Compliance in an Outsourced World

(This article was contributed to Corporate Compliance Insights by Karen Wilson, Managing Partner of Citadel Compliance Group LLC. Ms. Wilson can be contacted by email at information@citadelcompliance.com, or by phone at 972-444-0271.)

The recent massive accounting fraud at Indian outsourcing giant Satyam has focused attention on risks associated with outsourcing. The Satyam case offers multiple lessons for companies considering outsourcing. Risks are not limited to the financial wherewithal of the outsourcer. Because the outsourcer controls key business operations of the client and interfaces directly with the client’s customers, often from offshore sites, regulatory risks associated with these services can be magnified. This article examines trends in the outsourcing industry and changes in services and delivery models that have a direct impact on the client’s compliance with laws.

Introduction

The outsourcing trend remained strong in 2008. At $360 billion annually and growing, outsourcing’s appeal is not limited by business type or size and thrives despite, or because of, challenging economic conditions.

American companies and government agencies historically have outsourced low-value operations to reduce expenses, realign resources, and shift risks. Businesses are drawn to the appeal of shifting so-called “non-core’ business operations to a third party who will improve the balance sheet and guarantee cost reductions and access to leading-edge technology and innovation. For some, outsourcing is the answer to poorly managed operations that sap resources and distract attention from the business. In outsourcing parlance, this is known as “your mess for less.” European companies have embraced outsourcing as well. In 2007, Europe outpaced the U.S. for the first time in the number of new IT outsourcing deals and that trend continued in 2008. Mergers between outsourcing competitors in 2008 should spawn better capabilities and stronger competition in the future. Major outsourcers and their specialties include:

(Source: Gartner, Inc. For more information about outsourcers and their services, go to www.businessweek.com/go/outsourcing.)

Without question, outsourcing is a widely accepted management practice offering strategic, operational and financial benefits. The prudent client, however, will consider both the benefits and risks of outsourcing, including a careful review of the regulatory framework that applies to the outsourced services.

Outsourcing a business process does not change the client’s regulated status or absolve it of regulatory responsibilities. In fact, outsourcing complicates legal compliance for clients who cannot assume (or do so at their peril) their providers will adequately manage regulatory risks associated with the services. The very nature of outsourcing requires handing over control to a third party and relying on new systems and processes. Changes in the outsourcing industry also have made attention to regulatory risk more urgent than ever. Clients are demanding value-added services and outsourcing increasingly complex functions. Evolving service models trigger new legal rules and requirements, often in foreign jurisdictions. Outsourcers continue to streamline systems and costs to maintain competitiveness as clients trend toward multiple providers and shorter contracts.

Yet it is the client who suffers the most significant consequences when a legal violation occurs on the outsourcer’s watch. Regulators, investors, clients and the public are not sympathetic to the excuse “the outsourcer did it.” Even without formal government action, legal breaches can disrupt operations, delay services, and deprive clients of important rights and benefits. Clients should not take too much comfort in contractual remedies, either. While the outsourcer’s financial liabilities may be significant, even punitive, they do not compare to the long-term damage to the client’s business and reputation when a high-profile regulatory violation occurs.

The key is prevention, the goal of every compliance initiative, but especially important in an outsourcing relationship. Clients must champion regulatory risk management early and often by emphasizing its importance in RFPs, down-selections, and service level commitments. Standards for managing legal risks should be defined by the client, the earlier the better, and not left to chance or the outsourcer’s discretion. Converting standards into practice requires an understanding of the outsourcer’s service delivery model, data flows, and third party resources. Informed clients will demand this information, and outsourcers should be prepared to provide it and explain it. During the life of the relationship, clients must be willing to commit adequate resources to monitor the outsourcer and evaluate the continuing effectiveness of policies and practices intended to prevent legal violations. While new to some, these actions are essential for companies concerned about maintaining the integrity and uniformity of regulatory controls for operations turned over to an outsourcer. They are essential investments in the success of an outsourcing strategy and too important to shortchange or ignore.