Risk, opportunity, and the service organization

Michael Werneburg
Nov 25, 2014

Information technology services providers play a substantial role in regulated fields such as the finance industry. These specialist companies make their living by developing information-based solutions with expertise, speed, and cost efficiency that their clients simply can’t match. Technology providers can have strategic significance as regulated organizations look for cutting edge solutions that allow them to differentiate themselves and improve their own products and services.

Regulators, auditors, and corporate boards are becoming more aware of the legal, compliance, financial, and information risks posed when regulated firms share operations and information management duties with service providers (e.g. the 2014 IIROC regulation on outsourcing, and OSFI’s “B-10” guideline on outsourcing).

In their drive for improved risk management practices, the regulators don’t just want to see a service provider perform along a single axis such as information security. As the Basel Committee on Banking Supervision put it in the executive summary for a 2005 paper:

Of particular interest to regulators is the preservation at the regulated entity of strong corporate governance. In this regard outsourcing activities that may impede an outsourcing firm’s management from fulfilling its regulatory responsibilities are of concern to regulators. The rapid rate of IT innovation, along with an increasing reliance on external service providers have the potential of leading to systemic problems unless appropriately constrained by a combination of market and regulatory influences.

The result is guidance that sets the bar for service organizations at the same level as the regulated firms themselves. Regulated firms effectively download portions of their regulator-mandated enterprise risk management regimes to the technology service organizations that serve them.

In turn, service organizations — even small-scale operations — are adopting annual external audits to provide evidence of effective enterprise risk management. For a service organization to adapt to the new requirements and thrive in its regulated marketplace, one solution is to adopt enterprise risk management through an initiative for risk-centric process improvement.

And I believe that this allows enterprise risk management practices to unlock new opportunities for service organizations. First, a look at what’s involved.

What

For a technology service organization to obtain a clean third-party audit, it must meet or exceed standards in several areas, for example:

  • Executive: setting and communicating objectives; monitoring performance, and directing improvements; establishing service level agreements; business continuity planning; and risk-aware strategy planning.
  • Human Resources: background checks; hiring, management, and termination policies; code of conduct; and site security.
  • Production management: the software development life cycle; the service desk function; and identity and asset entitlements management.
  • Data management: information classification; data aging & disposal; data & data processing integrity.
  • IT: disaster recovery; technology standards; information security management; systems availability, capacity, and performance management; version & package management; entitlements custody management.
  • Project management: scheduling and resource planning; program management; modeling for uncertainty.
  • Internal control: internal audit; operational risk management; policy management.

It’s a broad list, but also a deep one. Regulators directly reference complex and prescriptive guidance such as the AICPA/CICA “trust services principles”, which set out hundreds of criteria a service organization must meet.

Who

The skill-set required to effect these changes isn’t necessarily the one already possessed by a service organization’s management team; given the daunting scope and complexity, an outside change leader may be required.

How

Complicating matters, the field is currently in flux. Some evolving trends include:

  • The establishment of new standards in third-party audit reports (e.g. SOC 2) for demonstrating competence in operational and information risk management.
  • Greater reliance on legal remedies as a means of resolving disputes.
  • Changes to standards in information systems management (e.g. COBIT 5), information security (e.g. ISO 27001:2013), and risk management (e.g. ISO 31000:2009).

And after all the effort, expense, and change imposed, after adopting new standards of performance and a perpetual cycle of audit-and-remediation, there is no guarantee of success. The auditors will be the ones to decide when their requirements are met.

So it’s worth looking at the opportunity that lies on the far side of all of this work. What are the payoffs?

And finally, the most important question: why

Speaking from my experience in the field, integrating risk-centric business practice improvements into a business strategy can:

  • Improve customer satisfaction and reputation;
  • Free up executives’ time by minimizing decision-making during regular processes;
  • Speed up the sales cycle.

Here’s how I believe it works. Initially, a process improvement initiative exposes the differences in expectations, assumptions, and interpretations behind existing processes. Eliminating those differences allows the firm to adopt a unified way of thinking and a consistent standard of behaviour. It allows the firm to build a culture of excellence, and to find a competitive advantage based on processes that are not merely improved but (in the words of Michael Porter) “fit” together and are hard to copy.

Without the sort of demonstrable excellence that stands behind an audit report, a sales journey within a regulated firm can run through a series of gatekeepers like those in the image below. But a service organization armed with an audit that is backed by genuine internal excellence and a unified vision can bypass the gatekeepers and engage the client’s decision-makers in the sort of conversation that really matters.

Simply having the auditor’s report conveys to your prospects that you speak their language. But meeting their needs at every level earns and keeps a client’s trust and builds “brand” with every interaction. A focus on the customer is the most powerful way of winning and keeping that customer. This sounds like marketing talk, and deliberately so: marketing experts understand the importance of a consistent message of excellent results. And what is an audit but proof of consistency?
