CEOs, you can’t ignore compliance. Before selecting an outsource partner, CEOs and executives need to evaluate and manage risk.
By TAS CEO, Shane Baker
In the face of digital disruption and an increasingly complex business world, CEOs need to put compliance as the top consideration when selecting an outsource partner. CEOs need to take ownership of compliance, evaluating and managing risk effectively. Risk isn’t something that can be offset or outsourced.
Compliance needs to be an executive decision. We need to enable CEOs to make better decisions, based on an in-depth understanding of their specific compliance requirements. Selecting a cloud provider as a commodity decision is fraught with compliance pitfalls.
Compliance is traditionally understood as the conformity in satisfying formal requirements. The entrenchment of compliance within an organisation and key partners is often overlooked. This is further heightened when an organisation opts to procure core services from a material outsourcer i.e. from private and/or public cloud, a managed services provider and so on.
Whether an organisation is subject to external regulatory compliance or augments its policies with specific standards and frameworks such as ASAE 3402, PCI DSS, ISO 27001/2, ISO 31000 risk management, an organisation must look to embed a governance model that encompasses the board and CEO, as much as the operational staff within the business.
The business case for outsourcing is clear. However, CEOs need to tread carefully before selecting an outsource partner, because there is risk involved. CEOs need to address compliance at a strategic level, building upon a solid and unbreakable internal framework.
The ever-increasing complexity and scope of compliance means that companies need the right resources to drive adequate risk management. Third parties continue to be the single biggest worry for companies when conducting risk assessments. Specific tactics are needed to manage third-party risks more effectively.
That’s why CEOs need to choose carefully. Before you select an outsource partner, it’s crucial that you clearly define and communicate your organisations’ strategic goals and compliance mandate
Here are five key tips on how to implement a robust compliance framework internally, before selecting an external outsourcer:
- Create a robust internal framework. Deloitte found that 82% of organisations surveyed now undertake enterprise-wide compliance risk assessment at least once a year. To stay ahead of the game, create a robust internal framework that limits risk and ensures compliance. Before you engage and work with outsourced partners, you need to build strong internal foundations.
- Evaluate and manage risk. To evaluate and manage risk across your organisation, firstly check in with your people. Do the people selecting your technology partner understand the compliance obligations? CEOs, talk to your people on the ground, and ensure they understand the full picture.
- Adhere to industry standards. Implement service, technology and engagement frameworks that adhere to the compliance standards required by your industry. Whether your organisation is subject to external regulatory compliance or augments its policies with specific standards, embed a governance model that encompasses the board and CEO, as much as the operational staff within the business.
- Ensure there is no risk of moving services to a material outsourcer. CEOs need to ensure that there is no increased risk of moving services to a material outsourcer. Examples of increased risks to be mindful of include the technology roadmap, security, and the viability of the material outsourcer.
- Select a partner that can move with you. CEOs, do you have a partner that can move with you? To drive business success for the future, take changes in compliance and regulation into account. Aim to build robust relationships in the long-term, rather than looking for short-term fixes.
This article was first published on September 23, 2016 by CEO Magazine.