But many clients of outsourcing service providers are themselves in regulated industries - indeed, arguably the greatest take-up of outsourced (and offshore) business process services has been in regulated industries such as financial services and utilities.
Regulators have therefore taken a keen interest in the implications of outsourcing and offshoring for their members, particularly with regard to operational risk and the potential impact on their customers.
Other industry sectors can learn a great deal from the way the regulators have addressed this issue - their guidelines are pretty close to a good practice summary for any outsourcing arrangement in any organization.
Take the UK Financial Services Authority Handbook, which has recently incorporated additional requirements due to the new European-wide Markets in Financial Instruments Directive (MiFID).
This sets out standards that any organization should meet in their outsourcing arrangements.
A few pertinent examples are summarized below, with my comments in brackets:
- The need for a written contract setting out the respective rights and obligations of the client and the service provider (one would hope that most organisations have understood this by now)
- Robust governance arrangements in place (the "g" word is now of course the current hot topic in the outsourcing world)
- No delegation of senior personnel's responsibility (i.e. outsourcing is a means of delivering, not an abdication of responsibility)
- Service provider must have the ability and capacity to perform the services professionally (and therefore the client is responsible for carrying out the due diligence to find out if they have)
- Client must establish methods for assessing the standard of performance of the service provider (so no more SLAs which never get monitored or even drafted)
- Client must retain the necessary expertise to supervise the outsourced functions effectively (which means that the work cannot just be thrown over the fence)
- Client must have the right to terminate where necessary (note this is a "right", which means it must be addressed in the contract)
- Contingency plans for disaster recovery must be in place and be periodically tested (no good just having vague assurances in the contract).
Whether or not these standards are generally adhered to in the outsourcing arrangements in place in the financial services industry is a question for those organizations, the FSA and other regulators.
But regardless of this, the questions these standards raise apply equally to any significant outsourcing of what the FSA calls "critical and important" functions (which would certainly include IT, Finance and HR) in any industry.
Regulators and regulations tend to get a bad name.
But in this case they seem to have it about right.
Anyone in any industry either considering outsourcing or wondering how good their arrangements are could do worse than check out SYSC 8 of the FSA handbook for a start.
And for those organizations outside financial services considering outsourcing or offshoring but who are worried about the operational risk, this should provide much comfort.
Responsible regulators have sanctioned the outsourcing and offshoring of much complex processing in the financial services sector, with a major, critical proviso - it must be done properly.