Outsourcing Technology Services

FFIEC IT Examination Handbook - Outsourcing Booklet

Completion Progress0 / 21 Controls

Track your third-party risk management program

Overall Completion0%

Board & Management Oversight

0 of 4 controls verified

Complete

Board-approved outsourcing policy and risk management framework

High Risk

Management designated to oversee third-party relationships

High Risk

Risk assessment process for evaluating outsourcing arrangements

High Risk

Regular reporting to board on third-party risk and performance

Medium Risk

Service Provider Selection

0 of 5 controls verified

Complete

Formal RFP process documenting requirements and evaluation criteria

High Risk

Due diligence includes financial stability, reputation, and capability assessment

High Risk

Security and compliance capabilities evaluated

High Risk

References checked and site visits conducted for critical vendors

Medium Risk

Vendor concentration risk assessed

Medium Risk

Contract Management

0 of 7 controls verified

Complete

Contracts include service level agreements (SLAs) with measurable performance metrics

High Risk

Right-to-audit and regulatory access clauses included

High Risk

Data ownership, security, and confidentiality requirements specified

High Risk

Business continuity and disaster recovery obligations defined

High Risk

Termination provisions include data return and transition assistance

High Risk

Liability limitations and indemnification clauses reviewed

Medium Risk

Subcontracting restrictions and notification requirements included

Medium Risk

Ongoing Monitoring

0 of 5 controls verified

Complete

Regular SLA performance reviews and scorecards maintained

High Risk

SOC reports, audit results, and security assessments reviewed annually

High Risk

Financial condition monitoring for critical vendors

High Risk

Incident notification and escalation procedures tested

Medium Risk

Vendor relationship reviews conducted with senior management

Medium Risk

Examiner Expectations

Third-Party Risk Assessment

Risk-based approach to vendor management with heightened due diligence for critical vendors. Must include inherent risk assessment before vendor selection.

Contract Provisions

Contracts must protect institution interests including right-to-audit, data ownership, security requirements, and adequate termination provisions with transition assistance.

Ongoing Monitoring

Continuous monitoring proportional to risk, including SOC report reviews, financial monitoring, and SLA performance tracking. Document all vendor reviews and remediation actions.