What to Outsource and What to Keep In-House

A confluence of complex regulations, a shortage of qualified compliance executives, and continuing pressure to do more with less is driving many companies to seek the help of outside service providers to keep up with compliance demands.

“It's really hard for the compliance community today to keep pace with all the regulatory changes and requirements,” says Tracey Straub, managing director at outsourcing technology provider Compliance11, a subsidiary of Charles Schwab. “Compliance outsourcing is a way to leverage the tools that are out there and not be stuck on an island by yourself.”

According to a recent report from Deloitte, outsourcing select compliance processes can yield potential benefits, including gains in efficiency and quality achieved by leveraging structured processes, flexibility to scale up or down deployment of skilled resources, reduced burden on internal infrastructure and resources, and better data analytics and reporting tools that provide predictive trends and insights.

“We find that more companies are interested in outsourcing today than ever before,” says Vishal Chawla, a principal with Deloitte. “This is especially true in highly regulated industries, particularly the life sciences and financial services industries; they've been most apt to adopt compliance outsourcing, he says.

A shortage of candidates for compliance positions is also leading companies to consider outsourcing more processes, suggests the Deloitte report. “Increased regulatory compliance complexity requires individuals who are skilled in risk management and have knowledge of regulatory and compliance operations,” the report's authors write.

“These professionals are in short supply and high demand. Organizations have to deal with increased operational budgets to provide training, an extended talent pool to manage continued compliance, and high attrition issues.” In other words, companies are spending money to train compliance executives only to see them hired away by their competitors. Outsourcing is a solution to that cycle.

The cost savings can be significant. According to Deloitte's 2012 Global Outsourcing and In-sourcing Survey, 57 percent of 111 companies surveyed across 22 industries reported that they had achieved cost savings of more than 10 percent.

Compliance outsourcing allows companies to “capitalize on vendors with special knowledge, areas of expertise, and talent,” says Chawla. “It allows companies greater flexibility to turn their high, fixed costs into low, variable costs.”

What to Outsource

Not all compliance processes, however, should be outsourced. Because every company faces its own unique regulatory concerns, knowing which functions to keep in-house and what can be farmed out to third parties is an important part of reducing overall risk.

“Compliance outsourcing is not a one-size-fits-all solution,” says Chawla. Each company needs to determine for itself where a compliance outsourcing provider can add value, he says.

Processes that are routine or administrative in nature or data-focused are the sort of processes that companies commonly outsource, says Straub. Such functions include e-mail review and surveillance, training and education programs, e-discover, and reporting mechanisms such as whistleblower hotlines.

According to Deloitte, other examples of compliance processes that may be outsourced more easily and effectively than others include:

· Collecting compliance data and information from systems and individuals;

· Assisting with internal and external compliance reporting;

· Testing and monitoring business processes and systems for compliance; and

· Performing trend analysis and predictive modeling for compliance operations.

“Compliance outsourcing is a way to leverage the tools that are out there and not be stuck on an island by yourself.”

—Tracey Straub,

Managing Director,

Compliance11

Companies may consider outsourcing the execution of a compliance function, but retain the initial conceptualizing and development stages. For example, companies like to keep the actual development of training in-house—such as what specific components should be in the training—but might prefer to outsource the execution of that training, whether it be an online course or a software development models for that training, says Ryan McGuire, research team leader at Cutting Edge, a consulting and research firm for the pharmaceutical and biotech industries.

Keep This Stuff

There are plenty of compliance processes, however, that don't lend themselves to outsourcing either because they are too central to building the company's culture and identity or the risks associated with putting them in the hands of others is too great.

Compliance processes that should generally not be outsourced, according to Deloitte, include:

· Establishing compliance policies and setting compliance risk tolerance levels;

· Performing qualitative compliance risk assessments and assigning risk ratings;

· Interpreting laws and regulations and determining business applicability;

· Preparing and filing regulatory reports;

· Communications with the regulators; and

· Decision-making authority in approving/disapproving customer transactions

That doesn't mean these tasks should be completely off limits for leveraging outside expertise and guidance. Outsourcing providers can assist or support management in performing some of the above activities, but they should never take over any of the above activities on a fully outsourced basis, says Chawla.

Other example of compliance activities and processes that should not be outsourced include compliance functions that recently experienced “significant control failures and regulatory compliance issues,” says Chawla. “If you outsource a mess, it's still a mess. You have to fix it, you have to standardize it, and then you have to go and look for alternative solutions to help you with execution.”

Who's Outsourcing Compliance?

According to a recent report conducted by Cutting Edge, big drug companies maintained the largest number of outsourced employees for their compliance functions, averaging one outsourced job for every two in-house employees.

In comparison, small drug companies, biotech firms, and medical device companies averaged two outsourced full-time employees who work with their compliance teams. Medical device companies maintained larger internal teams with 11 in-house employees compared to small companies that had eight full-time employees.

WHY OUTSOURCE?

According to Deloitte, the decision to outsource may be driven by one or more of

the specific challenges that compliance functions currently

face, including the following:

Coping with talent shortages:

Increased regulatory compliance complexity requires individuals who are

skilled in risk management and have knowledge

of regulatory and compliance operations. These

professionals are in short supply and high demand.

Organizations have to deal with increased operational

budgets to provide training, an extended talent pool to

manage continued compliance, and high attrition issues.

Sub-optimal compliance processes:

Organizations want to focus on improving and streamlining to make

their compliance processes predictable. However,

continuous changes in the regulatory landscape can

make investments in compliance processes reactive. This

often leads to a challenge for the organization whereby

compliance processes may not follow the leading

practices. This can result in a higher cost of compliance,

lower quality levels, and possibilities of rework.

Investing in technology infrastructure:

Organizations are continuously investing in technology and related

infrastructure to help facilitate meeting compliance

needs. With the continuous changes in existing

regulations, as well as new regulations, technology

investment needs are both one-time and continuous.

Addressing global compliance needs:

International organizations are making extensive investment in

hiring and training global talent pool. Additional

investments are needed to develop a global knowledge

base and expertise to address differences in regulatory

requirements and successfully drive their global

compliance operations.

Increasing operating costs:

Increased resource requirements (people, processes, and technology) due

to significant changes in regulatory environments are

having significant impact on operating costs.

In recent times, these compliance challenges have been

amplified due to increased regulatory requirements such

as the Dodd-Frank Wall Street Reform and Consumer

Protection Act (Dodd-Frank), U.S. healthcare reform, the

Physician Payment Sunshine Act, the Foreign Account Tax

Compliance Act (FATCA), Markets in Financial Instruments

Directive II (MiFID II), as well as longer standing, and often

changing, regulations in areas such as product safety,

quality, Anti-Money Laundering (AML), and many others.

Source: Deloitte.

What compliance processes companies outsource also differs significantly from sector-to-sector. Many companies in the life sciences industries, for example, are seeking third parties who can bring knowledge of local regulations around the globe to the table. “When you start looking for regulatory expertise across 50 to 100 global markets, you have to be able to call on experts that you most likely do not have on staff,” says Adam Bianchi, chief operating officer and co-founder of Cutting Edge Information.

They are also seeking to outsource data-intensive processes. The data entry component of recording all adverse events that happen around the globe from a drug safety perspective, for example, can be a monumental task, McGuire says. Such a task could mean having to generate data from potentially 100 different markets, he says.

Compliance teams in the banking industry, on the other hand, may outsource compliance testing against regulations, or the performance of risk and compliance reviews. With all the new regulations associated with the Dodd-Frank Act, financial services companies are looking for help digesting the new requirements. “They are having a hard time understanding all these new rules,” says Straub.

One financial company outsourced compliance testing of its credit card business processes with applicable U.S. laws and regulations, for example.  This was a new requirement and the organization lacked trained, qualified individuals to execute the compliance testing.  Building up a new team was going to result in significant reporting delays and was cost prohibitive.

Keep in mind, though, that outsourcing a process doesn't shift responsibility to the service provider. “Irrespective of who provides execution of compliance processes, the company still remains accountable for the work performed by third parties,” says Chawla. “That's how companies need to look at compliance outsourcing, and that's why they need to be very selective about where this model really adds value.”

For this reason, it's also important to monitor the third parties who are performing compliance outsourcing for your organization “to make sure they're doing the things that you've contracted them to do, and they're doing it regularly, consistently, and accurately,” says Straub.

You still want somebody in-house who is responsible for escalating issues up the chain of command when problems arise, says Straub. “You don't want someone who is not in touch with the day-to-day operations of the business to make that call.”