Compliance and Outsourcing

Filed in archive Outsourcing Issues on February 11, 2009

Photo courtesy of iStockphoto, Image# 6537396

In a recent article, Karen Wilson of Citadel Compliance Group LLC describes compliance issues and concerns that arise during outsourcing and offshoring transactions. The article, intended for both outsourcing and compliance managers, highlights specific compliance concerns and maps them to particular aspects of outsourcing transactions. This is an interesting article that should be read by any manager involved in outsourcing or offshoring.

That being said, Ms. Wilson does not discuss one critical difference between in-house and outsourced compliance. Put simply, compliance risk is far more difficult to finely manage once a business process has been outsourced. When particular processes are owned in-house, compliance risk is considered on a near-real-time basis as business processes evolve and compliance concerns, often fueled by the news media or political changes, change.

Within a corporation, it is easy to socialize a greater perceived regulatory risk - put simply, the compliance manager calls up the COO and says that the Government Agency of X is getting more aggressive and that the COO needs to do a walk-through to ensure that potential matters regulated by Government Agency X are properly addressed. The simple, untold fact is that these efforts do vary depending upon the externalities faced by the organization.

This informal approach has the dual benefits of being flexible and cost effective. In essence, the company is adjusting its processes to reflect the perceived compliance risks at any given time. This informal approach, however, does not translate well to an outsourced or offshored relationship, where communications are formalized and process change is often subject to multiple layers of approvals and incremental costs.

In outsourced or offshored relationships, suppliers are asked to meet all applicable regulations and mitigate risk at all times, an effort that most client companies rarely undertake. The end result of this is an increase in compliance costs (either absolute or as a percentage of transaction fees) which to some extent compromises the value proposition of the outsourcing effort. In such instances, strict compliance guidelines are often put aside as too costly, leaving companies subject to substantial compliance risk.

Similar problems appear in other critical, but ancillary functions such as disaster recovery, auditing and governance. As regulators become more aware of these issues, however, it is reasonable to expect that companies will be forced to spend more to ensure that their compliance needs are met.