Outsourcing and compliance risk: do more for less

-

This posting is a follow up on this post and this post and describes at a very high level how the operational cost related to managing outsource risk can be reduced. Not just by decreasing all budgets by 10%, but by a targeted effort. I came up with this approach during my work for a large international bank (more elaborately described in some articles) and it aims to rationalise the way risk managers/officers should approach their work.

The core of the approach requires (senior) risk officers (e.g. operational, compliance) to approach assurance and monitoring more from a financial perspective. The typical risk officer is not used to incorporate the (in)direct costs (operational cost) and potential lost in revenue (opportunity cost) into their considerations when proposing new controls. This results often in expensive assurance mechanisms, like using SAS 70 type II reports for area’s of low risk. By defining a more balanced control strategy which aligns the control requirements with the risk level of an object, the same assurance can be achieved, but cheaper.

The approach is based on the following two key ingredients:

  1. The risk officer responsible to manage the strategic, operational and compliance risks of an outsource contract needs to have a detailed understanding of the contract. The level of understanding has to be such that it can define objective and measurable parameters that influence the risk profile of this engagement. The so-called ´risk drivers´. These risk drivers should ideally be applicable not only for a single contract but for a portfolio of similar contracts. This to allow the application of portfolio management techniques to prioritise the use of resources dedicated to identify and mitigate risks.
  2. With the application of portfolio management, the risk profile and (financial) value of contracts (e.g. NPV) are plotted which creates insight into their relative position towards each other (see figure). This trade-off between risk and return drives then the amount of money that the company should spend on control/assurance and the time (thus money) a risk officer should spends on monitoring an outsource contract.

The usage of portfolio management techniques is already common for market and credit risk, but is rarely used to manage other types of risk. I believe however that other risk disciplines can also benefit greatly from techniques used by colleagues from other risk disciplines.

Comments

Post a Comment

Popular posts from this blog

Beyond Two-Speed IT – Part 3

-
Summary This blog is about shifting gears and the ability to offer cars in other colors than T-Ford-black. It is the third and last part of a blog focusing on the importance of translating market and business context into the value proposition offered by IT. You can find the first part   here   and the second part   here .   FedEx and UPS dominate their markets,   again   using slightly different value propositions. Compared to UPS, FedEx offers its customer more flexibility at a slightly higher price point. More price sensitive customers opt for UPS and the more standardized value proposition that comes with it. More pronounced is the difference between Walmart and Amazon. The first has its roots in physical retail outlets while the second started as a native digital business model. Differentiation can also be observed at an operational level. Marketeers want to try new things on a daily basis, while the controllers and bookkeepers of the finance and administration (F&
Read more

Beyond Two-Speed IT – Part 2

-
Summary Markets move at different speeds and in different directions, constantly reshaping the technology-related capabilities required by the business. In the second part, the difference between Customer Intimacy strategy and Operational Excellence strategy is used demonstrate that ‘differentiation’ is more than choosing Agile over Waterfall development. The first part of this blog dedicated to market and business context is  here .   Dell was founded in 1984 and was added to the Fortune 500 in 1992. Its key to success was building direct relationships with the customer via the internet. At the time, most competitors targeting consumers via analogue sales channels, such as brick and mortar shops. Selling directly to the customer also enabled Dell to build-to-order instead of the traditional build-to-stock model. It kept waste to a minimum and allowed the customer to choose from a wide selection of configuration options. Dell’s pursued a customer intimacy strategy, cont
Read more

The importance to innovate as a supplier

-
Image
I spoke recently with a senior executive of a small external service provider. A service provider with a staff of 350+ in the year 2000 and some 75 today. So one of the main topics we discussed was how this happened. The founders of the company identified some twenty years ago a software niche in supply chain management. In this period manufacturers and their up-and downstream partners in the supply chain were looking for solutions to exchange information to optimize their logistics processes and stock levels. The founders came up with some very clever concepts and for many years the sky was the limit. What the founders and subsequent managers overlooked however is that every (software) product goes through a lifecycle. And at the end of the lifecycle the software product has become obsolete. It may become obsolete because of not anticipating on evolving functionalities, technologies (e.g. Cobol) or because business models. Functionalities. In the past many software vendor
Read more