Risk Management in the age of outsourcing
April, 2011

JDalal Associates, LLC
Outsourcing – Strategy, Implementation, Results™

© 2002-2011 JDalal Associates LLC, All rights reserved

Outline

Outsourcing
• Setting the context (definitions)

Risk Management and Outsourcing
• Financial industry and RM
• Lessons Learned

Risk Management Framework
• Risk management model
• RM and outsourcing governance

Compliance and Audit
• Audit practices


Outsourcing – a change agenda

Drivers
Cause for Action
Change Agenda

IAOP definition: Outsourcing is a long-term, results-oriented business relationship with a specialized 3rd party services provider.

Risk-based definition: When a business believes that managing a function in house is “riskier” than asking someone who is experienced in that field to run it, the business will consider outsourcing.

Outsourcing – risk/value view

Risks
• Strategic decision making
• Operational underperformance
• Transactional difficulties
• Security challenges
• Compliance and controls weakness
• Reputation and goodwill

Value
• Reduce operating costs
• Refocus management attention
• Leverage capital assets
• Obtain predictable results
• Access to difficult skills
• Look for innovation


Outsourcing risk management in the Financial Industry

E&Y Risk survey indicates:
• Closing the gaps – 42% of companies believe that key risks are not formally managed
• Enabling business strategy – four in ten companies globally do not formally link risk management to business strategy
• Risk management spending set to rise – 66% of companies plan increased investment over the next three years
• Establishing lines of defense – significant challenge to maintain accountabilities for risk and control, and to establish consistency in risk management and internal control activities
• Mis-alignment – better alignment is needed between risk management functions and business unit management

Regulatory pressure on risk management:
• “maintain effective oversight and control throughout the arrangement, assess risk of these arrangements through ongoing monitoring and controls” (OTS)
• “have a comprehensive outsourcing risk management process to govern service provider relationships; process should include risk assessment, selection, contract review, and monitoring of service providers; periodically rank vendors according to risk and to determine level of monitoring required” (FFIEC)
• “designate, in writing, the employee(s) to coordinate the vendor governance program” (SEC)
• “define policies and procedures to assess risk and establish controls” (FDIC)

“Outsourcing does not diminish an FI’s responsibilities” – FDIC, June 2008 Guidance on Managing Third-Party Risk

Lessons learned – risk management and outsourcing

• Risk management is an “after-thought” for the outsourcing engagement – often left to contract developers
• No single point of risk management responsibility is established in the organization and held accountable for the life of the outsourcing agreement
• No clear definition of a risk management framework is established and utilized for vendor selection or ongoing governance
• Risk factors are identified based on anecdotal or historical perspectives only, not prospectively
• Financial analysis of risk factors and their implications is not included in the business case for outsourcing
• The governance process does not include formal risk management and audit activities


Risk management framework

Strategy
• Developing Risk Management Model
• Creating “comfort zone”
• Identifying risk parameters and tolerances

Implementation
• Developing Risk-Avoidance-Mitigation Plan
• Conducting due diligence
• Contracting for risk management

Results (Governance)
• Using governance program for risk management

Risk Management Model (RMM)©

• Risk Categorization
• Risk Policy
• Risk Avoidance – Mitigation Plan
• Risk Identification (scenario based)
• Risk Comfort Zone Analysis
• Risk Management Plan
• Contract Risk
• Audit and Adjustment
• Risk Governance / Controls Checklist

Risk Management Model (RMM)© – Strategy

Risk Management Model (RMM)© – Risk Parameters (for Exposure)

Risk Exposure (Low to High) is plotted against Risk Management Capability (High to Low): high capability with low exposure is the Comfort Zone, low capability with high exposure is the Risky Zone.

Strategic Risks
• Reputation
• Selection (process, vendor)
• Changed business drivers and environment

Performance Risks
• Delivery
• Disruption

Risk Management Policy – an example

• Defines third-party relationships and restrictions
• Defines the “comfort zone” based on various risk profiles (management ability and exposure):
  • Strategic
  • Reputation
  • Operational
  • Technology
  • Credit
  • Compliance
  • Privacy
  • Security
  • Foreign Entity
• Establishes contractual framework and boundary conditions
• Frames the risk management aspects of governance

Risk Management Model (RMM)© – Implementation

Risk Management Categories – an example

SYSTEM SECURITY
Unauthorized access to computer resources such as programs, hardware, systems software, and data held for a business function. Entry points that present risk are employee interfaces, system interfaces, networks, vendors, or third-party providers.
Inherent risk factors:
• Decentralized vs. Centralized Security
• Host based vs. Client/Server components
• Data Confidentiality
• Single Layer vs. Multiple Layers of Security

GENERIC INFORMATION TECHNOLOGY RISKS (Technology Risk Categories)

DATA CONTROL RISK
System processes do not ensure that data in a system correctly represents the business activities, transactions and events. Irrelevant or unreliable data impacts proper business decisions.

PRODUCT SUPPORT RISK
System integrity is impacted by inadequately managed changes to programmed procedures through faulty design, testing, implementation and approvals. Also, inconsistently applied versions of production programs and data files increase risk.

AVAILABILITY RISK
Computer resources or information are not available and fully functional for customers and employees to perform their business activities in a timely manner.

ADMINISTRATIVE (MANAGERIAL) RISK
Evident when breakdowns occur in organizational structure, training, communication, monitoring, etc. Ineffective planning and organization impact the other risk categories. Strategic Risk arises from an incompatibility of an organization’s strategic goals and the underlying technology processes.

Inherent risk factors (listed across the four categories above):
• Complexity of system
• File structure and program
• Number of interfaces
• Data ownership definitions
• Advanced or new technology
• System environment complexity
• Vendor vs. in-house software
• Host based vs. client based software
• Degree of changes required to support business objective vs. incremental upgrades
• Degree that system supports strategic initiatives
• New delivery channel or uses existing channel(s)
• Uses existing network or adds to the network
• Degree of availability supported
• Customer impact of unavailability
• Size of organizational structure
• New ventures
• Degree of business objectives changes
• Organization structure is conducive to …

FUNCTIONALITY RISK
The risk arising from the IT system’s ability to perform the functions that it needs to accomplish. These risks are especially apparent in those systems that support or pass data to other systems.
Inherent risk factors:
• Other systems’ dependency on the integrity of the data processed
• Rapidly changing business rules or direction
• Significantly changing business organization structure or roles
• Technology architecture standards significantly change
• Business …

Risk Management Plan – an example

Inherent Risk Level

Risk Description
Physical access to the Customer ODC is compromised because of inadequate campus perimeter, facility, and ODC physical security practices.

Risk Management Strategy for Controlling Exposures (Control Standards)
Contract Terms – Schedule 9 Physical Security
1. Vendor shall perform at least every six months a risk assessment of its physical security and an evaluation of the practices implemented to mitigate risk, and the assessment reports shall be provided to Customer. Vendor shall implement controls and practices to mitigate significant risks.
2. Vendor shall, as part of the Security Plan, have a written physical security policy and program in effect which designates specific individual(s) responsible for supervision of the security program and defines physical security standards.
3. Vendor Project Managers and staff shall have documented training on the security program and policies.
4. Vendor shall have a sufficient number of staff dedicated to the physical security function. This staff shall be trained and should be of sufficient number to ensure the safety and security of the site, Vendor employees and Customer assets at all times.
5. Vendor shall have an electronic access system in place capable of managing, tracking, controlling and recording the passage and movement of personnel into, out of, and within Vendor Facilities and Customer Designated Areas. Any individual who does not have electronic access rights for entry into these facilities shall be required to sign a manual log of his or her passage and movements.
6. Vendor shall have a closed circuit television system in place capable of monitoring the ingress and egress of the main entrance of the Vendor Facilities where any of the Services are being performed. Images from this system shall be stored and made available to Customer upon request.
7. Vendor shall maintain a log of any disruption of recording capabilities for electronic access and closed circuit television systems. The log shall reflect the exact times, dates and locations that equipment was off-line and how soon backup equipment and/or fail-safes were implemented.
8. Movements and transactions recorded by the electronic access system shall be kept for a period of not less than ninety (90) days and available to Customer upon request.

Tests of Controls
1. Evaluate how Provider manages physical security from a strategy, organizational and implementation perspective.
2. Obtain Provider’s most recent risk assessment of its physical security risks and practices.
3. Evaluate Provider’s implementation of campus perimeter security, including fences, walls, bollards and/or other protective devices that effectively prevent access to Vendor Equipment and Vendor Facilities by unauthorized persons or vehicles.
4. Evaluate Provider’s implementation of facility physical security.
5. Evaluate Provider’s implementation of facility physical security for the Customer ODC.
6. Evaluate Provider’s implementation of the electronic access system to manage, track, control and record the passage and movement of personnel into, out of, and within Vendor Facilities and Customer Designated Areas.
   a) Review the listing of individuals that have been granted access to the Customer ODC and verify that it is consistent with the individuals assigned to the Customer account.
   b) Review logs of access to the Customer ODC and verify that only individuals assigned to the Customer account are accessing the Customer ODC.
7. Evaluate Provider’s utilization of the manual sign-in log for any individuals that do not have electronic access rights for entry into these facilities. Review entries on the manual logs for appropriateness.
8. Evaluate Provider’s use of the closed circuit television system to monitor the ingress and egress of the main entrance of the facilities where services are being performed. Evaluate the storage and retention of images from this system and Provider’s ability to make images available to Customer upon request.
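Tests of Controls 6a and 6b above are the kind of audit step that can be automated by reconciling the ODC access-grant list and the electronic access log against the roster of staff assigned to the Customer account. The following is an added example, not part of the slides or of JDalal Associates’ material; the roster, grant list, log format and user names are constructed sample data.

```python
"""Added example: automating Tests of Controls 6a/6b from the physical-security
plan. Reconciles the Customer ODC access-grant listing and the electronic
access log against the roster of individuals assigned to the Customer account.
All names, badge ids and log lines below are constructed sample data."""
import csv
from io import StringIO

# Constructed roster: individuals assigned to the Customer account.
ASSIGNED = {"a.rivera", "b.chen", "c.okafor"}

# Constructed access-grant listing exported from the electronic access system
# (test 6a): who currently holds a credential for the Customer ODC.
GRANTS = {"a.rivera", "b.chen", "c.okafor", "d.patel"}  # d.patel is not assigned

# Constructed electronic access log (test 6b): timestamp,badge_id,user,door,event
ACCESS_LOG = """\
timestamp,badge_id,user,door,event
2011-04-04T08:02:11,1041,a.rivera,ODC-MAIN,granted
2011-04-04T08:05:47,1077,d.patel,ODC-MAIN,granted
2011-04-04T09:15:03,1052,b.chen,ODC-MAIN,granted
2011-04-04T21:40:19,1099,e.smith,ODC-MAIN,granted
2011-04-05T07:58:30,1099,e.smith,ODC-MAIN,denied
"""

def grants_not_in_roster(grants, assigned):
    """Test 6a: credentials granted to people not assigned to the account."""
    return sorted(grants - assigned)

def roster_without_grant(grants, assigned):
    """Test 6a (other direction): assigned staff holding no ODC credential."""
    return sorted(assigned - grants)

def unassigned_entries(log_text, assigned):
    """Test 6b: successful ODC entries by users not on the roster.
    Returns (timestamp, user) pairs; 'denied' events are excluded because
    they did not result in access to the ODC."""
    findings = []
    for row in csv.DictReader(StringIO(log_text)):
        if row["event"] == "granted" and row["user"] not in assigned:
            findings.append((row["timestamp"], row["user"]))
    return findings

if __name__ == "__main__":
    print("6a grants outside roster:", grants_not_in_roster(GRANTS, ASSIGNED))
    print("6a assigned but no grant:", roster_without_grant(GRANTS, ASSIGNED))
    print("6b unassigned entries:", unassigned_entries(ACCESS_LOG, ASSIGNED))
```

Each finding is an exception for the auditor to follow up with the Provider, for instance a credential that was never revoked or an entry recorded for someone absent from the grant listing.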

Risk Management Model (RMM)© – Results

Governance model©

• Management Commitment
• Relationship Foundation
• Operational Delivery
• Commitment Compliance
• Risk Management
• Metrics, Audit, Assessment, Adjustment
• Relentless Discipline

Contact Jag Dalal ([email protected]) for a copy of an article on governance describing this framework, including risk management.

Risk Controls Checklist – an example

Control Objectives
1. Outsourced employees’ access to systems information and physical locations within the facility are on an ‘as-needed’ basis.
2. All outsourced functions are monitored for effectiveness of meeting contract objectives, including price and performance.

Risk Assessment
• Unauthorized access to company equipment and confidential information
• Inside, confidential information ‘leaked’
• Negative impact on stock price
• Financial loss to Company
• Deteriorating customer service levels
• Regulatory fines if compliance is in question

Possible Control Procedures
• The department’s outsourcing business liaison determines what systems access and building access is needed. This is written into the outsourcing contract or supplementary agreement.
• Identification badges indicate the employee is a contractor or consultant.
• Each quarter, outsourced employees’ system and building access is reviewed for appropriateness.
• A due diligence program is completed before an outsourcing firm is hired. This due diligence would include performance measures against JH and an industry standard. These measures ensure quality assurance and customer service levels are maintained.
• A Customer business liaison is designated to monitor the outsourced employees’ activities.
• Both JH and the outsourced firm sign the contract. In addition, both parties monitor their performance to ensure they are complying with the contract requirements.
• The outsourced firm is evaluated each quarter against department and industry standards. Yearly, the outsourced firm must meet with the department and discuss its performance, including compliance with regulatory requirements, if applicable.

Evaluation columns (completed during the review): Control Designed Effectively? / Control Operating Effectively?


Audit principles

• Define the audit requirements and process
• Assign consequences and remedial requirements and implementation plan (contractually bound)
• Form the basis for measuring management commitment and organizational discipline in implementing actions

Example: Shared Assessments Program

Shared Assessments Program (formerly Financial Institutions Shared Assessments Program)
• Standard Information Gathering (SIG)
• Agreed Upon Procedures (AUP)
• Easy to use and understand
• Maps to ISO27002, PCI-DSS, CObIT, FFIEC, NIST, HIPAA/HITECH
• Allows service providers to supply one report to a virtually unlimited number of clients

An auditor’s perspective on the process


Example – case study (CDI ITS as an auditor)

Action
• Auditor documented critical policies, standards and procedure documentation to meet a compliance roadmap based on an internal deadline.
• Auditor developed a functional organization, IT Security service catalog, organizational framework and gap analysis of tasks, components and functions leveraging the ITIL framework and industry best practices.

Results
• Closed critical gaps
• Implemented PCI, SOX and MICS compliant policies, standards and processes
• Fully documented organizational charts, job descriptions
• Working with client on longer-term strategic IT risk management roadmap

Jagdish Dalal
JDalal Associates LLC
Outsourcing – Strategy, Implementation, Results
(860) 693-0464 Office
(860) 614-1404 Cell
[email protected]
PO Box 15, Unionville, CT 06085

Please support my 2011 3-Day 60 mile walk for Breast Cancer: http://www.the3day.org/goto/Jag_Arizona_2011