Originally released in 2001, the FDIC recently re-issued 3 publications related to managing outsourced relationships:
- Effective Practices for Selecting a Service Provider
- Tools to Manage Technology Providers’ Performance Risk: Service Level Agreements
- Techniques for Managing Multiple Service Providers
What struck me about this re-release, and the fact that they were released without modification of any kind, suggests that not only have expectations changed very little over the past 12 years, but also (and more significantly) that regulators expect that you are already adhering to them. But are you?
First of all, this guidance (and indeed the guidance released last year by the OCC and the Federal Reserve) makes it clear that there is no meaningful distinction between service provider, vendor, subcontractor, and outsourcer…they are all the same as far as regulatory expectations are concerned.
SO just in case the realities of your vendor management activities have fallen short of those expectations, here are just a few things regulators expect:
- The vendor management process actually starts before the vendor becomes a vendor, indeed it begins even prior to identifying prospective vendors. It actually starts when management identifies the need for outsourcing, and identifies how outsourcing will support the institutions objectives and strategic plans.
- Even when only one provider has been identified, you must still evaluate their expertise, technical controls, financial condition and management.
- Although not a strict requirement, an RFP, RFQ and/or RFI can greatly contribute to the selection process by making sure the deliverables match your expectations.
- If an RFP was used to solicit proposals, those documents can be incorporated into the contract.
- The contract remains the single most important vendor management control, and regulators believe the Service Level Agreement (SLA) is a key component in a structuring a successful outsourcing contract.
One final thought on this re-release; between this and the OCC and Federal Reserve issuing updated guidance on outsourcing late last year, and the fact that almost all of the recent updates to FFIEC IT Examination Handbooks dealt either directly or indirectly with vendor management, all lead me to believe even more strongly than ever that this will be a regulator hot-button in the immediate (and foreseeable) future.