
1 BITS Framework for Managing IT Service Provider Relationships
Sharon O’Bryan, ABN AMRO Technology Outsourcing and Due Diligence
American Bankers Association Webcast Briefing
August 14, 2001
© BITS 2001

2 BITS IT Service Provider Working Group
- Outsourcing of IT-related services to IT Service Providers is on the rise in the financial services industry.
- Outsourcing services are evolving from customer/supplier to partnerships.
- Regulators have recently issued guidelines that outline financial institutions’ responsibilities to manage and monitor outsourced functions.

3 Issues
- Due diligence in selecting and managing IT Service Providers must include a thorough evaluation of control, privacy and security risks.
- Service level agreements must be based upon current and required standards.
- Tracking downstream outsourced relationships is difficult.
- Independent auditor reports are scoped by the auditors and the IT Service Provider.
- Interoperability among multiple Service Provider relationships is difficult.

4 BITS Working Group Strategic Goals
- Work with representatives of the financial services industry, outsourcers, and regulators to establish an industry framework for managing IT Service Provider relationships.
- Provide a consistent, manageable outline for IT Service Providers to become “educated” about control, privacy and security requirements for financial institutions.
- Reduce costs to each financial institution through a consistent process.
- Create a common data exchange standard.

5 Working Group Participants
- Fortis, Inc.
- Frost Bank
- Goldman Sachs
- Hibernia National Bank
- IBJ Whitehall
- ICBA
- Mellon Financial Corporation
- Mercantile Bankshares, Inc.
- Metavante Corporation
- NACHA
- Nationwide Insurance
- PNC
- Regions Financial Corporation
- State Farm Mutual Insurance
- Synovus Financial Corp.
- Wells Fargo & Company
- Wachovia Corporation
- ABN AMRO
- Allfirst Financial, Inc.
- ACB
- ABA
- Bank of America Corporation
- BB&T Corporation
- Capital One Financial Corporation
- Centura Banks, Inc.
- Charles Schwab Corp.
- City National Bank
- Comerica Incorporated
- CUNA
- Fidelity Investments
- First National Nebraska, Inc.
- First Tennessee Corporation
- First Union Corporation
- FleetBoston Financial
- Ford Financial Corporation

6 What Is the Framework?
- An industry approach to risk management strategies for IT Service Providers.
- Intended for use as a guiding document and set of criteria against which IT Service Provider relationships can be effectively evaluated and managed.
- Intended to complement regulatory guidance and resources.
- Intended to supplement financial services company’s technology risk management practices.

7 Framework: Elements
- Framework Application and Flow Chart
- Business Decision to Outsource
- RFP Considerations
- Due Diligence Considerations
- Contractual, Service Level and Insurance Considerations
- Procedures Supporting Specific Controls
- Implementation and Conversion Plan
- Ongoing Relationship Management

8 IT Guidelines Flow Chart Diagram

9 Section 1: Framework Application
- Provides framework overview of the steps a financial institution would take in evaluating a decision to outsource IT services.
- Clarifies that the Framework is not an audit checklist but rather guidance for selecting and managing IT Service Provider relationships.
- Supplements the financial services company’s risk assessment, risk management and due diligence processes.
- Use of the Framework will be driven by the specific outsourcing activity under consideration.

10 Section 2: Business Decision to Outsource
- Provides guidance on which factors to consider in defining objectives and making the business decision to outsource.
- Defines the application, systems or services to be provided and the associated level of risk.
- Details a cost analysis for comparing internal vs. external sourcing.

11 Section 3: RFP Considerations
- Provides guidance on and defines factors to consider in developing the Request for Proposal (RFP).
- Helps to identify a set of qualified vendors with the skills required to meet the business objectives.
- Defines the specifics of what is required to ensure the integrity of information and transactions.

12 Section 4: Due Diligence Considerations
- Verifies how the Service Provider will deliver the requirements specified in the RFP.
- Provides assurance that the Service Provider has a well-developed plan and adequate resources to deliver acceptable service.
- Identifies Service Provider’s reputation, experience, financial condition, and reliance on other third party Service Providers.
- Ensures that the extent of due diligence is commensurate with the risk of the outsourced service.

13 Section 5: Contractual, Service Level Agreements and Insurance
- Contractual considerations will be driven by the specific outsourcing activity.
- Contractual considerations in the Framework are intended to supplement those developed by Legal Counsel at each institution.
- Service Arrangements should be reflective of contractual considerations associated with regulatory requirements (e.g., Interagency Guidelines, Section 501b of Gramm-Leach-Bliley, etc.)

14 Section 6: Procedures Supporting Specific Controls
- The Receiver Company retains responsibility for ensuring sound risk management practices.
- To ensure successful operations and a sound risk management program it is essential to document:
  – Technology Control Procedures
  – Responsibilities of both Receiver and Provider Companies
- The Receiver Company must consider the level of risk associated with the outsourced service in order that the cost of the control process not exceed a reasonable risk/return formula.

15 Section 7: Implementation and Conversion Plan
- Highlights the need for a detailed conversion/implementation plan.
- Details transition planning issues and implementation activities.
- Outlines implementation risk management activities.
- Identifies the need for a post-implementation review.

16 Section 8: Ongoing Relationship Management
- Highlights the importance of ongoing management of an outsourced service.
- Describes business and technological changes.
- Emphasizes the need for technology risk management process.

17 Next Steps: Framework
- Submit revised draft to BITS Advisory Group, BITS Council and FI Working Group for approval.
- Request endorsement of the Framework at the September 14th BITS and FSR Board Meetings.
- Roll out the Framework to all stakeholders.
- Develop a venue for ongoing discussions of outsourcing issues between all stakeholders.

18 Next Steps: BITS Working Group Subgroups
- Interoperability Working Group
  – Working with BITS Standards Working Group to evaluate the issues.
- Education/Communication Working Group to discuss roll-out of the final document
  – Develop communications marketing plan.
  – Target financial and service provider associations.
  – Review small company requirements.
- Applications Working Group to discuss the ability and risks for using the Framework to standardize RFP questions, evaluate compliance with industry requirements, etc.
- AICPA involvement

19 For Additional Information Contact:
- Faith Boettger, BITS Senior Consultant, Faith@FSRound.org, 202-289-4322
- Ben Stafford, BITS Project Manager, Ben@FSRound.org, 202-289-4322

