This document is intended to serve as a resource for banks in addressing specific challenges relating to technology outsourcing. The content was prepared not as examination procedures or official guidance but as an informational tool for community bankers.
Introduction
As community banks become more involved in technology outsourcing, they face significant challenges in managing the risks associated with reliance on third-party technology service providers [1]. Outsourcing has become more complex with many banks using vendors for key business functions and relying on multiple providers. This brochure suggests techniques that can facilitate the process by which financial institutions conduct due diligence and select the best service provider.
Objectives of the Selection Process
The objective of the selection process is simple: identify the best-qualified service provider and negotiate a contract that meets the needs of the financial institution. The selection process also should be cost effective, efficient, and appropriate for the nature of activities that the bank is seeking to outsource. Of course, the processes that the bank uses to select a provider or team of providers will depend on the criticality and complexity of the service to be outsourced. In addition, the degree of process formality may depend on the nature of the outsourced service and the bank’s familiarity with the prospective providers. Also, banks may wish to consider using consultants to provide expertise and assistance throughout the selection process.
Identification of Qualified Providers
Prior to identifying prospective service providers, it is essential that bank management have a clear understanding of the requirements and expectations that they are seeking to meet. As discussed in the FFIEC Guidance, "Risk Management of Outsourced Technology Services," a comprehensive risk assessment should consider how the outsourcing arrangement will support the institution's objectives and strategic plans and how the relationship with the service provider will be managed. The next step in the process involves conducting due diligence to evaluate service providers and determine their ability, both operationally and financially, to meet the institution's needs.
In some situations, the bank will either already know or quickly be able to determine a "short list" of provider candidates. This may occur when a specialized service is offered by a small number of providers, when size or geographic location is important, or when existing relationships with other providers (e.g., the bank’s core data processor) are critical factors. If the bank has already identified possible providers and does not seek to expand the pool of candidates, management can proceed to evaluation and contract negotiation.
However, when the bank seeks to create or expand a list of possible service providers, it may be helpful to use tools and techniques such as Requests for Proposal (RFP), Requests for Information (RFI), and Requests for Quote (RFQ). These are ways to obtain specific information about a service provider’s ability to meet the bank’s requirements and the fees that they charge for the service. In an RFP, the bank outlines its business objectives and technical requirements and solicits responses from service providers that describe their ability to meet these needs and related prices. A more detailed discussion of the RFP process is provided in the Appendix. The RFI and RFQ are respectively targeted at obtaining specific information about the technical solutions that are available and prices charged for a particular service.
In initial communications with service provider candidates, the bank should make clear that: (1) the service provider cannot disclose any information about the bank’s systems or its business plans to others outside the candidate’s team; (2) the service provider should expect that commitments made during the selection process will be binding in any final agreement; and (3) the service provider must identify all subcontractors, consultants, or third parties on which it is relying to provide services to the bank.
Evaluation and Selection
Once the bank has identified a prospective provider or list of candidates, the evaluation and selection process can commence. Even in situations where only one provider is identified, it is important that the institution still evaluate that provider’s technical expertise, operating controls, financial condition, and management. When a larger group of candidates is being considered, the evaluations can be quantified and ranked to facilitate selection of a small number of the best-qualified providers.
The evaluation criteria are essential to the selection process and allow the financial institution to methodically review the candidates’ proposals. The overriding objective is to select the most qualified provider. Utilizing standard evaluation criteria assists in this selection effort. Some suggested evaluation criteria are:
- Compatibility of the service provider’s vision/value proposition with that of the bank.
- Ability to execute the vision/value proposition.
- Functionality of the service or system proposed. (Do the functional features meet the stated requirements?)
- Technology in terms of type, power, modularity, and ability to upgrade/refresh or scale.
- Service and support in terms of maintenance hours, response time, resolution time, security, disaster planning, and other service levels.
- Cost/Price.
- Financial stability of the vendor.
Depending on the situation and the outsourced activity, each of the above criteria may be given greater or less weight in the overall evaluation. Other criteria may be considered, as appropriate. In addition, bank management may consider on-site visits, reference checks, and inquiries with industry groups and peer institutions.
The following represent suggested practices that can facilitate the evaluation process:
- Be specific in all requests for information from candidates. Prioritize the requested information and indicate minimums and maximums for the length of response. A useful rule of thumb is that "You get what you ask for."
- Consider using numerical scores based on quality ranking factors. By using consistent scoring systems or metrics, objective evaluation standards can be applied. Make sure the quality ranking factors are aimed at achieving the bank’s goal.
- Determine minimum acceptable scores for the criteria used before rating the bids. Narrow the list of proposals by eliminating bids that do not meet the required minimums.
- Document the evaluation process and methodology used to score the respective proposals. It is generally a good practice to document requirements and priorities before starting the evaluation stage of a project.
- Consider conducting meetings and/or oral presentations where service providers can respond to questions and provide additional information.
- Consider ways to keep the process manageable. Depending on the complexity of the outsourced activity, the evaluation process can be time consuming and resource intensive.
- When working with a larger list of prospective candidates, narrow the group to a small number (e.g., two or three) to solicit "best and final" offers.
Negotiating the Contract
Communication with prospective providers can commence at various points in the evaluation and selection processes. For example, clarifications or requests for additional information may be needed to fully evaluate a proposal. Meetings and oral presentations may be useful to engage the provider in more detailed discussions. Informational meetings may also be useful to determine a provider’s willingness to depart from their original proposal in terms of price or services offered. Banks may also choose to engage multiple candidates in discussions concurrently to compare their responses.
After the selection process has narrowed the choice to one or a small number of strong candidates, negotiations with the provider(s) can help the bank finalize the terms of the contract. The negotiation process can help the bank establish terms that are agreeable to all parties and confirm that there is common understanding of the roles and responsibilities. Direct communication with the provider may help to determine whether organizational cultures are compatible and may provide an opportunity to interact with personnel who will play a key role in the future relationship.
Negotiating a contract is the final step in the procurement process. If a Request for Proposal was used or a Statement of Work was provided to the candidates to solicit their proposals, these documents can be directly incorporated into the contract. Key terms and conditions, as well as technical solutions and pricing, are generally established based on the proposal responses and final offers. A few points that might be useful in the contract negotiation and approval phases follow:
- As a general industry practice, information technology contracts are commonly set for a three- to five-year term. The shorter term enables the institution to reflect the pace of change in the technology industry.
- Prices indicated in the contract and service provider’s proposal can be more effectively considered when they are broken down by each category of service (workspace, network services, etc.) and for the technology services by platform group.
- It is useful to explicitly state all charges as part of the invoicing procedures, occupancy policy, communication protocols, additional test time, and annual increases. Specifying each additional increment of cost is important in order to minimize the financial risk of increased prices for additional or reduced workload.
- Many contracts contain exit clauses that allow the institution to cancel the contract for reasons such as a failure to perform.
- Service level agreements should be stated in the contract. (Further information on service level agreements is provided in a separate FDIC document on technology outsourcing.)
- Having a clear understanding of the current and anticipated future requirements of the outsourced service can allow the bank to obtain a long-term solution rather than a quick fix.
- Set a realistic time line for completing the contract negotiation process.
- Obtain a list of all key personnel and a list of any subcontractors, consultants, or third parties on which service delivery depends.
Summary
Selection of a competent and qualified service provider is perhaps the most critical part of the outsourcing process. The process of selecting a vendor and determining their qualifications may vary in its formality and requirements for time and resources. Key determinants of the process will be the bank’s foreknowledge of qualified providers and the number of candidates under consideration. Criteria for selection should be determined in advance to facilitate the evaluation process. Once a single or handful of qualified providers has been identified, further negotiations can help to finalize an agreement that is mutually beneficial.
The final outcome of the process should be the selection of a viable service provider that meets the procurement needs and objectives of the bank. Undertaking this commitment can provide significant benefits for complex information technology services or projects. Benefits include, but are not limited to, focusing the bank on the objective and strategic fit of the procurement, as well as facilitating due diligence in the selection of a service provider.
APPENDIX
Requests for Proposal (RFP) - Definition and Overview
A Request for Proposal is a tool that can be used to facilitate the selection of a qualified service provider and assist with the contracting process. The RFP can help a financial institution identify the best service provider(s) for their specific requirements by inviting competition, as service providers respond with a solution or combination of solutions, and the institution selects the most viable provider. The RFP can be particularly useful when bank management is seeking to create or expand a list of potential service providers or when projects are complex and represent a strategic or long-term enterprise investment.
The Process
The RFP process consists of a set of tasks that can be grouped into three major categories: development of a baseline, proposal preparation, and selection activities. The following are some of the many tasks that are generally part of the RFP and vendor selection process. The list is not intended to be all-inclusive, and the steps may either be expanded or contracted to meet the needs of any particular situation.
Development of a Baseline:
- Determine the purpose and goal of the procurement.
- Assign a proposal project team and an evaluation team.
- Plan the outsourcing project in terms of cost schedule, functional requirements, and resource requirements.
- Develop a "baseline" that represents a current "as is" description of the affected environment in terms of current cost, inventory of systems, and services.
- Develop a "needs assessment" which describes management’s assumptions on how to more effectively serve its customers.
- Determine the future requirements by analyzing anticipated needs and project objectives.
- Determine the disparity between the current environment and the future requirements in order to identify the gaps that need to be filled to get from the current environment to the desired environment.
The various tasks that comprise the baseline activity are designed to establish a clear picture of the goal and objective of the procurement. In addition, a detailed understanding of the current environment is typically established in order to determine if there is a gap between the current environment and future needs. Finally, this baseline understanding of cost and service levels is useful in conducting a cost/benefit or return on investment analysis.
Proposal Preparation:
- Develop the Statement of Work, a technical document that outlines basic requirements.
- Draft the RFP based on the contents of the Statement of Work.
Proposal preparation tasks are focused on defining the requirements, which are then presented in the form of a Statement of Work or similar document. The Statement of Work indicates desired services, the roles and responsibilities of each party, and the required service levels or performance standards.
A Typical RFP Format Includes the Following:
- Executive summary.
- Introduction:
  - Background on the financial institution and/or business division.
  - Scope of services being requested (e.g., web hosting, infrastructure outsourcing, disaster recovery, etc.).
  - Background on the business process, including current status, existing roles, and responsibilities of the people who will be working with the vendor.
  - Statement on the confidentiality of information.
- Overview:
  - Statement of mission/vision of the financial institution.
  - Statement of business objectives the institution wants to achieve.
  - Statement of scope in terms of which business functions, business units, applications, packages, geographies, and technology platforms are being covered by the RFP.
  - Role of the service provider.
- Project schedule:
  - Service provider RFP question deadline.
  - Service provider analysis meeting (optional).
  - Proposal due date. (Generally, according to industry practices, service providers need four weeks to respond comprehensively to anything other than simple configurations. Less time may result in poorer, less innovative and probably costlier solutions.)
  - Service provider demonstration day.
  - Contract negotiation.
  - Final decision.
  - Proposed implementation start date.
- Statement of Work:
  - Detailed technical requirements, describing the required business applications and their functionality, as well as the hardware and infrastructure platform and communications requirements for each outsourced area and operational configuration.
  - Transition, implementation, training, start-up, maintenance, and security requirements.
  - Performance criteria for success of solution.
  - Project management and service level reporting requirements.
  - Indication of performance/service level incentives and penalties.
[1] Technology service providers encompass a broad range of entities including but not limited to affiliated entities, nonaffiliated entities, and alliances of companies providing products and services. This may include but is not limited to: core processing; information and transaction processing and settlement activities that support banking functions such as lending, deposit-taking, funds transfer, fiduciary, or trading activities; Internet-related services; security monitoring; systems development and maintenance; aggregation services; digital certification services; and call centers. Other terms used to describe service providers include vendors, subcontractors, external service providers (ESPs), and outsourcers.