What do you need to know about Risk Management?


What’s behind SSOPro? You’ve heard about the 10 core competencies that we have identified, and you may even have seen one of the live demos. But what can an online learning program such as SSOPro really do for you?

Interview with Roy Barden, consultant to SSOPro’s Risk Management competency, on why we need to develop our knowledge base when it comes to risk management.

SSON: What made you pick Risk Management as the competency you wanted to design and lead?

A recent survey of our clients indicates that risk and compliance are still top priorities for them. The growth of outsourcing is making this even more central to their – and our – thinking.

SSON: What are the 2-3 main problem areas you think clients and providers could avoid given a better understanding of risk management?

There are effectively nine basic risk areas:

  1. Strategic Risk
  2. Compliance Risk
  3. Financial Risk
  4. Operational Risk
  5. Environmental Risk
  6. Employee Risk
  7. Political Risk
  8. Health & Safety
  9. Commercial Risk

The ones highlighted below are particularly important to shared services centres.

Strategic Risk – what this means is: does your shared services strategy support your business strategy? What is the major driver? Is it cost / flexibility / growth / efficiency / effectiveness? You need to be aware of what’s driving your shared services operation.

Compliance – do you need to support control regimes such as SARBOX? What else could weigh in here?

Operational Risk – this links in with recruitment, accounting controls, IT systems, knowledge transfer, etc. Much of this links in with employee risk.

SSON: What is the impact of the current market on internal risk evaluations? How is this making itself felt in the captive vs. outsourcing decisions people are making?

If you have an outsourcer involved, you need to be aware of whether they need to meet regimes such as SAS70 and its successors (SSAE16 / ISAE3402) in order to deliver sufficient comfort regarding compliance. This is important!

Also you need to consider how you’ve built "innovation and process improvement" into your contractual arrangements – who pays for what, and how are the rewards shared?

SSON: What are the top classic mistakes people make as a result of not having enough experience with risk management?

They are essentially:

  • Don’t invest time to identify and assess risk
  • Don’t follow through on mitigating actions
  • Don’t have a learning loop
  • Don’t monitor the costs
  • Don’t test the effectiveness of controls
  • Don’t stand back to see the big picture
  • Denial
  • Design for today not tomorrow – e.g. impact of automation on offshoring business case
  • Design sub-optimises the whole, e.g. functional versus end-to-end process solutions

The last two are of particular importance in Shared Services and Outsourcing.

SSON: What can people learn from the mistakes of others?

Risk management is not rocket science – it just requires a systematic approach AND enough of an investment. You can break learnings into a few key steps:

Step 1: Assess Risk

  • Identify Risk
  • Assess Probability
  • Assess impact

Step 2: Response

  • Accept
  • Transfer (especially important in outsourcing)
  • Reduce probability and/or impact
  • Eliminate

The biggest issue for Shared Services today is the erosion of the business case for moving transactional activity offshore in the face of rising wage costs and automation enhancing high cost locations.

SSON: What are most practitioners still not sufficiently aware of when it comes to managing risk? What can they benefit most from learning about?

It would be good to explore recognised risk frameworks. Which organisations are leading the charge here? What are the myths and the realities regarding SAS70 and its successors SSAE16 / ISAE3402, in delivering comfort regarding compliance? Can these really help address risk – or are they just a comfort blanket?

Roy Barden
Executive Director
Novo Altum

Roy Barden leads the Shared Services and Outsourcing Advisory practice for Novo Altum.

Roy has spent the last 15 years as a consultant leading change within the support functions of global organizations, helping clients deliver both in-house and outsourced Shared Services.

Before joining Novo Altum, Roy led the Global Business Services Advisory practice for the Hackett Group.

Prior to consultancy, Roy spent 13 years working in the finance functions of multinational firms in the paper and chemical industries based in the UK before becoming CFO of a multinational speciality chemical firm located in the Netherlands.

Roy has a degree in Economics and an MBA from the London Business School and is a Fellow of the Chartered Institute of Management Accountants.