fit for service - a strategy for service organizations

Fit for Service A strategy for service organizations. Michael Werneburg, 2013.04.13

Upload: michael-werneburg

Post on 21-Jun-2015


Category:

Business



DESCRIPTION

A strategy for selling technology services to federally-regulated banks and life insurance firms. Includes a case study in which a small services organization utilized a clean audit report to gain—and keep—the market's trust.

TRANSCRIPT

Page 1: Fit for Service - A strategy for service organizations

Fit for Service
A strategy for service organizations.
Michael Werneburg, 2013.04.13

Page 2: Fit for Service - A strategy for service organizations

THE CHALLENGE

A technology & service provider can have great products and still get nowhere because the clients lack trust.

Page 3: Fit for Service - A strategy for service organizations

The target market—banks and life insurance firms—are jointly called “federally regulated entities”.

They are accountable to several regulators domestically and abroad.

OSFI, CSA, IIROC, OSC, MFDA, FSCO

Page 4: Fit for Service - A strategy for service organizations

Selling information services to these “regulated entities” means meeting their stringent regulations.

The vetting process for a new vendor can involve 80-page RFIs full of questions.

Page 5: Fit for Service - A strategy for service organizations

Every client has specialists with long lists of requirements. Dealing with this bureaucracy on their terms can be difficult, lengthy, and disruptive.

IT, Legal, Compliance, Risk Mgmt., PMO, Vendor Mgmt.

Page 6: Fit for Service - A strategy for service organizations

The requirements are exacting and there’s little appetite for uncertainty.

A brilliant and perfectly timed product or service gets you only as far as the doorstep.

Page 7: Fit for Service - A strategy for service organizations

Keeping these clients has its own challenges.

Us

Client

The two shapes on this page show the sizes of our company and the typical size of global organizations we serve. To scale.

Page 8: Fit for Service - A strategy for service organizations

WHAT TO DO

Turn the problem into a strength.

Page 9: Fit for Service - A strategy for service organizations

The service you offer is where you have chosen to compete. Performing at the mandated level is how you will win.

1. Get the clients and keep them.
2. Define your unique activities and constantly refine and adapt.
3. Build real barriers to entry.

Page 10: Fit for Service - A strategy for service organizations

Key goals:

• Excel in all points of contact with clients.

• Optimize the fit between internal activities.

• Adopt change as a way of life.

Page 11: Fit for Service - A strategy for service organizations

A THREE STAGE PROGRAM

How to build a resilient business that performs.

Page 12: Fit for Service - A strategy for service organizations

1. Implementing a fitness regime.

• Identify the required level of performance. Set goals.

• Adopt a governance framework to monitor and foster progress.

• Build the team, the processes, the tools, and the structure to operate at a high level.

Page 13: Fit for Service - A strategy for service organizations

2. Get audited yearly. A third-party assurance report covers all the bases.

• The SOC attestation reports for service organizations communicate your commitment to excellence.

• They are a recognized standard with international equivalents.

Page 14: Fit for Service - A strategy for service organizations

3. Your annual audit reports satisfy the gate-keepers, freeing you to focus on the conversations with the stakeholders and decision makers who need you.

• (Watch for quote in case study below.)

Page 15: Fit for Service - A strategy for service organizations

A CASE STUDY

The story of a successful technology & service provider.

Page 16: Fit for Service - A strategy for service organizations

PortfolioAid provides a crucial automated compliance service

• Compliance is a must-have

• Effective compliance is a differentiator in a hyper-competitive environment

• Even the regulators consider this service “material”

Page 17: Fit for Service - A strategy for service organizations

• Specialists in rating risk for securities.

• Market leader in retail brokerage compliance automation.

• Experiencing rapid growth as the compliance market matures.

Page 18: Fit for Service - A strategy for service organizations

Our goals as a service organization

• Deliver reliable software releases with accuracy

• Deliver a secure & available service

• Stay responsive and agile

• Develop an end-to-end service level agreement

Page 19: Fit for Service - A strategy for service organizations

We have sensitive client data

• Confidentiality

• Integrity

• Personal information/privacy

Page 20: Fit for Service - A strategy for service organizations

Our systems must be

• Functional

• High-performing

• Available

Everyone knows this. But…

Page 21: Fit for Service - A strategy for service organizations

Managing systems change is more demanding.

• To deliver functional enhancements

• …without error…

• …and propagate between clients.

A multi-dimensional issue.

Page 22: Fit for Service - A strategy for service organizations

Our people have to be

• Competent

• Reliable

• Trusted

We need skills, training, the drive to deliver, and yes: rules.

Page 23: Fit for Service - A strategy for service organizations

Executive: setting and communicating objectives; evaluating operations and financial performance; service level management; business continuity planning; budget approval; vendor management.

Human Resources: background checks; asset entitlements management; hiring and termination policies; privacy; acceptable use; code of conduct; confidentiality; whistle-blowing; site security; staff evaluations.

IT: SDLC; change control; disaster recovery; technology standards; patch management; security incident management; information classification; log monitoring; viruses; bring-your-own-device; data disposal; encryption; firewall management; remote access.

Internal control: internal audit; risk management; policy management.

This is a sample; it is not practical to list everything.

Page 24: Fit for Service - A strategy for service organizations

[Diagram: Sources of guidance for processes & controls: Clients, COBIT, Trust Services, Auditors, Regulators, Vendors, CICA]

Page 25: Fit for Service - A strategy for service organizations

An IT governance framework

• COBIT 5 focuses on realizing benefits, optimizing risk levels, and optimizing resource use.

• COBIT 5 does not focus only on the ‘IT function’, but encompasses strategy, business planning, resource optimization/budgeting, HR, vendor management, etc.

Page 26: Fit for Service - A strategy for service organizations

Guidance for service organizations

• Hundreds of detailed “must have” criteria to map to internal controls.

• Covers five domains: security, availability, confidentiality, processing integrity, and privacy.

• Blends perfectly with COBIT.

Page 27: Fit for Service - A strategy for service organizations

Implementing governance

• PortfolioAid identified the relevant areas of COBIT for implementation.

• Starting with core functions (SDLC, hosting, human resources), the “governance project” began in January 2011.

Page 28: Fit for Service - A strategy for service organizations

Implementing governance

• COBIT blended with AICPA/CICA “Trust Services Principles” criteria.

• First audit passed, October 2011.

• COBIT implementation expanded in 2012.

• First clean CICA Section 5025 audit report obtained October 2012.

Page 29: Fit for Service - A strategy for service organizations

Immediate benefits

• Easy RFPs and RFIs. Just hand over the documentation.

• No more one-off requests for proof of capability from vendor managers, IRM, legal, etc.

• Shortened and easier sales cycle.

Page 30: Fit for Service - A strategy for service organizations

In the words of one software executive:

“Now that we have our audit report, we’re having a whole other level of discussion. The gate-keepers simply ask for the report and we’re done. Everyone thanks us for making their jobs easier.”

Page 31: Fit for Service - A strategy for service organizations

Life is easier for existing clients

• No more one-off requests for proof of capability from vendor managers, IRM, legal, etc.

• Improved “story” for service owners.

• More interest in expanding services with us.

Page 32: Fit for Service - A strategy for service organizations

Running smoothly:

• Delivering value-added functionality in a reliable fashion (1 error in 557 releases)

• Hosting our WatchDog service in a secure and uninterrupted fashion (no downtime after two years and counting).

• Stable processes free the time of PortfolioAid SMEs and management.

Page 33: Fit for Service - A strategy for service organizations

Confidence and transparency

• Reduced need for monitoring by clients. None has ever called for an ad-hoc audit.

• Clarity around roles and responsibilities.

• Comprehensive service level attainment is demonstrable through reporting.

Page 34: Fit for Service - A strategy for service organizations

Governance framework

• 64 process manuals

• 261 controls being measured

• Annual audits and pen-test

Clean audit achieved in 2nd year

• Copies of report for all clients

Page 35: Fit for Service - A strategy for service organizations

HOW I DID IT

My role as a specialist in governance, risk, and strategy.

Page 36: Fit for Service - A strategy for service organizations

I provide:

• Understanding of service delivery strategies.

• Understanding IT and IT governance frameworks (e.g. ITIL, COBIT).

• Mapping the governance framework to business strategy.

• Knowledge of capital markets, life insurance, and the software/service firms that support them.

• Business process renewal and the writing of process manuals.

• Managing the auditors. (Certified Internal Auditor designation in progress).

• Project management (I am a PMP).

Page 37: Fit for Service - A strategy for service organizations

Michael Werneburg

416-848-4136
