Planning and contract negotiation for third party relationships
On December 5, 2013, shortly after the OCC release, the Board of Governors of the Federal Reserve System issued “Guidance on Managing Outsourcing Risk” to supplement guidance previously issued on technology service provider risk. As banks continue to increase the number and complexity of third-party relationships, the OCC is concerned that the quality of risk management in the relationship may not be commensurate with the level of inherent risk.
Prior to entering into a third-party relationship, management should develop a plan establishing the goal of the relationship and the scope of the contract. This enables the bank to discuss the inherent risks and evaluate how the contracted activity relates to the bank’s overall strategic goals, objectives and risk appetite: what impact would such a relationship have?
Banks are also encouraged to perform a cost-benefit analysis at this stage to determine if the potential benefit (e.g., cost reductions, expanded bank operations, increased efficiency, heightened expertise) outweighs the estimated cost (e.g., integration and subscription fees, training, additional staffing, interruption to existing programs) and how it might impact information security. A detailed process as to how the bank will select, assess and oversee the third party must be presented to and approved by the bank’s board of directors when contracting critical activities.
Once the board of directors has approved the third-party relationship, management will likely negotiate or review a contract detailing the responsibilities of each party. Contracts should fully describe compensation, fees and the circumstances under which the cost structure may be changed. Moreover, contracts need to specify what constitutes default and stipulate the conditions for termination. Banks should also revisit existing contracts to ensure they comply with risk controls and legal protections.
The contract should also cover performance expectations, and banks are encouraged to use industry standards to evaluate the contract’s service level agreement. For software, these standards might measure service availability, responsiveness to support requests, and timelines for updates or enhancements.
Again, senior management will need to get approval from the board on all contracts, prior to execution, when critical activities are involved.
For more information on the risk management process and best practices for evaluating third-party relationships, download the whitepaper: Risk Management Guidance on Third Party Relationships.