Should You Outsource Your Risk And Compliance Activities?

Simon Persin

It’s a fact that the management of risk and compliance is becoming increasingly complicated. The compliance function requires more skills, experience, and knowledge than ever before – especially with the growing regulatory complexity that compliance teams need to understand and navigate.

This complexity also increases the importance of having capable specialists managing this function on behalf of your organization, which places even greater pressure upon the recruitment and retention of these sought-after resources.

As a result, more and more organizations are again looking to outsource certain aspects of their compliance workload – turning to third-party suppliers for support. And, as compliance has grown tougher to manage, the compliance solution market has evolved in response, with new services and tools designed to help.

The starting point is to ask these key questions: Does it make sense to centralize some of your compliance activities? Is it viable to automate more of them? And is it possible to have a third party in place to support an internal, centralized function – to operate and police some of the more routine compliance tasks?

This post will explore the pros and cons to help you decide what is right for your organization.

The benefits of outsourcing

Thanks to the increased focus on compliance, there is now a shortage of talent and skills in this discipline, with many organizations struggling to fill posts and cover absences in their internal teams. Bringing in external help alleviates this pressure, as you can quickly plug any gaps to build a fully resourced, blended team – rather than relying on an over-stretched team, which may lack key skills.

As well as relieving pressure on your internal team, outsourcing compliance can also save you money. Paying an outsourcing firm doesn’t always work out to be less expensive than handling everything yourself; however, the work is often done better. That’s because these companies specialize in delivering just one or two services for multiple companies. Savings are possible, too: economies of scale and a clear operational focus mean they can offer a very competitive rate.

Outsourcing can also provide you with much quicker access to more sophisticated systems – such as compliance analytics – that you would otherwise have to pay for or develop in-house. An outsourced solution can also save you a lot of time, as it’s your outsourcing partner’s responsibility to stay on top of all the latest regulations and rule changes, freeing up your own staff to concentrate on key compliance projects or remediation activities.

For many internal teams, it can be comforting to know that external expertise is immediately available should it be required. It’s also useful if the third party proactively recommends improvements and shares best practices with the compliance operation, based on its exposure to many other clients and its visibility into what is working for them.

The challenges of outsourcing

Fear of the potential loss of control is typically what prevents many organizations from outsourcing aspects of risk management. Ultimate accountability for noncompliance will always remain with you – the client – which is why many choose to keep almost everything in-house.

Many feel that through outsourcing, management becomes one step removed and, as such, standards may slip. Others worry that the service provider may not deliver to their expectations, and that the result will be more than just poor service, as any subsequent fines will only compound the financial impact of your partner’s subpar performance.

Nevertheless, many of these concerns can be alleviated if all the right governance structures, KPIs, shared systems, and communication frameworks are in place between both parties.

When considering outsourcing, it’s likely that you will face resistance from your internal compliance team. They are already managing the process and may well be against the idea of third-party support, fearing that their jobs may be diminished in some way.

However, it’s important to remember that outsourcing is about supporting existing in-house functions, not replacing them. Your in-house team will still have a huge role to play, not least in overseeing the outsourced work. Again, ultimate responsibility for the compliance process must rest within your organization, and transparency and real-time reporting are critical components of the relationship. This is where some of your internal team’s freed-up time would likely be spent. Outsourcing is often less about removing the internal team’s responsibility and more about avoiding the additional cost of growing the team to take on more and more activities as the scope of risk and compliance grows.

So, it’s important to bring your in-house specialists on board and make it clear that their role is not under threat. Have discussions and initiate a process that looks at where a third party can complement existing skills and alleviate pressure and where activities should certainly be retained.

There may still be a question mark over an outsourcing partner’s ability to understand all the relevant complexities and nuances of your operation. While it is important for your partner to understand your business and your compliance obligations, there are certain transactional activities that can legitimately be centralized and run by a third party without being an industry expert.

It’s typically audit and regulatory expertise that’s most needed from a third-party provider, which is then enhanced with specific business knowledge from your in-house team, as and where necessary.

Finally, outsourcing compliance has the potential to present data-security risks, as sensitive information could become accessible to people outside your organization. As such, you must make sure that any third-party compliance provider takes all the necessary steps to protect the security of your data. You can also invoke SSAE16 standards in your contracts, ensuring that the appropriate delegation of responsibilities specifically mandates that particular activities, reporting, and GDPR obligations (for example, data-transfer agreements) are agreed upon – therefore appointing your provider as a legitimate data processor.

In summary

Compliance outsourcing is not an option for everyone. In some organizations, compliance activities must be kept in-house due to organization strategies, policies, or internal beliefs. But an increasing number of organizations are finding that outsourcing helps to manage the increasing burden of compliance.

It may take courage to challenge the traditional in-house approach to compliance, but there has actually never been a better time to consider outsourcing. This is because the compliance solutions market has evolved in response to rising demand, with more suppliers in the sector than ever before and new services and tools becoming available all the time.

It’s true that establishing successful outsourcing is not an easy process, and there is certainly no one-size-fits-all solution that’s right for every firm. However, by initiating a process that looks at which compliance activities to outsource and which to keep in-house – and carefully considering the pros and cons in each case – you can achieve a balanced in-house/outsourced model that is right for your organization.

This article originally appeared on Turnkey Key Insights Blog and is republished by permission. Turnkey Consulting is an SAP silver partner.



About Simon Persin

Simon Persin, director of Operations at Turnkey, is an experienced SAP enterprise GRC and security solution architect. He works with major blue-chip clients to design, review, and implement risk, controls, and compliance solutions. Simon leads Turnkey’s global delivery capability, helping customers shape their security, risk, and compliance requirements into solutions that deliver the most business value. With extensive experience in SAP security and GRC solutions, Simon is regularly called upon as an expert adviser and as a regular contributor/speaker at industry events.