Value chain-based sourcing of IT, part 2

In the first part of this post I stated that the continuous drive to reduce IT cost by standardization will come to a point where the reduced IT cost are outstripped by the ‘damage’ it causes to the business. The drive for standardisation is further increased by the commonly used method to scope outsourcing contracts. In this post I provide an scoping approach which I believe will gain substantially in the coming years: selective sourcing contracts with a scope derived from differentiated business demands.

The importance of accountability towards the Business regarding the quantitative and qualitative added value of IT will only increase more and more. The Business demands to know how IT supports the opportunities and risks the Business faces due to increasing complexity, competition, globalization and other trends. It is up to the Business to provide insight in the opportunities and risks it faces, while the IT organization is responsible to translate them into IT value and risk drivers. These drivers guide the IT organizational change, investment decisions and sourcing strategy.

One should look more from a business perspective towards the IT value chain and subsequently provides concrete adjustments which allow for sustainable improvement (including definition of the sourcing strategy). This is the first step leading to a fully transparent business IT alignment (see illustration).

The transparency of Business IT alignment is the foundation to connect the performance of the IT organization with the actual demand of the business processes. The results of this approach: more added value for the Business and a more cost-effective IT organization, which invests in innovations which really count. Tomorrow’s IT organization is able to demonstrate accountability over its performance as an integral contribution to the overall performance of the company. An example:

The IT department of a high tech company thought it could reduce cost by applying the same service levels for both R&D and Manufacturing. By doing this they overlooked the elemental differences in demands of both functions. The R&D departments got higher availability service levels than required, but were not able to get access to the latest state-of-the-art hardware to design and test their new products.

In this example the R&D departments were supplied with higher than required service levels at the cost of the capability to innovate, outsourcing was the catalyst. By the introduction of generic IT services it would be easier to find a suitable vendor, allowing the IT organization to meet its cost saving target. The negative impact on the business however, was estimated as being zilch until it was too late.

Outsourcing without making an adequate assessment of its impact on the organization as a whole, opens the door to a disappointment. For this reason one should look from the initial start beyond a superficial business case. It necessary to benefit as an organization as a whole in terms of more value and a lower or equal risk profile. Only then an outsourcing contract can be truly successful. A concrete example is the usage of Real Options for assessing sourcing scenario’s. Real Options allow the dynamics of both Business and IT to be quantified, providing a more realistic estimation of the potential value of the business case. Balancing IT value and Business value is depicted schematically in the illustration below.

Value chain-based sourcing of IT, part 1

As pointed out in the post below this one is the scope of IT outsourcing contracts typically driven by the IT internal focus to cut cost. Cutting cost can be achieved by economies of scale and standardization of similar activities and assets. This means that the scope of typically outsource contracts is defined in terms of infrastructure support, network support, datacenter facility management, application development or application support.

This ‘horizontal’ orientation his however not aligned with the requirements of the business processes (see illustration). Their needs cut through the horizontal IT service and process stacks. Business managers which see themselves confronted with a supply that does not match their needs triggers unhappy faces towards the IT department and the start of a creative process to get the IT services they want. The result is that business managers will work their way around the standard service catalogue by hiring their own IT staff or getting (additional) services from other vendors. I have seen it happening with a Business Unit of a large Dutch bank/insurer where the central IT department got so sluggish and unresponsive to any request that was not in the standard catalogue that the BU built its own datacenter. So far for IT efficiency by centralisation/outsourcing…

Standardisation is good, but I believe that it has gone too far in many situations. Being tied to a long term contract with an external service provider which allows only for flexibility when the client pays serious $$ is not the way to go. The market requires companies to act faster and more agile as ever before and I think that we are at the top of the ‘standard’ outsource and shared service cycle. Large companies with experience in IT outsourcing will move more towards selective sourcing arrangements. These companies can generate economies of scale by themselves and don’t need an external service provider anymore. AEGON is an example of a company which decided to insource their infrastructure services again after having EDS/HP taking care of it for more than a decade. I guess that EDS/HP has optimized as best as they could and now AEGON wants to be fully in control again by itself.

This company can achieve enough economies of scale by itself and has learned from EDS/HP everything there is to learn about managing infrastructure for operational excellence. Insourcing after outsourcing allows AEGON to combine the low cost experience and setup of their infrastructure with the advantages of being in full control again.

Full outsourcing of infrastructure, application development and the like will however continue (at least for a while). There are enough companies which have a smaller IT department or are new to IT outsourcing. They are the customers of tomorrow, but as said before do I expect a shift from large scale ‘horizontal’ scope outsourcing to selective scope contracts which balance better the needs/objectives of both the IT department and business units/processes.

To define the scope of selective sourcing contracts and services which can be standardised without hurting the business, principles of value-based management and risk management can be used. The approach allows the IT organisation improve its accountability towards the business by aligning its IT services with the opportunities and risks the business managers face every day. I will describe this approach in the second part of this post.

IT sourcing practises damage business IT alignment

IT-organisations are more than ever before under pressure to cut their cost. Many business managers see IT as a cost centre which adds limited value. And activities with a limited perceived value are the ones which get the highest cost reduction targets.

In reality does IT add a lot of value, but the typical IT organisation is not able to sell that message. It starts with the subjects IT talks about with the business. In 9 out of 10 cases is IT uses to automate manual activities resulting in a cheaper and faster business process. So using IT using to reduce cost.

The IT organisation increases this perception by organising itself into functional silo’s in an attempt to increase internal efficiency. So all network engineers in one department and all application developers in another. To improve standardisation and efficiency even further best practises and models like Cobit (IT governance), BiSL (information management), ASL (development), CMMi (development), ITIL (operations) and ISO20000 (operations) are implemented to standardise processes and control.

This ‘horizontal’ design allows for maximum efficiency from an internal IT perspective. It is therefor not more than logical that this approacg is also reflected within the sourcing strategy: the network infrastructure or application development is being outsourced, again to optimize the IT budget (typically forgetting the trade off between positive effect on IT value versus negative effect on business value).

The IT value created from a business perspective cuts vertically through the horizontal IT ‘ stacks’ and process models (from information mgt to development to operations). One can however seriously doubt whether the actual business demand will survive a collision with all the standard process models and best practises. I have seen change management procedures which have 15 control and decision making steps. Nothing moves anymore within such organisations and IT people are keeping each other and the business busy with procedures and templates. In the mean while is the business getting more and more frustrated with the IT.

By the continuing increase of standardisation, among other driven by outsourcing, get the real demands of the business forgotten, damaging the perception of IT as a value centre. In many cases do the business managers trying to sell the product in the front office (KPIs: flexibility, time-to-market) the same IT service as the business manager running the back office (KPIs: low cost, high volume). The result is a vicious cycle of business managers getting unhappier with the IT services delivered, leading to even more pressure to cut cost (the balance shifts too far to the right in the illustration below).

I expect myself that the whole trend of standardisation might be at the top of its cycle and that business units will soon start demanding more tailor made IT services again. Either the centralised/shared IT organisation starts to break down some of its walls are the decentralised business units will start building their own IT organisation again to compensate the mismatch between demand and supply.

This also means that IT organisations have to rethink their current sourcing practises as outsourcing per horizontal stack limits the ability to align its value chain to the business value chain.

From procurement function to sourcing function

Procurement as a business discipline has matured over the past few decades. The times are over of procurement as an intermediary functions that records agreements with suppliers and supervises their fulfilment. That is too limited a view in today’s business environment, where management is confronted with a multitude of issues impacting on the role and responsibilities of procurement.

 It has been recognised that an effective and efficient procurement function can significantly contribute to business’ bottom line: competitive financial result. What’s more, many organisations feel the need to improve their relationships with suppliers in order to be better able to reduce costs, improve quality, increase flexibility and boost innovation in order to survive.

Especially in these challenging economic times where outsourcing is used as a means to cut cost quickly is it necessary to move away from the traditional role of procurement as an intermediary functions that records agreements with suppliers and supervises their fulfilment. That is too limited a view in today’s business environment, where management is confronted with a multitude of issues impacting on the role and responsibilities of procurement.

Procurement looks traditionally at sourcing as buying services and products from a ratter limited perspective by defining a objective (e.g. less 20% cost), input (e.g. an existing supply contract), process (e.g. renegotiation) and output (e.g. a new supply contract). This is called the system theory and pays little or no attention to the effects of (irrational) human behaviour from those who are involved in the process.

A strategic sourcing function adds various elements to the system theory by incorporating various ‘soft’ elements including conflict management, principles of game theory and decision making theories. As a result is the focus of sourcing in contrast to purchasing more on the inherent conflicts of interests between buyer and seller and their dilemma’s.

Furthermore does (strategic) sourcing include the following elements into the decision making process:

• entry and exit from supplier markets, 
• capacity development, 
• selection and management of sources of supply, 
• innovation and, 
• cost development over a long term.

To evolve from a procurement officer into a sourcing officer it is thus required to develop both interpersonal skills as the engagements are typically more complex and have a higher Value at Risk (VaR) than typical procurement engagements. And also here may adjustments to the bonus structure may ensure that the strategic and long term nature of sourcing engagements is reflected in the decision making process. The lowest bid does not necessarily mean the lowest TCO, while typical procurement officers get their bonus on negotiating the lowest price for the initial contract.

Will offshoring harm Western service economies?

"Restoring American Competitiveness" is an article from Gary Pisano and Willy Shih in the juli/august issue of Harvard Business Review. The article points out that, against the general consensus, American companies will be unable to develop the next generation high tech products due to underestimating the impact of sending their manufacturing offshore. If this is true, can similar effects be expected for the service industry? In other words: will Western countries not only have to fight an uphill battle in manufacturing, but soon also in services?

The article in HBR uses the value chain of personal computers and laptops as an example. Where American companies like HP, Dell and Compaq outsourced initially only their manufacturing to low cost offshore destinations, is now almost the whole industry based in Asia. Every laptop sold by an American brand, with the exception of Apple, is today designed, developed and manufactured outside the U.S.. The same applies to most phones and other mobile devices.

 With manufacturing leaving its shores, developed countries tend to focus on creating economic growth through designing and producing services. I wonder however whether the following quote from the article is also applicable to the service industry (p119): One [myth] is the popular belief that an advanced economy like the United States no longer needs to manufacture and can thrive exclusively as a hub for high-value-added design and innovation. In reality, there are relatively few high-tech industries where the manufacturing process is not a factor in developing new - especially, radically new - products."

In other words, are we in Europe and United States still able to develop new high added value IT services if the graduates leaving the universities today start working in an environment where the developers and support engineers can only be reach by telephone and video conferencing?

Today there are still plenty of employees available in American and European companies who were used to sit behind ‘produce’ the service themselves (e.g. develop software, process mortgages). They will however retire in the coming decades leaves employees which have to manage and instruct offshore suppliers based on theoretical experience only. It is already difficult as an experienced hands-on manager to get the services delivered from an offshore vendor, let alone a situation where all the hard core knowledge of creating and delivering services is overseas.

The argument of the authors that an intact value chain is important for future innovation conflicts thus with the message within Thomas Friedman’s in “The World is Flat”. Friedman believes that geographies lost their importance due to the ability to communicate anytime, anywhere to anybody in the world. Also Amar Bhide’s book "The Venturesome Economy" (2008) argues that innovations will find their way to the customer, regardless of the country it was invented.

Personally I believe that this last argument is flawed. An economy can grow only if it produces products and services which customers want to buy. As soon as all the innovations have to be imported the trade balance will become uneven (in the case of the US: collapse completely as there is already a considerable deficit) which in the end will result in a society which gets poorer instead of richer. I think that, regardless of which author is right, we have to be careful that Europe and America don’t end up being locations where everybody is a ‘managers’ and nobody doing any actual value added work anymore.

CMMi for aquisitions versus eSCM, ISPL and other standards, part 2

In the previous post related to this topic I wrote some of my thoughts on CMMi for acquisitions and ISO/IEC 12207.These two plus ISPL are models which can be used to structure an outsourcing process. The aim of these models in a nutshell is providing the client organisation with:

• the right service/product,
• for the best price,
• at the desired quality levels,
• from the best vendor,
• at or within the risk appetite of the company.

The three models mentioned in these posts scratch only the surface of (proprietary) models which can be used to structure an outsource process.

For those situations where these models are too complex, ISO 9001:2008 could be of help as purchasing is one of the processes addressed. The purchase process described consists of three sub-processes: supplier evaluation (section 7.4.1), purchase orders (section 7.4.2) and goods receipts checks (7.4.3).

CMMi for acquisitions and ISO/IEC 12207 were addressed in the previous post, but not ISPL. ISPL stands for Information Services Procurement Library (ISPL) and is a best practice library for the management of Information Technology related sourcing (only ISO9001 is generic, all other models discussed in these two posts have an IT peregrine). The creation of the model was sponsored by the European Community and it aims to help both the customer and supplier organization to structure the sourcing/acquisition process. It provides guidelines and examples to structure a RfX, construct the contract and delivery plan. It can be used regardless of sourcing application development services or application/infrastructure support.

Like with CMMi for acquisitions and ISO/IEC 12207 provides ISPL a very thorough approach and supports the establishment of a structured and risk conscious sourcing process. I found especially the elements regarding risk management useful to deploy during my own engagements. Applying the best practice as a whole is however not something I would do easily as it would require a whole forest of trees to be cut down for paper. It can, as with CMMi for acquisitions and ISO/IEC 12207 be quiet bureaucratic and should thus be used only for very complex and risky engagements. I would typically expect for example the military to fully deploy it when they request some innovative and complex software solution.

Managing demand and supply
The models discussed until now focused on managing the process from sourcing strategy (make-buy decision) up to the signing of the contract. They also spend some attention to the delivery and monitoring of the contract, but it is not their primary focus.

Aligning demand and supply is however an important, if not determining, factor in the success of outsourcing relationships. An organization must be equipped for the task of managing its relationships with external suppliers as effectively as possible. As expressed by Earl (Earl 1996): “If the decision is to outsource, good management remains a necessity, so that the organization can function as an informed buyer and a demanding client”. Studies from research bureau’s including Gartner reveal that after outsourcing the client company must possess a "high number of very skilled and qualified people who understand the business, as well as relationship and vendor management” (Terdiman, 1999).

Various sourcing advisory firms and universities have in the meantime jumped into this gap and created best practices/standards/models to guide the retained organization. Some are proprietary (ISLite from Gartner) and some are open (eSCM, Carnegie Mellon University).

eSCM (e-Sourcing Capability Model) shares many similarities with CMMi for acquisitions as it also incorporates a maturity model. The client version of eSCM consists of 95 practices which are distributed along three dimensions: sourcing life-cycle, capability area and capability level. There are not one or two capability areas, but 17. The sourcing lifecycle consists of four stages and there are five maturity levels.

I expect the information provided on eSCM allows for stating that, yes this is also a very well constructed and elaborate standard/model, but like with all the other models does the user have to cherry pick the useful items. Deploying the full suite is likely to create a retained organization which will consume all projected outsourcing benefits.

Regardless of which model or standard you wish to use to manage demand-supply, just make sure you make sure it is able to:

• Consolidate demands to ensure lower supply cost;
• Purchase from few suppliers to increase in volume and thus lower cost;
• Active quality monitoring of the services, taking into consideration the intentions expressed in the contract;
• Continuous improve the professionalization of the retained organization resulting in lower overhead cost for managing demand and supply.

Which Chinese Service Providers are out there?

In this post I wrote on the rise of the Chinese IT service providers which could be the new kids on the block and give established Indian service providers a run for their money. Here I want to provide some insights on the Chinese supplier market of IT services. Feel free to add any comments if you feel that I missed out some vital information.

One way established service providers deal with the Chinese ‘treat’ is partnering with them, like Yucheng Technologies and Convergys. Yucheng is a China-based IT solution provider and Convergys a U.S. based provider of customer and employee relationship management solutions. As per the agreement, Yucheng Technologies will sell Convergys' Intervoice Edify Voice Interaction Platform (EVIP) and Convergys Dynamic Decisioning Solutions in the Chinese market.

I wonder however whether this is a smart move in the long term. Like with the car industry did Chinese companies learn how to make cars by partnering with Western car manufacturers. Especially American car manufacturers outsourced part of their manufacturing to countries like China to leverage on its lower cost levels. This however allowed local players to learn the art of car building, resulting in American car manufacturers now having to compete with Chinese car manufacturers they used to partner with. This is no problem if it was a deliberate strategy, but I doubt very much whether those American senior managers looked beyond the short term cost saving. That outsourcing of production activities to low cost countries may harm is confirmed by Gary Pisano en Willy Shih from Harvard Business School (more here).

I do not try to state here that Western and Indian service providers should not partner with Chinese competitors, but that one should look beyond the short term benefits. A partnership should be beneficial for all parties involved, both in short and long term

Infosys, a tier 1 Indian service provider, sees China both as a delivery and client location. Where Infosys focussed for the last six years on delivering services from China to oversees clients, does the company see China now also as a potential client market. It generates now some one third of its Chinese revenue from local clients, but is seeking to expand that. Beside Infosys did companies like IBM and Hewlett-Packard also built a strong presence in China. That China is becoming a serious destination for IT outsourcing show the following figures:

• Value of IT outsourcing market in 2003 was just US$0.4 billion
• Value of IT outsourcing market in 2008 was around US$2.5 billion (based on Gartner Research annual growth figures of 44%)

To support local and oversees vendors, Chinese government has been providing stanch support for the industry by accelerating infrastructure programs and promoting the country to global business community. Some more figures indicating that China is not to be underestimated as a (future) destination for offshoring ITO and BPO services:

• In China some 600,000 engineers graduate annually
• In India some 400,000 engineers graduate annually
• In the US some 70,000 engineers graduate annually
• In Europe some 100,000 engineers graduate annually

The sheer numbers of university graduates provides a furtile ground for local and oversees service providers. An overview with Chinese ITO and BPO service providers can be found here. It demonstrates that there are not just one or two Chinese ITO and BPO service providers out there, but a whole list with potential competitors for European, American and Indian suppliers.

Tata Consultancy Services (TCS) is like Infosys also seeing China as more than a delivery destination. Its global accounts are still growing faster than regional and domestic business, but the gap is closing slowly. Indian service providers see China however still as a location for low-end coding and service work and let more sophisticated work be executed by Indian workers. I hope however that Western and Indian service providers are aware that Chinese are fast learners and will give Indian workers a run for their money pretty soon.

Reducing the cost of regulatory compliance for outsource contracts, part 3

This post is the third in a row in which I write on a methodology I created to improve the effectiveness and efficiency of managing regulatory risk when outsourcing. The first two posts are here and here. Below I write on translating the risk/value ratio’s of the outsource contracts into the optimum control strategy.

The starting point is the contract portfolio in which the value and compliance risk of the outsource contracts are plotted. The position drives among others the resources spend by the compliance function on monitoring a contract. The control and monitor activities are typically described in a so called Compliance Program which is the overarching framework that encompasses the different activities and responsibilities performed by the compliance function.

Compliance cost can be reduced further by applying only a ´golden´ control and monitoring approach when it is really necessary (for example at high risk and value) and select a ´silver´ or ´bronze´ approach elsewhere (see figure).

By strengthening the collaboration of the so called ‘three lines of defence’ and other risk disciplines (for example, operational and information risk departments) even more efficiency gains may be achieved. For example, the department Operational Risk Management (ORM) is usually responsible for controlling the risk related to business and IT continuity. Within the Dutch banking regulation Wft, requirements are stated regarding IT continuity. To comply with this regulation the compliance department may choose to come up with new controls or look into existing assurance measures and add where necessary.

The desired end result is a cooperation in which the lines of defence and risk disciplines make use of a shared set of procedures, risk-control matrices, control measures, reports etc. However, this requires the willingness to put the needs of the group above ones own.

In the figure, the translation is made from the position a regulated object has within a portfolio (see figure in second post) to the corresponding control and monitor strategy. The strategy can be defined in terms of the lines of defence that are involved in the monitoring. This way, the choice can be made only to have the first and second line monitoring in case of a ´bronze´ control and to only give the third line a prominent role in case of a ´silver´ and ´gold´ control.

Removing the discrepancy between the current and desired control maturity can be done by means of an improvement plan or by including actions in the monitoring plan. Optimize the expenses by first of all implementing those improvement actions that have the highest risk reducing effect at the lowest (in)direct costs.

What are the results that can be achieved?
At the compliance department which implemented this methodology a minimum base set has been defined consisting of requirements to which external suppliers have to comply and future suppliers will tested against during the due diligence process. Besides that, together with the retained organization (which acts on behalf of the business as the first line of defence) and existing suppliers, there are talks on creating control frameworks in which a balance is sought between the best practises of the supplier and the requirements and wishes of the bank. Among others, this is a way to try to limit the check related to compliance the supplier submits each month.

In principle all objects (for example products, markets and activities) that are regulated and over which the financial institution runs a reputation risk, can profit from the described approach. The compliance program can be designed both more effective and more efficient than is currently often the case and besides that, by means of continues documenting the steps, a risk-based ´compliance dossier´ for regulated objects is being constructed.

This dossier can be used to indicate to internal and external stakeholders that the organization is ´in control´ and that the organization is acting not only within the law but also in the spirit of the law. Eventually (also in the law) it is about adequately controlling the risk underlying the requirements demanded by the legislator.

The most added value however, is the insight that is gained between the financial value of, for example, a pension product, the compliance risk an organization has and the money that is spent on compliance. This insight will enable management to make a well-informed decision based on possible scenarios that can further optimize the relation between risk and value. No one is waiting for the situation ABN Amro found itself in during 2005 when it had to pay $80 million to the US government because of involvement in money transactions to Iranian and Libyan entities.

Outsourcing risk and Madoff

One of the key issues of the financial crisis was banks not knowing the value of their assets. This lack of insight has numerous reasons, but to me the main ones are: too much focus on short term profit, not being able to understand your own financial products anymore and inadequate control over your back-end business partners. In this post I want to put some of my thoughts on this last topic: the importance of monitoring the ‘health’ of the other financial institutions the bank does business with. Banks got hit by Madoff and Leman Brothers because they did not appreciate the risk they ‘imported’ by extending their value chain beyond their own borders.

This issue was broad to my attention again in n a recent interview of Z24 (Dutch internet news channel) with the Chief Risk Officer of Fortis Bank Netherlands (3 billion revenue 2008, 184 billion in assets. In this interview the risk management practises of the bank were discussed and the CRO stated that the board is closely involved with all new product introductions, and determines how new products fit into the risk profile of the bank.

If so much attention goes into risk analysis, even at board level, how can it be that Madoff and Lehman Brothers were not detected earlier? As said in the beginning of this post play a lack of insight in de risk profile of the whole value chain and an underestimation of the ‘risk dynamics’ an important role. And looking at the value chain also means outsourcing as the times are long gone that banks ‘produced’ all their financial products and services themselves.

The term ‘outsourcing’ is however typically used for situations were internal employees and assets are transferred/sold to an external party. This means that outsourcing is not the perfect term in this situation, but looking from a risk management perspective is it not that relevant whether your relationship with the business partner is based on acquiring, purchasing or outsourcing. In all cases does the bank ‘import’ risk by dealing with an external vendor.

The point I want to make is that banks pay a fair amount of attention to new product introductions and selecting a new business partner to outsource internal activities to or buy services & products from. This means that most banks will have done some kind of due diligence before signing contracts with Madoff and Lehman Brothers. What many banks failed to do is to monitor these partners adequately and adjust their risk profile and control strategy accordingly (and in case of Madoff do a proper due diligence at all as it was a Ponzi scheme from the start). Financial institutions have been outsourcing various back office activities and buying complex products and services from others and lost in many cases the overview of the risks within their value chain.

Even though some financial institutions have business relationships with hundreds of partners is the control strategy of most banks still very much oriented towards the internal activities. This despite that in some cases more risk is ‘imported’ than produced by the financial institution itself. This immaturity is reflected in the control strategy for external partners. Most organisations do not get much further than a ‘right to audit’ and (miss-)using SAS70 statements to get some insight in the control maturity of its partners (more on SAS70 here and here). To make matters worse are the education curriculum’s for risk managers and auditors also paying inadequate attention to the ‘financial supply chain’. Risk and audit managers learn how to control the internal organisation and learning how to exercise control over external partners is dealt with in maybe 10-15% of the course time.

I expect this to change soon however as financial institutions and their clients are not waiting for a Madoff 2.0.

Reducing the cost of regulatory compliance for outsource contracts, part 2

In the previous post on this topic I wrote that the control framework created by compliance functions within financial institutions for outsource contracts are often inadequate and too expensive.

The main reasons for these observations are that compliance officers often do not understand enough the scope and dynamics of the contract in order to create a lean but adequate compliance chart. By requiring all regulations to be in-scope they hope not to miss out on anything. Furthermore are compliance officers not trained well enough in translating an internal control framework into an external one. This often results in either requiring the vendor to copy the internal control framework of the bank (very expensive option as the bank does not leverage on the best practises of the vendor) or they just resort to letting the vendor sign a yearly ‘in contol’ statement (too simple as the vendor mostly does not know what it signs for). My third reason for the initial statement was that compliance officers are not used to look at their professional from a financial perspective (other than cost). They are too often not capable of having a discussion on this topic with the business managers on the risk versus return.

Now picking up the story again where I left it last time.

Sub objective one: look beyond risk and regulation; look at the value
The risk profile is one of the two dimensions that should determine how much money is spent on controlling regulatory compliance risk. The second, and currently mostly absent, dimension is the (financial) value the regulated object represents. Determining whether a product, activity, market or outsourcing contract represents a percent of the sales or margin or ten percent is necessary to be able to make a more nuanced consideration between costs and return. In some cases, the costs related to compliance can be so high that they will make a business case unfeasible.

An example is an organization active in the field of payment traffic which wanted to outsource part of its IT because the initial business case predicted lower costs. However, the requirements the supplier had to comply with regarding, amongst others, security were so costly that the entire outsourcing was cancelled two weeks before the planned sign date. In this case too, the compliance department was involved very late in the project, causing the expensive bunny to come out of the hat only just before the planned signing date.

On the one hand, this example is an argument to involve the compliance function in outsourcing, product development (and in other complex projects) at an early stage, while at the same time it also underlines the necessity for compliance officers to become better informed in the financial implications of compliance. Understanding it to such an extent that that compliance officer is able to:

• Determine the financial value the regulated object (e.g. outsource contract) represents to the organisation;
• Communicate with the responsible business managers on risk versus return

To enable the compliance office to get a more sophisticated view on its area of work portfolio management is introduced. For some regulated objects, like an investment product or an outsourcing contract, it is relatively easy to determine the financial value it represents, while for others it is more difficult. Important conditions for effectively using the found answers are applying a uniform valuation basis and taking into account the future value development.

An outsource contract can have a high compliance risk and a low financial value but the situation can be completely difference in two years time. This is illustrated in the figure in which object 1 currently has an unacceptable risk-value distribution (the object is above the red line). For example by increasing the volume of the contract and/or lowering the compliance risk, the ratio between risk and value can shift to an acceptable level.
The green line in the figure represents the optimal distribution the financial institution has defined for compliance risk versus the related value/return. Based on the position in the portfolio the best improvement strategy for a outsource contract can be determined: lowering the risk profile (object 2), raising the value of cancelling the contract (object 3).

Looking at outsource contracts in this way originates from the portfolio management theory. This is a structured method for categorizing, evaluating and prioritizing objects based on an acceptable balance between risk and value. The objects in the portfolio (for example all outsource contracts) are scored by comparing them to each other and the location within the portfolio directs the amount of resources to be spent on compliance activities.

In the customer example that was discussed earlier, the existing portfolio of outsourcing contracts was analyzed and the contracts with the maximum score (high risk and value) were the first to be assigned to compliance officers. The goal was determining if the existing control and monitoring strategy was in balance with the contract. Amongst others, this entailed determining if the (gross/inherent) risk already had been reduced to an acceptable level (´residual risk´ lower or equal to the risk appetite). If not, which additional control and monitoring activities could accomplish this in the most efficient manner.

How one can translate the risk/value ratio of an outsource contract into the optimum control strategy will be discussed in the third and last post on this topic.