What are the risks of IT outsourcing and how to prevent them?

In controlling the risks and safety of IT outsourcing, we should have a clear head, a plan in hand and control skills, and establish three lines of defense: prevention in advance, control in the process and post supervision.

(1) Prevention in advance

In daily work, early warning signs of outsourcing risk appear in many forms. If they are not found in time, not corrected immediately, or are treated with complacency once found, a mistake becomes a case, causing losses and a high price for correction. Therefore, the focus of risk control is to nip risks in the bud.

1. Develop an IT outsourcing strategy. The Guidelines on Information Technology Risk Management of Banks and the Guidelines on Outsourcing Risk Management of Commercial Banks, issued by the China Banking Regulatory Commission, set out requirements for outsourcing business. Focusing on how IT outsourcing can promote the development of the company's technology business, the safe operation of information systems and the management level of the technology business, the company should align closely with its business development plan, comprehensively weigh the benefits and risks of outsourcing, decide which IT business to outsource, and formulate the IT outsourcing strategic plan.

2. Establish an IT business risk and safety management system. The system should have a unified framework, unified standards, unified measures, and unified supervision and management. Its contents should include information technology business risk and safety management strategies, management systems and norms, technical standards, guidelines, processes, operation manuals, etc. The risk and safety management system should guide the development of the company's IT business risk and safety management and make it conform to relevant international and domestic safety standards and Chinese laws and regulations; form an information technology risk and safety management mechanism within the company to ensure the protection of all information technology resources and assets of the company; make clear the indicators and principles for information system protection, detection and emergency recovery in information technology risk and safety management, and the measures to deal with violations; and put forward relevant security constraints on cooperative organizations, business partners, contractors and service providers.

3. Do a good job in IT business risk and safety awareness and training. By holding training courses and seminars, sending emails, giving away newspapers and periodicals, etc., provide the company's scientific and technical personnel and business personnel with knowledge of IT business risks and security. Through continuous training and learning, employees should master the company's IT business risk and security management system and norms, improve their awareness of risk and security prevention, and actively participate in information technology risk and security prevention, forming a risk management culture in which all employees participate in information technology security management.

4. Establish an IT outsourcing supplier information management system and design a scientific and comprehensive risk index evaluation system. Sima has a famous saying: what kind of indicators there are, what kind of results there are. Establishing a scientific evaluation index system for IT outsourcing suppliers is conducive to unifying the IT business development goals of suppliers and banks. The index system needs to start from the aspects of quality, cost, delivery, service, technology, assets, process, etc., and determine the key information about outsourcing suppliers, such as establishment and listing time, industry experience, scale, safety, manpower, finance, problem response time, product insurance, corporate culture, various certifications, etc. The 3K (KCS, KCSA, KRI) indicators should be designed in detail, and each indicator should be given a corresponding score. Through the outsourcing supplier information management system, the designed evaluation indicators are incorporated into the system, and all aspects of outsourcing suppliers and their supply chains are recorded in detail. Through systematic statistical analysis, the service ability of outsourcing suppliers can be scientifically and effectively evaluated.

(2) Control in the process

Once the bank has signed a contract with the outsourcing partner, the project officially enters the stage of cooperative operation. In the daily operation of IT projects, banks, as Party A, should do the following work well.

1. Seriously implement the system and constantly improve it.

Analysis of risk, security and criminal cases involving bank computer systems shows that most of them are caused by non-compliance with rules, regulations and business processes. This requires banks to enforce the system strictly and to hold violators accountable; otherwise the system norms that have been formulated will be ineffective. At the same time, banks should also pay attention to the standardized construction of the risk and safety management system of IT outsourcing suppliers, and to planning, building and managing it in step with the information systems, so that it can be adjusted, revised and supplemented in time according to the development of bank information technology business, changes in the environment, and the replacement and innovation of central work.

2. Choose a suitable outsourcing supplier and sign a cooperation contract.

Signing a contract is an inevitable risk of IT outsourcing. Therefore, it is necessary to find qualified IT service providers, make inquiries and obtain quotations, determine through bidding the suppliers suitable for the company's technology and business development, and cooperate with the legal department to formulate and sign the outsourcing contract text, so as to reasonably avoid and prevent contract risks.

3. Strengthen cooperation and communication with outsourcing suppliers.

Once the project is signed and started, the bank, as Party A, should provide office conditions for project research and development, let the outsourcer come to work in the bank as soon as possible, and give the outsourcer's staff the necessary help as it would its own colleagues. At the same time, the bank's scientific and technical personnel and business personnel should participate in the project construction. This not only makes the bank's own technical and business personnel familiar with the technical performance and business functions of the products, but also facilitates communication about problems during project research and development and allows the progress and quality of the project to be tracked throughout, so that the software project is completed and put into production with high quality within the specified time and satisfies the project stakeholders.

4. Establish a service evaluation system for outsourced suppliers.

Outsourcing and subcontracting are common in many outsourcing companies, especially multinational companies. This reduces the transparency and traceability of the supply chain, intentionally or unintentionally creates loopholes, and increases the risks of the supply chain. Therefore, it is necessary to use daily performance tracking and regular evaluation to get a deeper understanding of outsourcing suppliers and their supply chains, avoid information asymmetry, and facilitate the establishment of the outsourcing supplier information management system. Based on the tracking records of relevant performance, the performance of suppliers is comprehensively evaluated so that the work of outsourcers is assessed fully and correctly.

5. Plan and control project construction.

In order to avoid frequent personnel changes, project delays, incomplete technical documents and inadequate support services after the system goes online, the bank's scientific and technical personnel are required to establish a communication mechanism for project progress and quality control with the outsourcing project manager and project team members (such as a weekly meeting, a weekly project report and a problem tracking management report). They should regularly monitor and measure the project progress, identify whether there is any deviation from the plan, find problems in time, give feedback on problems, understand the reasons, solve problems, and ensure the realization of project objectives.

6. Establish an emergency management mechanism to maintain business continuity.

You can't guard against every risk, but you can find problems quickly, think about solutions in advance, and mobilize all options. This is the essence of risk and safety management. Banks should formulate feasible emergency management plans for outsourcing suppliers. Project outsourcing will make banks rely on outsourcing suppliers. If the outsourcing supplier fails to fulfill the contract as scheduled, the consequences caused by the interruption of banking business must be highly valued. This requires banks to strictly review the implementation plans provided by outsourcing suppliers and formulate emergency plans for outsourcing suppliers who fail to perform contracts or have emergencies.

(3) Post supervision

After the completion of the outsourcing project, the relevant functional departments of the bank shall inspect and audit the whole process of the outsourcing project, from project establishment and bidding through construction and commissioning, mainly covering the following aspects.

1. Combine with the improvement of rules and regulations to institutionalize all work.

In the process of post-event supervision, we should strengthen the inspection of whether the IT outsourcing system is sound, scientific and effective, and in line with the actual work, and constantly improve the rules and regulations to make the outsourcing work rule-based and institutionalized.

2. Combine rewards and punishments to maintain the seriousness of laws and regulations.

Appropriate punishment can promote the responsible person to correct mistakes, strengthen the concept of laws and regulations, and better promote the work. According to the established IT outsourcing risk and safety management system, check whether all the work in the project outsourcing process is carried out according to the system. In view of the problems found, find out the reasons, punish those who violate the rules, commend those who do well, and make clear the rewards and punishments, so as to maintain the seriousness of the system.

3. Combine with internal audit and formulate an external audit strategy.

While doing a good job of internal audit, we can also invite external audit institutions to conduct a comprehensive assessment of the risk and safety management capabilities of external contractors and companies in the outsourcing supply chain.

4. Combine with standardized management to proceduralize business operations.

Post-event supervision should go deep into the front line of science and technology business, conscientiously implement standardized operation procedures, start with details, find out deficiencies, plug loopholes, and promote the institutionalization, proceduralization and standardization of outsourcing supplier management.

5. Combine with the content of IT services and do a good job of supervising and managing multiple outsourcers.

Regularly supervise and re-evaluate outsourcing risks, and incorporate the collected information and evaluation results into the outsourcing supplier information management system. Manage suppliers through contracts and SLA agreements, review outsourcing contracts regularly, and modify contracts and re-establish outsourcing service standards in a timely manner according to the needs of the environment and banking business development.

Generally speaking, IT outsourcing should be carried out within the scope of national laws and regulations and the company's system norms. It is necessary to establish and improve the information disclosure, inspection, supervision and assessment mechanism in the process of information technology outsourcing, and establish a fully functional outsourcing supplier information management system to effectively prevent information technology outsourcing risks and ensure information security.
