the center;
■ Obtaining required equipment and software for in-house processing; and
■ Transferring data files to another provider.
Most options are costly and may cause harmful operating delays.
In some instances, the provider owns the programs and documentation required to process the institution’s files. Unless the contract contains an escrow agreement for source code, the program and documentation are unavailable to the institution. These programs are often the TSPs only significant assets. Therefore, a creditor of a bankrupt TSP, in an attempt to recover outstanding debts, might seek to attach those assets and further limit their availability to institutions. The bankruptcy court may provide remedies to the institution, but only after adjudicating substantive matters.