Service Provider Management

Norges Bank Investment Management procures a range of services from service providers as an alternative to retaining internal expertise and capacity to support the delivery of these services. Both initial and ongoing cost-benefit analysis and due diligence must support the chosen sourcing strategy.

Issued 7 December 2010
Last updated 15 December 2017


The purpose of this policy is to outline the principles for management of third-party entities delivering services (“Service Providers”) to Norges Bank Investment Management (NBIM). The objective is to ensure high-quality service deliveries and reduce overall risk related to Service Providers through onboarding and continuous monitoring.

This policy covers all providers with the exception of External Fund Managers, which are regulated in a separate policy.


The level of Service Provider Management shall be based on the provider's criticality and risk level. NBIM strategy shall guide when to outsource, in-source, and when to procure systems or services. Service Provider Management activities shall be further detailed in internal guidelines, and adhered to by all employees.


  • All Service Providers shall be rated based on criticality and risk.
  • Criticality rating shall take into account the strategic importance of the delivery.
  • Risk rating shall reflect compliance and regulatory risk, and include an assessment of the country risk where the delivery originates.


NBIM shall communicate and inform Service Providers of the Conduct of Business Code for Providers of Goods and Services.


NBIM shall, throughout the duration of an outsourcing agreement, retain sufficient competence and capacity in-house to be able to effectively monitor and control the external service.


  • NBIM shall maintain an overview of all selected Service Providers.
  • All Service Providers shall be assigned a relationship owner. The relationship owner shall retain responsibility for risks and controls related to the service delivery, and manage the risk according to the Operational Risk Management Policy.
  • Operational review, due diligence and security reviews shall be conducted during onboarding and otherwise in accordance with the risk and criticality classification.
