A strategy turning the SOC-2 audit necessity into a strong and durable strategic advantage in a regulated industry.

Fit for Service
A strategy for service organizations.
Michael Werneburg, 2013.04.13
Updated 2015.11.16

TL;DR
A technology & service provider can have great products and still get nowhere because the clients lack trust. An enterprise risk function can overcome this by guiding improvements to service consistency. Bend your audits to shift your focus & capabilities, then use your audit report as a hall pass.

You want to sell to the financial industry. But it’s becoming harder.

The target market—banks and life insurance firms—are jointly called “federally regulated entities”. They are accountable to several regulators domestically and abroad: OSFI, CSA, IIROC, OSC, MFDA, FSCO.

DEEPLY
The regulators are deeply concerned with third-party risk.
“Of particular interest to regulators is the preservation at the regulated entity of strong corporate governance. In this regard outsourcing activities that may impede an outsourcing firm's management from fulfilling its regulatory responsibilities are of concern to regulators. The rapid rate of IT innovation, along with an increasing reliance on external service providers have the potential of leading to systemic problems unless appropriately constrained by a combination of market and regulatory influences.”
Outsourcing in Financial Services. Basel Committee on Banking Supervision, Bank for International Settlements, 2005. http://bit.ly/1kGr8wv

Selling information services to these regulated entities means meeting their stringent regulations. The vetting process for a new vendor can involve 80-page RFIs full of questions.

Dealing with these requirements ad hoc can be difficult, lengthy, and disruptive. Each request pulls in a different function: IT, Legal, Compliance, Risk Mgmt., PMO, Vendor Mgmt., …

But these clients now also want annual service audits and SOC-2 attestation reports. Passing these audits can require new activities for your firm, and hundreds of new internal controls. (You do have internal controls, right?)

Your clients know the risks can be complex. Fatal to the relationship. Even “systemic”.

What to do
Turn the problem into a strength.

The service you offer is where you have chosen to compete. Performing at the mandated level is how you will win.[1] You can leverage the risk management function to get you there.
[1] Drucker. Or someone.

Key outcomes:
• Consistently excel in all points of contact with clients.
• Optimize the fit between internal activities.
• Adopt managed change as a way of life.

Implementing a “fitness” regime
How to turn this mess around and build a resilient business that performs.

The evolving SOC-2 standard is embodied in the AICPA’s “trust services principles and criteria”.[1] It sets the level of performance, and suggests a governance framework to monitor and foster progress.
[1] http://bit.ly/1luCdHr

DO NOT just approach this as a huge list of controls to implement. Instead, step back and understand what you’re really doing: altering your company forever.

I’ve written about this here[1] and here[2]. But it’s fairly simple. When we make changes to our core practices, we’re building a new company.
[1] http://risktopics.com/service-audits-are-risky-business
[2] http://risktopics.com/a-strategic-approach-to-the-value-chain

Put it this way: your technology firm already has standards and practices. But you’re about to review hundreds of these, and start making changes.

Your business is a unique collection of processes and competencies. The crucial ones span departments, and add value to your clients.[1] Change those crucial processes and competencies, and you’re finding a new unique mix.
[1] Porter. And then everyone.

It’s a new company! But not just any new.

You’ll build a more consistent company. Consistency is the heart of culture, and of brand.[1] Consistency is a natural outcome of the governance function built into the audit process.
[1] Porter, again.

You’ll also be building a more competent firm; when you build governance into your processes, your people eliminate uncertainty. A certain company, where everyone understands their role and what to do next.

When your people understand that they are responsible for reaching a certain bar for achievement, something magical happens. People who have taken a quality standard to heart expect quality in everything they do.

Even when no auditor is watching. Adults don’t say, “Oh, we have to do X and Y right, but the auditor’s not looking at Z.”

A holistic approach can make all this happen. This is “doing things the hard way”. But an unplanned approach will leave your firm with countless, seemingly unrelated controls.

Again, I’ve written about this here[1] and here[2]. But enough; let’s have a look at the company that emerges.
[1] http://risktopics.com/service-audits-are-risky-business
[2] http://risktopics.com/a-strategic-approach-to-the-value-chain

A Case Study
The story of a successful approach to SOC-2, by a technology & service provider.

We were a fifteen-person firm. With one client. And big ambitions. We’d been in business for a decade. But new, regulated clients wanted that SOC-2. We did SOC-2 “the easy way”, and implemented countless controls.

The scope was daunting. (This is a sample; it is not practical to list everything.)
Executive: setting and communicating objectives; evaluating operations and financial performance; service level management; business continuity planning; budget approval; vendor management.
Human Resources: background checks; asset entitlements management; hiring and termination policies; privacy; acceptable use; code of conduct; confidentiality; whistle-blowing; site security; staff evaluations.
IT: SDLC; change control; disaster recovery; technology standards; patch management; security incident management; information classification; log monitoring; viruses; bring-your-own-device; data disposal; encryption; firewall management; remote access.
Internal control: internal audit; risk management; policy management.

The sources were many. Our processes & controls were shaped by clients, COBIT, the Trust Services criteria, auditors, regulators, vendors, and the CICA.

We did not know where we were going. As unplanned as our initiative was, it began to pay off at once.

1. Immediate sales benefits
• Easy RFPs and RFIs. Just hand over the documentation.
• No more one-off requests for proof of capability from vendor managers, IRM, legal, etc.
• Shortened and easier sales cycle.

In the words of one software executive: “Now that we have our audit report, we’re having a whole other level of discussion. The gate-keepers simply ask for the report and we’re done. Everyone thanks us for making their jobs easier.”

2. Operations running smoothly:
• Delivering software updates in a reliable fashion (1 error in 557 releases).
• Hosting our service in a secure and uninterrupted fashion (no downtime after four years and counting).
• Stable processes free the time of SMEs and management.

3. Life was easier for existing clients
• No more one-off requests for proof of capability from vendor managers, IRM, legal, etc.
• Improved “story” for service owners.
• More interest in expanding services with us.

Confident and transparent
• Reduced need for monitoring by clients. None has ever called for an ad-hoc audit.
• Clarity around roles and responsibilities.
• Comprehensive service level attainment is demonstrable through reporting.

4. Leaders free to make decisions and lead:
• Far fewer procedural questions.
• Far fewer mistakes due to uncertainty or improper process.
• Stable processes free the time of SMEs and management.

Cross-team processes smooth:
• Mature practices mean teams work together as expected.
• Entrusting functional managers with governance process leads to automatic correction of deviations.
• A strong sense of ownership of product and service.

5. Low turnover:
• People not wearing out from rework and confusion.
• They enjoy the blend of responsibility and quality outputs.

6. Growth:
• Stable processes allow a business to scale.
• Problems that creep in turn up at the first quarterly risk control self-assessment.
• Persistent problems turn up in the auditors’ report.

7. The magic of being “approved”:
• Having that audit report indicates that you’re part of the regulated industry.
• Once you’ve reached the level of being an approved vendor, you’ll find yourself able to grow rapidly in your industry.
• Partners will seek you out. Others will more readily accept you as a mature organization with the right types of clients.

These things occurred to us with time. And only when we had gone through rounds of corrections, sensing that they were possible.

The results are worth it. Your challenge is to do it “the hard way”, to realize the benefits the first time.

Having a great product got you to the door. Your risk management capabilities are the security pass to get you in and keep you in.

I can help
My role as a specialist in governance, risk, and strategy.

Reach out! I like to advise:
• Understanding risk analysis (MSc in Risk Management).
• Understanding service delivery strategies (20+ years experience).
• Understanding IT and IT governance frameworks (e.g. ITIL, COBIT).
• Mapping the governance framework to business strategy.
• Knowledge of regulated financial industries and the software/service firms that support them.
• Business process renewal and the writing of process manuals.
• Managing the auditors (Certified Internal Auditor designation).
• Project management (I am a PMP).

Michael Werneburg
647-896-3850
michael@risktopics.com
