Sourcing and service provider management
The purpose of this policy is to outline principles and specific requirements for sourcing including procurement, outsourcing and service provider management activities. This is to ensure that Norges Bank Investment Management (NBIM), through using robust procedures and practices, obtain strategically fit and cost-effective solutions by selecting the most economically advantageous tender and ensure high quality service deliveries from service providers and reduce overall risk from service providers through on-boarding and continuous monitoring. This policy covers all providers except for External Fund Managers which are regulated in a separate policy.
Issued 22 June 2011
Last updated 7 June 2022
Sourcing and service provider management in NBIM must comply with the Norwegian Act on Public Procurement (Act) and its regulations (Regulations). All providers shall be treated equally and with predictability and transparency. Procurements are subject to competition and contracts shall be awarded on the basis of objective and non-discriminatory criteria.
- All purchases of goods and services are subject to the Act and its Regulations, and increasingly detailed procedural requirements apply as the value of the contract exceeds certain threshold values.
- Procurement competition shall be conducted in a manner proportionate to the value and complexity of the contract.
- The procurement process shall be competitive and transparent.
- All purchases shall as a general rule be initiated through raising a business case.
- The business case forms the basis for justification of purchase in relation to budget and strategic needs.
- Award of contracts shall be based on objective criteria relating to the delivery.
- Written records of the procurement processes, including the main award assessments and protocol (where required), shall be maintained in accordance with archiving requirements.
- All procurements shall be documented in writing through legally binding contracts. All contracts shall comply with Policy on Safeguarding of Legal Interest.
- All awarded providers shall be subject to risk based due diligence.
- The estimated contract value of all procurements shall be accurately and reasonably estimated in accordance with the specific rules that apply under the Act and Regulations, and the appropriate procedure shall be used.
- Providers shall be allowed access to the same type of information, be given equal deadlines, and be assessed according to the same notified and appropriate award criteria.
- Relevant and legitimate qualification criteria and award criteria shall be used with relative weighting or priority ascribed.
- Outsourcing should only be used when consistent with NBIM strategy and awarded to service providers who are able to perform the service on an ongoing basis.
- A financial, operational and risk based due diligence analysis shall be performed prior to outsourcing of processes and shall be approved by executive management.
- Privacy protection and data handling requirements shall be considered for suppliers of IT systems and solutions.
- NBIM shall throughout the duration of an outsourcing agreement, retain sufficient competence and capacity in-house to be able to effectively monitor and control the external service.
Service provider risk management
- NBIM shall communicate and inform service providers of the Conduct of Business Code for Providers of Goods and Services.
- All service providers shall be rated based on criticality and risk. This rating shall take into account the strategic importance of the delivery.
- Risk rating shall reflect compliance and regulatory risk and include an assessment of the country risk where the delivery originates.
- Operational review, due diligence and security reviews shall be conducted when engaging with new service providers and otherwise in accordance with the set risk and criticality classification.
Service provider monitoring
- NBIM shall maintain an overview of all selected service providers and related services.
- All service providers shall be assigned a relationship owner. The relationship owner shall retain responsibility for risks and controls related to the service delivery.
- All service providers shall be monitored at regular intervals for any changes to compliance and regulatory risk level.