Fit for Service - A strategy for service organizations.

A strategy for selling technology services to federally-regulated banks and life insurance firms. Includes a case study in which a small services organization utilized a clean audit report to gain—and keep—the market's trust.

    Presentation Transcript

    • Fit for Service
      A strategy for service organizations.
      Michael Werneburg, 2013.04.13

    • THE CHALLENGE
      A technology & service provider can have great products and still get nowhere because the clients lack trust.

    • The target market—banks and life insurance firms—is jointly called "federally regulated entities". They are accountable to several regulators domestically and abroad:
      OSFI, CSA, IIROC, OSC, MFDA, FSCO.

    • Selling information services to these "regulated entities" means meeting their stringent regulations. The vetting process for a new vendor can involve 80-page RFIs full of questions.

    • Every client has specialists with long lists of requirements. Dealing with this bureaucracy on their terms can be difficult, lengthy, and disruptive.
      (IT, Legal, Compliance, Risk Mgmt., PMO, Vendor Mgmt.)

    • The requirements are exacting and there's little appetite for uncertainty. A brilliant and perfectly timed product or service gets you only as far as the doorstep.

    • Keeping these clients has its own challenges.
      [Figure: two shapes, "Us" and "Client", showing the size of our company and the typical size of the global organizations we serve. To scale.]
    • WHAT TO DO
      Turn the problem into a strength.

    • The service you offer is where you have chosen to compete. Performing at the mandated level is how you will win.
      1. Get the clients and keep them.
      2. Define your unique activities and constantly refine and adapt.
      3. Build real barriers to entry.

    • Key goals:
      • Excel in all points of contact with clients.
      • Optimize the fit between internal activities.
      • Adopt change as a way of life.

    • A THREE STAGE PROGRAM
      How to build a resilient business that performs.

    • 1. Implement a fitness regime.
      • Identify the required level of performance. Set goals.
      • Adopt a governance framework to monitor and foster progress.
      • Build the team, the processes, the tools, and the structure to operate at a high level.

    • 2. Get audited yearly. A third-party assurance report covers all the bases.
      • The SOC attestation reports for service organizations communicate your commitment to excellence.
      • They are a recognized standard with international equivalents.

    • 3. Your annual audit reports satisfy the gate-keepers, freeing you to focus on the conversations with the stakeholders and decision makers who need you.
      • (Watch for the quote in the case study below.)
    • A CASE STUDY
      The story of a successful technology & service provider.

    • PortfolioAid provides a crucial automated compliance service
      • Compliance is a must-have
      • Effective compliance is a differentiator in a hyper-competitive environment
      • Even the regulators consider this service "material"

    • • Specialists in rating risk for securities.
      • Market leader in retail brokerage compliance automation.
      • Experiencing rapid growth as the compliance market matures.

    • Our goals as a service organization
      • Deliver reliable software releases with accuracy
      • Deliver a secure & available service
      • Stay responsive and agile
      • Develop an end-to-end service level agreement

    • We have sensitive client data
      • Confidentiality
      • Integrity
      • Personal information/privacy

    • Our systems must be
      • Functional
      • High-performing
      • Available
      Everyone knows this. But…

    • Managing systems change is more demanding.
      • To deliver functional enhancements
      • …without error…
      • …and propagate between clients.
      A multi-dimensional issue.

    • Our people have to be
      • Competent
      • Reliable
      • Trusted
      We need skills, training, the drive to deliver, and yes: rules.
    • Executive: setting and communicating objectives; evaluating operations and financial performance; service level management; business continuity planning; budget approval; vendor management.
      Human Resources: background checks; asset entitlements management; hiring and termination policies; privacy; acceptable use; code of conduct; confidentiality; whistle-blowing; site security; staff evaluations.
      IT: SDLC; change control; disaster recovery; technology standards; patch management; security incident management; information classification; log monitoring; viruses; bring-your-own-device; data disposal; encryption; firewall management; remote access.
      Internal control: internal audit; risk management; policy management.
      This is a sample; it is not practical to list everything.

    • [Figure: sources of guidance feeding the processes & controls: Clients, COBIT, Trust Services, Auditors, Regulators, Vendors, CICA.]

    • An IT governance framework
      • COBIT 5 focuses on realizing benefits, optimizing risk levels, and optimizing resource use.
      • COBIT 5 does not focus only on the 'IT function', but encompasses strategy, business planning, resource optimization/budgeting, HR, vendor management, etc.

    • Guidance for service organizations
      • Hundreds of detailed "must have" criteria to map to internal controls.
      • Covers five domains: security, availability, confidentiality, processing integrity, and privacy.
      • Blends perfectly with COBIT.

    • Implementing governance
      • PortfolioAid identified the relevant areas of COBIT for implementation.
      • Starting with core functions (SDLC, hosting, human resources), the "governance project" began in January 2011.

    • Implementing governance
      • COBIT blended with AICPA/CICA "Trust Services Principles" criteria.
      • First audit passed, October 2011.
      • COBIT implementation expanded in 2012.
      • First clean CICA Section 5025 audit report obtained October 2012.
    • Immediate benefits
      • Easy RFPs and RFIs. Just hand over the documentation.
      • No more one-off requests for proof of capability from vendor managers, IRM, legal, etc.
      • Shortened and easier sales cycle.

    • In the words of one software executive: "Now that we have our audit report, we're having a whole other level of discussion. The gate-keepers simply ask for the report and we're done. Everyone thanks us for making their jobs easier."

    • Life is easier for existing clients
      • No more one-off requests for proof of capability from vendor managers, IRM, legal, etc.
      • Improved "story" for service owners.
      • More interest in expanding services with us.

    • Running smoothly:
      • Delivering value-added functionality in a reliable fashion (1 error in 557 releases)
      • Hosting our WatchDog service in a secure and uninterrupted fashion (no downtime after two years and counting).
      • Stable processes free the time of PortfolioAid SMEs and management.

    • Confidence and transparency
      • Reduced need for monitoring by clients. None has ever called for an ad-hoc audit.
      • Clarity around roles and responsibilities.
      • Comprehensive service level attainment is demonstrable through reporting.

    • Governance framework
      • 64 process manuals
      • 261 controls being measured
      • Annual audits and pen-test
      • Clean audit achieved in 2nd year
      • Copies of report for all clients
    • HOW I DID IT
      My role as a specialist in governance, risk, and strategy.

    • I provide:
      • Understanding of service delivery strategies.
      • Understanding IT and IT governance frameworks (e.g. ITIL, COBIT).
      • Mapping the governance framework to business strategy.
      • Knowledge of capital markets, life insurance, and the software/service firms that support them.
      • Business process renewal and the writing of process manuals.
      • Managing the auditors. (Certified Internal Auditor designation in progress.)
      • Project management (I am a PMP).

    • Michael Werneburg
      416-848-4136
      michaelw@portfolioaid.com