Friday, December 08, 2006

Outsourcing & Operational Risk

It's my contention that effective outsourcing and offshoring actually mitigates operational risk. Please read further if you are a practitioner or student of Information Technology applications in Financial Services.

1. Introduction
2. Why outsource
3. Operational Risk & Basel II
4. Frameworks governing Operational Risk in Outsourcing
5. How does Outsourcing impact Operational Risk?
6. Measurement of Operational Risk in Outsourcing
7. Minimize Operational Risk in Outsourcing
7.1 Internal Readiness
7.2 Choice of vendor
7.3 Tools and processes for comprehensive management control
7.4 Benchmarking and frequent audits
8. Mitigation Plan
9. Does Outsourcing decrease overall Operational Risk?
10. Conclusion

1. Introduction

Outsourcing of business functions to specialist providers is common practice, and nowhere is it more so than in the financial services industry. The mandate is clear for the top banking and financial service firms around the world: either be competitive or perish. This has forced most of them to renew their focus on their bottom-line cost strategy, of which outsourcing has become a vital component. It has become obvious that most US and European banks, if they are to remain competitive in the globalized economy, have to follow the laws of economics and look at outsourcing as many activities as possible to places which are much cheaper and sometimes more competent. The banks are increasingly aware that non-core activities, which do not create immediate tangible value for the organization, can very well be done by outside experts at a fraction of existing costs. Outsourcing, especially offshore, seems to offer significant benefits in terms of cost savings and conversion of fixed costs into variable costs. It seems all the more attractive to financial institutions and banks because significant effort is involved in back office processing, which by nature is technology intensive and is a strong case for outsourcing. Thus, despite a lot of press reaction and popular opposition, outsourcing is only growing stronger day by day. Most of the big banks around the world have begun outsourcing significant parts of their business to countries like India, which offer better bang for the dollar. Some of the better-known names include Citi, World Bank, Bank Of America, Merrill Lynch, Lehman Brothers, Deutsche Bank etc., and all of them have transferred a bulk of back-office operations and new system development to India.
Some of them have even outsourced high value and risk sensitive work like trend analysis for both derivatives and equity markets, and are reaping the benefits of continued cost advantages and of personnel who are equally, if not better, qualified and are technically and functionally competent.

This does not mean that outsourcing does not have its own problems. Many of the banks and financial service organizations that were part of the first outsourcing wave, and started without adequate research and preparation, have had a bad experience or two. Even today clients are finding it difficult to co-ordinate, monitor and control the performance of their vendors effectively. Still, the value proposition of these offshore vendors is so strong that these issues have not deterred people from going ahead.

It has been estimated that 47% of losses in Capital Markets and Banking are due to systemic process and systems failures. In this paper, let's try to understand the impact on overall Operational Risk of outsourcing business processes, new technology development and existing system maintenance to external vendors and/or to subsidiaries of the Firms in a geographically disparate location, and whether it is possible to establish an arithmetic correlation between the two.


2. Why outsource

Outsourcing has significant advantages in cost reduction, increase in operational efficiency, decrease in operational costs and better management of quality human resources. PwC’s Paul Halpin said: "Many people think that operational risk inevitably increases when processes are outsourced. However the introduction of more effective controls and better management of risk, by an outsource provider, can often reduce operational risk". High profile accountancy scandals, systemic failures and lack of BCP/DRS systems, in conjunction with the proposals contained in Basel II and the EU Credit Directive, are increasing the awareness of operational risk. As the financial markets move towards further statutory regulation, operational risk is something that the market makers and executives need to be considering. Outsourcing providers can play a key part in their clients’ operational risk strategies.

There have been several instances of significant quality improvement at the Firm due to better processes at the vendor site. Very often vendors, especially software development companies in places like India, are world leaders in processes for software development life cycles, and many of them actually enable the Firms to improve on existing operational and process efficiencies through two-way knowledge transfer.

Outsourcing a range of functions to third party vendors is an attractive risk mitigation option. Outsourcing allows better alignment between cost structure and revenues, greater flexibility to introduce new products, more innovative investment structures, access to new technology, rapid integration of the same into the company’s systems and greater ability to keep pace with changing regulations and markets.

Given the complex and global nature of investment management and the varying functions that can be outsourced, identifying and developing the right model is often difficult. A four-step assessment can help recognize the appropriate outsourcing model – inshore, nearshore, offshore or combination/mix of the three. First, the divisional managers should identify why they want to outsource a particular function. Second, they need to isolate potential issues with outsourcing. Third, they should determine what to outsource. Finally, they need to understand their current and projected cost and revenue structures well enough to align those in an outsourced relationship.

As with any business activity, outsourcing has risks. Such risks depend on several factors, but are most clearly measured by the size, nature and criticality of the outsourced activity. If managed appropriately, outsourcing can be an efficient operational risk mitigation tool. Regardless of the EC disposition on operational risk capital charges, it is likely that more investment managers will turn to outsourcing as a source of flexibility in developing their businesses, reducing cost, and aligning their core competencies and risks with their value added.




3. Operational Risk & Basel II

There are various risks associated with outsourcing. Predominant amongst them is the 'fear of the unknown'. Customers often feel that outsourcing and 'off-shoring' could be a black hole. The only way to mitigate this risk, apart from top-management commitment, is to involve the customer at every stage in the delivery process.
In the January 2001 Basel II Consultative Package, operational risk was defined as: "the risk of direct or indirect loss resulting from inadequate or failed internal processes, people and systems or from external events". The January 2001 paper went on to clarify that this definition included legal risk, but that strategic and reputational risks were not included in this definition for the purpose of a minimum regulatory operational risk capital charge. However in this paper for the purpose of better understanding, we shall also look at the possible impact of such risk on the overall portfolio of risks and ways to minimize the probability of such occurrences.
This focus on operational risk has been generally welcomed by the banking and financial services community, although concerns were expressed about the exact meaning of "direct and indirect loss". As mentioned above, for the purposes of the Basel II Pillar 1 capital charge, strategic and reputational risks are not included, and neither is it the intention for the capital charge to cover all indirect losses or opportunity costs. As a result, reference to "direct and indirect" in the overall definition has been dropped. By directly defining the types of loss events that should be recorded in internal loss data, the RMG can give much clearer guidance on which losses are relevant for regulatory capital purposes. This leads to a slightly revised definition, as follows: "the risk of loss resulting from inadequate or failed internal processes, people and systems or from external events". The RMG confirms that this definition does not include systemic risk and the operational risk charge will be calibrated accordingly.
It is important to note that this definition is based on the underlying causes of operational risk. It seeks to identify why a loss happened and at the broadest level includes the breakdown by four causes: people, processes, systems and external factors. This very basic definition, and more detailed specifications of it, is particularly useful for managing operational risk within institutions. However, for the purpose of operational risk loss quantification and the pooling of loss data across banks, it is necessary to rely on definitions that are measurable and comparable. Thus several banks and supervisors make distinctions between operational risk causes, actual measurable events (which may be due to a number of causes, many of which may not be fully understood), and the P&L effects (costs) of those events.
The most significant issue facing banks in relation to Basel II is aligning and upgrading data and existing IT systems infrastructure for completeness, consistency and integrity across the organization. The systems to comply with Basel II requirements under the advanced approach for market, credit and operational risk must be compatible with the existing IT architecture and provide suitable reporting facilities and analytics. The second driver is governance and buy-in. The role and responsibilities of each individual and department must be clearly defined to avoid confusion, especially with regard to operational risk. The third is a clear risk awareness culture. Outsourcing of IT functions can free up several divisions inside the IT divisions and Management for risk measurement and mitigation measures.


4. Frameworks governing Operational Risk in Outsourcing

89% of lenders surveyed at a recent industry briefing hosted by mortgage outsourcing firm Marlborough Stirling Mortgage Services (MSMS) said they do not think lenders are as aware of operational risk as they should be. In such a scenario, it's vital that the available regulations and their impact on the total VaR be studied, as this will have a direct impact on the capital adequacy ratio.

The U.K. Financial Services Authority's proposed guidance on operational risk recognizes that while outsourcing may reduce a company's level of risk, careful management is required to yield benefits. The Policy Statement on Prudential Risks, Systems and Controls issued in October by the FSA is an example of the action being taken by regulators to ensure that risks are kept to a minimum in outsourcing contracts. The FSA points out that this statement forms part of the Integrated Prudential Sourcebook it is developing as part of its regulation of financial activities in the UK. The system is due to be complete for all regulated firms, except banks, by the end of next year. Banks will be covered by the Basel II Capital Accord, which is being finalized over the coming months and is expected to be implemented by several regulatory bodies the world over from 2007. The statement includes new guidance on outsourcing. It is wide-ranging because the FSA makes clear that, although the guidance is designed primarily to cover outsourcing arrangements, firms should consider its applicability to all forms of dependency on third parties. Among the issues covered are:
- Effect of the outsourcing arrangement on a firm’s operational risk profile.
- Desirable controls over the outsourcing supplier’s employees and subcontractors.
- The customer’s business continuity requirements
- Due diligence requirements
- Appropriate performance measures.
- Service management
- Special audit rights
- Change management procedures.
- Confidentiality and security
- Rights relating to the termination of the arrangement.
- Offshore outsourcing
- Outsourcing of a controlled function
- Risk profile of the vendor

The consultation paper pointed out that a firm’s operational risk profile might vary through the life of an outsourcing arrangement. The policy statement amplifies this by pointing out that operational risk may vary, for example, when the decision to outsource is made, during the negotiation phase, during implementation and maintenance, and on termination of the contract. Some issues, including IPR protection, may remain pertinent well after the contract ends. The statement also stresses that outsourcing may reduce operational risk and that in such circumstances a suitably proportionate approach to the application of the guidance may be appropriate.

Another development relates to control over outsourced suppliers. The consultation paper suggested that firms consider imposing upon suppliers far-reaching controls over the employees involved in providing the outsourced services. The policy statement goes further by stressing that it may even be necessary for the firm to review and consider the adequacy of the staffing arrangements and policies of a service provider. The statement also calls on firms to look beyond the specifics of the outsourcing arrangements to consider the extent to which they support their business strategies. They should also review this when changing the arrangements. However, even with these additions, firms should not consider the statement as covering all circumstances.


5. How does Outsourcing impact Operational Risk?

So does it mean that Firms that are involved in offshoring necessarily have to bear more operational risk than others that are not? In most cases, not necessarily. Sometimes outsourcing allows a rapid upgrade of technology and processes, for example, as vendors are IT specialists and are most times well ahead of the Firms on the technology curve.

This can translate into more efficient processes and systems, which bring down the risk co-efficient and carry out operations more efficiently. The Firms are also able to pass off some of the risks to vendors, whose financial terms are determined by service levels. Mature vendors bring with them the wealth of information that they have gained working with best-of-breed organizations, and these best practices can be shared with other organizations as well. Besides, most of the concerns that we raised can be mitigated easily if the firms are aware of them and follow a methodical risk management approach.

In the next few lines, we discuss the impact of Outsourcing on the four basic premises of Operational Risk – People, Process, Technology & non-predictive events.

People Risk –
People risks generally come about due to a variety of reasons, ranging from potential loss of jobs at the parent site to attrition issues at the client/offshore site.
Loss of jobs – there is a very real risk arising from perceived and actual loss of jobs at the Firm’s principal location due to outsourcing of services to vendors or to offshore geographies. This leads to employee dissatisfaction, security lapses due to laid-off employees, and technology or process risks due to attrition arising out of a potentially unstable environment.
Culture issue – the culture disparity issue is less understood and not given the attention it deserves. Different cultures and different approaches to problem resolution give rise to systemic risks and process risks, increasing the probability of operational defaults.
Knowledge transfer gaps – Typically any outsourcing engagement starts with the knowledge transition process, where the vendor staff visit the Firm locations, and the reverse, for a thorough de-briefing process. The effectiveness of the knowledge transition process is one of the critical success factors of the overall engagement. Very often it has been noticed that lack of domain knowledge severely limits understanding of the fundamental concerns of the business users. This can lead to a significant increase in the operational risks faced by the banks, as these contracted vendor employees might take actions or decisions not appropriate to the situation.
Strategic alignment – Vendors typically focus on day-to-day operations, which meets agreed SLAs, but they may lack strategic thinking and alignment with the Firm’s goals, which might or might not be beneficial for the organization in the long run. This can result in either inadequate or inappropriate systems and processes.
Attrition – A significant percentage of vendor employees might not stay with the same assignment for long durations; this is actually one of the major issues facing companies now, with the ever-increasing opportunities in the burgeoning job market. This means that Firms have to share proprietary process knowledge with a larger set of external people who may not be on their project(s) after some time. There is also the issue of personnel movement between the projects of two clients. Besides the obvious issues of potential security lapses, there is also the added risk of additional knowledge transfer.


Process Risk -
Maturity of process - In outsourcing engagements the vendor essentially becomes an extended arm of the Firm, and vendor processes and performance directly impact service or product quality. If these processes are not robust and do not conform to quality standards, it can lead to unpleasant surprises for the Firm. For example, lack of a constantly monitored and effective knowledge management process can make vendors heavily dependent on certain key people, who are perhaps anyway the most hunted employees in the business. If they change organizations, retraining and the handover of process knowledge might not be very smooth, resulting in immediate performance issues.
Response time - Because of the complicated engagement structure and onsite-offshore co-ordination issues, the decision-making and escalation processes often slow down, at least initially. In unexpected critical situations, people who lack authority might not be able to respond adequately and may be mere spectators of potential harbingers of disaster.
Alignment of objectives & processes - the Firm and the vendor need to be closely aligned in their expectations and goals. For example, an existing vendor might not be able to scale up its processes if suddenly required by the Firm, due to lack of funds, capability or choice, as it might not be in the vendor's best interest. On the other hand, it is also possible that the vendor might invest significantly in processes which might not be very critical for a particular Firm but significant to others, and vice-versa.
Management and reporting
BCP & DRS - Most IT offshore vendors would claim to have robust Business Continuity and Disaster Recovery processes, but the Firm would need to thoroughly vet these initiatives with regard to the practicality and robustness of the defined processes.
Physical Security - Access to vendor facilities can never be as closely monitored as the Firm’s own facilities. Even the vendor’s own employees might be a threat, as reference checks and authorization checks in vendor countries might not be as stringent. Internal leaks are a very real threat.
Continuous Process improvements – The vendor’s interest would generally conflict with the interest of the Firm as far as quality levels are concerned, which may cause differences in generic operational processes.
Regulatory processes – certain risks may arise out of government regulations, especially those relating to people processes, which may significantly impact the associated VaR models. For example, under Indian law it is not possible for compensation for breach of contract paid in India to be repatriated to a non-Indian company, by virtue of India's foreign exchange control regime.

Technology Risk
The U.K. Financial Services Authority noted, "The increasing automation of systems and our reliance on IT has the potential to transform risks from minor manual processing errors to major systematic failures." That's particularly true in the banking industry, where for example, the outsourcing of check processing is a widespread practice. A major failure in the information technology process would bring a bank to its knees in just a few minutes.

· A recent Gartner report shows that 2 out of 5 enterprises that suffer a disaster go out of business within 12 months.
· According to Computer Economics, computer viruses and worm attacks cost business $17.1 billion in 2000 compared to $12.1 billion in 1999.
· In the 2001 Computer Crime and Security Survey, conducted annually by the Computer Security Institute (CSI) and FBI, eighty-five percent of the respondents reported unauthorized use of their computer systems. The study also found that, of the sixty-four percent of respondents who reported that their organizations suffered direct financial loss because of security breaches, only thirty-five percent could accurately determine how much was lost.
· The CERT Coordination Center (CERT/CC) at Carnegie Mellon, a federally funded research and development center that studies Internet security vulnerabilities, recently issued their vulnerability statistics for the first two Quarters of 2001. The current data suggests a dramatic increase in digital risk activity - almost 70% increase in the number of security incidents in 2001 over 2000.

While traditional risks like fire and flood are relatively containable in the physical world with good communication and continuity systems, network security breaches can inflict damage and losses on others linked to a Firm network through the Internet at an uncontrollable rate and with an unprecedented reach. Any organization connected to the Internet for Back office processing or Software development at a remote location, regardless of how they use that connection, must be concerned with several potential points of compromise, such as:
· Data theft - involves unauthorized insiders or outsiders stealing sensitive information and intellectual property
· "Island hopping" - attackers can gain access to an insecure computer network and use it to launch attacks on the other networks. By compromising security weaknesses at multiple points, attackers can use victim hosts as "zombies" to target denial-of-service assaults that are traceable back to the victim's IP address.
· E-mail compromise - places companies at risk of unknowingly spreading a virus or Trojan horse and harboring legally sensitive unprotected e-mail content.
· Web site exposures - occur when a site becomes unavailable or is maliciously altered to include erroneous information.

Thus operational risks associated with technology failures, obsolescence or data can be broadly classified as:

· Risks associated with Information sensitivity/Information availability and data Security
· Risks associated with performance of technology systems
· Risks associated with Transaction
· Risks arising due to non-availability of BCP & Disaster Recovery Systems
· Risks arising due to Technology obsolescence
· Risks due to Virus and malicious attacks

Non-Predictive / Other risks
Country Risks – Some of the risks associated with countries of operation would include -
· Macro-economic evaluation of the domestic economy;
· Extent to which government policies are conducive to competitiveness;
· Extent to which enterprises are performing in an innovative, profitable and responsible manner; and
· Extent to which basic, technological, scientific and human resources meet the needs of business.
Reputation Risk & Legal Risk
Though these are strictly not a part of Operational Risk, the sheer potential for disaster and the impact these events can have on operations make it imperative that they be considered as part of the potential Operational Risks in Outsourcing.
Perhaps the greatest risk of all in the e-business world is the harm to reputation and the catastrophic, unlimited financial consequences that could stem from liability claims by damaged stakeholders (customers, suppliers, shareholders, etc). As the Internet continues to evolve as a business tool, stakeholder accountability will be the prime motivator, and in certain events there is a possibility of criminal action.
Some of the horror stories could come true if –
· Firm secrets are stolen by a competitor and used against the Firm
· Productivity loss due to system crashes throughout the interconnected supply chain
· Public display of intimate & sensitive information by a hacker
· Loss of employee morale when internal hackers gain access to private human resource records
· Failure to fulfill SLA and impact on existing customer and vendor relationships
· Liability claims that result from digital risk exposures inherited from Firm acquisitions and outsourcing
Force Majeure events
This is one area where outsourcing can significantly decrease operational risks, as the probability of disasters occurring due to natural causes at two separate places at the same time is extremely low. A case in point is the natural calamity of the collapse of the Standard Chartered Bank data center in Mumbai a decade back, or the man-made 9/11 attacks. In both cases, the presence of significant outsourcing of data and processes played a major part in systems running within hours. An attack of the magnitude that World Bank suffered during 9/11 would have been far worse if operations were not running in parallel at Chennai, India and other places.



6. Measurement of Operational Risk in Outsourcing

Why measure? Simple: anything that cannot be measured cannot be improved. Unlike credit risk and market risk, Operational Risk is not very well researched and there are no one-size-fits-all software programs available for procedure definition, measurement and mitigation. Outsourcing as a concept is only a few years old, and very often there are lots of horror stories which tend to skew the available historical loss event data, leading to erroneous results. Overall, outsourcing presents a risk that must be managed within the ambit of the Operational Risk component of Basel II. As with all Operational Risk, the measurement of risk for the purpose of regulatory capital allocation uses the Value at Risk measurement. Operational Risk VaR is the amount that represents the maximum likely loss a bank or other institution is exposed to over a given time, with a specific level of confidence. This figure, which many banks allocate at the level of 15% of regulatory capital, is based on experience of operational failures over a given historical period.

As with all risk measurement techniques, the first step is to identify and draw up a laundry list of possible causes of failure. Having identified the potential sources of failure, and thus the potential risks, the second step is to measure the probability and impact of these risks. Newer operational risks are also identified, and such non-predictable events occur all the time, so there needs to be a clear policy for including newly identified risks, and measurement policies for their likely impact on the overall VaR.

There are no off-the-shelf tools or processes that can enable a Firm to measure such risks with any degree of accuracy. Thus there needs to be a clearly defined process for identification of stress points, impact analysis of such stress areas, loss given data for Probability of Occurrence etc., to enable a measurement guideline for operational risk in such business cases. This approach also makes practical sense, as most of these risks are very specific to organizations, to the outsourcing deals that they enter into and to the vendor parties. Thus there may be different stress points for different business practices outsourced, and with different vendors operating in different geographies across different time lines.

However, in addition to this figure the Accord will require Banks to track losses such as legal costs, loss of reputation and unrealized profits. Banks can approach Operational Risk "Top Down", which consists of seeking an overall measure, e.g. a percentage of gross income or a multiple of certain costs, without identifying specific risk events suffered by the Bank. But for any organization that moves on to the more advanced bases of measurement for Basel, an approach based on "Bottom Up" assessment of actual risks will be required.

The matrix can look something like this -


| Business Area | Possible operational risks | Functional effect | In-house | Outsourced | Probability of Occurrence | Impact | Singular VaR |
|---|---|---|---|---|---|---|---|
| Trade reconciliation | Data not updated | Trade failure | Medium (Quantify by using past data) | Medium (Adjust SLA to achieve business objective) | | | |
| Virus attack at partner site | Customer loss, inaccurate data, perhaps transaction losses | Entire outsourcing operation will be affected | High | Very High | | | |
| Attrition of critical manpower | Customer losses, trade secrets may be let out, key information non-availability | | High | High – maybe a bit less than In-house occurrence | | | |

7. Minimize Operational Risk in Outsourcing

Operational risk is generally a result of process failure and people related issues and thus can be minimized by systematically identifying stress points and mitigating risk issues if any.
7.1 Internal Readiness
The first question to be asked is: is the enterprise ready for an offshore outsourcing initiative? In order to ensure readiness, there are certain steps that need to be taken, which include developing communication plans and channels, getting senior executive sponsorship, assessing the portfolio of technologies and processes, preparing for remote management, taking the decision to outsource to another vendor or start a subsidiary, training for cultural differences, a lay-off plan, a re-training, re-skilling and re-deploying plan, etc. Some of the critical events could be tabulated as:

· Build vs buy decision
· Investment decision – huge investments generally required
· Clear understanding of what can be outsourced
· Start small, increase gradually, volumes & complexity
One of the key aspects is not to try to outsource very sensitive high-end customer service calls, or calls involving significant interaction with front office traders and institutional customers, before vendor offshore centers or subsidiary offshore operations have achieved sufficient maturity in terms of processes, knowledge transfer and people.
One of the rules of outsourcing is that if it can be codified, it can be done remotely and supported by IT. If it is still tacit and requires a lot of unstructured discussion, then it has to stay in the geography of operation.
7.2 Choice of vendor
One of the most common traps for large Firms that start outsourcing is to go for the equivalent large 3 or 4 companies in the outsourcing/IT/ITES space. The problem with that is that, though they may possess a great deal of experience in generic outsourcing, they may not necessarily have the right domain knowledge for the specialized part of the business identified for the outsourcing function, or the adaptability to make the necessary changes as required by the Firm. Thus it sometimes makes sense to actually locate smaller firms with definable functional skill elements and with the required credibility to manage processes, including legal issues. Also, smaller ones can typically be more easily molded to suit specialized processes and cultures. Some of the key parameters in choosing the right vendor include –
Location of vendor
Geopolitical Risk - border unrest, religious strife, political processes, government policies (taxes, duties, regulatory hurdles), and relations between countries, war, legal frameworks and probability of terrorist related incidents.
Socioeconomic Risks - Are the shareholders and the local community willing to accept the significant socio-economic gaps or will they see this as job loss to a lower cost sweatshop?
Vendor Landscape - Many offshore vendors lack maturity and focus and there is a great disparity in quality and processes. Sometimes, the number of suppliers (and locations) in the market also adds to the difficulty in evaluating vendors.
Cultural Differences - Cultural differences need to be managed on both sides of the value chain and often across oceans. There needs to be a defined process of knowledge management on both sides and a clear initial understanding of cultural differences, which need to be narrowed over a period of time.
Legal/Contractual – some of the key questions that need to be answered include –
- How can companies ensure that key industry regulations and standards are designed into the offshore solution?
- How can companies monitor and manage offshore compliance?
- What are the legal protections given to IPR related clauses?
- What are the legal consequences arising out of security breaches?
Internal Policies of vendor
Human Resource Policies – this is the key to the success or failure of any offshore vendor – how well the company manages its people, its attrition rate and quality of employees.
Knowledge Transfer - What is the best way to manage the transitioning of knowledge and key resources? Should a phased strategy be used to mitigate risk and manage productivity?
Change Management - Offshore deals require significant change management within the enterprise. How can companies effectively communicate and work with impacted employees in understanding and supporting the use of offshore resources? How should personnel and issues be managed to minimize the potential for disruption?
Communication channels – the vendor needs to have a clear process of communication, both internally and with the Firm, which needs to be geared for time-based, schedule-based and event-based impacts.
BCP/DRS - How can companies ensure they maintain flexibility and responsiveness in meeting customer demand? How do they maintain data security? What steps need to be taken to formalize offshore security and data privacy plans that comply with International standards like ISO17799 / BS7799, CoBIT, Safe Harbor etc.?
Pricing - How should companies manage currency and project scope risk? Should companies choose fixed pricing or time and materials? What are the key factors to include in arriving at fixed pricing?
Treasury - For long-term offshore engagement, treasury issues can be either a competitive advantage or a risk to the financial viability of the model. Companies need to build exchange rate fluctuations, inflation rates, interest rates and other treasury issues into their financial models. This technically is part of Market Risk but the country’s rating will have an effect on the forex rates which becomes part of Operational Risk.
Exit Planning - What happens if the offshore engagement does not work? What happens next? Companies need to invest time in building an exit plan to include answers to questions beyond IP issues. There needs to be clear financial models for exit, knowledge and/or resource transition plans, timing, who is involved, etc.
Domain knowledge and skill sets of the vendor
Offshore vendors are often lacking in domain expertise, industry-specific expertise and the ability to support multiple applications and/or business processes.
7.3 Tools and processes for comprehensive management control
Communication tools
One of the key areas of investment is good industry-standard communication tools, which can provide a collaborative workplace with the ability to take decisions instantly. Video conferencing tools can increase productivity besides controlling potential risk factors, and a consistently followed communication protocol will ensure unpleasant surprises are kept to a minimum.
Software Tools
Partners need a good CRM that listens to customers carefully and records and analyzes complaints to track early symptoms. MIS tools need to be used to constantly track performance, along with process tools for schedule variance etc. Near-real-time risk tools, which give top management a good snapshot of the risk status and performance of various departments, would be essential for minimizing operational risk probabilities.
Measurement of deliverables versus expectations
Specialized risk managers need to be part of the teams that evaluate the performance of vendors with respect to deliverables, to provide the risk perspective on the outsourced business function. It is imperative to have a powerful MIS tool in place that tracks any deviation from normal, and data collation needs to be a constant exercise. Collection of relevant data over a period of time might look costly and redundant initially, but later it can be a very powerful and sophisticated tool, not only to measure risk and comply with regulations but also as a competitive advantage in terms of process efficiency and decision-making. These metrics should not be vendor specific but job/process specific.
7.4 Benchmarking and frequent audits
Setting operational process benchmarks for errors and complaints and incorporating them in the SLAs is an essential task for monitoring the performance of the vendor. External benchmarks such as the CMMi levels for process definition or the P-CMM levels for human resource performance can serve as benchmarks for the same. Most of these certifications also need frequent audits for sustained process maturity.
7.5 Service Level Agreements
Some of the critical issues in an SLA involve understanding what the financial institution requires from its vendors and how to ensure that the minimum levels are met X% of the time. Next is how the processes and deliverables are built on a constant improvement cycle.
The key points could be
- Understanding needs - Minimum expected levels of service
- Protecting data and processes
- Insuring worst case scenarios
- Reward programs linked to achievement of certain base level agreements and bonuses based on the degree of performance above the base benchmark
- Penalties need to be clearly incorporated
- Continuous improvements on a defined time scale





8. Mitigation Plan

Though outsourcing, especially offshore, seems to offer banks and financial institutions significant benefits in terms of cost savings and conversion of fixed costs into variable costs, it is not without its own problems. Risk management is not free and is frequently regarded as a considerable cost center. Just as managing one's financial portfolio requires extra research, trading commissions and time, the creation of an outsourcing portfolio that balances risks and tracks return on investment requires data, analysis, constant monitoring and planning. Typically, companies pursue two strategies: engage multiple vendors, or engage a single vendor with an inventory of outsourcing facilities deployed in several geographies. To extend the financial analogy, just as many of us prefer a single, highly diversified mutual fund for our investments, Firms could consider using a single vendor with a broad geographic footprint and clear, demonstrable processes and risk mitigation mechanisms. That footprint addresses the geographic risk issue, while the single management structure at the vendor and at the client helps to maintain lower risk management costs, allowing companies to continue to achieve the high returns from outsourcing.
Understand – the first step is to understand the nature of the operational risks involved and to realize the probability of various risk types impacting the outsourced project or process. In Section 7, we have begun what could be an endless list of risks and risk types. Firms will need to start building their own, with varying degrees of probability and potential impact.
Measure – an arithmetic measure is the easiest and earliest indication that things are fine or going wrong somewhere. Financial institutions may use whichever VaR calculations they choose and track them effectively for even minor changes – they can use an advanced measurement approach, an internal rating approach or any simplistic formulae for tracking risk areas and monitoring expected impacts. In order to benefit from a reduction in regulatory capital, banks and other financial institutions have to demonstrate to risk managers that there is an effective decrease in operational risk in outsourcing, that major impact areas are identified and that back-up plans are in place.
Loss event database building – It is imperative to have access to a good loss event database to build an initial understanding of the total operational risk and the risk appetite of the Bank/Financial Institution towards the outsourcing process. This data needs to be constantly updated with further event types and event losses, and may also be reconfigured for changes in impact effectiveness due to changes in processes, external factors or relevance.
Report, Monitor, Manage & Improve – base risk elements need to be determined and base levels constantly monitored for either fall in delivery quality or defined parameters like
· Increase in Attrition
· Increase in end-product or mid-project errors
· Increased Fault tolerance to errors
· Training schedule variances
· Increase in Communication link failures
· Decrease in communication frequency
· Increased absenteeism
Reporting is an essential element, as it ensures that top management is kept abreast of the risk appetite and risk level of the financial institution.
Insure – essential to protect against worst-case scenarios



9. Does Outsourcing decrease overall Operational Risk?

Outsourcing in the financial services market may finally be coming of age. Financial services organizations continue to struggle with capital adequacy, operational costs, and the need to improve shareholder return. As a result, most industry analysts are predicting strong double-digit growth in outsourcing in the sector over the next few years, particularly for business process outsourcing (BPO). As recent contract awards have shown, companies that in the past may have thought long and hard about turning over the management of just small parts of their IT operation to services vendors are now outsourcing whole back office and customer-facing processes. And those that aren't yet doing so are at least seriously considering this as an option, even where processes previously considered core functions are involved.
Some of the areas where one can see a significant reduction in operational risk due to effective outsourcing could include -

· Lower risk probabilities due to better processes at the vendor site
· Benefits to the Firm due to process & operations improvement due to value-additions from vendors
· Risk alerts are more closely watched as the vendor is more liable than the Firms in some cases
· BCP & DRS at geographically disparate sites
· Knowledge transfer & wider availability of knowledge due to deployment of specialist personnel in the training function
· 24X7 – extended enterprises so better response time
· Improvement in technology has meant that systems can be maintained offshore making them less liable to failure on account of more personnel, better processes & 24X7 support
· People related security risks are minimized by good security policies
· Less probability of geographical risks & losses due to natural calamities due to several centers across the world

Regardless of the adequacy of checks and balances in vendor selection process, the FSA CP142 implies that effective risk management of any outsourcing to an operationally lower cost will “help to reduce direct losses to consumers arising from operational failures at firms” and mitigates the “frequency and impact of operational losses that may deplete a firm’s financial resources” that may possibly arise from potential loss of control over outsourcing arrangements. Therefore, any subsequent offshore operating model must be sufficiently robust to support integrated, end-to-end process execution, with appropriate controls in place for compliance and for managing business risks.

Companies can shift their geo-political risks as part of the overall Operational Risk Portfolio within lower risk tolerance levels while continuing to generate cost savings by performing a risk portfolio assessment and using the results to change their offshore outsourcing strategy. Using multiple service delivery centers in different geographies creates options and enables a company to transfer application development and support to parallel unaffected geographies in the event of an emergency. Operating different global support locations leads to the existence of more than one support center with knowledge of the in-scope applications and access to the associated data.


10. Conclusion

Case studies on failed outsourcing agreements are few and far between. This is generally understandable, as they demonstrate failure by both parties, and neither party would wish to publicize failures for a case study or for any other purpose. It is also because, to a large extent, outsourcing is bringing about significant cost and quality benefits to both the Firm and vendor companies. The overwhelming majority of outsourcing deals would appear to be driven by the outsourcing party's desire to deliver short- to medium-term savings; in consequence, economies of scale and the duration of the contract do not play enough of a part to ensure more than just medium-term cost savings. Outsourcing contracts that are long, properly framed and backed by long-term committed management buy-in from both parties can deliver significant results, not only in improved bottom-line performance but also in reducing the overall operational risks associated with all BFSI operations.

Such deals will then tend to place more priority and focus on improved quality of delivery and service, future upgrades and developments and less on immediate cost benefits to the parties. Thus the vendor will need to have the commitment to respond adequately to the ever-changing business environment, technology needs and functional demands of the Firms. The way forward could be a mix of outsourcing to different geographies to a mix of vendors to mitigate some aspects of operational risk associated with geographies, vendor performance and IP protection.

In the final analysis, it is probably only through offshore outsourcing deals which provide services in economies with a substantially lower cost base and mature processes that substantial cost-saving outsourcing deals can be conducted to mutual satisfaction. One clear example of such an economy is India, with its armies of software professionals working in software giants, many of which are certified at CMMi Level 4 & 5, its inherent strengths in terms of an English-based education system, and a vibrant democracy which calls for a free and fair legal system.

In many outsourcing deals the senior management involvement decreases when it moves to the operational mode. Cultural issues are more likely to be addressed and resolved through active participation in the operational aspects of the agreement. Senior management's active participation in the conduct of the operational processes, not merely the review and oversight of the conduct of the operational aspects, would identify risk and relationship issues earlier.

‘Outsourcing arrangements can actually reduce risk, however it is important that the regulator be able to satisfy depositors that all arrangements have had associated risks identified and mitigated’ – Graeme Thompson, CEO of Australian Prudential Regulation Authority (APRA)

1 comment:

Najmuddin said...

Wow, well said :)
