We pick up where we left off on one of my recent blog posts: Outsourcing: Insights on Reaching the Decision, for that’s where oversight truly begins. To review, the key drivers for asset managers to consider in outsourcing middle- and/or back-office operations are: profitability and efficiency; growth and complexity; enhanced data management capabilities, transparency and risk mitigation.
Let’s focus on the last one: risk mitigation.
An asset manager may outsource processes to limit risk. However, the transfer of functions from in-house to an outside source can trigger its own set of risks.
This is where oversight comes in.
In our context, oversight refers to the set of activities to review middle- and back-office processes and output of a service provider. The purpose is to seek to avoid financial and operational errors that may incur reputational risk.
Oversight, when done well, represents the difference between a successful deal and an ordeal.
This is to say: Outsourcing and oversight should go hand-in-hand. In fact, an asset manager’s risk-based oversight program should evolve as part of the outsourcing decision process.
Here are the basics of building an oversight model.
Gear Up with a Risk and Activity Analysis
An asset manager should start by focusing on the functions to be outsourced. The service level agreement (SLA) is a good place for the team to assign operational risk(s) to each outsourced process and then the relative ranking. Accenture recommends using a matrix that lists each function, the risks, the likelihood of an error and degree of oversight needed. Firms should get as granular as they need to in listing the functions. And the more serious the risk, the higher the level of oversight it should receive.
This upfront step lays the foundation for the risk-based model. It determines the oversight actions required to limit risk and derive quality output from the service provider.
Inputs include identifying and assessing:
- Key processes tagged for outsourcing
- Volume and complexity of funds/accounts
- Strengths and weaknesses of the service provider
- Associated key business risks with likelihood of an error and impact
- Controls and procedures used by middle- and back-office providers
- Capabilities of internal and external technology architecture
Oversight considerations: What can go wrong? What is the likelihood of something going wrong? What is the impact? Where should checking/reviewing spend the most time?
Sharpen Your Pencils: Set the Framework
Insights garnered from the first step fuel the next. With all of this in place, the oversight team can begin to map out the oversight architecture.
The details of a service provider’s processes and controls constitute important information to factor into the model. For this and other reasons, the design team and service provider should maintain a strong working relationship. To do so, ongoing communication and collaboration is critical.
This phase establishes program elements, including:
- “Green-light” criteria ─ standards for the service provider to prove proficiency
- Structure of day-to-day oversight activities and reporting requirements
- Monthly/quarterly senior management forums
Realign and Reassign Staff
Both outsourcing and oversight require transitions. For the latter, this step addresses an essential success factor for a risk-based model. It moves from a processing-centric environment to one that performs selective reviews of service provider output.
This might require an asset manager to recast its operations staff from “doers” who produce output to “reviewers” who analyze it. Human factors can present barriers to effective oversight, such as cultural resistance to change. That, in turn, calls for strong leadership with management commitment.
To do’s include specifying the number of resources assigned to oversight and the right level of experience of in-house staff assigned to oversight.
Oversight model development begins during the due diligence phase of an outsourcing discussion… and continues for the life of the arrangement.
Get Ready to Power Up
Plan, plan, plan! Before taking the oversight model live, an asset manager needs to put an implementation plan in place. This critical step outlines and prioritizes major initiatives for the new environment. It describes policies and procedures for oversight tasks. It spells out tolerance levels, responsible parties and oversight activity frequency. And it includes an estimate of the resources required to implement recommendations and the timeframe.
Again, work from the SLA to inject accountability and outline:
- Responsible parties
- Escalation policies for service provider outputs
- Items required from asset manager, e.g., trade files
Keep It Open and Ongoing
New risks surface all the time. That’s why an oversight model is an evolving and changing process. With that in mind, once the risk-based model goes live, so does the need to evaluate risks and activities… continuously.
In all, the reasons for using a risk-based oversight model are as many as the potential rewards. It bridges the asset manager and service provider. It also helps to achieve the cost savings, scalability and efficiency, which drove the outsourcing decision in the first place. And, when successful, it keeps key stakeholders happy and out of trouble.