Four Things You Definitely Cannot Outsource

Outsourcing in all its various forms is now an accepted part of our business. And in some sectors that appears to be truer than others. But what exactly is outsourcing and in particular, are there any circumstances when outsourcing means handing a task or a service over lock, stock and barrel to a third party?

More time on the golf course?

When outsourcing was originally conceived as an idea, the concept was very simple. Take a particular function of the business, preferably one which is a direct cost to the business without generating income. Then find someone who is able to deliver that service at a lower cost than the firm can. Then enter into a contract with the service provider which means that they deliver that service at a lower price. So you no longer have to do the work, and it’s saving you money. Oh, and the third party not only gets penalised if they don’t meet your service standards, if anything goes wrong, they’re liable and not you!

Sounds great doesn’t it? That’s outsourcing in its purest form, which is a win/win for both sides. The business saves money and the outsourced service provider gains a client for whom it can deliver a service that it can make a profit on. And the best bit is that the firm outsourcing the service can sit back and let the third party do all the work for them.

From dreams to reality   

The reality, though, has proven to be somewhat different, especially for regulated businesses. That’s not to decry outsourcing in any way. As a concept it has grown and matured, and indeed, for many services now, the outsourcer market has become so mature and well-developed, that firms could not realistically contemplate doing them in-house. And for some firms, outsourcing has become a fundamental component of their business model

But the one piece that has not played out in practice is the ability of the firm to effectively “take their hands off the wheel” and not oversee what the outsourced service is provider is doing. The regulators have been aware of the risks involved with outsourcing for some time, and are becoming evermore so.

On a basic level, the requirement from a systems and controls perspective is that firms need to be applying appropriate oversight to their material outsourcing arrangements. And you can get a feel for the way the FCA is heading in its activity by reading the results of its recent review into outsourcing in the general insurance market. This covered a number of aspects of outsourcing in this sector, but the overriding theme is that the FCA is concerned about how “delegated authority” was being applied. And by delegated authority, it means that way in which insurers generally delegate various different functions to third parties and intermediaries. But whichever way you define it, delegation, in the eyes of the FCA, is outsourcing.

Finding the roots

Look at this paper closely and you’ll see that the FCA is concerned about not just the impact that outsourcing ultimately has on customers, through for example, product design and delivery of customer services, but also the degree of oversight that insurers have over their third parties.

As a result, the FCA has set out its concerns in four key areas, on the basis that firms need to address these in order to meet their obligations.

1 Conduct risk

One of the big talking points crops up again here. So for example, if the processing of claims has been delegated to a third party, how does the insurer satisfy itself that the processes the third party operates generate the right outcomes for customers? Or are they just putting up barriers to claims being dealt with efficiently?

2 Selection of provider

The expectation is that insurers will conduct appropriate due diligence when selecting a third party. In particular, as far as the FCA is concerned, this due diligence has to have a conduct focus, looking for evidence that the issues raised above are able to be mitigated as far as possible.

3 Responsibility for controls

The point was raised around the controls over outsourced claims functions, in particular around the management of potential conflicts of interest in the outsourced claims process.

But this is an indication of a bigger concern, that insurers need to have a vested interest in, and input into, the controls operated by their outsourcers.

4 Oversight

The other major concern is the lack of insurers’ own oversight of the controls applied around the outsourcing arrangement – and in particular, a tendency to rely too much on the audit function within the outsourcer.

Take each of these points in turn, and the conclusions that you can draw from what the FCA is saying are as follows:     

Conduct risk is still the responsibility of the insurer

Granted, the outsourcer will also have a responsibility, but primarily this rests on the shoulders of the insurer – the customers belong to them, so does the ultimate responsibility to ensure the appropriate outcomes and manage the associated risks

Due diligence is essential

When entering into a new outsourcing arrangement, firms must conduct full and comprehensive due diligence. End of story.

Controls cannot be delegated

Yes, outsourcers are responsible for designing controls. But firms have to make sure they work – for them and for their customers.

Don’t rely on the outsourcers for auditing

Auditing and monitoring are essential components of the firm’s controls framework, and cannot be cut back, just because a function has been outsourced.

All of this requires training

It’s essential that everyone in firms who outsource their services understands what the regulator is looking for in terms of controls and oversight, and how they can best deliver that. Otherwise, the message is clear – there will be regulatory scrutiny if not.

As a result, there are external training providers who can provide assistance here with what is a very complicated subject. Help is at hand thanks to Industry Events Online.    


Martyn Oughton    

By Martyn Oughton a Professional Member of the International Compliance Association (ICA).  Martyn now writes a regular blog for Industry Events Online focusing on the importance of training in all aspects of compliance. Read Martyn's other publications at Martyn's Writers' Residence website.

To keep up to speed with new events and blog posts sign up to the Industry Events Online weekly newsletter.