System and method for managing risks associated with outside service providers

US 7,809,595 B2
Filed: 09/17/2003
Issued: 10/05/2010
Est. Priority Date: 09/17/2002
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for an enterprise to assess risks associated with an outside service provider, the method comprising:

identifying, via an user interface, outside service provider information that describes the outside service provider;

storing the outside service provider information in a database;

identifying, via the user interface, resource information that describes resources of the enterprise associated with services provided by the outside service provider;

storing the resource information in the database;

assessing, via computer server, a risk on the enterprise from a degradation of the services from the outside service provider, wherein assessing the risk on the enterprise comprises assessing a business risk on the enterprise and assessing a country risk on the enterprise,wherein assessing the business risk on the enterprise further comprises;

assessing an impact on external customers of the enterprise resulting from the degradation of the services from the outside service provider;

assessing an impact on internal customers of the enterprise resulting from the degradation of the services from the outside service provider, wherein the internal customers of the enterprise include at least a customer implementing one or more internal applications of the enterprise;

assessing a financial impact resulting from the degradation of the services from the outside service provider;

assessing an allowable time period that the degradation of the services from the outside service provider can last; and

assessing an impact on regulatory obligations resulting from the degradation of the services from the outside service provider, wherein the impact on regulatory obligation includes a financial penalty;

storing the assessment in the database;

automatically determining, via the server, a criticality of the outside service provider in response to the assessment;

storing the criticality in the database; and

providing, via the user interface, status data from the database, wherein the status data comprises at least one of a status of;

the resource information;

the assessment; and

the criticality.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method for assessing the risk associated with Outside Service Providers. A decision engine is provided to assess monitor and manage key issues around the risk management capabilities of the OSP. The system creates a core repository that manages, monitors and measures all OSP assessments across an institution (e.g., a corporation). The system and method employs automated questionnaires that require responses from the user (preferably the manager of the OSP relationship). The responses are tracked in order to evaluate the progress of the assessment and the status of the OSP with respect to compliance with the enterprise'"'"'s requirements for OSPs. Once a questionnaire has been completed, the OSP can be given an overall rating of exposure to various forms of risk. Areas of risk can be acknowledged, prompting a sensitivity rating, such as severe, negligible and so forth. Once risk is acknowledged, a plan for reducing the risk or bringing the OSP into compliance can be formulated, and progress towards compliance can be tracked. Alternatively, an identified exposure to risk can be disclaimed through the system, which requires sign off by various higher level managers and administrators.

1015 Citations

28 Claims

1. A computer-implemented method for an enterprise to assess risks associated with an outside service provider, the method comprising:
- identifying, via an user interface, outside service provider information that describes the outside service provider;
  
  storing the outside service provider information in a database;
  
  identifying, via the user interface, resource information that describes resources of the enterprise associated with services provided by the outside service provider;
  
  storing the resource information in the database;
  
  assessing, via computer server, a risk on the enterprise from a degradation of the services from the outside service provider, wherein assessing the risk on the enterprise comprises assessing a business risk on the enterprise and assessing a country risk on the enterprise,wherein assessing the business risk on the enterprise further comprises;
  
  assessing an impact on external customers of the enterprise resulting from the degradation of the services from the outside service provider;
  
  assessing an impact on internal customers of the enterprise resulting from the degradation of the services from the outside service provider, wherein the internal customers of the enterprise include at least a customer implementing one or more internal applications of the enterprise;
  
  assessing a financial impact resulting from the degradation of the services from the outside service provider;
  
  assessing an allowable time period that the degradation of the services from the outside service provider can last; and
  
  assessing an impact on regulatory obligations resulting from the degradation of the services from the outside service provider, wherein the impact on regulatory obligation includes a financial penalty;
  
  storing the assessment in the database;
  
  automatically determining, via the server, a criticality of the outside service provider in response to the assessment;
  
  storing the criticality in the database; and
  
  providing, via the user interface, status data from the database, wherein the status data comprises at least one of a status of;
  
  the resource information;
  
  the assessment; and
  
  the criticality.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17)
- - 2. The method of claim 1, wherein the step of assessing the country risk on the enterprise further comprises:
    - identifying countries in which the outside service provider operates; and
      
      determining a country impact risk associated with the identified countries, wherein the step of automatically determining the criticality is also in response to the country impact risk.
  - 3. The method according to claim 2, wherein the step of determining a country impact risk associated with the identified country further comprises:
    - collecting economic condition information with respect to the identified country;
      
      storing the economic condition information in the database;
      
      collecting social condition information with respect to the identified country;
      
      storing the social condition information in the database;
      
      collecting political condition information with respect to the identified country;
      
      add storing the political condition information in the database.
  - 4. The method according to claim 1, wherein at least one of the resources of the enterprise includes at least one software application employed by the enterprise.
  - 5. The method according to claim 1, further comprising:
    - assigning specific people to fulfill roles with respect to management of a relationship with the outside service provider, wherein the roles include at least one of information owner and information risk manager.
  - 6. The method according to claim 5, further comprising:
    - receiving acknowledgements of the acceptances of the assignments from the specific people.
  - 7. The method according to claim 5, further comprising:
    - assigning alternate people to fulfill the roles.
  - 8. The method according to claim 5, wherein the role of the information owner comprises at least one of:
    - obtaining from the outside service provider copies of financial and non-financial audit reports;
      
      obtaining documentation describing the outside service providers procedural, physical access, logical access and business recovery controls;
      
      requiring notification by the outside service provider of any organization, security-related and other changes affecting the availability, confidentiality, or integrity of the services provided by the outside service provider; and
      
      initiating a risk assessment process.
  - 9. The method according to claim 5, wherein the role of information risk manager comprises at least one of:
    - maintaining an updated list of outside service providers used by the enterprise; and
      
      allocating resources for the outside service provider assessment process.
  - 10. The method according to claim 1, wherein all of the steps of the method are facilitated using a software application, the method further comprising:
    - generating data input screens for accepting input from a user; and
      
      providing drop down boxes on the data input screens in order to facilitate selection of predefined information.
  - 11. The method according to claim 1, further comprising assessing a recovery plan of the outside service provider.
  - 12. The method according to claim 11, wherein the assessment of the outside service provider recovery plan further comprises:
    - questioning a developer of the recovery plan as to whether it has required elements; and
      
      developing a corrective action plan to address missing required elements.
  - 13. The method according to claim 12, wherein the required elements include:
    - an alternate site for providing the services; and
      
      a business continuity plan for resumption of the services at the alternate site.
  - 14. The method according to claim 1, wherein the step of providing status data further comprises:
    - providing status data on the enterprise level;
      
      providing status data on a line of business level; and
      
      providing status data on a department level.
  - 15. The method according to claim 1, wherein the enterprise has policies and procedures for protecting an integrity of provision of services, the method further comprising assessing a compliance of the outside service provider to the policies and procedures.
  - 16. The method according to claim 15, further comprising developing a corrective action plan if the outside service provider is not in compliance, the corrective action plan containing steps required to bring the outside service provider into compliance.
  - 17. The method according to claim 16, further comprising obtaining an acknowledgement by management of the enterprise of risk associated with the non-compliance of the outside service provider.

18. A system for an enterprise to assess risks associated with an outside service provider comprising:
- a user interface for interfacing with users of the system;
  
  at least one computer database server and at least one computer application server coupled to the user interface; and
  
  at least one database and at least one application respectively coupled to the computer database server and the computer application server;
  
  wherein the system is programmed to;
  
  accept outside service provider information that describes the outside service provider;
  
  store the outside service provider information in a database;
  
  accept resource information that describes resources of the enterprise associated with services provided by the outside service provider;
  
  store the resource information in the database;
  
  assess an impact risk on the enterprise from a degradation of the services from the outside service provider, wherein assess the risk on the enterprise comprises assessing a business risk on the enterprise and assess a country impact risk on the enterprise,wherein assessing the business risk on the enterprise comprises;
  
  an assessment of an impact on external customers of the enterprise resulting from the degradation of the services from the outside service provider;
  
  an assessment of an impact on internal customers of the enterprise resulting from the degradation of the services from the outside service provider wherein the internal customers of the enterprise include at least a customer implementing one or more internal applications of the enterprise;
  
  an assessment of a financial impact resulting from the degradation of the services from the outside service provider;
  
  an assessment of an allowable time period that the degradation of the services from the outside service provider can last; and
  
  an assessment of an impact on regulatory obligations resulting from the degradation of the services from the outside service provider, wherein the impact on regulatory obligation includes a financial penalty;
  
  store the assessment in the database;
  
  automatically determine a criticality of the outside service provider in response to the assessment;
  
  store the criticality in the database; and
  
  provide status data from the database, wherein the status data comprises at least one of a status of the resource information, the assessment, and the criticality.
- View Dependent Claims (19, 20, 21, 22, 23, 24, 25, 26, 27, 28)
- - 19. The system of claim 18, wherein the assessment of the country impact risk on the enterprise further comprises:
    - accept countries in which the outside service provider operates; and
      
      determine a country impact risk associated with the countries, wherein the step of automatically determining the criticality is also in response to the country impact risk.
  - 20. The system according to claim 18, wherein at least one of the resources of the enterprise includes at least one software application employed by the enterprise.
  - 21. The system according to claim 18, wherein the database further includes:
    - an assignment of specific people to fulfill roles with respect to management of a relationship with the outside service provider, wherein the roles include at least one of information owner and information risk manager.
  - 22. The system according to claim 21, wherein the database further includes:
    - acknowledgements of the acceptances of the assignments from the specific people.
  - 23. The system according to claim 21, wherein the database further includes:
    - an assignment of alternate people to fulfill the roles.
  - 24. The system according to claim 18, wherein the system is further programmed to assess a recovery plan of the outside service provider.
  - 25. The system according to claim 24, wherein the user interface is used to collect responses from the developer of the recovery plan as to whether it has required elements, and to collect a corrective action plan to address missing required elements.
  - 26. The system according to claim 25, wherein the required elements include:
    - an alternate site for providing the services; and
      
      a business continuity plan for resumption of the services at the alternate site.
  - 27. The system according to claim 18, wherein the status data further comprises:
    - status data on the enterprise level;
      
      status data on a line of business level; and
      
      status data on a department level.
  - 28. The system according to claim 18, wherein the user interface further comprises:
    - data input screens for accepting input from a user; and
      
      drop down boxes on the data input screens in order to facilitate selection of predefined information.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
JP Morgan Chase Bank, N.A. (JP Morgan Chase & Co)
Original Assignee
JP Morgan Chase Bank, N.A. (JP Morgan Chase & Co)
Inventors
Breslin, Jodi, Borgia, Evelyn, de Gottal, Graham
Primary Examiner(s)
Sterrett; Jonathan G.
Assistant Examiner(s)
MANSFIELD, THOMAS L

Application Number

US10/664,283
Publication Number

US 20040128186A1
Time in Patent Office

2,575 Days
Field of Search

705/7, 705/11
US Class Current

705/7.28
CPC Class Codes

G06Q 10/06311   Scheduling, planning or tas...

G06Q 10/0635   Risk analysis of enterprise...

G06Q 10/10   Office automation; Time man...

G06Q 40/08   Insurance

System and method for managing risks associated with outside service providers

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

1015 Citations

28 Claims

Specification

Use Cases

Quick Links

Others

System and method for managing risks associated with outside service providers

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

1015 Citations

28 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others