Barclays Bank has made improvements to the way it
manages the risks of outsourcing IT and business processes to
third-party suppliers after creating a specialist audit
unit.
The bank, which has relationships with 50 key suppliers and
spends more than £4bn a year on services, created the unit 18
months ago to help it improve the way it controls and manages
risk.
The unit, made up of nine audit staff, is helping the bank to
identify potential risks in the way it manages suppliers, which in
turn is helping the bank to get more from its outsourcing
contracts, said Chris Spackman, head of third party audit at
Barclays.
"We look at the management of key IT suppliers, how we manage
the exposure of the group to a particular supplier, and the direct
benefits from the arrangements.
"Often firms do a deal but do not then receive the full
benefits. We want to ensure there are controls, actions and people
in place to make sure we get the benefit of the arrangement," he
said.
The unit has improved understanding among bank IT staff of the
potential risks of outsourcing work to third parties and has helped
them ensure that contracts contain clauses that enable the bank to
better manage risks.
"Where we have dependency on key software suppliers, such as a
small supplier responsible for a critical product, I would expect
to have some very strong exit provisions, exit planning and an
understanding of what you can do if the supplier fails," said
Spackman.
The audit process ensuresBarclays has a plan for how to respond
if a key supplier goes into liquidation or is unable to maintain
critical software - for example, by agreeing escrow arrangements to
give the bank access to code and documentation.
"Other controls are about driving value for money and looking at
how we manage the risk of poor performance," said Spackman.
"Contract terms can be missing that allow you to address poor
performance, and even if they are present their management might
not be using them to manage the supplier."
The bank is also extending the auditing process to ensure that
managers have an end-to-end view of the risks in the IT supply
chain.
"It is important people do not look at auditing a supplier in
isolation but at the whole supply chain," said Spackman.
"If you look at demand and capacity planning, it is important we
think about end-to-end capacity and demand, so we do not pay more
than we need for capacity."
Spackman added that the other side of the coin was to ensure
that when extra IT capacity is needed this is communicated down the
supply chain so that suppliers have the capacity to deliver it.