Reducing the cost of regulatory compliance for outsource contracts, part 2

In the previous post on this topic I wrote that the control framework created by compliance functions within financial institutions for outsource contracts is often inadequate and too expensive.

The main reasons for these observations are that compliance officers often do not understand the scope and dynamics of the contract well enough to create a lean but adequate compliance chart. By requiring all regulations to be in scope they hope not to miss anything. Furthermore, compliance officers are not trained well enough in translating an internal control framework into an external one. This often results in either requiring the vendor to copy the internal control framework of the bank (a very expensive option, as the bank does not leverage the best practices of the vendor) or simply letting the vendor sign a yearly 'in control' statement (too simple, as the vendor mostly does not know what it is signing for). My third reason for the initial statement was that compliance officers are not used to looking at their profession from a financial perspective (other than cost). They are too often not capable of having a discussion with the business managers on risk versus return.

Now picking up the story again where I left it last time.

Sub objective one: look beyond risk and regulation; look at the value
The risk profile is one of the two dimensions that should determine how much money is spent on controlling regulatory compliance risk. The second, and currently mostly absent, dimension is the (financial) value the regulated object represents. Determining whether a product, activity, market or outsourcing contract represents one percent of sales or margin, or ten percent, is necessary in order to make a more nuanced trade-off between costs and return. In some cases the costs related to compliance can be so high that they make a business case unfeasible.

An example is an organization active in the field of payment traffic which wanted to outsource part of its IT because the initial business case predicted lower costs. However, the requirements the supplier had to comply with, amongst others regarding security, were so costly that the entire outsourcing was cancelled two weeks before the planned signing date. In this case too, the compliance department was involved very late in the project, causing the expensive rabbit to come out of the hat only just before the planned signing date.

On the one hand, this example is an argument for involving the compliance function in outsourcing, product development (and other complex projects) at an early stage; at the same time it underlines the necessity for compliance officers to become better informed about the financial implications of compliance. They should understand it to such an extent that the compliance officer is able to:

  • Determine the financial value the regulated object (e.g. an outsource contract) represents to the organisation;
  • Communicate with the responsible business managers on risk versus return.

To enable the compliance office to get a more sophisticated view of its area of work, portfolio management is introduced. For some regulated objects, like an investment product or an outsourcing contract, it is relatively easy to determine the financial value they represent, while for others it is more difficult. Important conditions for effectively using the answers found are applying a uniform valuation basis and taking into account the future development of the value.

An outsource contract can have a high compliance risk and a low financial value, but the situation can be completely different in two years' time. This is illustrated in the figure, in which object 1 currently has an unacceptable risk-value distribution (the object is above the red line). By increasing the volume of the contract and/or lowering the compliance risk, for example, the ratio between risk and value can shift to an acceptable level.
The green line in the figure represents the optimal distribution the financial institution has defined for compliance risk versus the related value/return. Based on the position in the portfolio, the best improvement strategy for an outsource contract can be determined: lowering the risk profile (object 2), or raising the value or cancelling the contract (object 3).

Looking at outsource contracts in this way originates from portfolio management theory. This is a structured method for categorizing, evaluating and prioritizing objects based on an acceptable balance between risk and value. The objects in the portfolio (for example all outsource contracts) are scored by comparing them to each other, and their location within the portfolio directs the amount of resources to be spent on compliance activities.

In the customer example discussed earlier, the existing portfolio of outsourcing contracts was analyzed and the contracts with the maximum score (high risk and high value) were the first to be assigned to compliance officers. The goal was to determine whether the existing control and monitoring strategy was in balance with the contract. Amongst others, this entailed determining whether the (gross/inherent) risk had already been reduced to an acceptable level ('residual risk' lower than or equal to the risk appetite) and, if not, which additional control and monitoring activities could accomplish this in the most efficient manner.
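The portfolio triage described above (scoring contracts on risk and value, checking residual risk against the risk appetite and the red line, and deriving the improvement strategy for objects 1 to 3) can be expressed as a small model. The code below is an added illustration, not part of the original post or of any client's method; the linear red line, the risk appetite of 0.5, the "low value" cut-off of 10% of margin and the four constructed contracts are all assumptions chosen for the example.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Assumed red line: the highest residual risk that is still acceptable for a
# given value share. Modelled as a straight line, risk = intercept + slope * value.
RED_INTERCEPT = 0.20
RED_SLOPE = 0.60
# Assumed institution-wide risk appetite: residual risk may never exceed this.
RISK_APPETITE = 0.50
# Assumed threshold below which a contract is "low value" (share of margin).
LOW_VALUE = 0.10


@dataclass
class Contract:
    name: str
    inherent_risk: float          # gross compliance risk score, 0..1
    value: float                  # share of margin the contract represents, 0..1
    control_effectiveness: float  # fraction of inherent risk removed by controls, 0..1

    @property
    def residual_risk(self) -> float:
        # Residual (net) risk left after the existing control and monitoring strategy.
        return round(self.inherent_risk * (1.0 - self.control_effectiveness), 4)


def red_line(value: float) -> float:
    """Maximum acceptable residual risk for a contract of this value (assumed line)."""
    return RED_INTERCEPT + RED_SLOPE * value


def priority_score(c: Contract) -> float:
    """High risk combined with high value sorts first for compliance attention."""
    return round(c.inherent_risk * c.value, 4)


def recommend(c: Contract) -> str:
    """Improvement strategy from the contract's position in the risk/value portfolio."""
    ceiling = min(RISK_APPETITE, red_line(c.value))
    if c.residual_risk <= ceiling:
        return "acceptable"
    if c.value < LOW_VALUE:
        # Above the red line with little value: raise the value or cancel (object 3).
        return "raise value or cancel"
    # Above the red line but valuable: bring the risk profile down (object 2).
    return "lower risk profile"


def triage(contracts: List[Contract]) -> List[Tuple[str, float, float, str]]:
    """Order the portfolio by priority and attach residual risk and strategy."""
    ordered = sorted(contracts, key=priority_score, reverse=True)
    return [(c.name, priority_score(c), c.residual_risk, recommend(c)) for c in ordered]


# Constructed sample portfolio (not real contracts).
PORTFOLIO = [
    Contract("object 1", inherent_risk=0.9, value=0.50, control_effectiveness=0.3),
    Contract("object 2", inherent_risk=0.8, value=0.20, control_effectiveness=0.5),
    Contract("object 3", inherent_risk=0.6, value=0.05, control_effectiveness=0.2),
    Contract("object 4", inherent_risk=0.5, value=0.40, control_effectiveness=0.6),
]

if __name__ == "__main__":
    for name, score, residual, strategy in triage(PORTFOLIO):
        print(f"{name}: score={score:.2f} residual={residual:.2f} -> {strategy}")
```

The ordering by `priority_score` reproduces the "maximum score first" assignment of contracts to compliance officers, while `recommend` applies the two checks from the text: residual risk against the risk appetite and against the red line for the contract's value. Replacing the linear red line with the institution's own curve is the only change needed to use a real portfolio.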

How the risk/value ratio of an outsource contract can be translated into the optimum control strategy will be discussed in the third and last post on this topic.
