16 January 2019

Should you outsource your risk and compliance activities?

It’s a fact that the management of risk and compliance is becoming increasingly complicated. The compliance function requires more skills, experience and knowledge than ever before - especially with the growing regulatory complexity that compliance teams need to understand and navigate.


This complexity also increases the importance of having capable specialists managing this function on behalf of your organisation, which places even greater pressure upon the recruitment and retention of these sought-after resources.

As a result, more and more organisations are once again looking to outsource certain aspects of their compliance workload - turning to third party suppliers for support. And, as compliance has grown tougher to manage, the compliance solution market has evolved in response with new services and tools designed to help.

So, the starting point is to ask those key questions. Does it make sense to centralise some of your compliance activities? Is it viable to automate more of them? And is it possible to have a third party in place to support an internal, centralised function - to operate and police some of the more routine compliance tasks?

This post will explore the pros and cons, so you can decide what is right for your organisation.

The benefits of outsourcing

Thanks to the increased focus on compliance there is now a shortage of talent and skills in this discipline - with many organisations struggling to fill posts and cover absences in their internal teams. Bringing in external help alleviates this pressure, as you can quickly plug any gaps to build a fully-resourced, blended team – rather than relying on an over-stretched team, which may lack key skills.

As well as relieving pressure on your internal team, outsourcing compliance can also save you money. Paying an outsourcing firm doesn’t always work out to be less expensive than handling everything yourself; however, it is often done better. That’s because these companies specialise in delivering just one or two services for multiple companies. As a result, savings are possible too, due to economies of scale and a clear operational focus, which means they can offer a very competitive rate.

Outsourcing can also provide you with much quicker access to more sophisticated systems – such as compliance analytics – that you would otherwise have to pay for or develop in-house. An outsourced solution can also save you a lot of time, as it’s your outsourcing partner’s responsibility to stay on top of all the latest regulations and rule changes, freeing up your own staff to concentrate on key compliance projects or remediation activities.

For many internal teams, it can be comforting to know that external expertise is immediately available should it be required. It’s also useful if the third party is proactively recommending improvements and sharing best practices with the compliance operation, based on its exposure to many other clients and its visibility of what is working for them.


The challenges of outsourcing

Fear of the potential loss of control is typically what prevents many organisations from outsourcing aspects of risk management. Ultimate accountability for non-compliance will always remain with you - the client - which is why many choose to keep almost everything in-house.

Many feel that through outsourcing, management becomes one step removed and, as such, standards may slip. Others worry the service provider may not deliver to the set expectations, resulting in more than just poor service - as any subsequent fines will only compound the financial impact of your partner’s sub-par performance.

Nevertheless, many of these concerns can be alleviated if the right governance structures, KPIs, shared systems and communication frameworks are all in place between both parties.

When considering outsourcing, it’s likely you will face resistance from your own internal compliance team – as they are already managing the process and may well be against the idea of third-party support, fearing their jobs may be diminished in some way.

However, it’s important to remember that outsourcing is about supporting existing in-house functions, not replacing them. Your in-house team will still have a huge role to play, not least in overseeing the outsourced work. Again, ultimate responsibility for the compliance process must rest within your organisation, and transparency and real-time reporting are critical components of the relationship. This is where some of your internal team’s liberated time would likely be spent. It is often less about removing the internal team’s responsibility and more about avoiding the additional costs of growing the team to be able to take on more and more activities as the scope of risk and compliance grows.

So, it’s important to bring your in-house specialists on board and make it clear that their role is not under threat. Have discussions and initiate a process that looks at where a third party can complement existing skills and alleviate pressure, and where activities should certainly be retained.

There may still be a question mark over an outsourcing partner’s ability to understand all the relevant complexities and nuances of your operation. While it is important for your partner to understand your business and your compliance obligations, there are certain transactional activities that can legitimately be centralised and run by a third party, without that party being an industry expert.

It’s typically audit and regulatory expertise that’s most needed from a third-party provider, which is then enhanced with specific business knowledge from your in-house team, as and where necessary.

Finally, outsourcing compliance has the potential to present data security risks, as sensitive information could now be accessible to people outside your organisation. As such, you must make sure that any third-party compliance provider takes all the necessary steps to protect the security of your data. You can also invoke SSAE16 standards in your contracts, ensuring that the appropriate delegation of responsibilities specifically mandates that particular activities, reporting and GDPR obligations (i.e. data transfer agreements) are agreed - thereby appointing your provider as a legitimate data processor.

In summary

Compliance outsourcing is not an option for everyone. In some organisations, compliance activities must be kept in-house due to organisational strategies, policies or internal beliefs. But an increasing number of organisations are finding that outsourcing helps to manage the increasing burden of compliance.

It may take courage to challenge the traditional in-house approach to compliance, but there has actually never been a better time to consider outsourcing. This is because the compliance solutions market has evolved in response to rising demand, with more suppliers in the sector than ever before and new services and tools becoming available all the time.

It’s true that establishing successful outsourcing is not an easy process and there is certainly no ‘one-size-fits-all’ solution that’s right for every firm. However, by initiating a process that looks at which compliance activities to outsource and which to keep in-house - and carefully considering the pros and cons in each case - you can achieve a balanced in-house/outsourced model that is right for your organisation.

