Outsourcing Policy and Procedures
Course: Corporate facility management, Amity University
1.1 INTRODUCTION

1.1.1

This policy applies to the outsourcing of a Material Business Activity.

1.1.2

Outsourcing involves entering into an agreement with another party (including a related body corporate) to perform, on a continuing basis, a business activity which currently is, or could be, undertaken by ourselves.

1.1.3

A Material Business Activity is defined as one that has the potential, if disrupted, to impact significantly on our business operations, reputation or profitability and the ongoing provision of fair and efficient Financial Services to our clients.

1.1.4

Material Business Activities do not include contractor-type relationships where there are numerous providers in the marketplace, contracts are short term, or switching contractors can be done quickly and easily.

1.1.5

Material Business Activities would usually include:

- Employment / Personnel services
- Comprehensive and broad management services covering supply of items such as staff, premises, IT etc.

1.1.6

The following services are not considered Material Business Activities:

- Computer hardware and network maintenance
- Bookkeeping, accounting and financial management services
- Receipting and banking functions, e.g. Macquarie DEFT
- Legal and tax advice
- Audit services
- Product assessment and analysis
- Miscellaneous and ad hoc business services
- Industry standard software programs, e.g. Broking Software, Client Software etc.

1.1.7

Our Responsible Manager(s) are the only staff authorised to make decisions on the selection of providers for outsourcing of a Material Business Activity.

1.1.8

Outsourcing has the potential to transfer risk management and compliance functions to Third Parties who are not themselves regulated. This raises the question of how we can be confident that we remain in charge of our business, in control of our business risks, and able to meet our regulatory responsibilities.

1.1.9

Outsourced Services are subject to the same management disciplines that would apply as if the service was not outsourced. It is important for us to recognise that outsourcing a business activity does not transfer all of the risks associated with that activity to the Service Provider.

1.1.10

Outsourced Services should ideally be the subject of documented agreements that include service level agreements, review processes, period of service, details of service, limitations on outsourcer activities, risk management requirements, financial and capacity issues, termination, insurance and dispute processes etc.

1.1.11

However it is recognised that in most situations we will be forced, due to commercial expedience, to accept the service terms and conditions of the supplier rather than imposing our own requirements on the supplier.

1.1.12

These Policy and Procedures have been developed in line with the requirements that APRA have detailed for the outsourcing of services.

UPDATES

1.1.13

These Policy and Procedures are updated on a regular basis. Any material changes to these Policy and Procedures will be advised by management either via Email or at our regular Staff meetings.

1.1.14

This document and its associated forms are accessible in soft copy via our computer network; we do not store them in hard copy. All information can be accessed immediately on the computer network, and the version held there is treated as the current version at all times.

1.1.15

When you see an opportunity to improve a procedure kindly make the suggestion known to your manager/supervisor as we all have a responsibility to improve our standards, individually and as a Company.

OUTSOURCING PRINCIPLES

1.2 POLICY

1.2.1

This policy provides a guide in assessing whether and how an activity can be appropriately outsourced.

1.3 RISK MANAGEMENT

1.3.1

We have incorporated the risks associated with outsourcing activities and the relationship with the Service Provider within our Risk Management program and this policy.

1.4 REGULATORY IMPACT ASSESSMENT

1.4.1

We must ensure that outsourcing arrangements neither diminish our ability to fulfill our obligations to customers or regulators, nor impede effective supervision by our regulators.

1.5 DUE DILIGENCE

1.5.1

Appropriate due diligence, as set out in the Outsourcing Selection Criteria (1.8.2), must be applied when considering the outsourcing of an activity and selecting third party service providers.

1.6 WRITTEN CONTRACTS

1.6.1

Outsourcing relationships should be governed by written contracts that clearly describe all material aspects of the outsourcing arrangement, including the rights, responsibilities and expectations of all parties.

1.7 CONTINGENCY PLANS

1.7.1

We should establish and maintain contingency plans, including a plan for disaster recovery and periodic testing of backup facilities. These have been implemented in our Information Technology Policy and Procedures and our Disaster Recovery Policy and Procedures.

1.8 CONFIDENTIALITY

1.8.1

We must take steps to ensure that service providers protect confidential information of both ourselves and our clients from intentional or inadvertent disclosure to unauthorized persons. This is addressed in our Privacy Policy and Procedures.

OUTSOURCING SELECTION CRITERIA

1.8.2

The selection of providers for Outsourced Services will be based on the following criteria:

- Length of experience and depth of expertise in the services being offered
- Requesting and assessing samples or other evidence of previous work
- Checking ASIC registers for any misconduct by directors (as required)
- Requesting Police, ITAS, Credit and Reference checks (as required)
- References from existing users of similar services
- Checking membership of a professional body or bodies
- Value for money
- Emphasis on service guarantees and deliverables
- Contractual arrangements consistent with this Outsourcing Policy and Procedures

OUTSOURCING REVIEW PROCESSES

1.8.3

The providers of Outsourced Services will be reviewed annually as part of the Business Planning Process. Such a review will include an assessment of the performance of the provider against the following criteria:

- Timeliness of service delivery
- Responsiveness to, and understanding of, industry trends and developments
- Communications standards, including the ability to advise in layman's terms
- Demonstrated level of expertise and quality of work provided
- Pricing and market competitiveness
- Possible conflicts of interest
- Dispute resolution performance
- Disaster recovery performance
- Changes in the business focus
- Overall delivery compared to expectations
- Possible impact on regulators' assessment of control and risk factors

OUTSOURCING ARRANGEMENTS

1.9 IDENTIFICATION AND DOCUMENTATION

1.9.1

All Outsourced Services will be clearly shown on our Organisation Chart.

1.9.2

Each Outsourced Service may have a Position Description created for it in the same way as if the service was being performed internally. The Position Description is filed with other documentation pertaining to the Service Provider.

1.9.3

Outsourced providers should be required to complete our Outsource Agreement Template where it is commercially practical to impose it.

1.9.4

A PowerPoint training resource (Outsourcing Overview) is available for all new staff explaining Outsourcing.

CONFLICT OF INTEREST

1.10 INTRODUCTION

1.10.1

1.10.2

Conflicts of Interest are circumstances where some or all of the supplier's interests are inconsistent with or divergent from our interests. These include conflicts that are actual or potential, and present and future. As a business we will use the concepts of Control, Disclosure and Avoidance to manage such risks. For further guidance please refer to our Conflicts of Interest Policy and Procedures. Key processes involved in the control of conflicts are:

- Identify conflicts of interest
- Assess and evaluate conflicts of interest
- Decide on and implement a response to the conflict
- Ensure our services to our clients are not significantly compromised

1.11 CONTROLLING CONFLICTS

1.11.1

We must ensure that our Financial Services are provided with fairness, honesty and professionalism. The quality of our Financial Services should not be significantly compromised by conflicts of interest created by the outsourcing of material business processes.

1.12 DISCLOSING CONFLICTS

1.12.1

We must ensure that all businesses engaged to provide services to us advise us of any conflicts of interest that may arise in relation to the provision of services to us.

1.13 AVOIDING CONFLICTS

1.13.1

Some conflicts of interest with suppliers may have the potential to have such a serious impact on us that they need to be avoided. In such cases control or disclosure will not adequately manage the conflict.

1.14 MANAGING CONFLICTS

1.14.1

All contractors engaged by the business, regardless of their level of involvement in business activities, should be asked to sign our Contractor Confidentiality Agreement to protect the business from potential conflicts.

RESOLVING DISPUTES AND BREACHES

1.14.2

It is expected that from time to time we will encounter issues with our outsourced activities that may lead to disputes or breaches. It is important that such matters are promptly addressed and rectified.

1.14.3

The critical priority in resolving such disputes or breaches is to ensure that they do not lead to:

- A failure of the business to provide fair, efficient and professional services to our clients
- A failure of the business to meet its legislative and code requirements
- The business suffering significant financial or operational losses

1.14.4

Where a dispute or a breach of contract arises with an Outsourced supplier, it is to be immediately referred to a Responsible Manager to settle.

1.14.5

The Responsible Manager will use their business skills and expertise to try to rectify the matter with the supplier. It is expected that 9 out of 10 issues with suppliers will be settled quickly and amicably in this fashion.

1.14.6

If the Responsible Manager is unable to rectify the matter satisfactorily with the supplier within 14 days then, depending on the nature and seriousness of the matter, the Responsible Manager will select one or more of the following alternatives:

- Accept the failure / breach of the supplier
- Refer the matter to relevant alternative dispute resolution facilitators
- Refer the matter to our legal advisers
- Recommend termination of the supply contract or agreement to the Board for their consideration
- Recommend to the Board supply of replacement services from an alternative supplier

POLICY AXIOMS

1.14.7

The commercial benefits of outsourcing non-core business functions must be balanced against the commercial and information security risks.

1.14.8

The risks associated with outsourcing must be managed through the imposition of suitable controls, comprising a combination of legal, physical, logical, procedural and managerial controls.

POLICY STATEMENTS

1.15 CHOOSING AN OUTSOURCER

1.15.1

Criteria for selecting an outsourcer shall be defined and documented, taking into account the:

- company's reputation and history;
- quality of services provided to other customers;
- number and competence of staff and managers;
- financial stability of the company and commercial record;
- retention rates of the company's employees;
- quality assurance and security management standards currently followed by the company (e.g. certified compliance with ISO 9000 and ISO/IEC 27001).

1.15.2

Further information security criteria may be defined as the result of the risk assessment (see next section).

10.2 ASSESSING OUTSOURCING RISKS

1.15.3

Management shall nominate a suitable owner for each business function/process outsourced. The owner, with help from the local Information Risk Management Team, shall assess the risks before the function/process is outsourced, using our standard risk assessment processes.

1.15.4

In relation to outsourcing specifically, the risk assessment shall take due account of the:

a) nature of logical and physical access to information assets and facilities required by the outsourcer to fulfill the contract;
b) sensitivity, volume and value of any information assets involved;
c) commercial risks, such as the possibility of the outsourcer's business failing completely, of them failing to meet agreed service levels, or of them providing services to our competitors where this might create conflicts of interest; and
d) security and commercial controls known to be currently employed by us and/or by the outsourcer.

1.15.5

The result of the risk assessment shall be presented to management for approval prior to signing the outsourcing contract. Management shall decide whether we will benefit overall by outsourcing the function to the outsourcer, taking into account both the commercial and information security aspects. If the risks involved are high and the commercial benefits are marginal (e.g. if the controls necessary to manage the risks are too costly), the function shall not be outsourced.

10.3 CONTRACTS AND CONFIDENTIALITY AGREEMENTS

1.15.6

A formal contract between us and the outsourcer shall exist to protect both parties. The contract shall clearly define the types of information exchanged and the purpose for doing so.

1.15.7

If the information being exchanged is sensitive, a binding confidentiality agreement shall be in place between us and the outsourcer, whether as part of the outsource contract itself or as a separate non-disclosure agreement (which may be required before the main contract is negotiated).

1.15.8

Information shall be classified and controlled in accordance with policy.

1.15.9

Any information received by us from the outsourcer which is bound by the contract or confidentiality agreement shall be protected by appropriate classification and labeling.

1.15.10

Upon termination of the contract, the confidentiality arrangements shall be revisited to determine whether confidentiality has to be extended beyond the tenure of the contract.

1.15.11

All contracts shall be submitted to Legal to be checked for accurate content, language and presentation.

1.15.12

The contract shall clearly define each party's responsibilities toward the other by defining the parties to the contract, effective date, functions or services being provided (e.g. defined service levels), liabilities, limitations on the use of sub-contractors and other commercial/legal matters normal to any contract. Depending on the results of the risk assessment, various additional controls should be embedded or referenced within the contract, such as:

- Legal, regulatory and other third party obligations such as data protection/privacy laws, money laundering etc.*
- Information security obligations and controls such as:
  - Information security policies, procedures, standards and guidelines, normally within the context of an Information Security Management System such as that defined in ISO/IEC 27001;
  - Background checks on employees or third parties working on the contract;
  - Access controls to restrict unauthorized disclosure, modification or destruction of information, including physical and logical access controls, and procedures for granting, reviewing, updating and revoking access to systems, data and facilities etc.;
  - Information security incident management procedures, including mandatory incident reporting;
  - Return or destruction of all information assets by the outsourcer after the completion of the outsourced activity, or whenever the asset is no longer required to support the outsourced activity;
  - Copyright, patents and similar protection for any intellectual property shared with the outsourcer or developed in the course of the contract;
  - Specification, design, development, testing, implementation, configuration, management, maintenance, support and use of security controls within or associated with IT systems, plus source code escrow;
  - Anti-malware, anti-spam and similar controls;
  - IT change and configuration management, including vulnerability management, patching and verification of system security controls prior to their connection to production networks;
- Our right to monitor all access to and use of facilities, networks, systems etc., and to audit the outsourcer's compliance with the contract, or to employ a mutually agreed independent third party auditor for this purpose;
- Business continuity arrangements including crisis and incident management, resilience, backups and IT Disaster Recovery.

* In the case of "offshore" outsourcing, special consideration must be given to the ramifications of transferring information between countries or jurisdictions, particularly where privacy and similar laws may conflict. Take qualified legal advice as a matter of course.

1.15.13

Although outsourcers that are certified compliant with ISO/IEC 27001 can be presumed to have an effective Information Security Management System in place, it may still be necessary for us to verify the security controls that are essential to address our specific security requirements, typically by auditing them.

10.4 HIRING AND TRAINING OF EMPLOYEES

1.15.14

Outsource employees, contractors and consultants working on our behalf shall be subjected to background checks equivalent to those performed on our own employees. Such screening shall take into consideration the level of trust and responsibility associated with the position and (where permitted by local laws) shall include:

- Proof of the person's identity (e.g. passport)
- Proof of their academic qualifications (e.g. certificates)
- Proof of their work experience (e.g. résumé/CV and references)
- Criminal record check
- Credit check

1.15.15

10.4.2 Companies providing contractors/consultants directly to us, or to outsourcers used by us, shall perform at least the same standard of background checks as those indicated above.

1.15.16

10.4.3 Suitable information security awareness, training and education shall be provided to all employees and third parties working on the contract, clarifying their responsibilities relating to information security policies, standards, procedures and guidelines (e.g. privacy policy, acceptable use policy, procedure for reporting information security incidents etc.) and all relevant obligations defined in the contract.

ACCESS CONTROLS

1.15.17

In order to prevent unauthorized access to our information assets by the outsourcer or sub-contractors, suitable security controls are required as outlined in this section. The details depend on the nature of the information assets and the associated risks, implying the need to assess the risks and design a suitable controls architecture.

1.15.18 ...
