REGULATORY GUIDELINES PROVIDE INSIGHT INTO OUTSOURCING By C. Ian Kyer and Warren Sheffer The Canadian IT outsourcing market currently generates approximately $6 billion in annual revenue with forecasted annual growth of about 10 per cent. 1 However, expansion in outsourcing activity, is not simply relegated to the information technology sector. In fact, the growing number of business operations that organizations are presently choosing to outsource from human resource functions to real estate administration -- seem only to be matched by the growing variety of reasons that such organizations choose to outsource from cost considerations to improved customer relations. Having a clear understanding of the varied reasons behind why one s oganization wants to outsource a particular function, as well as the expectations of doing so, is crucial to a successful redeployment. In this regard, decision-makers are wise to pay heed to the Socratic maxim know thyself prior to undertaking an outsourcing, and to appreciate the fact that outsourcing is not a strategy in and of itself but rather can be part of a good overall corporate strategy. 2 Without such introspective forethought, an organization risks failing to fully realize the significant benefits that can come from an outsourcing arrangement. 1 M.Snell, Outsourcing IT Functions paper presented at Ontario Bar Association conference, March 21, 2003. 2 G.Kimball, Outsourcing Business Processes: Building Successful Contracts (March 2003) The Licensing Journal 13.
- 2 - It is upon this fundamental principle that the Office of the Superintendent of Financial Institutions (OFSI) 3 has crafted its Guideline for Outsourcing of Business Functions by federally regulated financial institutions (FRFIs). 4 This article explores the Guideline: however, it is not about the OFSI or FRFIs per se. 5 Instead, it is our aim to show how the Guideline can be generally instructive for organizations that are considering outsourcing activities. Accordingly, we will explain the main components of the Guideline with a view to demonstrating how organizations can adopt them as part of a good corporate strategy. The Guideline, while specifically applicable to FRFIs, provides a useful host of considerations and recommendations that all organizations can and should employ before embarking on an outsourcing arrangement. By following the prescriptions of the Guideline, an organization can more clearly identify what it expects to gain from outsourcing one or more of its functions, and in this way can help ensure that it gets what it wants. Overview of the Guideline The Guideline requires FRFIs to develop a risk-management program for outsourcing activities that: 1) establishes an outsourcing risk philosophy; 2) identifies material outsourcing risks, existing or potential, to which the FRFI is exposed; 3) establishes sound and prudent policies 3 OSFI supervises and regulates all banks, and all federally incorporated or registered trust and loan companies, insurance companies, cooperative credit associations, and fraternal benefit societies and pension plans. OFSI draws its authority to regulate from the Office of the Superintendent of Financial Institutions Act. 4 Outsourcing of Business Function by FRFIs, No. B-10, May 2001. 5 Interestingly, the Ontario Securities Commission ( OSC ), in connection with its recent continued recognition of TSX Inc. ( TSX ) as a stock exchange, and the recognition of the TSX s parent, TSX Group Inc., as a stock exchange, has mandated that the TSX comply with certain outsourcing rules which share similarities to the provisions of the Guideline.
- 3 - governing the risks which arise from outsourcing business functions; and 4) monitors and controls associated risks. 1. Outsourcing Risk Philosophy Establishing an outsourcing risk philosophy involves setting out the objectives of the organization s outsourcing strategy, which may include controlling costs to improving the quality and/or the efficiency of the outsourced function, as well as the parameters for the control of the associated risks. Such risk parameters will be informed by the importance of the function(s) the organization intends to outsource within the context of the organization s overall structure and the organization s ability to absorb losses. This exercise of examining the objectives and risks of outsourcing is an important first step in guiding the organization in contracting with its service provider. 2. Identifying Material Outsourcing Risks (a) Risk/Materiality Assessment and Risk/Materiality Criteria Pursuant to the Guideline, FRFIs are required to evaluate the risk and materiality of existing and proposed outsourcing arrangements in order to determine whether such arrangements are subject to the provisions of the Guideline. Risk and materiality are to be determined against at least six weighted factors (the Guideline Factors ), the weighting of which, may vary depending upon the nature of the function to be outsourced:
- 4 - (i) Importance of business activity or function if the function is considered to be critical or important to the major objectives of the FRFI such function is considered material; (ii) Importance of outsourcing arrangement to the business activity if the outsourcing arrangement encompasses more than 25 per cent of the total business, it is considered to be material against this factor; (iii) Size of contractual expenditures if the function exceeds one per cent of the FRFI s net assets it is considered to be material; (iv) Potential impact of the outsourcing arrangement on the FRFIs external customers and/or reputation if more than 10 per cent of a FRFI s external customers are directly impacted by the outsourcing or if the FRFI s reputation could be impacted, the arrangement would be considered material; (v) Ability to replace the service provider at reasonable cost and in a timely manner if the service provider could not be replaced within 60 days and at an annual cost not exceeding 120 per cent of the previous year s annual cost, the outsourced function would be considered material; (vi) Likelihood that the service provider may become insolvent/be unable to continue service if there is a reasonable possibility that the service
- 5 - provider could be unable to continue service during the term of the contract, the arrangement would be considered material. In the event that a weighted assessment of the Guideline Factors reveals a score of more than 50 out of 100 (a Positive Assessment ), the Guideline s provisions on mitigating the risks associated with outsourcing are to govern the FRFI s outsourcing arrangement. For non-frfis, simply being aware of the Guideline Factors can be useful. However, more important is the development of awareness of the Guidelines provisions on mitigating risks, to which we now turn. 3. Sound and Prudent Policies Governing the Risks A FRFI that has completed a Positive Assessment must ensure that the following provisions designed to mitigate risk are established in respect of its planned outsourcing arrangement. (i) Approval Authorities OFSI takes the position that clearly defined and appropriate levels of authority for approval are required to help ensure prudent outsourcing decisions. Accordingly, OFSI states in the Guideline that delegation of authority must be clearly documented setting out, among other things, the positions or committees to whom authority is delegated and the scope of such authority. (ii) Capability/Expertise of Service Provider OFSI stipulates two components upon which the FRFI must assess its service provider. First, the FRFI must ensure through its own due diligence that its proposed
- 6 - service provider has sufficient capability and expertise to undertake the outsourced function. OFSI states that the FRFI should consider the service provider s experience, business strategy, human resource policies and service philosophy. Second, the FRFI must satisfy itself that its proposed service provider has sufficient financial resources to provide the contracted services on an ongoing basis. OFSI recommends that this be evaluated by reviewing publicly available financial information as well as internal audit reports of the service provider. (iii) Acceptable Contract for Services OFSI requires that service contracts contain provisions on the following key elements: Service Levels and Performance Standards; Audit Rights and Monitoring Procedures; Contingency Planning; Defaults and Termination; Pricing; Resolution of Differences; and Confidentiality and Security. 6 Service Levels and Performance Standards OFSI suggests that the FRFI s service provider contract address the frequency, content and format of the service being provided; time schedules for receipt and delivery of work, including processing priorities; performance benchmarks, some of which may trigger an event of default if not redressed, and the associated measurement system. Moreover, OFSI makes the important observation that contract provisions should be
- 7 - sufficiently flexible to accommodate both new services and modifications to existing processes. Audit Rights and Monitoring Procedures OFSI requires that the FRFI monitor the outsourced business function, which it recommends may take the form of regular and formal meetings with the service provider and/or periodic reviews to measure the success of the outsourced function. OFSI states that responsibility for auditing contracts must be assigned to an internal auditor who has sufficient expertise to identify issues related to the business function or to a qualified member of management not involved in the outsourced business function. Contingency Planning OFSI dictates that the FRFI s service provider contract must provide for backup records and facilities. It recommends that a disaster plan detailing how the outsourced function will continue in a disaster be contained in the service provider contract. Defaults and Termination OFSI notes in the Guideline that there can be significant risks associated with contract defaults and/or termination. Accordingly, OFSI states that termination possibilities must be contemplated in the contract, indicating which party can bring about contract termination, when it is triggered, how it is exercised, the right and 6 OFSI also requires that service contracts contain financial reporting and retention of records requirements, which will not be discussed here.
- 8 - responsibilities of each party, and what sort of transition assistance must be made available. Pricing With respect to this contractual element, OFSI suggest that [w]hen comparing the pricing of competing outsourcing proposals, FRFIs should measure long term stability and viability against potential shortterm cost savings. OFSI also suggests developing mechanisms for the sharing of unanticipated gains or short falls and incentives for reducing costs. Resolution of Differences OFSI advocates incorporating resolution mechanisms that include provisions covering service levels during a dispute, escalation procedures, and differences resolvable by arbitration, mediation and other means of dispute resolution. Confidentiality and Security OFSI states that a FRFI s service provider contract must address which party has responsibility for protection mechanisms, the scope of the information to be protected, and the powers of each party to change security procedures and requirements. 4. Monitoring and Controlling Associated Risks A FRFI s risk management program is also to address the monitoring and control of the risks that its outsourcing policies are designed to mitigate. OFSI supports a FRFIs use of audits to ensure, for example, that its risk-management policies and procedures for outsourcing are being
- 9 - followed internally and externally and that personnel involved in outsourcing risk-management have the expertise required to make effective outsourcing decisions. In this vein, OFSI also recommends the periodic review of a FRFI s risk management program by the FRFI s Board of Directors. There is no magical outsourcing formula that will guarantee the success of an outsourcing arrangement. However, taking notice and consideration of the foregoing Guideline prescriptions can help an organization be clear on its outsourcing needs and expectations.