I have attended a round table session organised by the Dutch chapter of ISACA. Antal, the presenter, did his best to show how compliance can influence the outsourcing relationship.
At the end of the presentation Job, the host, concluded that this was a complex subject and that more time could, and should, be spent explaining all possible consequences. Sorry, but I disagree with that conclusion.
Compliance is a requirement and non-compliance is a risk. What does this mean in a demand-supply relationship (a.k.a. customer-supplier relationship)?
As the demand partner, the customer is accountable for identifying both his requirements and his risk acceptance levels. In case of compliance the customer should identify:
Which rules and/or regulations apply to the service agreement
How he wishes to be assured about the compliance with the individual rules
What is his risk acceptance level of non-compliance
There are many rules and regulations in this world: SOx, HIPAA, PCI, Information Security (compliance with internal rules and regulations is just as much compliance as compliance with external rules), Data Privacy, etc.
Compliance requirements form part of the integral requirements set that the customer hands to the service provider; this accountability cannot be transferred. In the same way, the method of assuring and reporting the compliance status forms part of the compliance requirements.
Working with an outsourcing partner does not make a difference on these points. And then there is the third point: acceptance of the non-compliance risk. In theory, if we had unlimited resources we would be able to completely mitigate risk so there is no residual risk.
In practice, the best (and probably only) way to achieve this is to stop all activity of the organisation (i.e. go out of business). So it starts with your cultural attitude towards risk. I was working for a financial institution during the SOx glory days and their attitude towards compliance could be described as follows: “We are a financial institution. The trust of our customers, based on our reputation, keeps us in business. SOx compliance failure is not an option.”
And believe me, they put their money where their mouth was; I was very impressed with that effort. Another company, also on the SOx compliance ticket: “Our reputation with the financial world has been tarnished because of mistakes we made in the past. We will use SOx to show and prove that we have learned from our mistakes and (if possible) wipe the slate clean.” And again: “SOx compliance failure is not an option, we do not even want it to be a close call”.
They also backed that statement with the necessary resources. On the other hand, there is the story of another financial institution. That story is written in a Dutch book called “De Prooi” (The Prey). It is about the Dutch ABN Amro bank, a global bank that struggled and was finally sold in parts.
From a governance perspective this is an absolute “must read” in my opinion, among other reasons because it describes how mistakes in governance, risk and compliance management were amongst the root causes of the failure of what was a great institution.
The book describes how the bank had a “cavalier” attitude towards compliance and, after repeated warnings, was punished by the US financial authorities. The point I am trying to make is not that you should do everything to comply, but to think: What is the risk, what is the cost of non-compliance? In money, reputation, etc.
This is nothing new; these are the questions you can also read in “Risk Management for dummies”. However, you are not supposed to think it, let alone say it, but at times it might be worth taking the penalty for non-compliance since the cost of achieving compliance is ridiculous compared to the penalty.
I have never heard it stated but I have seen situations where the organisation was clearly non-compliant (and that fact was known to those who should take action) yet it was decided that no action would be taken.
When the cost of compliance is internal to the organisation (even if it is another department) most people understand this trade-off and will act accordingly. But somehow, when a third party is responsible for remaining in compliance, the customer often forgets: compliance costs money.
Since third-party outsourcers are not in business just for the fun of it, they will transfer the cost of compliance to their customers. If they don’t, it is even worse: they are likely to go out of business. So from the perspective of the demand side: be clear about what you want regarding compliance for your service and why you want it, and do not go overboard. Every extra costs money.
Now to the supply side. As with any good outsourcing deal the customer should clearly specify what he wants, not how the supplier is supposed to provide it! If I walk into a car dealer, do I get to tell the dealer how to run his business? Can I order the manufacturer to build his assembly plant in a certain way?
Not exactly. I can tell him, for example, that the car should meet the European Union road-safety regulations, as I want it delivered in Europe and I want to drive it there. When I walk into a US car dealer, that might pose a problem for him.
Chances are I am the first customer ever to ask him that question, so if he decides to take my order he will have to investigate what the rules are and figure out how to change the car (and the service that goes with it). If he has to go through all that trouble just for me, it will be very expensive.
This is where a smart outsourcer can make a difference: if you have a lot of customers all wanting cars for the European Union, you might set up a special assembly line just to comply with those rules.
Once you have done that, you walk over to the European authorities and get a seal of approval for the complete assembly line. As a result you do not need to prove compliance for each individual car produced.
The tool to achieve this for an outsourcer is called the SAS 70. The external auditor of the outsourcer supplies a statement that the outsourcer has implemented sufficient control to meet named control objectives.
If the control objectives the regulator wants the customer to meet are amongst those on the named list of the SAS 70, he may use that statement as proof of compliance towards his external regulator.
A SAS 70 expert might have issues with my layman’s explanation of a SAS 70, but in broad lines that’s how it works. So if you are considering outsourcing your compliance-sensitive services, look for a partner that already has knowledge and experience with the regulations you need to comply with; you might be able to achieve considerable economies of scale and thus cost savings.
By Arno Kapteyn