Changing anatomy of large outsourcing deals


Are large outsourcing deals shrinking in number and size? The answer seems to be yes. Among the mega deals happening in the market, some involve business takeover activity, where suppliers have to make significant upfront payments. This typically means writing a check to create a joint fund, buying an asset, or taking over delivery centers in return for a large-ticket, long-term deal commitment. This requires a revised mindset from suppliers, and the changing behaviors include:

  • Put skin in the game to partner in large smart-sourcing transactions rather than just winning a hefty TCV contract
  • Collaborate with clients to expedite cloud adoption, including end-of-life asset strategies, and strike a balance with apt markups to manage cloud contracts
  • Refresh application / software currency while delivering services in a hyper-connected world
  • Enable efficient business processes with platforms that offer predictive and prescriptive capabilities with consumption-based pricing
  • Not really offshoring, but the right balance with local-shoring that offers cost arbitrage
  • Revived business model with competitive margins. Automation is the next frontier for improving profit margins
  • Progress beyond automation – a software bot costs about one-third the price of an offshore full-time employee
  • Keep in mind “Digital is default” – partner to digitally reimagine the client’s business and transform into AI-led sourcing.

Category Strategies for Digital

Early adopters of Digital forces – social, mobile, cloud, big data & analytics, and AI & robotics – have a clear competitive edge in their line of business. Digital is becoming the new basis of competition, helping organizations build new business and operating models. The sourcing arena is transforming rapidly as Digital services become increasingly important to the business environment. Digital demands that companies manage an ever larger pool of smaller deals that are, in many ways, different from their traditional category scenarios. Hence Digital technologies are complicating an already intricate procurement value chain.

Digital poses a tremendous change to procurement’s way of working, requiring a fundamental “rethink” of organization and capabilities, both of which will need to be reshaped over time. A successful Digital category strategy encompasses niche players along with traditional providers to optimize costs and balance skill gaps with the right capability mix. It brings in a new set of players who do things differently instead of just bringing more suppliers into the mix. Managing an ecosystem of multiple suppliers therefore poses a different challenge to client procurement organizations. A few of the challenges and opportunities of integrating Digital into procurement models, and ways to handle them, are given below.

Changing category value proposition: Procurement organizations can create new business models for themselves and move from being a cost center to a profit center. This is possible because procurement possesses strategic know-how about suppliers and their markets and deep expertise about the goods and services that are procured, as well as the alternatives on offer, including emerging innovations.

New ways of contracting: Clients have to manage a broader ecosystem of suppliers, disparate processes, service levels and pricing units. Procurement, legal and vendor management teams that are accustomed to dictating their standards to suppliers need a different approach to manage the complexity, driving standardization wherever possible.

Confidentiality and IP Rights: Confidentiality and intellectual property provisions and other restrictions on use of data abound in signed Digital contracts. Companies should review their Digital sourcing deals closely to ensure that they don’t restrict their data use or analysis rights.

Realize the full potential of Digital: Procurement organizations should have the knack of leveraging Digital as a new frontier that changes the world of customer needs. Digital, from big data analytics to 3D printing, is revolutionizing organizations’ operational and administrative processes and creating innovative digital products and services. Reflecting the effects of cutting-edge Digital technologies and data management on strategic and operational procurement, category strategies for Digital demand constant change.

In conclusion, procurement organizations need an innovative category approach encompassing Digital services to accelerate adoption of new technology formats for operational efficiency, cost optimization and business growth.



Preparing Banks for “Getting to Strong” Regulatory Mantra with robust Vendor Risk Management

“A bank can outsource a task but cannot outsource the responsibility”

Anatomy of Vendor Risks at Banks:

In today’s world it has become inevitable for banks to outsource and integrate external vendors for effective and efficient operations. Banks’ sourcing arena has extended across the entire value chain, beyond core processing and information technology to accounting, appraisal management, internal audit, HR, sales and marketing, loan review, asset and wealth management, procurement, loan servicing, etc. Most large banks deal with over 1,000 vendors; many have tens of thousands. Besides the large number of vendors, banks’ use of Global In-house Centers (GICs) and third-party service providers increased from very insignificant levels in the early 1990s to almost 10 times higher by the end of 2015. The historical approach to sourcing indicates that the degree of vendor play varies by LoB (Mortgage, Investment Banking, Credit Card, Corporate Banking, Retail Banking and Treasury Services) and further by function within each LoB, e.g. for the Credit Card LoB: Origination, Servicing, Collections, Fraud, KP, Customer Care and IT. Ensuring that outsourced activities are conducted in a safe and sound manner is the responsibility of the bank’s board of directors and senior management. The irony is that the enforcement actions and fines banks face as a result of breaches, cyber-attacks and data security issues run over billions of dollars, mounting banks’ risk exposure. The following are a few common risks in sourcing engagements.

  • Strategic Risk: Risk arising from adverse business decisions, or the failure to implement appropriate business decisions in a manner that is consistent with the organization’s strategic goals.
  • Compliance risks arise when the services, products, or activities of a service provider fail to comply with applicable U.S. laws and regulations.
  • Concentration risks arise when outsourced services or products are provided by a limited number of service providers or are concentrated in limited geographic locations.
  • Reputational risks arise when actions or poor performance of a service provider cause the public to form a negative opinion about a financial institution.
  • Country risks arise when a financial institution engages a foreign-based service provider, exposing the institution to possible economic, social, and political conditions and events from the country where the provider is located.
  • Operational risks arise when a service provider exposes a financial institution to losses due to inadequate or failed internal processes or systems or from external events and human error.
  • Legal risks arise when a service provider exposes a financial institution to legal expenses and possible lawsuits.
  • Transaction Risk: Risk arising from problems with service or product delivery such as inadequate capacity, technological failure, human error, or fraud, exposes the organization to transaction risk.
  • Credit Risk: Risk that a third party, or any other creditor necessary to the third party relationship, is unable to meet the terms of the contractual arrangements with the organization or to otherwise financially perform as agreed. Credit risk also arises from the use of third parties that market or originate certain types of loans, solicit and refer customers/members, conduct underwriting analysis, or set up product programs for the organization.

Hence a robust vendor risk management program and stringent oversight are deemed necessary for banks and financial institutions that are striving to satisfy the U.S. “Getting to Strong” regulatory mantra. Large banks are integrating comprehensive risk management into their sourcing governance, while mid-tier banks most often manage vendor risks at the transaction level. But according to the “2015 Vendor Risk Management (VRM) Benchmark Study” by the Shared Assessments Program and Protiviti, the overall VRM maturity rating of <3 on a scale of 5 is alarming, and banks should focus on advancing vendor checks and controls. Therefore, the Office of the Comptroller of the Currency (OCC) expects more comprehensive and rigorous oversight and management of third-party relationships that involve critical activities: significant bank functions (e.g., payments, clearing, settlements, custody), significant shared services (e.g., information technology), or other activities that:

  • Could cause a bank to face significant risk if the third party fails to meet expectations.
  • Could have significant customer impacts.
  • Require significant investment in resources to implement the third-party relationship and manage the risk.
  • Could have a major impact on bank operations if the bank has to find an alternate third party or if the outsourced activity has to be brought in-house.

US Regulatory Landscape:

With the pressing need to ensure appropriate vendor risk management at banks, key regulatory bodies such as the Office of the Comptroller of the Currency (OCC), the Federal Reserve Board, the Federal Deposit Insurance Corporation (FDIC) and the National Credit Union Administration (NCUA) are marching in step on the topic. Greater attention to the status and progress of VRM programs is demonstrated through consistent follow-ups by the Federal Financial Institutions Examination Council (FFIEC), the Financial Stability Oversight Council (FSOC) and the President’s Working Group on Capital Markets (PWG). Other standards and coordinating forums that bring emphasis on assessing and mitigating risks include ISO 27000 (International Organization for Standardization: Code of Practice for Information Security Management), COBIT (Control Objectives for Information Technology) and NIST (National Institute of Standards and Technology).

The following are the key steps for a bank to meet the “Getting to Strong” regulatory mantra by establishing robust Vendor Risk Management.

First Step is Assessment of Vendor Risks: 

The popular approach to assessing vendor risk is to evaluate the likelihood and impact of identified vendor risks (Quantity of Inherent Risk) against the vendor controls in place (Quality of Mitigating Controls) to derive the Residual Risk rating, which determines the degree of risk with each provider.

The Quantity of Inherent Risk with the vendor is determined by evaluating the criticality, access to sensitive data, reliability, and scalability of the vendor. Vendors rated as High or Moderate should then have their respective vendor controls evaluated to determine the overall Residual Risk. The key dimensions to consider include Strategic Risk, Reputation Risk, Operational Risk, Transaction Risk, Compliance Risk and Credit Risk as defined above.

Quality of Mitigating Controls refers to how well risks are identified, understood, and controlled. A rating of Weak, Adequate, or Strong is determined through interviews and assessment with Organization managers. The following list details the dimensions considered in determining the Quality of Mitigating Controls:

  • Responsibility: Level of Board and/or senior management involvement with overseeing vendor management program. Training on vendor products and services. Alignment of vendor with the Organization’s strategic goals.
  • Policies and Procedures: Written policies governing the use of the vendor. Operational procedures that provide instructions for activities using the vendor’s products and services.
  • Vendor Selection: Descriptions of the Organization’s expectations and due diligence efforts involved in the selection of the vendor.
  • Contracts: Contract durations, termination, and assignment with vendor including use of escrow agreements, legal counsel involvement, rights and responsibilities, and service level agreements.
  • Ongoing Monitoring: Monitoring policies and procedures that review the financial strength of the vendor, service level metrics, key vendor personnel, and alignment of the vendor with the Organization’s business strategy. The review of the vendor’s internal control environment.
  • Information Security: The protection of confidential information through the review of the vendor’s information security environment.

Finally, the Residual Risk Rating of the vendor is determined by comparing the Quantity of Inherent Risk with the vendor controls in place (Quality of Mitigating Controls).

Second Step is Understanding the Bank’s Risk Appetite and Segmenting the Risks:

After determining the residual risk rating of vendors, a bank has to evaluate its own risk appetite, one of the essential concepts that must be understood and consistently applied to reap the strategic benefits of this emerging perspective on governance and risk management. Risk appetite is the amount and type of risk that a bank is willing to pursue or retain (ISO/IEC Guide 73:2009). Similarly, COSO’s Enterprise Risk Management Framework defines risk appetite as the “amount of risk an entity is willing to accept in pursuit of value”, clearly recognizing the opportunity dimension. The COSO framework also recognizes that risk appetite is reflective of the entity’s risk management philosophy, which in turn influences the entity’s culture and operating style.

Risk appetite is about establishing a strategic boundary between the amount of risk that a bank is willing and able to take as an integral part of its business model / profitability on one hand and the level at which it wants to expose itself to “bad things happening” on the other, together with a set of strategic, financial and operational risk parameters and tolerances.

Regulators’ perspectives on risk include both institution-specific and systemic risk arising from risk concentration. Risk segmentation is therefore an important step for a bank, going in tandem with measuring risk appetite, to define VRM measures aligned with the criticality of the sourced services. By overlaying risk appetite and vendor residual risk rating, the risk segmentation of a bank’s services typically falls into one of the following three major clusters.

  • Tier I services (or vendors) are critical activities that warrant individual focus and dedicated resources to assess and manage risks, including specific actionable plans for key risk exposures.
  • Tier II services are typically those activities with lesser-value exposure and operational sensitivity. These services require moderate time, attention and resources.
  • Tier III services are low-risk activities, which may be managed as a group or on an exception basis only.

On an Ongoing Basis, Take a Life Cycle Based Approach to Vendor Risk Management:

The OCC expects a bank to have risk management processes that are commensurate with the level of risk and complexity of its third-party relationships and the bank’s organizational structures. An effective third-party risk management process follows a continuous life cycle for all relationships and incorporates the following phases:

  1. Planning: Developing a plan to manage the relationship is often the first step in the third-party risk management process. This step is helpful for many situations but is necessary when a bank is considering contracts with third parties that involve critical activities.
  2. Due diligence and third-party selection: Conducting a review of a potential third party before signing a contract helps ensure that the bank selects an appropriate third party and understands and controls the risks posed by the relationship, consistent with the bank’s risk appetite.
  3. Contract negotiation: Developing a contract that clearly defines expectations and responsibilities of the third party helps to ensure the contract’s enforceability, limit the bank’s liability, and mitigate disputes about performance.
  4. Ongoing monitoring: Performing ongoing monitoring of the third-party relationship once the contract is in place is essential to the bank’s ability to manage risk of the third-party relationship.
  5. Termination: Developing a contingency plan to ensure that the bank can transition the activities to another third party, bring the activities in-house, or discontinue the activities when a contract expires, the terms of the contract have been satisfied, in response to contract default, or in response to changes to the bank’s or third party’s business strategy.

In addition, a bank should perform the following throughout the life cycle of the relationship as part of its risk management process:

  1. Oversight and accountability: Assigning clear roles and responsibilities for managing third-party relationships and integrating the bank’s third-party risk management process with its enterprise risk management framework enables continuous oversight and accountability.
  2. Documentation and reporting: Proper documentation and reporting facilitates oversight, accountability, monitoring, and risk management associated with third-party relationships.
  3. Independent reviews: Conducting periodic independent reviews of the risk management process enables management to assess whether the process aligns with the bank’s strategy and effectively manages risk posed by third-party relationships.

Captive / GIC Monetization – A Viewpoint

Monetization is defined as parent companies selling or exiting the majority ownership and management of their offshore captive operations to an external party. Captive monetization meets the need of parent organizations to focus on core business and to raise cash, while buyers aspire to acquire industry-specific capabilities, grow to global scale, and grow the size and maturity of their existing book of business.

OUTLOOK: The attraction of acquiring a captive merely to add scale has lessened with time. With the growth and maturity of the marketplace, private investors may not find it attractive to invest in a “me-too” operation in an overcrowded market. Captive transactions will occur for more tactical than strategic reasons, thereby shifting the balance of negotiation in favor of service providers.


  • Lack of maturity of Service Providers to offer the services – Service providers with right credentials available who can provide such services;
  • The desire for direct and complete control – Increasingly considered as management distraction if provider can deliver same services;
  • Regulatory restrictions – Potential to multi-source. Retain such work which is proprietary but outsource what’s possible;
  • A risk perception in sourcing from a service provider – With the track record of many years and the scale at which the work is being performed, the risk perception has certainly reduced;
  • The cost-value equation – Providers can potentially provide better cost-value equation. Possible to leverage their cross industry & customer capabilities and innovation programs;
  • Having a large enough scale for captive viability – Despite scale, captives risk saturation over time in terms of retaining employees and offering careers;
  • Corporate culture will not allow outsourcing services – Change in management attitude and/or potential to multisource


  • Service providers to offer variable cost and capacity models with much higher level of flexibility
  • Offer flexible arrangements that provide the desired ‘Degree of Control’
  • Share risks (and commensurate rewards)
  • Enable clients to focus on their core business – to free up key SMEs and management resources
  • Align and benchmark with prevalent cost-value equation for type of service rendered

IN SUMMARY: If the way forward is to monetize the GIC, then with the right due diligence one of the following two models prevails:

  • Ownership Transfer of Captive: Depending on the maturity of the specific service area, the opportunity for captives to earn attractive valuations is diminishing over time. Captives operating in new and niche areas that offer an attractive set of capabilities to service providers will continue to offer attractive monetization. Captives that have reached a critical mass of employees are potential candidates for monetization (e.g. about half a dozen Financial Services captives in India).
  • Conversion of Mature Captive into Service Provider: Parent companies convert captives into third-party service firms without exiting ownership, i.e. shifting the growth curve of the captive without a change in ownership, allowing them to cash out at higher valuations at a later point. E.g. one of the financial services captives in India, after being sold by a US major, experienced significant growth in its enterprise value in a span of 3 years.

eProcurement & e-Auctions : Lessons Learned and Best Practices

Auctions have been around for centuries. Sellers with goods/services wanted an efficient way to sell those goods/services to buyers who wanted them. Over the years, various auction formats were devised and executed, including the most well-known format, the reverse auction. Rather than having one seller with many buyers, a reverse auction involves one buyer with many sellers. Sellers place decreasing bids on a set of goods or services and follow the same set of rules.

Reverse auctions are now run in real time through e-Auctions, and organizations are increasingly leveraging e-Auctions in the ITO/BPO supplier selection process. In this post, I am sharing the following points captured from earlier experiences on e-Auction lessons learned and best practices.

I. Auction Event in Outsourcing Lifecycle:

  • The auction event is conducted during the course of the RFP / Pursuit process in lieu of a traditional protracted negotiation process, enabling Clients to baseline and benchmark supplier costs
  • The auction event allows suppliers to (1) understand where their pricing is within the market as compared to their peers; (2) sharpen pricing toward providing the best value proposal; and (3) increase the chances of becoming a preferred supplier
  • The auction is not a “winner-take-all” event and in general it is only a refinement of the pricing of proposals
  • Recent experience indicates that the Auction Event is conducted online

II. Auction Process:

  • Mock Auction: This step allows suppliers to get acquainted with the auction rules & toolset
  • Live Auction: Actual online bidding event
  • Post Auction: The next step after the live auction is one of two potential scenarios

§ Suppliers are not expected to submit any pricing forms post auction if the bid points are the rate cards or discrete/granular price points that will enable Client teams 1) to compare apples-to-apples and 2) to compute the base outsource cost

§ If one or more of the bid points are blended rates, the role-wise rate card used to arrive at the blended rates is expected to be submitted post auction

III. Auction Bid Points: A few common bid points that are part of a reverse auction are

  • Blended Rates: For Managed Services scope OR location-wise across skills OR Effort based scope
  • Resource Rate Card: Location-wise (Onsite/Offshore/Near-shore) rates by skill & experience band
  • Transition Cost: To cover total cost of transition and on-boarding
  • Volume Discount: Discounts offered based on committed annualized revenue OR effort volumes
  • Tenure Discount: Defined in bands & based on the committed duration of a resource in engagement
  • Pass-through Charges: Bid point for Link (one-time & recurring), Software, Tools etc. cost

IV. Auction Rules & Mechanics:

  • Initial bids placed are either equal to the RFP-submitted values OR allowed to start with any value
  • “Lots” or auction events are defined for each of the applicable bid points above. Lots are defined by location in the case of multi-geographic deals.
  • Lot closing is staggered and the timing for each lot close is published (ex: 15 to 20 minutes) in advance
  • Each Lot lasts for a defined/specified duration, with extensions if a bid is received towards the end of the Lot’s bidding duration (as pre-defined).
  • Suppliers are allowed to bid in USD and/or respective local currencies, but there is a high possibility that bids are evaluated in USD if the deal is multi-geographical and involves the USA
  • A bid must be lower than the previous bid placed by, at minimum, the bid decrement. Bid decrements are defined as % reductions or $ reductions.
  • Suppliers know their respective rankings in real time after each bid is submitted. In general, the details of competitor names and competitor bid values are not disclosed/displayed

V. Supplier Selection:

  • The auction is not a “winner-take-all” event and in general it is only a refinement of the pricing of proposals
  • Supplier selection is based on rank in the reverse auction combined with the qualitative evaluations based on service/breadth of capabilities, innovation, investments etc.
  • Auction is in lieu of a traditional protracted negotiation and hence post auction selection leads to noncommercial negotiations for the contract closure

VI. Best Practices:

  • Alignment and availability of Bidder Management and decision makers for real time decisions during auction
  • Build scenarios for bid points based on decrement guidance and have pre-approved (profitability) scenario for rock-bottom price
  • There is no need to aim for a consistently good rank on all bid points, but reprioritizing the strategically important bid points helps internal preparedness and last-minute decisions
  • Have all stakeholders join the auction over Webex, with one assigned owner to enter bid points
  • Before the auction, make sure to confirm the Client’s terms & conditions, get them internally vetted, obtain approval from Bidder business, finance & legal, and communicate key assumptions to the client