Outsourcing risk management

Anthony Kruizinga Partner, Risk & Regulation lead, PwC Netherlands 09/06/21

Do what you do best, let others do the rest

During recent client conversations I have observed a rapid increase in questions on outsourcing risk management activities. Simultaneously, in those talks I also hear quite some scepticism - or concerns - about the viability of such an undertaking, not to mention the limitations caused by strict regulatory requirements.

With the intention to balance the diversity of voices, I invite the sceptics to foster the spirit of 'whatever you think, think the opposite': if you were to forget all limitations and challenges for five minutes, could you come up with reasons for outsourcing parts of Risk?

In this blog I will explore how outsourcing can act as a driver for cost reduction and value creation within risk management, echoing my earlier blog on harmonising the ‘cost out’ with the ‘value in’. First, I’d like to talk about outsourcing - and potentially offshoring - high volume and operational tasks. Then, I will look into sourcing scarce expertise for more strategic Risk activities, and the option of having third parties perform this work ‘as a service’. Finally, I would like to touch upon your role in embracing this opportunity as a Risk leader.

Back to the roots: why outsourcing makes sense from an economic perspective

Personally, I take great pleasure in gardening, but I am not too modest if I say that my gardening skills are moderate. Or so people tell me... From a purely economic perspective, it made more sense for me to choose a profession about which I was also passionate, and in which I could make a difference. So, I ended up studying computer science. (As life unfolded, I found myself in Risk Consulting; that story is perhaps better shared at another time.)

This example illustrates the principle of comparative advantage, which is key in the context of outsourcing. Many can perform standardised routine work, but few have the unique ability to oversee and effectively manage risks at your organisation. I often encounter Risk functions with risk managers who have an abundance of energy, experience, knowledge and potential, but spend their days doing mundane tasks instead of work which fits skills and allows them to use their expertise to the maximum. A pity, wouldn’t you agree?

Outsourcing and offshoring high-volume operational tasks 

Recurring operational activities in the Risk domain such as periodic control execution, testing and monitoring, producing standard risk reports, model monitoring, model validation, running periodic stress tests, customer due diligence and transaction monitoring are activities which can typically be outsourced. Most of these activities are predictable, scalable, and can be planned upfront well in advance, making it easier to engage parties other than your core team.

Besides comparative advantage, competitive advantage also plays a role here. Organisations in all corners of the world can perform this type of operational work quicker and cheaper than your company, while delivering higher quality due to standardisation and specialisation. In this respect, competition and the commercial tension between the outsourcing party and the service provider is likely to lead to increased levels of innovation and automation, because  the provider will want to - and will need to - perform tasks in a more efficient manner. 

Contrary to common belief, in my view standardisation and automation is not a prerequisite for outsourcing such tasks. Service providers whom you outsource operational tasks will only benefit from such an cooperation if they perform these tasks more efficiently. They have an inherent incentive to standardise, innovate and automate. Therefore, it is essential that you have the right contract and remuneration structure in place, so that the service providers are effectively motivated to do the work cheaper, quicker and better. This results in a win-win situation, making outsourcing successful. You steer on output, quality and costs. 

You can also 'outsource' activities to an entity within your organisation by creating a centralised 'shared service centre'. This centre is usually located in another country, with a good labour market and an adequate technical infrastructure, but with lower labour cost levels. This is a viable option, especially for larger international establishments. On another note, I do observe that  'near-shoring' to countries closer to headquarters is gaining ground over 'off-shoring' to countries farther away. This is due to concerns about working conditions, human rights, ecological footprint of employees travelling to the outsourcing location, language and cultural differences and ultimately, also time differences. These are also important factors to consider when choosing a third party.

How do you identify viable options for outsourcing?

It is essential that you determine for yourself which processes you would like to innovate and automate yourself, and which ones you prefer leaving to a third party. To decide which activities to outsource, compile a ‘catalogue’ of the risk management products and services you deliver. Subsequently, articulate who your internal customer is, and what the costs (and if possible, the value) of that product or service are. This will give you an initial insight in  potential cost reductions. Comparing your organisation to peers whose business model is similar to yours may help you substantiate your analysis. 

Subsequently, you can refine your list of products and services by considering options for “rationalisation” (what can we stop doing, e.g. how can we eliminate redundant controls), options for automation and possibly outsourcing. For all these choices, I suggest that you make a concise and clear business case, in which you weigh investments and transition costs against savings, considering the time in which you want these savings to materialise. If outsourcing seems to reap the most benefit, it is time to kick off the third party selection process.

You cannot outsource your responsibility

Do note that you can only outsource the execution and optimisation of Risk tasks, but you can never outsource the responsibility. The ownership of the risk - and the final responsibility for the control thereof - will always remain with you. And regulators (and I am sure also your shareholders and other stakeholders) will hold you accountable, no matter what you outsource operationally. Outsourcing therefore requires you to develop some important new skills such as contracting and managing your service providers.

Risk as a Service

I often have conversations about the need to make risk management more efficient. At the same time, more and more specialist skills are needed in Risk. Risk management is a complex subject that requires deep technical skills. It is difficult for Risk teams particularly in smaller organizations to attract the right talent with quantitative, technological or other specialised skills, such as managing cyber risks, climate risks and behavioral risks. The demand for these experts is currently already greater than the supply. 

That is why I believe that, in addition to outsourcing routine tasks with a high volume, it can also be a consideration to (temporarily) bring in specialist expertise through third parties. These parties oversee the developments in the sector and can put your risks in an 'outside-in' perspective. They can constitute a flexible layer of experts that you can scale up or down as needed. You can also choose to build a new competence in your team with the help of external expertise.

To go a step further, many organisations, except maybe for large ones, do not have the technological capabilities (think of the computational capacity required for complex modeling and data analysis) to do state-of-the-art risk management and derive value from their 'big data'. There are now parties that can do that for you - under the umbrella of ‘Risk as a Service’ - by deploying new innovative technology and outsourcing risk data to the cloud. By opting for RaaS as a permanent solution, you can also reduce your investments in IT infrastructure, applications and licences.

So, what is it that you do best?

You may ask yourself - if this is what the future holds, what will my core Risk team continue doing in-house? You as a Risk professional define the risk strategy, oversee the risk landscape you are facing, continuously evaluate what you and your team are good at, and what the associated costs are. As such, you can pinpoint which activities are better left to others. 

This may require a paradigm shift, at the same time, the idea that core activities need to remain in-house is behind the times. We’ve gotten used to it, but in a rapidly changing world where most organisations are becoming part of an ecosystem, you need to concentrate on what you are the best at. Some firms will focus on client relationships, others may excel at operational execution, and yet others could stand out by offering a technology platform.

To spark further discussion, as an engineer-turned-consultant I would like to ask you a thought-provoking question: if NASA can outsource rocket building, why can’t your organisation outsource risk management?

Playback of this video is not currently available

0:02:06

The transformation of risk management

Improving risk and regulatory strategies

The COVID-19 pandemic has accelerated the speed at which risk events occur and the extent to which they spread. Risks that once seemed remote and improbable have become the norm. Organisations are looking to cultivate a new trait: resilience. They are adopting a proactive approach in order to be prepared for these changes and to be able to respond to new laws and regulations.

Is your approach to risk fit for the world of tomorrow?

Read more >

Contact

Anthony Kruizinga

Anthony Kruizinga

Partner, Risk & Regulation lead, PwC Netherlands

Tel: +31 (0)61 308 76 37

Follow us