This ISG white paper examines the emerging regulatory environment in the financial services sector, challenges facing many organizations and their causes and characteristics, and keys to implementing effective governance and supply chain risk programs.
THE “UH OH” MOMENT
Financial Services Enterprises Focus on Governance, Transparency
and Supply Chain Risk
By Lois Coatney, Chuck Walker and Joseph Yacura, ISG Directors
www.isg-one.com
INTRODUCTION
A top priority for financial services enterprises today is assessing, monitoring
and mitigating operational risk. This emphasis largely reflects growing general
concerns about natural disasters, political instability, economic uncertainty
and a changing supplier landscape. In addition, having outsourced significant
portions of core functions, organizations are increasingly dependent on third
parties for critical operations, and are therefore potentially vulnerable to
disruptions at any point along the service delivery chain.
Coupled with this heightened sense of exposure, regulators are subjecting
financial services businesses to more intense scrutiny, partly in response to
new legislative and regulatory requirements, but also as a result of more
rigorous adherence to existing rules and standards.
To address these challenges, firms are focusing on improving governance and
risk management mechanisms to enhance accountability and ensure
oversight of operations and processes throughout the supply chain. It’s a tall
order, as many enterprises lack even rudimentary tools and capabilities to
monitor supply chain risks.
This ISG white paper examines the emerging regulatory environment in the
financial services sector, challenges facing many organizations and their
causes and characteristics, and keys to implementing effective governance
and supply chain risk programs.
THE “UH OH” MOMENT ■ LOIS COATNEY, CHUCK WALKER & JOSEPH YACURA 1
GLOBAL SERVICE DELIVERY
Outsourcing, offshoring and multisourcing are integral to the global
operational models of financial services organizations. According to ISG data,
in 2011 the financial services sector accounted for 35 percent of the total
value of outsourcing contracts, and generated 29 percent of the outsourcing
industry’s revenue. In recent years, moreover, ISG research shows a clear trend
of decreasing contract sizes, while total contract value has remained
relatively constant.

Put simply, the critical operations and sensitive data of today’s financial
services organizations are increasingly managed by a growing number of third
parties, often including layers upon layers of sub-contractors (often termed
“first-,” “second-,” “third-,” etc., tier suppliers). Involving multiple
external suppliers in the delivery chain poses the obvious potential risk of
the “weakest link.” More specifically, multisourcing can make it difficult to
define end-to-end service accountability and process owners, as well as open
the door for finger-pointing when something goes wrong.

Global delivery service models increasingly deploy both third-party vendors and
captive service centers in India, China, Eastern Europe and Latin America.
Concentrating suppliers in any one region exposes businesses to risk from
natural disasters or political upheaval. While dispersing providers
geographically diffuses such risk, it also expands the range of potential fail
points in service delivery.

In addition to being increasingly complex, global delivery models are also
highly volatile. For one thing, fluctuations in offshore labor rates result in
frequent relocations of offshore delivery centers as businesses seek the next
low-cost “hot spot.” Concerns around productivity, access to skilled resources,
foreign exchange rate fluctuations, data security, quality and political
fall-out, moreover, are causing many clients to rethink their offshore strategy
and move operations back onshore.

CLOSER SCRUTINY
In response to broader economic trends as well as the specific potential
threats posed by sourcing trends, regulatory bodies are undertaking a more
aggressive approach to evaluating how financial services organizations are
managing service delivery.

The Dodd-Frank legislation is the most prominent and visible regulatory
initiative affecting the industry. Although confusion remains regarding the
particular implications of specific rules, and while litigation and lobbying
efforts continue, in 2013 the industry will move from a wait-and-see attitude
of what the rules will mean to one of taking action to comply. Accordingly,
banks are hiring compliance officers and technology experts to enhance their
oversight capabilities, and are stepping up efforts to communicate the
implications of Dodd-Frank to clients.

Regulatory compliance concerns are not confined to Dodd-Frank. ISG has observed
more rigorous audits of banks by the Office of the Comptroller of the Currency
(OCC). Bulletin 2012-03 of the Consumer Finance Protection Bureau (CFPB)
specifically directs banks to ensure that third-party providers who touch
customers are compliant with consumer protection laws. Recent audits of
insurance firms by the Federal Reserve have focused on transparency of
outsourced services, while the Securities and Exchange Commission (SEC) has
emphasized the protection of service delivery continuity as more and more
providers become involved in the supply chain.

The combination of new regulations and legislation, together with a stricter
enforcement of existing risk management standards, has significantly raised the
bar. Previous levels of compliance are no longer sufficient, as auditors
increasingly demand specifics in terms of understanding how services are being
monitored (in real time), what processes are being used and how service
provider performance is reported over time.
CHARACTERISTICS OF THE PROBLEM
In an environment characterized by the increased potential for supplier risk
exposure, coupled with more rigorous oversight by regulators, enhanced
transparency and improved governance processes and supply chain risk management
are becoming more urgent requirements for financial services organizations.

Evidence suggests that many financial services organizations today lack
adequate governance processes and supply chain risk management tools to
effectively assess, evaluate and mitigate risk in their outsourced service
delivery chains. One fundamental problem is that many banks and insurers simply
don’t conduct adequate due diligence. Those that do, moreover, tend to focus on
pre-contract due diligence, rather than monitoring contract performance and
risk during contract execution and beyond.

In many cases, extensive financial and capability analyses are conducted up
front to qualify providers and make award decisions. However, with shorter
contract terms and one-year options, all the data collected early on has a
limited shelf life, so that three to six months into a contract the assessments
made and data collected are outdated. Indeed, ISG has observed many financial
services organizations where extensive documentation exists but has little
application to reality and provides no decision-making support.

A front-loaded approach to governance also frequently results in a lack of
available resources for ongoing oversight. In other words, the business not
only lacks access to real time actionable data and documentation, it lacks the
bandwidth and expertise needed to interpret the data in real time and take
corrective action. If the governance and supply chain risk management
frameworks are inadequate from the outset, they will typically be unable to
address the complexity of the service delivery chain – specifically, the
multiple stakeholders involved, the hand-off points between clients and
suppliers, and between suppliers and other suppliers.

Without a target operating model in place, outsourcing becomes a tactical
rather than a strategic exercise, with different sets of roles and
responsibilities for each supplier. The result is a hodgepodge of standards and
multiple fractures in the service delivery process.

Rather than ensuring coordination between the myriad entities and touch points
involved, governance and supply chain risk management efforts are often limited
to addressing discrete risks or solving isolated problems. In this fragmented
environment, it’s impossible to aggregate information across the delivery
chain, as individual suppliers focus on collecting their own data, using their
own tools and managing their own fixes and changes. As a result, the business
struggles to understand the causes and effects of risks at different states of
the sourcing lifecycle, to ensure visibility into critical processes, and to
assign accountability for problems that occur.

THE “UH OH” MOMENT
For many banks and financial institutions, the key problem is that they simply
don’t know what they don’t know. While processes may be in place, and data may
be collected, analyses quickly reveal a gap between what the rules are and the
ability to verify that the rules are being followed.

As a first step in analyzing a governance and supply chain risk management
framework and processes, ISG often assesses the data, reports and processes a
client uses to make decisions. The review involves detailed questioning around
how service providers are managed, what processes are used, and how those
processes would be demonstrated during a regulatory audit.

In many cases, clients struggle to provide substantive answers, and it quickly
becomes apparent that significant gaps exist between the theory of process
oversight and the reality of day-to-day management decision-making. This harsh
epiphany convinces clients that immediate and urgent action is imperative.

The challenge then becomes where to begin. As a first step, ISG recommends an
initial risk assessment profile. This profile is a prioritization exercise to
identify the areas of both internal and external risk that have the most impact
on the business. Subsequently, for each critical area identified, service
levels, issue and change management processes, ITIL frameworks and other
criteria are assessed to identify specific problems and high-priority
corrective actions.
The initial analysis that focuses on critical trouble areas should be followed
by a broader collaborative exercise between the client and supplier teams, one
designed to facilitate discussion aimed at identifying problem areas and
outlining means of monitoring and opportunities for improvement. By bringing
all parties to the table, a holistic view of service delivery and the
interrelationships along the service delivery chain begin to emerge. Moreover,
it becomes possible to calculate the value of specific changes (limiting
re-work or catching billing errors, assuring continuity of supply, etc.),
define standard roles and responsibilities, and make contractual changes to
re-define problematic supplier touch points.

STANDARD VS. CUSTOM
As the client and service provider teams build a holistic view of service
delivery, it’s critical to define a standard set of taxonomies, roles and
responsibilities, process owners, sources of real time data, etc., for all
“strategic” (first-tier) suppliers and their critical (second-, third-,
fourth-, etc., tier) suppliers. This is necessary to address the fractures in
service delivery described earlier, and to ensure continuity and visibility
into the multiple touch points along the “total supply chain.” Perhaps most
important, standardization is essential to addressing the compliance challenge,
as it enhances transparency and the ability to design to expectations.

ISG sees an opportunity for service providers to add value to client
relationships by proactively pushing for and defining standard processes. In
many cases, suppliers bear the burden of defining mandates; while this practice
could be seen as accommodating client preferences, in reality it prevents
providers from leveraging standard practices across multiple clients – if the
supplier gives every client a unique set of processes, no single client can
benefit from the supplier’s economies of scale.

While standard processes are essential, clients must at the same time
categorize different types of suppliers according to risk. This involves
tiering different suppliers based on the level of risk they are exposed to. In
other words, suppliers that regularly handle sensitive data will require a high
level of scrutiny of oversight, while those that are less exposed will fall
into a category requiring fewer resources. In addition to evaluating suppliers
individually, clients must understand where different layers of sub-contractors
might be exposed to risk, and address those entities in an appropriate manner.

By prioritizing the risk exposure posed by different suppliers, clients can
assign the necessary resources to monitoring different suppliers as
appropriate. Clearly defined categories, based on clearly defined rules and
standards, are also important to addressing regulatory inquiries.

Over the long term, organizational discipline and commitment of resources is
essential to the successful mitigation of supply chain risk. The best
intentions of governance and supply chain risk management efforts in early
stages of a relationship yield only temporary value if not built into the
fabric of the enterprise to assure a sustained focus.