
While financial institutions have invested (sometimes heavily) in reaching DORA requirements by early 2025, these efforts should be embedded in organizational practices so that compliance is maintained. It is hence recommended to fundamentally rethink the outsourcing/procurement function.
This article highlights the recommended attention points for financial institutions to remain compliant with the EBA Guidelines for Outsourcing (EBA/GL/2019/02 and related) and the DORA Act, limited to the consequences specific to the outsourcing and procurement function. The needs for an Enterprise Architecture practice, for a broader NFR function and deeper IT Service Management are, though important, not considered here.
The combined effects of these regulations on the procurement and outsourcing function are:
Procurement needs to take up its role as SPOC (Single Point of Contact) for procurement and outsourcing matters. Organisations can define flexibly how this role will be embodied, from a passive gatekeeper to a business support function. The critical functions to be taken up are the registration, qualification and risk assessment of contracts and vendors, with an adapted data platform.
The procurement function needs a permanent alignment with the business and risk functions for identifying and applying the definition of Critical or Important Functions. Instating an Enterprise Architecture practice, supporting strategic and tactical functions of the enterprise, is the best guarantee to meet that requirement.
The procurement function needs to monitor its suppliers on a permanent basis. As a minimum, there should be a strict control plan on how changes within the business or at the supplier can affect your risk situation. Again, the Architecture Practice is a key support here. A Know-Your-Supplier program needs to be set up, monitoring changes which can affect your risk situation.
These requirements are a game changer for the skills needed by procurement staff: legal, market monitoring, risk assessment, auditing and enterprise architecture competencies need to be attracted to the process.
The implementation of an upgraded procurement function needs to consider major roadblocks and risks:
Concentration of duties in a specific team can (will) create organizational issues like bureaucracy, bottlenecks, delays, alternative processes (the hidden organisation) and a sense of alienation among key players. Eventually, business accountability should prevail.
Alternatively, scattering tasks and responsibilities across a large scope of actors will run into issues like lack of lifecycle accountability, coordination, planning, issue resolution and politics deviating focus from business outcomes.
The major issue to be considered remains resistance to change. Where in most organisations purchases are considered a highly technical matter and hence managed by a small group of experts, the DORA requirements oblige organisations to adopt a holistic view from start to finish, from results over risk.
It remains essential to keep your focus on the business benefits which can be realized with this adapted organization. Only focusing on regulatory compliance will lead to an additional load of bureaucracy, missing the hidden fruits. Some recommendations:
Synergize the Enterprise Architecture practice, Risk and Procurement function, supported by internal audit, with a vision, focusing each on specific value creation and closely related to each other.
Define the processes to run procurement and outsourcing and implement with a maturity development view, with metrics and regular evaluations and corrections. Trying to implement the perfect organisation from day 1 is the best way to fail.
Implement a minimum of 3 classes of criticality to filter out the detail from the critical, aligned across Enterprise Architecture, Risk and Procurement. For procurement, that translates into: standardized purchases with pre-validated vendors and products for low impact matters, process-led purchases for medium impact topics and project-led purchases for high impact purchases and outsourcing.
Incorporate the change in an organizational vision on performance and quality, involving people into an engaging roadmap, focused on business outcomes.
Plan for regular audits and reviews, mixing internal and external (independent) resources.
MSD Partners can help you define and materialize the roadmap. Feel free to engage in an inspiring discussion with our partners!
Marnik Demets