Today’s increasingly rigorous regulatory environment fundamentally changes the game for both buyers and providers, and presents a range of significant challenges. Clients remain responsible for third-party oversight and are ultimately liable for breaches; for service providers, meanwhile, demonstrating “compliance readiness” is becoming a table-stakes capability for competing in the marketplace. And this is no longer an issue just for financial services, where regulatory pressures have long been front and center; a growing number of industry sectors now place third-party risk management among their top priorities.
Ensuring adherence to regulatory standards throughout the service delivery chain carries significant implications for contracting, reporting and governance. More specifically, due diligence has become a core component of the sourcing lifecycle and of doing business. Consider the evaluation and selection process: clients send out multiple detailed questionnaires requiring substantive responses on alignment with regulatory mandates, and conduct thorough site visits and audits that generate multiple rounds of follow-up questions and requests for additional information.
While onerous for clients, the due diligence process places intense pressure on providers, who must devote resources to responding to client inquiries that, while standardized to some extent, typically require a significant amount of one-off work. Providers who fail to respond quickly and thoroughly, meanwhile, raise red flags and sow doubts about their capabilities.
Clearly, the task of adhering to today’s strict regulatory mandates is nobody’s idea of fun. However, there is a bright side: the exercise of ensuring regulatory compliance can lay the groundwork for an effective governance strategy and play a key role in enabling a successful partnership. Traditional outsourcing relationships that lack transparency and clearly defined roles and responsibilities often devolve into situations where the services delivered don’t align with contractual terms. From the outset of the agreement, neither party is diligent about tracking or reporting, and over time the relationship settles into a comfortable, if sub-optimal, pattern. The problem is that at some point the client team decides to enforce the terms of the agreement. When that happens, the provider team finds itself scrambling for additional resources to fulfill long-overlooked contractual requirements. Client trust erodes, and so does the provider’s margin.
Today’s strict regulatory and third-party risk management requirements make this scenario less likely by forcing organizations to adopt the discipline needed for effective vendor management, discipline that is often lacking unless imposed by external forces. By driving transparency and rigor into sourcing relationships, compliance mandates are undermining the old-school “keep the contract in the drawer” approach to outsourcing, and that is a change that benefits both parties.
Third-party risk management will be a featured topic on the agenda at Collaborate 2016. This event, which will be held November 2-3 in San Antonio, TX, brings together service providers, Alsbridge advisors and clients to discuss a wide range of sourcing and industry topics. I will be joined at the event by Nicholas Smith, a Partner at the law firm of Milbank, Tweed, Hadley & McCloy, to discuss the implications of third-party risk management requirements for service providers.
About the author
David offers over 25 years of experience in information technology outsourcing, with extensive experience in vendor management and change management advisory services. David has provided outsourcing advisory services for a number of clients, supporting RFP development, provider selection, retained organization design, vendor governance and obligation management.