Credit unions and mutuals are increasingly outsourcing non-core specialist functions. APRA recognises the risks associated with outsourcing material activities and has given guidance to ADIs in APS 231 in respect of the outsourcing agreement itself.
Risks
Outsourcing, or the contracting out of a business activity, does not transfer all of the risks associated with that activity to the service provider. The services remain the responsibility of the organisation, which must ensure that all risks associated with the business activity are addressed in the same way as if the activity was performed by the organisation.
The organisation must agree with the service provider on the processes that will be in place for the monitoring, reporting and reviewing of services provided to the organisation.
The organisation must ensure that the service provider adheres to the organisation’s relevant policies and procedures. The organisation must also ensure that the service provider has staff who are sufficiently trained and competent to provide the services.
Materiality
The degree of risk can be assessed in light of the materiality of the services and the impact of the services on the business activities of the organisation.
Generally, a material business activity is defined as one that has the potential, if disrupted, to impact significantly on the business operations, reputation or profitability of the organisation. Factors to be considered when making this assessment include:
- The impact on the organisation financially and on its reputation caused by a failure by the service provider to perform over a given period of time (depending on the importance of the business activity, this may be measured in hours or days or percentage of income lost);
- The cost of the arrangement as a percentage of total costs;
- The degree of difficulty, including the time taken, in finding an alternative service provider or bringing the business activity “in-house”; and
- The ability of the organisation to meet regulatory requirements if there were problems with the service provider.
As a guide, a material business activity may include a significant part of the organisation’s core business functions including computing/information technology, transactional, internal audit, data processing, custodial or administration arrangements, research, general management, compliance monitoring and administration.
A material business activity would not usually include contractor type relationships, where there are numerous providers in the marketplace, the contract is relatively short term and the cost and inconvenience of switching between providers is low. Examples would normally include utility services (such as cleaning, maintenance, mail and telephone services), legal and accounting services, printing, software licensing, call centre, postal distribution, Human Resources management, marketing, research and training.
Board and Management Responsibility
The Board and Audit and Compliance Committee should be actively involved in assessing the processes involved in outsourcing all material business activities. This includes involvement in the decision to outsource, the due diligence process, the evaluation and selection of potential service providers, transition arrangements, and ensuring that appropriate exit strategies are in place. The Board should also be kept informed on a regular basis of the performance of the service provider (including any significant issues that may arise).
The organisation’s Board and/or Audit and Compliance Committee may wish to impose certain conditions on the services to be provided and require that provisions minimising the organisation’s risk be incorporated into the agreement. The person authorised by the organisation to act on its behalf has a duty to the organisation to ensure that any conditions imposed by the Board are satisfied before executing the agreement or allowing the services to commence.
Risk Management Framework for Outsourcing
At a minimum, the risk management framework for outsourcing and contracting services should require the following to be addressed in each case of outsourcing:
- Probity. Are there procedures to identify and address conflicts of interest?
- Business case for outsourcing a business activity. A business case for outsourcing or contracting with service providers should be developed.
- The tender process. The organisation should determine the means for acquiring the services and whether a public or private tender process will be used, or whether a key service provider is to be contacted concerning the provision of the services.
- Approval of the agreement. The process for review and authorisation to execute the agreement should be set out as a step-by-step process for entering into the agreement.
- Procedures for monitoring performance. The agreement should set levels or standards for the provision of the services. Will contract management software be used?
The organisation should also address renewal arrangements and how these will be conducted to ensure that it has appropriately managed its risks for the future. How will expiration dates be monitored?
The outsourcing agreement
Outsourcing or service arrangements should be undertaken using a written document which contains all necessary terms and conditions of the agreement.
At a minimum, the agreement should address the following:
- Service levels and performance requirements. The agreement must clearly define the service levels and performance requirements of the organisation.
- Audit and monitoring procedures. The more important the services are to the organisation’s core business, the higher the risk of failure of the services and the greater the degree of monitoring required. There should also be provision for regular review of these services at intervals that depend on the services provided. The agreement should also permit review of breaches where service levels or standards have not been achieved.
- Default arrangements and termination provisions. An immediate right to terminate the agreement should exist in the event of a breach of relevant laws (e.g. the Corporations Act, Privacy Act and Trade Practices Act) or if the service provider loses an essential licence.
- Pricing and fee structure. The agreement should provide for a clear and concise pricing and fee structure.
- Dispute resolution arrangements. There must be a mechanism for resolution of disputes between the parties.
- Liability and indemnity. Depending on the nature of the services to be provided, the organisation should require that the service provider hold adequate professional indemnity insurance.
- Confidentiality, privacy and security of member information. The organisation must ensure that there are provisions requiring the service provider to keep all customer information confidential. There should also be a provision that the service provider holds information in accordance with the Privacy Act 1988 (Cth), keeps that information secret and does not provide customer information to another party without the consent of the customer. The organisation should also ensure there is provision that all confidential and customer information be returned to the organisation at the end of the agreement (either following termination or expiry of the term), with no copies of the customer information being retained.
- Protection of intellectual property. The organisation should also protect its intellectual property (e.g. name, logo, website address, operational and documented systems and other intellectual property). If the intellectual property is to be used by the service provider, it must be used under a licence that can be terminated on the same terms as the agreement. The organisation should also ensure there is provision that intellectual property be returned to the organisation at the end of the agreement (either following termination or expiry of the term), with no copies of the property being retained.
- Business continuity plans. A plan should exist for the contingency that the services are no longer provided. The organisation must be able to take appropriate and immediate steps to continue to provide services if the service provider is no longer able to provide them. The organisation must also be able to provide services from an alternate location and to access a computer back-up of all files in the event of a disaster.
The organisation should refer all agreements concerning the provision of services in connection with or outsourcing a material business activity to its legal adviser for review.
Regulator’s Access to Service Provider
In addition to the above principles, an outsourcing agreement governing the provision of core business functions should include a clause permitting a relevant industry regulator (such as APRA) access to documentation related to the outsourcing arrangement and the right to conduct on-site visits to the service provider if the regulator considers this necessary.
Monitoring the Relationship and Reporting to Management and the Board
The organisation should devote sufficient resources to managing and monitoring outsourcing and services relationships. At a minimum, this would include:
(a) maintaining appropriate levels of regular contact with the service provider. This would range from daily operational contact, to regular senior management involvement where appropriate in monitoring the services;
(b) a process for regular monitoring of performance under the agreement, including meeting criteria set out in the service level agreements; and
(c) dealing with issues as they arise and elevating them to senior management – or the Board – as appropriate.
Termination
Just as entering the outsourcing arrangement has risks, so does terminating it. The appropriate persons in the organisation (and relevant regulators) should be notified of any intended termination or approaching expiry.