Source for the goose?
Operational Risk - June 2004
Regulators used to give the impression of approaching outsourcing as if armed with a clove of garlic and a stake in case they had the good luck to meet it at a cross-roads. It represents an abdication of responsibility, they cried ("Oh no it doesn't", we cried back), or a way of running the firm on the cheap or, at best, an abdication of control and was therefore, in the words of 1066 and All That, "a Bad Thing".
The counter was, of course, that firms thought it better to keep on doing what they did best, and to pay others to do what they did best. That way service standards go up and everybody plays to their strengths. And the regulators seemed to chill out. The FSA's guidance became more neutral in tone. Outsourcing was no longer a Bad Thing, but something to be managed.
Now, though, the European banking supervisors have published their draft principles (1) and life has got difficult again. Perhaps that's for two main reasons. First, the old suspicions of outsourcing obviously die hard. Second, we are back to our old friend 'home-host', the subject of my last column. I must admit the Basel Committee's paper in early May made me think this particular water was becoming safe to go into. Now I'm not so sure.
But let's deal with the suspicions first. It's interesting to see what's in and what's out. If you read the vast literature on the subject (where incidentally the PC word is 'sourcing' not 'outsourcing', which is really the opposite but helps to confuse the issue) the received wisdom is that you outsource non-core functions and retain the core. Which is how the regulators see it too. So you can outsource business processes, but you can't outsource risk management, for instance. Reasonable, but also restrictive. Why should outsourcing be limited to process? And why not outsource risk management, especially those elements which directly relate to a product - plastic cards, mortgages, or whatever - if you're effectively white labelling?
Where it all gets particularly interesting, and where we stray onto home-host territory, is where functions such as risk management are performed on a group-wide basis, as with other utilities, such as IT and HR, which run a group's infrastructure. The Basel paper helpfully recognises the inherent conflict between the responsibilities of regulators to supervise the legal entities under their jurisdiction and the fact that international banking groups run themselves on business, functional or regional lines and not on the basis of legal entities within national boundaries. So Basel quite rightly says that the problems should not be insurmountable and encourages lead supervisors to lead. Were the European colleagues sitting in the same room? It's rather like British Rail. Just when you've got a joined-up system, somebody comes along and tries to split it into its myriad parts. The Fat Controllers rule!
Nor is it clear in the CEBS paper whether practice is different between intra-group sourcing and third-party outsourcing. Or whether there should be a difference between outsourcing to regulated or unregulated entities. It's all very complicated. And that's without trying to work out where all this fits into Gross Income, or any other capital measure.
But let's keep things simple and look at how we're meant to control those nice people who are handling the whole of our clearing or our IT. The rule here appears to follow the Sarbanes-Oxley prescription, which means that auditors could be in for a bonanza. External auditors must be able to certify a supplier's compliance. But that can probably only be done by the supplier's auditor. So the outsourcing firm's auditor assesses the certificate they've received from the supplier's auditor, audit fees go up and the auditors, who thought they were down to their last yacht, following all the unbundling of the last few years, have smiles on their faces again. Happy days.
Mind you, if you weren't smiling yourself, having just received the fee note, take a look at one requirement, which could stop the whole outsourcing industry dead in its tracks. It's the quiet thought that firms should effectively be able to in-source, if need be. It's one thing relying on a supplier's business continuity plans in case of crisis. Quite another to take the process back in-house if the supplier fails in delivery or fails entirely. That's a big task, and one which should make firms seriously ask whether they can afford both to outsource and to maintain that kind of contingency back-up.
What the issue also highlights is the lack of alignment between regulators' and firms' interests. If outsourcing is essentially a Good Thing, which I believe it is, then it needs to be managed properly by firms, but in a way which suits their risk management and business organisation, and not in ways which slavishly follow the regulators' prescription. What's sourcing for the regulatory goose is not sourcing for the business gander.
John Thirlwell - Director, Operational Risk Research Forum. The views expressed in this article are those of the author.
Note: (1) Committee of European Banking Supervisors (CEBS), CP02 High level Principles on Outsourcing (May 2004)