Risk Topics

Risk, opportunity, and the service organization


Specialist information technology services organizations play a substantial role in regulated industries such as finance. These service organizations make their living by being able to provide the expertise, flexibility, and speed in developing information-based solutions within their niche that their clients often simply can’t. But they are now coming under new pressures. IT processes, standards, and technologies have so drastically improved that continuous excellence in service delivery is expected. At the same time, regulators, auditors, and boards are becoming more aware of the hazards posed by regulated industries sharing risk with service organizations.

This propels regulators to establish risk management guidance on outsourcing arrangements that sets the bar for service organizations at the same level as the regulated firms themselves. Regulated firms effectively come to download portions of their regulator-mandated enterprise risk management regimes to the technology service organizations that serve them.

In turn, service organizations, even small-scale operations, are adopting annual external audits to provide evidence of effective enterprise risk management. To adapt to the new requirements and thrive in their regulated marketplace, service organizations can adopt enterprise risk management through an initiative for risk-centric process improvement.

And I believe that this allows enterprise risk management practices to unlock new opportunities for service organizations. First, a look at what’s involved.


For a technology service organization to obtain a clean third-party audit, it must meet or exceed standards in several areas, for example:

It’s a broad list, but also deep. Regulators are directly referencing complex and prescriptive guidance such as the AICPA/CICA “trust services principles”, which outline hundreds of controls for a service organization.


The skill-set required to effect these changes isn’t necessarily the same skill-set already possessed by a service organization’s management team; in addition to the daunting scope and complexity, an outside change leader may be required.


Complicating matters, the field is currently in flux. Some evolving trends include:

And after all the effort, expense, and change imposed, after adopting new standards of performance and a perpetual cycle of audit-and-remediation, there is no guarantee of success. The auditors will be the ones to decide when their requirements are met.

So it’s worth looking at the opportunity that lies on the far side of all of this work. What are the payoffs?

And finally, the most important question: why

Speaking from my experience in the field, integrating risk-centric business practice improvements into a business strategy can:

Here’s how I believe it works. Initially, a process improvement initiative exposes the differences in expectations, assumptions, and interpretations behind existing process. Elimination of those differences allows the firm to adopt a unified way of thinking and a unified level of consistent behavior. It allows the firm to adopt a culture of excellence, and allows the firm to find a competitive advantage based on processes that are not merely improved but (in the words of Michael Porter) that “fit” and are hard-to-copy.

Without the sort of demonstrable excellence that's behind an audit report, a sales journey within a regulated firm can include a series of gatekeepers similar to that in the image below. But a service organization armed with an audit that’s backed by genuine internal excellence and a unified vision can bypass the gatekeepers and engage the client's decision-makers in the sort of conversation that really matters.

[Image: a man going to the desks of several gatekeepers]

Simply having the auditor's report conveys to your prospects that you're speaking their language. But meeting their needs at every level earns and keeps a client's trust and builds "brand" with every interaction. A focus on the customer is the most powerful way of winning and keeping that customer. This sounds like a marketing talk on purpose; marketing experts understand the importance of a consistent message of excellent results. And what is an audit but proof of consistency?

© 2013 - 2019 werneburg information risk management inc.