IT Outsourcing Risk

From Open Risk Manual
 
(No difference)

Latest revision as of 15:48, 11 September 2019

Definition

IT Outsourcing Risk is the risk that engaging a third party, or another Group entity (intra-group outsourcing), to provide IT systems or related services adversely impacts the institution's performance and risk management.[1]

IT Outsourcing Risk is a specific type of Outsourcing Risk, which is in turn a specific type of Third Party Risk.

Risk Sub-types

Inadequate resilience of third party or another Group entity services

The non-availability of critical outsourced IT services, telecommunication services and utilities, or the loss or corruption of critical/sensitive data entrusted to the service provider.

Examples:

  • Unavailability of core services as a result of failures in the supplier's (outsourced) ICT systems or applications.
  • Disruption of telecommunication links.
  • Power supply shortage.

Inadequate outsourcing governance

Major service degradation or failures due to inefficient preparedness or control processes of the outsourced service provider. Ineffective outsourcing governance may result in a lack of appropriate skills and capabilities to fully identify, assess, mitigate and monitor the IT risks and can limit institutions’ operational capabilities.

Examples:

  • Poor incident handling procedures, or weak contractual control mechanisms and guarantees in the service provider agreement, that increase key-person dependency on third parties and vendors.
  • Inappropriate change management controls concerning the service provider IT environment can cause major service degradation or failure.

Inadequate security of third party or another Group entity

Hacking of the third party service provider's IT systems, with a direct impact on the outsourced services or on critical/confidential data stored at the service provider; or service provider staff gaining unauthorised access to critical/sensitive data stored at the service provider.

Examples:

  • Hacking of service providers by criminals or terrorists, as an entry point into the institution's IT systems or to access or destroy critical or sensitive data stored at the service provider.
  • Malicious insiders on the service provider's side stealing and selling sensitive data.

Factors

  • The key risk factor is whether the institution has outsourced IT services or IT systems within or outside the group.

Controls

Controls and control environment in place for mitigating risks related to material outsourced IT services:

  • an assessment, documented during the procurement process, of the impact of the IT outsourcing on the institution's risk management related to the use of service providers (e.g. cloud service providers) and their services, which senior management or the management body takes into account when deciding whether or not to outsource the services. The institution should review the IT risk management policies and the IT controls and control environment of the service provider to ensure that they meet the institution's internal risk management objectives and risk appetite. This review should be periodically updated during the contractual outsourcing period, taking into account the characteristics of the outsourced services;
  • a monitoring of the IT risks of the outsourced services during the contractual outsourcing period as part of the institution’s risk management, that feeds into the institution’s IT risk management reporting (e.g. business continuity reporting, security reporting);
  • a monitoring and comparison of the received service levels against the contractually agreed service levels, which should form part of the outsourcing contract or service level agreement (SLA);
  • adequate staff, resources and competences to monitor and manage the IT risks from the outsourced services.
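The third control above (comparing received service levels with the contractually agreed ones and feeding the result into IT risk reporting) is the one that lends itself to automation. The following is an added example, not code from the Open Risk Manual or from the EBA guidelines it cites: it computes the achieved availability of each outsourced service from a constructed set of outage records, clips outages to the reporting period, and compares the result against the SLA terms to produce a breach report. Service names, SLA figures, outage times and the reporting period are all constructed for illustration.

```python
"""Added example: SLA compliance check over constructed outage records for
outsourced IT services (hypothetical services, SLA terms and outages)."""
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Outage:
    service: str
    start: datetime
    end: datetime


@dataclass(frozen=True)
class SlaTerms:
    availability_pct: float    # agreed monthly availability, e.g. 99.9
    max_incident_minutes: int  # longest single outage permitted by the contract


# Constructed reporting period: September 2019 (exactly 30 days = 43200 min).
PERIOD_START = datetime(2019, 9, 1)
PERIOD_END = datetime(2019, 10, 1)

# Constructed SLA terms per outsourced service (hypothetical names and values).
SLA = {
    "core-banking": SlaTerms(availability_pct=99.9, max_incident_minutes=30),
    "payments-gateway": SlaTerms(availability_pct=99.5, max_incident_minutes=30),
}

# Constructed outage records as they might be received from the provider's
# incident reports. The last record straddles the end of the period and must
# only count for the part that falls inside it.
OUTAGES = [
    Outage("core-banking", datetime(2019, 9, 3, 2, 0), datetime(2019, 9, 3, 2, 50)),
    Outage("core-banking", datetime(2019, 9, 20, 10, 0), datetime(2019, 9, 20, 10, 20)),
    Outage("payments-gateway", datetime(2019, 9, 10, 12, 0), datetime(2019, 9, 10, 12, 15)),
    Outage("core-banking", datetime(2019, 9, 30, 23, 50), datetime(2019, 10, 1, 0, 30)),
]


def clip_minutes(outage, period_start, period_end):
    """Minutes of the outage that fall inside the reporting period."""
    s = max(outage.start, period_start)
    e = min(outage.end, period_end)
    return max(0.0, (e - s).total_seconds() / 60)


def assess_service(service, outages, terms, period_start, period_end):
    """Compare achieved service levels for one service against its SLA terms."""
    period_minutes = (period_end - period_start).total_seconds() / 60
    durations = [clip_minutes(o, period_start, period_end)
                 for o in outages if o.service == service]
    downtime = sum(durations)
    longest = max(durations, default=0.0)
    achieved = 100.0 * (period_minutes - downtime) / period_minutes
    allowed = period_minutes * (1 - terms.availability_pct / 100)

    findings = []
    if achieved < terms.availability_pct:
        findings.append(
            f"availability {achieved:.3f}% below agreed {terms.availability_pct}% "
            f"(downtime {downtime:.0f} min, allowed {allowed:.1f} min)")
    if longest > terms.max_incident_minutes:
        findings.append(
            f"longest outage {longest:.0f} min exceeds agreed "
            f"{terms.max_incident_minutes} min")

    return {
        "service": service,
        "achieved_pct": round(achieved, 3),
        "downtime_minutes": downtime,
        "longest_outage_minutes": longest,
        "findings": findings,
        "breached": bool(findings),
    }


def sla_report(outages, sla, period_start, period_end):
    """Assess every service with SLA terms; breached services sort first so the
    report can be dropped straight into IT risk management reporting."""
    results = [assess_service(name, outages, terms, period_start, period_end)
               for name, terms in sla.items()]
    return sorted(results, key=lambda r: (not r["breached"], r["service"]))


if __name__ == "__main__":
    for r in sla_report(OUTAGES, SLA, PERIOD_START, PERIOD_END):
        status = "BREACH" if r["breached"] else "ok"
        print(f"{r['service']:<18} {r['achieved_pct']:>8.3f}%  {status}")
        for f in r["findings"]:
            print(f"    - {f}")
```

Two details matter for the check to be trustworthy: outages are clipped to the reporting period rather than attributed wholesale to the month they started in, and the report distinguishes a cumulative availability breach from a single-incident duration breach, since contracts commonly specify both and the second is easy to overlook when only a monthly percentage is tracked. Feeding the per-service findings into the institution's own security or business continuity reporting is what turns the SLA comparison into a risk control rather than a billing reconciliation.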

See Also

  • Requirements of the CEBS outsourcing Guidelines (2006)

References

  1. EBA, Final Guidelines on ICT Risk Assessment under SREP