For example, systems development has been sourced from outside through application packages or software houses for many years. The revised instructions are termed the framework for risk management in outsourcing arrangements by financial institutions. The Information Technology Examination Handbook InfoBase concept was developed by the Task Force on Examiner Education to provide field examiners in financial institution regulatory agencies with a quick source of introductory training and basic information. The long-term goal of the InfoBase is to provide just-in-time training for new regulations and for other topics of. The framework suggests, for example, that outsourcing of information systems central to business strategy may be a dangerous diversion, especially if IT operations are already efficient. While outsourcing is associated with significant benefits, it can also be a risky endeavour. A Framework for Critical Information Infrastructure Risk Management (draft working document). Introduction: Critical infrastructures (CIs) provide essential services that enable modern societies and economies, making their protection an important national and international policy concern. As a result, the Australian Defence Risk Management Framework (DRMF) was established. The proposed conceptualization of risk is then applied to the specific context of IT outsourcing using previous research on IT outsourcing as well as transaction cost and agency theory as a point of departure. PDF: A framework for information technology outsourcing. Framework issued for risk management in outsourcing. The paper analyses the outsourcing process in a supply chain management environment. Information Technology Outsourcing, 2nd Edition (previously GTAG 7), June 2012.
The authors validated this framework by distributing a set of questionnaires to. Companies can outsource information technologies it information. Suzanne rivard database for advances in information systems. This working paper on risk management within an outsourcing governance framework presents our best current thinking on the topic and is intended to provide insight and encourage discussion internally and externally. The committee of sponsoring organizations of the treadway commission coso is completing its evaluation of public exposure comments regarding an update to the 2004 enterprise risk management integrated framework, one of the most widely recognized and applied risk management frameworks in the world. Bits framework for managing technology risk in it service provider relationships9. Pdf this paper takes stock from several studies on information. Framework for risk management in outsourcing arrangements. It allows you to externalise many of the resources previously managed. This definition draws on and extends a risk assessment framework that is widely used in engineering. Large facilities management contracts in the late 1980s signaled a timely convergence of supply and demand factors.
This size may be considered small for our statistical analysis. The Risk Management Framework (RMF) is a United States federal government policy and standards to help secure information systems (computers and networks), developed by the National Institute of Standards and Technology (NIST). The two main publications that cover the details of RMF are NIST Special Publication 800-37, Guide for Applying the Risk Management Framework to Federal. Domestic and offshore outsourcing of personal information in. Therefore, IT risk management is one of the important issues facing information systems (IS) executives today [3]. The Federal Reserve is issuing the attached guidance on managing outsourcing risk to assist financial institutions in understanding and managing the risks associated with outsourcing a bank activity to a service provider to perform that activity. Risk IT provides an end-to-end, comprehensive view of all risks related to the use of information technology (IT) and a similarly thorough treatment of risk management, from the tone and culture at the top to operational issues. Risk IT was published in 2009 by ISACA. Outsourcing technology services, FFIEC IT examination.
Risk management of outsourced technology services november 28, 2000 purpose and background this statement focuses on the risk management process of identifying, measuring, monitoring, and controlling the risks associated with outsourcing technology services. Technology and tools change management location management tax. A framework for information technology outsourcing risk. Audit, business continuity planning, development and acquisition, ebanking, fedline, information security, management, operations, outsourcing technology services, retail payment systems, supervision of technology service providers, wholesale payment systems. This federal reserve guidance builds upon the ffiec outsourcing technology services booklet 2004 that addresses outsourced. Information technology risk assessment refers to the evaluation of potential for technology system failures and the organizations return on information technology investments. Further, this guidance applies to all service provider relationships. Outsourcing risk management globalization and competitive pressures are forcing businesses to outsource information technology it services and functions, as well as many other business processing functions that are itenabled. Specifically, we develop a statistical analysis framework to model client behavior at each stage of the outsourcing lifecycle, including. The following it topics are available via this infobase.
This paper takes stock from several studies on information technology outsourcing risk. Pdf information technology outsourcing risks researchgate. Risk it framework complements isacas cobit, which provides a comprehensive framework for the control and governance of businessdriven informationtechnologybased itbased solutions and services. Based on the constraints of inherently governmental functions, the framework incorporates the committees twostep threshold for identifying ownership functions, which should be performed by inhouse staff, and. The framework includes a comprehensive set of leading practices that serve as a guide for program managers to use when developing or enhancing.
As specific objects we can identify determining advantages and disadvantages of outsourcing, influence factors on outsourcing success or failure and analysing the outsourcing life cycle. Many firms have adopted outsourcing in recent years as a means of governing their information technology it operations. The guide should be used for the management of information technology projects. Framework for risk management in outsourcing arrangements by financial institutions banking policy and regulations department of the state bank of pakistan central bank releases its framework for risk management in outsourcing arrangements by financial institutions, an annexure. A five process model provides a framework within which technology management activities can be understood. Framework for risk management in outsourcing arrangements by. Increasingly, this work, known as itobpo it outsourcing business process outsourcing, is going offshore. These days, executives recognize enterprise risk management erm as a muchneeded core competency that helps organizations deliver and increase stakeholder value over time. That will decrease the time needed to complete tasks and minimize the chance of redo process. Results show that an active risk management approach can reduce risk. Guidance on managing outsourcing risk federal reserve.
After providing a conceptual definition of risk, the paper proposes a risk management framework. Critical for organizational success, 3rd edition previously gtag 2 february 2020 management of it auditing, 2nd edition previously gtag 4 january 20. Outsourcing risk management internet security alliance. For that reason, a conceptual framework on information security risk management in it outsourcing isrmito will be introduced throughout this paper. A framework for managing fraud risks in federal programs 1 gao15593sp foreword i am pleased to present gaos fraud risk management framework the framework. Risk management is the process of identifying, measuring, monitoring, and managing risk. In this context, operational risk management process, technology, people, and external event risk is a relatively new subject of supervisory focus. Compliance risk management needs to become more efficient to meet future demands.
Increasingly, this work, known as itobpo it outsourcingbusiness process outsourcing, is going offshore. International banking is now in the process of developing and rolling out new systems for assessing and managing operational risk, driven by the new basel capital accord. The fed supervisory letter sr 19 ca 21 on guidance. Frequently asked questions on mas guidelines on outsourcing. Cloud risk decision framework 3 doing nothing may pose the greatest risk of all risk management is the effect of uncertainty on objectives many organisations are embracing cloud computing for substantial cost reductions, performance improvements and greater scalability. A framework for information technology outsourcing risk management article pdf available in acm sigmis database 364. A comparative study executive summary in early 2002, the secretary of defence and the chief of defence force endorsed a topdown, organisationwide, systematic approach to risk management in defence. Senior management is also responsible for regularly reporting to the board of directors on adherence to policies governing outsourcing arrangements. They developed a framework including a gametheoretical model for peer. The framework covers the key steps for managing outsourcing risk in banks. A framework for information technology outsourcing risk management. Technology risk management framework and role of senior management and the board 20 key requirements what you need to consider senior management involvement in the it decisionmaking process implementation of a robust risk management framework effective risk register be maintained and risks to be assessed and treated.
PDF: A framework for information technology outsourcing risk. National Institute of Standards and Technology key standards and guidelines: FIPS Publication 199 (security categorization); FIPS Publication 200 (minimum security controls); NIST Special Publication 800-18 (security planning); NIST Special Publication 800-30 (risk assessment); NIST Special Publication 800-37 (system risk management framework). A risk analysis framework for information technology outsourcing. This GTAG describes how members of governing bodies, executives, IT professionals, and internal auditors address significant IT-related risk and control issues, and presents relevant frameworks for assessing IT risk and controls. The two main publications that cover the details of RMF are NIST Special Publication 800-37, Guide for Applying the Risk Management. Risk Management of Outsourced Technology Services, November 28, 2000. Purpose and background: This statement focuses on the risk management process of identifying, measuring, monitoring, and controlling the risks associated with.
Information Technology Risk and Controls, 2nd Edition (previously GTAG 1), March 2012, new. A proposal framework for evaluating risks of information. FFIEC IT Examination Handbook InfoBase, risk management. IT Project Management Practices Guide, page 1 of 83, ASU, HSC, TTU, TTUS. Mrcs risk management outsourcing professionals have the experience and expertise required to help organizations streamline risk management activities. Introduction: Outsourcing is viewed as one of the most important management strategies of our time. A Framework for Critical Information Infrastructure Risk Management (draft working document). Introduction: Critical infrastructures (CIs) provide essential services that enable modern societies and economies, making their protection. GAO-15-593SP, A Framework for Managing Fraud Risks in Federal. Limitations: Since information technology and also risk management are still areas which need to improve in some Iranian companies, we couldn't consider them in our analysis.
Information systems, information technology, outsourcing, risk management, off shoring 1. Regardless of which alternative they choose, management is responsible for managing risk in all outsourcing relationships. Sound management of information and technology requires the same framework utilized for l risk al management identify, measure, monitor, control, and report on information technology it risks. Development of a risk assessment model for global information. This paper proposes a framework for the management of it outsourcing risk, and assesses the usefulness of the framework using two cases of system development outsourcing. Outsourcing risk management and information transparency. While cobit sets good practices for the means of risk management by providing a set of controls to mitigate it risk, risk it sets good practices. National institute of standards and technology 3 risk management framework security life cycle. Itis outsourcing in large companies motivations and risks.
The IT Project Management Practices Guide (Guide) contains a repeatable, institution-wide approach for the management of application development and/or software procurement and deployment projects. Outsourcing risk management combing technology, public. The Use of Information Technology in Risk Management, author Tom Patterson, CPA, Complex Solutions Executive, IBM Corporation, executive summary. Abstract, the 14th International Management Conference. While risk management around outsourcing is traditionally perceived as preventing bad things from happening, this paper extends this view to align it closer to the board and executive leadership strategic agenda, enabling them to consider the full spectrum of potential opportunities that outsourcing could create for their organizations. This chapter provides a decision framework for federal agencies considering outsourcing management functions for facility acquisitions. The Technology Risk Management Guidelines (TRMG) have been enhanced to help financial institutions improve oversight of technology risk management and security practices. Global information technology (IT) outsourcing has been recognized to have. This assessment would consider such factors as processing capacity, access control, data protection, and cyber crime. The Guide to Information Technology Security Services, Special Publication 800-35, provides assistance with the selection, implementation, and management of IT security services by guiding organizations through the various phases of the IT security services life cycle. Outsourcing the information technology operations of a company can allow it to regain control over its internal department. Extending organizational boundaries through outsourcing. Especially in the area of IT, where projects have a long history of failing, there is a great deal of interest in the effects of risk management [4]. It is the result of a work group composed of industry experts and some academics of different nations, coming from.
State bank of pakistan sbp earlier introduced the guidelines on. In writing this guidance we built on a the guidance on managing outsourcing risk by the board of governors of the us. A definition of risk is offered, and an illustration from five case studies is. A framework for critical information infrastructure risk. While outsourcing it has been a trend in the 1990s, it is not a new phenomenon. Outsourcing it operations is a topic that has gained popularity since kodak first.
When an outsourcing company is hired by an organization, it is crucial to protect the organization's important data and intellectual property. Management of information and the supporting technology is critical to the performance and success of each regulated entity and the Office of Finance. The risk management framework used by the institution to evaluate the risks and materiality of such outsourcing arrangement should be approved by the institution's board of directors, or a committee delegated by the board of directors. On the other hand, due to questionnaire limitation, the study's sample size is 64 plants. A Framework for Information Technology Outsourcing Risk Management, Benoit A. Aubert. A catalog of information systems outsourcing risks. The impact of information technology on risk management. A logistic regression framework for information technology. The attached guidance addresses the characteristics, governance, and operational effectiveness of a financial institution's service provider risk management program for outsourced activities beyond traditional core bank processing and information technology services. Tafti (2005) provided a framework for risk assessment of offshore IT outsourcing, and. GAO-15-593SP, A Framework for Managing Fraud Risks in. Conceptual framework on information security risk management. Risk Management of Outsourced Technology Services, November. The Risk Management Framework is a United States federal government policy and standards to help secure information systems (computers and networks), developed by the National Institute of Standards and Technology.
A definition of risk is offered, and an illustration from five case studies is used to show how risk can be managed. Followup processes should be implemented so that compliance deviations are addressed and remedied on a timely basis. It project management practices guide page 1 of 83 asu, hsc, ttu, ttus it project management practices guide. Process management banks must have a robust and properly implemented policy, processes and control elements surrounding outsourcing. In our experience, organisations will almost certainly the outsourcing handbook a.