Presentation exploring the key risks of outsourcing IT in the banking and financial sectors. Understanding these risks will help your organisation mitigate against them and ensure your IT outsourcing requirement is delivered with the minimum risk to business.

1. 6 Risks To Address
When Outsourcing IT In
The Banking Sector6 Risks To Address When Outsourcing
IT
In The Banking Sector

2. It is vital that before outsourcing IT all parties
understand the potential risks involved, specifically
in the banking sector.
With this understanding client and provider can take
precautions to mitigate against any risk.
ASSESSING RISK AND MITIGATING
AGAINST IT

3. Risk Assessment
The working group on Information Security, Electronic Banking, Technology Risk
Management and Cyber Frauds has suggested the following three steps to mitigate
risks:
• Identification of the role of outsourcing in the overall business strategy and objectives
aligned with corporate strategic goals.
• Comprehensive due diligence on the nature, scope and complexity of the outsourcing
to identify the key risks and risk mitigation strategies – such as security practices and
environment control of the service provider.
• Analysis of the impact of such arrangement on the overall risk profile of the bank and
whether adequate internal expertise and resources exist to mitigate the risks
identified.
RISK ASSESSMENT

4. Risk Assessment
Risk #1 – STRATEGIC RISK
Business conduct of the service provider can be
against the strategic goals of the bank.
Solution: assess the IT Outsource Service Provider for the following:
• Business reputation and culture, compliance, complaints
and outstanding or potential litigations,
• External factors like political, economic, social and legal
environment of jurisdiction in which the service provider
operates and other events that may impact on the strategic
goals of the bank.

5. Risk Assessment
Risk #2 – REPUTATION RISK
Poor services of the service provider could be
harmful for the reputation of bank and will
harm customer relationships.
Solution: assess the IT Outsource Service Provider for the following:
• Past experience and competence to implement and support
proposed activities over the contractual period,
• Financial soundness and ability to service commitments
even under adverse condition,
• Employee training, knowledge transfer,
• Reliance on and ability to deal with sub-contractors.

6. Risk Assessment
Risk #3 – OPERATIONAL RISK
Technology failure, inadequate infrastructure or
any error in providing IT services by the service
provider.
Solution: assess the IT Outsource Service Provider for the following:
• Past experience and competence to implement and support proposed
activities over the contractual period,
• Security and internal control, audit coverage reporting and monitoring
environment, business continuity management,
• Risk management, framework, alignment to applicable international
standards on quality / security / environment, etc., may be considered,
• Secure infrastructure facilities.

7. Risk Assessment
Risk #4 – LEGAL RISK
Potential for a case of non-compliance with the
privacy, consumer and prudential law.
Solution: assess the IT Outsource Service Provider for the following:
• Business reputation and culture, compliance, complaints and
outstanding or potential litigations,
• Security and internal control, audit coverage reporting and monitoring
environment, business continuity management,
• Due diligence for sub-service providers,
• Risk management, framework, alignment to applicable international
standards on quality / security / environment, etc.

8. Risk Assessment
Risk #5 – COUNTRY RISK
Due to political, social climate in the country in
which service is outsourced.
Solution: assess the IT Outsource Service Provider for the following:
• External factors like political, economic, social and legal
environment of jurisdiction in which the service provider
operates and other events that may impact service
performance,
• Secure infrastructure facilities,
• Employee training, knowledge transfer,
• Reliance on and ability to deal with sub-contractors.

9. Risk Assessment
Risk #6 – CONTRACTUAL RISK
Risks related to compliance with the terms of
the contract between service provider and the
bank.
Solution: assess the IT Outsource Service Provider for the following:
• Financial soundness and ability to service commitments even under
adverse condition,
• Security and internal control, audit coverage reporting and monitoring
environment, business continuity management,
• Due diligence for sub-service providers,
• Employee training, knowledge transfer,
• Reliance on and ability to deal with sub-contractors.

10. Risk Assessment
Proposals submitted by service providers should be evaluated in
the light of the organisation’s needs, and any differences in the
service provider proposals as compared to the solicitation should
be analysed carefully.
To access the capability of the service provider to comply with the
outsourcing agreement, it is important to carry out due diligence.
Due diligence should involve an evaluation of all information
about the service provider including qualitative, quantitative,
financial, operational and reputational factors.
DUE DILIGENCE

11. While there are clear benefits in outsourcing IT services to an
external provider, risk evaluation is fundamental and you should
expect any IT service provider to be focussed on this.
With the right IT service provider a bank can enhance its efficiencies
in operations, by increasing the ability to acquire and support current
technology; and allow management to focus on key management
functions – such as better customer service and other core services.
Are you ready to outsource your IT requirement?

12. Follow us