Should organisations look to hand out CoSec duties to an expert global provider, or is there a legitimate argument for retaining in-house functions? Our world-class compliance experts share their views.
An obvious solution to handle CoSec duties is to outsource the problem. Delegate, and forget. The corporate endorsement of this approach is highly varied. Some multinationals outsource aggressively. Others develop in-house CoSec functions. Small and medium sized organisations are also mixed in their approach.
So, what is the most efficient method? Should organisations look to hand out CoSec duties to an expert global provider, or is there a legitimate argument for retaining in-house functions?
“This might surprise you, as I come from a global professional services provider, but outsourcing is not suitable for everyone,” says Matthew Eckford, Entity Management Director at TMF Group and an acknowledged expert on the business of outsourcing. “Some organisations may be ill-prepared to outsource. Or they may have the scale and resources to address their requirements with an in-house team.”
The best policy may come down to the expertise of an organisation. Small organisations may lack resources to focus on compliance. Outsourcing here is the only option. As organisations grow, so may their ability to manage compliance obligations in-house, but the costs of such teams will grow as well.
A critical question is where the organisation operates. Compliance is more onerous in some jurisdictions than others. Brazil, Kuwait, the Philippines and India are rated by the World Bank as some of the more difficult places to do business. Completing CoSec duties in these jurisdictions will be tough. And yet, Eckford says that does not necessarily mean an end to in-house compliance. Other factors may outweigh this single consideration: “Perhaps surprisingly, the most complex jurisdictions may not necessarily be the best candidates for outsourcing. Instead, multinationals with significant scale may assign an in-house resource that is familiar with the variety of compliance requirements in different jurisdictions and understands local authority demands.”
Cost will be part of the equation. The catch is that compiling accurate figures for CoSec compliance can be troublesome. External professional advisors tend to bill in different currencies, formats, and use different terminologies for assistance provided. Some may charge billable hours, rather than fixed fee. Internally, costs are hard to quantify. Utilising an in-house lawyer for CoSec incurs a cost, but their time may be missed in a narrow audit. All this makes it a challenge to produce a reliable carrying cost.
An argument in favour of a single global service provider is that a centralised invoice service will make cost analysis more rigorous.
The ability to outsource may depend on the industry. The financial services industry places more stringent CoSec requirements on organisations than, for example, the FMCG sector. Most board meetings at a bank must be treated as “live”, attended and correctly minuted. These meetings require a high degree of preparation, with agendas and board packs, terms of reference, and minute creation. It makes sense to build an in-house team to address these needs. By contrast, FMCG, technology and media can run infrastructure-light operations. They regard CoSec as non-core, and are happier to delegate to a professional service provider.
Partnering with an external party tends to be better to identify errors. Overworked in-house teams can miss even quite basic mistakes.
For example, a company which paid $15,000 a quarter for leasing a premise in a jurisdiction found after some years the fee was redundant after incorporation. $250 per annum was the actual required fee. The in-house team was too busy to notice (and solve) the overspend.
Readiness is a critical, but often overlooked concept. Outsourcing may be theoretically preferable, but if the organisation is not well prepared for a change in approach, the strategy may fail. Eckford has seen projects which look good on paper fail because the client was unprepared: “Some companies just want to pay someone else to solve the problem. They lack executive sponsorship. They lack understanding of what is involved. Outsourcing is a synergist partnership, and both parties need to be willing to understand the other side. Without that mindset, the outsourcing won’t work.”
Similarly, companies hoping to build in-house teams may find the challenge more onerous than expected. For example, software is often purchased with an expectation it will create a uniform and up-to-date record of CoSec status across jurisdictions. In fact, without the right processes in place the software will fail to deliver these benefits. The wrong data, lack of auditing, lack of timeliness of the submission of data: these can undermine even the best software database.
All too often companies fail to make a decision. Instead, projects are handled in an improvised way in each jurisdiction. Local advisors come with their own preferred solutions: sometimes recommending lawyers and accountants, other times working with bespoke specialists. The nadir is when the central secretariat loses sight not merely of whether entities are compliant, but even how many entities the organisation has under its supervision and where.
Any decision on outsourcing must begin with a thorough due diligence work. Mission critical obligations can be identified, as can lesser obligations. When activities are outlined for outsourcing, a business case must be made to ensure all stakeholders are onside.
Any change will take time. In certain cases, and depending on the volume and reach, a timeline of two years to incorporate the use of professional providers may be realistic. This will include broader objectives, such as consulting with other departments, explaining the changes to stakeholders, and weaving the plan into the long-term corporate strategy.
The final factor to consider is increasing complexity. Compliance duties are only going to get more onerous. Retaining an in-house function is viable: but the pressures and sophistication of CoSec activities will only increase. As the compliance industry becomes more specialist and demanding, the appeal of utilising an expert global partner will only proliferate.