fit for service - a strategy for service organizations
A strategy for selling technology services to federally-regulated banks and life insurance firms. Includes a case study in which a small services organization used a clean audit report to gain—and keep—the market's trust.

Fit for Service: a strategy for service organizations. Michael Werneburg, 2013.04.13
THE CHALLENGE
A technology & service provider can have great products and still get nowhere because the clients lack trust.
The target market—banks and life insurance firms—is jointly called “federally regulated entities”. They are accountable to several regulators, domestically and abroad:
• OSFI
• CSA
• IIROC
• OSC
• MFDA
• FSCO
Selling information services to these “regulated entities” means meeting their stringent regulations. The vetting process for a new vendor can involve 80-page RFIs full of questions.
Every client has specialists with long lists of requirements: IT, Legal, Compliance, Risk Mgmt., PMO, Vendor Mgmt. Dealing with this bureaucracy on their terms can be difficult, lengthy, and disruptive.
The requirements are exacting and there’s little appetite for uncertainty.
A brilliant and perfectly timed product or service gets you only as far as the doorstep.
Keeping these clients has its own challenges.
[Figure: two shapes, “Us” and “Client”, showing the size of our company and the typical size of the global organizations we serve, drawn to scale.]
WHAT TO DO
Turn the problem into a strength.
The service you offer is where you have chosen to compete. Performing at the mandated level is how you will win.
1. Get the clients and keep them.
2. Define your unique activities and constantly refine and adapt.
3. Build real barriers to entry.
Key goals:
• Excel in all points of contact with clients.
• Optimize the fit between internal activities.
• Adopt change as a way of life.
A THREE STAGE PROGRAM
How to build a resilient business that performs.
1. Implement a fitness regime.
• Identify the required level of performance. Set goals.
• Adopt a governance framework to monitor and foster progress.
• Build the team, the processes, the tools, and the structure to operate at a high level.
2. Get audited yearly. A third-party assurance report covers all the bases.
• The SOC attestation reports for service organizations communicate your commitment to excellence.
• They are a recognized standard with international equivalents.
3. Your annual audit reports satisfy the gate-keepers, freeing you to focus on the conversations with the stakeholders and decision makers who need you.
• (Watch for the quote in the case study below.)
A CASE STUDY
The story of a successful technology & service provider.
PortfolioAid provides a crucial automated compliance service
• Compliance is a must-have.
• Effective compliance is a differentiator in a hyper-competitive environment.
• Even the regulators consider this service “material”.
• Specialists in rating risk for securities.
• Market leader in retail brokerage compliance automation.
• Experiencing rapid growth as the compliance market matures.
Our goals as a service organization
• Deliver reliable software releases with accuracy
• Deliver a secure & available service
• Stay responsive and agile
• Develop an end-to-end service level agreement
We have sensitive client data
• Confidentiality
• Integrity
• Personal information/privacy
Our systems must be
• Functional
• High-performing
• Available
Everyone knows this. But…
Managing systems change is more demanding.
• To deliver functional enhancements
• …without error…
• …and propagate between clients.
A multi-dimensional issue.
Our people have to be
• Competent
• Reliable
• Trusted
We need skills, training, the drive to deliver, and yes: rules.
Executive: setting and communicating objectives; evaluating operations and financial performance; service level management; business continuity planning; budget approval; vendor management.
Human Resources: background checks; asset entitlements management; hiring and termination policies; privacy; acceptable use; code of conduct; confidentiality; whistle-blowing; site security; staff evaluations.
IT: SDLC; change control; disaster recovery; technology standards; patch management; security incident management; information classification; log monitoring; viruses; bring-your-own-device; data disposal; encryption; firewall management; remote access.
Internal control: internal audit; risk management; policy management.
This is a sample; it is not practical to list everything.
[Figure: sources of guidance for processes & controls: clients, COBIT, Trust Services, auditors, regulators, vendors, CICA.]
An IT governance framework
• COBIT 5 focuses on realizing benefits, optimizing risk levels, and optimizing resource use.
• COBIT 5 does not focus only on the ‘IT function’, but encompasses strategy, business planning, resource optimization/budgeting, HR, vendor management, etc.
Guidance for service organizations
• Hundreds of detailed “must have” criteria to map to internal controls.
• Covers five domains: security, availability, confidentiality, processing integrity, and privacy.
• Blends perfectly with COBIT.
Implementing governance
• PortfolioAid identified the relevant areas of COBIT for implementation.
• Starting with core functions (SDLC, hosting, human resources), the “governance project” began in January 2011.
• COBIT blended with AICPA/CICA “Trust Services Principles” criteria.
• First audit passed, October 2011.
• COBIT implementation expanded in 2012.
• First clean CICA Section 5025 audit report obtained October 2012.
Immediate benefits
• Easy RFPs and RFIs. Just hand over the documentation.
• No more one-off requests for proof of capability from vendor managers, IRM, legal, etc.
• Shortened and easier sales cycle.
In the words of one software executive:
“Now that we have our audit report, we’re having a whole other level of discussion. The gate-keepers simply ask for the report and we’re done. Everyone thanks us for making their jobs easier.”
Life is easier for existing clients
• No more one-off requests for proof of capability from vendor managers, IRM, legal, etc.
• Improved “story” for service owners.
• More interest in expanding services with us.
Running smoothly:
• Delivering value-added functionality in a reliable fashion (1 error in 557 releases).
• Hosting our WatchDog service in a secure and uninterrupted fashion (no downtime after two years and counting).
• Stable processes free the time of PortfolioAid SMEs and management.
Confidence and transparency
• Reduced need for monitoring by clients. None has ever called for an ad-hoc audit.
• Clarity around roles and responsibilities.
• Comprehensive service level attainment is demonstrable through reporting.
Governance framework
• 64 process manuals
• 261 controls being measured
• Annual audits and pen-test
Clean audit achieved in 2nd year
• Copies of report for all clients
HOW I DID IT
My role as a specialist in governance, risk, and strategy.
I provide:
• Understanding of service delivery strategies.
• Understanding of IT and IT governance frameworks (e.g. ITIL, COBIT).
• Mapping the governance framework to business strategy.
• Knowledge of capital markets, life insurance, and the software/service firms that support them.
• Business process renewal and the writing of process manuals.
• Managing the auditors (Certified Internal Auditor designation in progress).
• Project management (I am a PMP).