Moving Operations to Managed Services Provider [MSP]:
1. Define Board and Management Responsibility: [Expand with respect to ITIL framework].
Ensuring each MSP relationship supports the institution’s overall requirements and strategic plans;
Ensuring the institution has sufficient expertise to oversee and manage the relationship;
Evaluating prospective providers based on the scope and criticality of managed services;
Tailoring the enterprise-wide service provider monitoring program based on initial and ongoing risk assessments of managed services;
Notifying its primary regulator [HAAD] regarding managed relationships, when required by the regulator.
Here, if a Healthcare Facility Provider [HFP] decides to outsource its IT services to a managed service provider [MSP], it may have to check the regulations provided by HAAD.
2. Risk Management:
Establishing senior management and board awareness of the risks associated with Managed Service agreements [MSA] in order to ensure effective risk management practices;
Ensuring that a managed service arrangement is prudent from a risk perspective and consistent with the business objectives of the institution;
Systematically assessing needs while establishing risk-based requirements;
Implementing effective controls to address identified risks;
Performing ongoing monitoring to identify and evaluate changes in risk from the initial assessment;
Documenting procedures, roles/responsibilities, and reporting mechanisms.
a. Assess Risk
Assess the risk from managed service; involve stakeholders in creating risk-based written requirements to control and manage service action;
Use the written requirements to guide and manage the remainder of the managed service process.
Document risks associated with:
Reputation Risk: Errors, delays, or omissions in information technology.
Strategic Risk: Inadequate management experience and expertise can lead to a lack of understanding and control of key risks; inaccurate information from TSPs can cause the management of serviced financial institutions to make poor strategic decisions.
Compliance (legal) Risk: Outsourced activities that fail to comply with legal or regulatory requirements can subject the institution to legal actions. [In case of HFP, this can lead to sanctions or cancellation of license.]
Healthcare financing: Processing errors related to investment income or repayment assumptions could lead to unwise investment or liquidity decisions, thereby increasing market risks.
b. Quantify Risk Consideration
Risks pertaining to the function of managed service include:
- Sensitivity of data accessed, protected, or controlled by the service provider;
- Volume of transactions; and
- Criticality to the financial institution’s business.
Risks pertaining to the service provider include:
- Strength of financial condition;
- Turnover of management and employees;
- Ability to maintain business continuity;
- Ability to provide accurate, relevant, and timely Management Information Systems (MIS);
- Experience with the function outsourced;
- Reliance on subcontractors;
- Location, particularly if cross-border (see Appendix C, Foreign-Based Third-Party Service Providers); and
- Redundancy and reliability of communication lines.
Risks pertaining to the technology used include:
- Reliability;
- Security; and
- Scalability to accommodate growth.
c. Requirement Definition of Risk
Stakeholder involvement: All organizational groups who will be directly involved with the service provider or in using the contracted service should be represented in the development of product and service requirements.
Integration: The development should result in requirements that support the subsequent steps of solicitation, selection, contracting, and monitoring.
Documentation: Documentation will greatly assist in ensuring that the service contracted and delivered meets the institution’s requirements. Documentation will also allow for subsequent reviews of the processes’ adequacy and integrity.
3. Services To Be Outsourced to Managed Service Provider
a. Define scope and nature of:
Service description;
Technology;
Customer support.
b. Standards and service levels
Availability and performance; Change management; Financial reporting; Quality of service; Security; and Business continuity.
c. Minimum acceptable service provider characteristics
Industry experience; Management experience; Technology and systems architecture; Process controls; Financial condition; Reputation, including references; Degree of reliance on third parties, subcontractors, or partners; Legal, regulatory, and compliance history; and Ability to meet future needs.
d. Monitoring and reporting
Measurements and reporting criteria; Right to audit; Third-party reports; and Coordination of responses to security events.
e. Transition requirements
Initial migration of data to the service provider; Implementation of necessary communications mechanisms; Migration of data from the service provider at termination of contract; and Staff training.
f. Contract duration, termination, and assignment
Start and term; Conditions and right to cancel; Ownership of data; Timely return of data in machine-readable format; Costs of transition; Limitations, as appropriate, governing assignment to third party; Dispute resolution; and Confidentiality of institution data.
g. Contractual protections against liability
Indemnification; Limitation of liability; and Insurance.
4. Service Provider Selection
a. Request For Proposal
Evaluate service provider proposals in light of the institution’s needs, including any differences between the institution’s solicitation and the service provider proposal;
b. Due Diligence
Perform due diligence on the prospective service providers;
Ensure that selection of affiliated parties as service providers is done at arm’s length in accordance with regulations and guidance issued by the institution’s primary regulator; and
Evaluate foreign-based third-party service providers in light of the guidance found in this section and in Appendix C, Foreign-Based Third-Party Service Providers.
c. Due Diligence about Managed Service Provider History
Existence and corporate history; Qualifications, backgrounds, and reputations of company principals, including criminal background checks where appropriate; Other companies using similar services from the provider that may be contacted for reference; Financial status, including reviews of audited financial statements; Strategy and reputation; Service delivery capability, status, and effectiveness; Technology and systems architecture; Internal controls environment, security history, and audit coverage; Legal and regulatory compliance, including any complaints, litigation, or regulatory actions; Reliance on and success in dealing with third-party service providers; Insurance coverage; and Ability to meet disaster recovery and business continuity requirements.
5. Resolve and Implement Contracts
Ensure the contract clearly defines the rights and responsibilities of both parties; Ensure the contract contains adequate and measurable service level agreements; Ensure contracts with affiliates clearly reflect an arm’s-length relationship and that costs and services are at least as favorable to the institution as those available from a non-affiliated provider; Choose the most appropriate pricing method for the financial institution’s needs; Ensure the contract does not contain provisions or inducements that may have a significant, adverse effect on the institution; Engage legal counsel to review the contract; and Evaluate foreign-based third-party service providers in light of the guidance found in this section.
a. Verify the accuracy of the description of the outsourcing relationship in the contract;
b. Ensure the contract is clearly written and contains sufficient detail to define the rights and responsibilities of each party comprehensively.
c. Engage legal counsel early in the process to help prepare and review the proposed contract.
d. Scope of Service. The contract should clearly describe the rights and responsibilities of the parties to the contract.
Considerations should include:
i. Descriptions of required activities, timeframes for their implementation, and assignment of responsibilities. Implementation provisions should take into consideration other existing systems or interrelated systems to be developed by different service providers (e.g., an Internet banking system being integrated with existing core applications or systems customization).
ii. Obligations of, and services to be performed by, the service provider, including software support and maintenance, training of employees, or customer service.
iii. Obligations of the financial institution.
iv. The contracting parties’ rights in modifying existing services performed under the contract.
v. Guidelines for adding new or different services and for contract renegotiation.
e. Performance Standards.
Institutions should include performance standards that define minimum service level requirements and remedies for failure to meet standards in the contract. For example, common service level metrics include percent system uptime, deadlines for completing batch processing, or number of processing errors. Industry standards for service levels may provide a reference point. The institution should periodically review overall performance standards to ensure consistency with its goals and objectives.
f. Security and Confidentiality
g. Controls.
Service provider internal controls; Compliance with applicable regulatory requirements; Record maintenance requirements for the service provider; Access to the records by the institution; Notification requirements and approval rights for any material changes to services, systems, controls, key project personnel, and service locations; Setting and monitoring parameters for financial functions, including payments processing or extensions of credit on behalf of the institution; and Insurance coverage maintained by the service provider.
h. Audit: The institution should include in the contract the types of audit reports it is entitled to receive (e.g., financial, internal control, and security reviews).
i. Reports: Contractual terms should include the frequency and type of reports the institution will receive (e.g., performance reports, control audits, financial statements, security, and business resumption testing reports).
j. Business Resumption and Contingency Plans.
The contract should address the service provider’s responsibility for backup and record protection, including equipment, program and data files, and maintenance of disaster recovery and contingency plans.
k. Sub-contracting and Multiple Service Provider Relationships.
Some service providers may contract with third parties in providing services to the health institution. Institutions should be aware of and approve all subcontractors. To provide accountability, the financial institution should designate the primary contracting service provider in the contract. The contract should also specify that the primary contracting service provider is responsible for the services outlined in the contract regardless of which entity actually conducts the operations. The institution should also consider including notification and approval requirements regarding changes to the service provider’s significant subcontractors.
l. Define Pricing methods
The contract should fully describe the calculation of fees for base services, including any development, conversion, and recurring services, as well as any charges based upon volume of activity or for special requests. Contracts should also address the responsibility and additional cost for purchasing and maintaining hardware and software. Any conditions under which the cost structure may be changed should be addressed in detail, including limits on any cost increases.
m. Bundling
n. Contract inducement concerns
o. Ownership and License: The contract should address the ownership, rights to, and allowable use of the institution’s data, equipment/hardware, system documentation, system and application software, and other intellectual property rights.
p. Duration: The institution should consider the appropriate length of time required to notify the service provider of the institution’s intent not to renew the contract prior to expiration. Institutions should consider coordinating the expiration dates of contracts for inter-related services (e.g., website, telecommunications, programming, network support) so that they coincide, where practical. Such coordination can minimize the risk of terminating a contract early and incurring penalties as a result of necessary termination of another related service contract.
q. Dispute Resolution: The institution should consider including a provision for a dispute resolution process that attempts to resolve problems in an expeditious manner, as well as a provision for continuation of services during the dispute resolution period.
r. Indemnification: Indemnification provisions should require the service provider to hold the financial institution harmless from liability for the negligence of the service provider.
s. Limitation of Liability: If the institution is considering such a contract, management should assess whether the damage limitation bears an adequate relationship to the amount of loss the financial institution might reasonably experience as a result of the service provider’s failure to perform its obligations.
t. Termination: Management should assess the timeliness and expense of contract termination provisions.
u. Assignment: The institution should consider contract provisions that prohibit assignment of the contract to a third party without the institution’s consent.
v. Foreign-based service providers
w. Institutions entering into contracts with foreign-based service providers should consider a number of additional contract issues and provisions.
x. Regulatory Compliance: Financial institutions should ensure that contracts with service providers include an agreement that the service provider and its services will comply with applicable regulatory guidance and requirements.
6. Service Level Agreement (SLA)
a. Availability and timeliness of services;
b. Confidentiality and integrity of data;
c. Change control;
d. Security standards compliance, including vulnerability and penetration management; Business continuity compliance; and
e. Help desk support.
7. Pricing methods:
Cost plus, Fixed price, Variable price, Unit price, Incentive-based pricing.
Bundling:
The provider may entice the institution to purchase more than one system, process, or service for a single price, referred to as “bundling.”
8. Contract Inducement Concerns:
The service provider purchases certain assets (e.g., computer equipment or foreclosed real estate) at book value (which exceeds market value) or purchases capital stock from the institution. The service provider offers cash bonuses to the institution upon completion of the conversion. The service provider offers up-front cash to the institution. The provider states that the institution acquires the right to future cost savings or profit enhancements that will accrue to the institution because of greater operational efficiencies. These improvements are usually without measurable benchmarks. The institution defers expenses for conversion costs or processing fees under the terms of the contract. Low installation and conversion costs in exchange for higher future systems support and maintenance costs.
9. Ongoing Monitoring
a. Key Service Level Agreements and contract provisions
A formal policy that defines the SLA program; An SLA monitoring process; A recourse process for non-performance; An escalation process; A dispute resolution process; and A termination process.
b. Financial condition of Service Providers
Paying off the servicer’s creditor(s) and hiring outside specialists to operate the center; Obtaining required equipment and software for in-house processing; and Transferring data files to another provider.
c. General Control Environment of the Service Provider
The practicality of the service provider having an internal auditor, and the auditor's level of training and experience; The service provider's external auditors’ training and background; and Internal IT audit techniques of the service provider.
d. Potential Changes due to External Environment
10. Business continuity planning:
Regularly review the business continuity plans of the service provider or vendor to ensure any services considered “mission critical” for the financial institution could be restored within an acceptable timeframe. Review the service provider’s program for contingency plan testing. For critical services, annual or more frequent tests of the contingency plan are required. Assess service provider/vendor interdependencies for mission critical services and applications.
a. Outsourcing the business continuity Function
i. Staffing: The provider should have sufficient and knowledgeable staff available to provide appropriate onsite technical support to ensure timely resumption of operations at the recovery site.
ii. Processing Time Availability: The provider should allocate sufficient processing time, resources, and security controls to accommodate the potential for multiple clients. The institution should ensure it could process normal volumes of work within appropriate time requirements.
iii. Access Rights: The provider should disclose any access limitations. The provider should guarantee the institution’s right to use the site in case of an emergency. Alternatively, the institution should understand any priority arrangements. For example, some sites operate on a first-come, first-served basis until the site is at full capacity, but others have pre-arranged priorities based on contractual agreements.
iv. Hardware and Software: The recovery site should have compatible hardware and software. The institution should monitor the compatibility of the site to handle its specific computer hardware and software requirements. To facilitate the monitoring, the provider should be required by contract to notify the institution of any changes in the hardware, software, and equipment at the recovery site.
v. Security Controls: The institution should ensure it can maintain adequate physical and logical security controls at the recovery site.
vi. Testing: The service provider contract should address access to the recovery site for periodic testing. At a minimum, the institution needs sufficient access to perform at least one full-scale test of the recovery site annually, including verification of telecommunications capabilities.
vii. Confidentiality of Data: The institution should ensure the provider can maintain the confidentiality of its business and customer data.
viii. Telecommunications: The institution should review telecommunications redundancy and capacity at the recovery site, including how communications from the institution to the recovery site will be established.
ix. Reciprocal Agreements: Financial institutions contracting with another institution for a recovery site should consider the above issues of staffing, processing availability, access rights for recovery or testing, compatibility, security, capacity, etc.
x. Space: The recovery site should have adequate space to accommodate the affected institution's recovery staff.
xi. Printing Capacity/Capability: The recovery site should maintain adequate printing capacity to meet the demand of the affected institution under acceptable levels of service.
xii. Contacts: Institution management should know the procedures for declaring a disaster, including who has the authority to declare a disaster and initiate use of the recovery site.
11. Information Security and safeguards
12. Multiple service Provider relationship
13. Outsourcing To foreign Service Provider
a. Risk Management: Country risk, compliance risk
b. Due Diligence: Contracts (Security, Confidentiality and Ownership of Data)
c. Regulatory Authority of other country.
d. Choice of Law
APPENDIX:
USE ITIL For Moving to Managed Services:
1. Define Standards used to manage Service Provider and ITIL.
2. Create Service strategy to move towards Managed Services Model.
3. Fix Service Design to move towards managed Services.
4. Use Service Transition to define:
transition planning, service assets and configuration management, Change Management, Service Validation and Testing, reduced resolution time by populating Knowledge management, deployment strategy and infrastructure, evaluation of reproduction to 3rd party provider.
5. Use Operation Module to define support structure replicating HAAD requirements.
Define the following for the 3rd party to maintain for operations standards:
Service Desk, Incident Management (things like escalation matrix), Event Management, Request Fulfillment, Problem management, Access Management from 3rd party, Application management, IT Operation Management, Technical Management.
6. Continual Management: for Quality managed at 3rd party site.
Define Quality Standards needed to be maintained at 3rd party:
Service Management
Service Reporting