Outsourcing is on the rise across a large range of industries. Recent figures show the value of UK public and private sector outsourcing rising from about £35bn at the turn of the millennium to a current figure of around £88bn. A significant increase. Unsurprisingly, businesses in the Channel Islands have also embraced outsourcing as a means to lower costs, increase efficiency, expand resources and expertise, and ultimately improve customer service. This can, however, open the door to operational and regulatory risks. As a result, before committing to outsourcing arrangements, a business should carefully consider carrying out appropriate due diligence in order to avoid, or at least mitigate, those risks. Here are some of the key points that need to be considered:
Establish a risk management framework and risk register enabling the outsourcer’s and service provider’s teams to identify and assess the project risks, their current status and any action needed to manage those risks.
Look inwards as well as at the prospective service provider. Start by considering what target services are currently being provided in-house, the service delivery model and the service levels being met, as well as the transaction volumes. This includes the number of employees engaged in providing those services, and if changes could affect staffing levels, or require a review of employment terms.
If cost is a key driver, the process should include a detailed review of current expenditure on the earmarked services.
Are there any third-party contracts currently in place to deliver the services? If those will cease to serve a function, can the business terminate the contracts without penalty or before expiration of a set notice period? If there will be a continued need for third-party services, but on amended terms, can the business unilaterally vary those terms?
Assessment of a prospective service provider requires a comprehensive analysis of all the services it is offering, how it will tailor those to the aspects the business wishes to outsource, and how it will deliver those services.
Fixing the detail of those services will inform the service provider’s proposals on pricing, which should make it easier for the business to price any changes to volumes and service levels.
Include an examination of the service provider’s corporate status and wider group structure, and its own (and its group’s) financial standing. Also, its insurance coverage and the risks covered.
Investigate the service provider’s compliance history, the existence of complaints, litigation or regulatory actions, and evaluate its track record in delivery of similar services.
Analyse the service provider’s disaster recovery and business continuity plans, its system of internal quality and other controls, its security history, and the extent to which it is audited, financially and otherwise.
If the business is a data controller and/ or data processor for the purposes of the
Data Protection (Jersey) Law 2005, and data is to pass to the service provider under the outsourcing arrangement, adequacy of data protection will be a key consideration.
Adherence to the six core principles laid down in the Jersey Financial Services Commission’s Policy Statement and guidance on outsourcing will be a critical factor for businesses in the regulated financial services sector. If, following the due diligence process, the decision is to proceed, the parameters of the outsourcing, and a detailed description of the services, should be set out in a comprehensive outsourcing agreement. This should, among other terms, include a precise description of the functions to be outsourced, and a clear delineation of the respective responsibilities of the service provider and the outsourcer. An early-stage and comprehensive evaluation of any proposed outsourcing arrangement is highly advisable. Failure to identify strategic, market, reputational and (to the extent applicable) regulatory risk could not only fundamentally affect the project’s economics, but also be potentially damaging to the outsourcing business.