Barclays Bank has made improvements to the way it manages the risks of outsourcing IT and business processes to third-party suppliers after creating a specialist audit unit.
The bank, which has relationships with 50 key suppliers and spends more than £4bn a year on services, created the unit 18 months ago to help it improve the way it controls and manages risk.
The unit, made up of nine audit staff, is helping the bank to identify potential risks in the way it manages suppliers, which in turn is helping the bank to get more from its outsourcing contracts, said Chris Spackman, head of third party audit at Barclays.
"We look at the management of key IT suppliers, how we manage the exposure of the group to a particular supplier, and the direct benefits from the arrangements.
"Often firms do a deal but do not then receive the full benefits. We want to ensure there are controls, actions and people in place to make sure we get the benefit of the arrangement," he said.
The unit has improved understanding among bank IT staff of the potential risks of outsourcing work to third parties and has helped them ensure that contracts contain clauses that enable the bank to better manage risks.
"Where we have dependency on key software suppliers, such as a small supplier responsible for a critical product, I would expect to have some very strong exit provisions, exit planning and an understanding of what you can do if the supplier fails," said Spackman.
The audit process ensuresBarclays has a plan for how to respond if a key supplier goes into liquidation or is unable to maintain critical software - for example, by agreeing escrow arrangements to give the bank access to code and documentation.
"Other controls are about driving value for money and looking at how we manage the risk of poor performance," said Spackman.
"Contract terms can be missing that allow you to address poor performance, and even if they are present their management might not be using them to manage the supplier."
The bank is also extending the auditing process to ensure that managers have an end-to-end view of the risks in the IT supply chain.
"It is important people do not look at auditing a supplier in isolation but at the whole supply chain," said Spackman.
"If you look at demand and capacity planning, it is important we think about end-to-end capacity and demand, so we do not pay more than we need for capacity."
Spackman added that the other side of the coin was to ensure that when extra IT capacity is needed this is communicated down the supply chain so that suppliers have the capacity to deliver it.