risk, opportunity, and the service organization
Specialist information technology services organizations play a substantial role in regulated industries such as finance. These service organizations make their living by providing the expertise, flexibility, and speed in developing information-based solutions within their niche that their clients often simply can't match in-house. But they are now coming under new pressures. IT processes, standards, and technologies have improved so drastically that continuous excellence in service delivery is simply expected. At the same time, regulators, auditors, and boards are becoming more aware of the hazards that arise when regulated firms transfer operational risk to service organizations.
This propels regulators to establish risk management guidance on outsourcing arrangements that sets the bar for service organizations at the same level as the regulated firms themselves. Regulated firms effectively push portions of their regulator-mandated enterprise risk management regimes down to the technology service organizations that serve them.
In turn, service organizations, even small-scale operations, are adopting annual external audits to provide evidence of effective enterprise risk management. For service organizations to adapt to the new requirements and thrive in their regulated marketplace, one solution is to adopt enterprise risk management through an initiative of risk-centric process improvement.
And I believe that this allows enterprise risk management practices to unlock new opportunities for service organizations. First, a look at what’s involved.
What
For a technology service organization to obtain a clean third-party audit, it must meet or exceed standards in several areas, for example:
- Executive: setting and communicating objectives; monitoring performance and directing improvements; establishing service level agreements; business continuity planning; and risk-aware strategy planning.
- Human Resources: background checks; hiring, management, and termination policies; code of conduct; and site security.
- Production management: the software development life cycle; the service desk function; and identity and asset entitlements management.
- Data management: information classification; data retention and disposal; data and data-processing integrity.
- IT: disaster recovery; technology standards; information security management; systems availability, capacity, and performance management; version & package management; entitlements custody management.
- Internal control: internal audit; operational risk management; policy management.
It's a broad list, but also a deep one. Regulators are directly referencing complex and prescriptive guidance such as the AICPA/CICA "Trust Services Principles and Criteria", whose criteria translate into hundreds of controls that a service organization must design, operate, and evidence.
Who
The skill-set required to effect these changes isn't necessarily the same skill-set already possessed by a service organization's management team. Given the daunting scope and complexity, an outside change leader may be required.
How
Complicating matters, the field is currently in flux. Some evolving trends include:
- The establishment of new standards for third-party audit reports (e.g. SOC 2) for demonstrating competence in operational and information risk management.
- Greater reliance on legal remedies as a means of resolving disputes.
- Changes to standards in information systems management (e.g. COBIT 5), information security (e.g. ISO 27001:2013), and risk management (e.g. ISO 31000:2009).
And after all the effort, expense, and change imposed, after adopting new standards of performance and entering a perpetual cycle of audit and remediation, there is still no guarantee of success. The auditors, not the service organization, decide when their requirements have been met.
So it’s worth looking at the opportunity that lies on the far side of all of this work. What are the payoffs?
And finally, the most important question: Why
Speaking from my experience in the field, integrating risk-centric business practice improvements into a business strategy can:
- improve customer satisfaction and reputation,
- free up executives' time by minimizing ad hoc decision-making within routine processes, and
- speed up the sales cycle.
Here's how I believe it works. Initially, a process improvement initiative exposes the differences in expectations, assumptions, and interpretations behind existing processes. Eliminating those differences lets the firm adopt a unified way of thinking and a consistent standard of behavior. That in turn supports a culture of excellence, and a competitive advantage based on processes that are not merely improved but (in the words of Michael Porter) "fit" together and are hard to copy.
Without the sort of demonstrable excellence that stands behind an audit report, a sales journey within a regulated firm can run through a series of gatekeepers similar to those in the image below. But a service organization armed with an audit that's backed by genuine internal excellence and a unified vision can bypass the gatekeepers and engage the client's decision-makers in the sort of conversations that really matter.

Simply having the auditor's report conveys to your prospects that you're speaking their language. But meeting their needs at every level earns and keeps a client's trust and builds "brand" with every interaction. A focus on the customer is the most powerful way of winning and keeping that customer. This sounds like marketing talk, and deliberately so: marketing experts understand the importance of a consistent message of excellent results. And what is an audit but proof of consistency?