“The Risk of Outsourcing and its Impact on the Bank’s Commitments to its Clients”

“The Risk of Outsourcing and its Impact on the Bank’s Commitments to its Clients”

Phd. Abdelmoujib BENDRISS AMRAOUI

Ecole Nationale de Commerce et de Gestion / Abdemalek Essaadi University

DOI: https://dx.doi.org/10.47772/IJRISS.2024.8100269

Received: 10 October 2024; Revised: 22 October 2024; Accepted: 25 October 2024; Published: 23 November 2024

ABSTRACT

Faced with increasingly sophisticated computer crime and the increased digitization of banking products, the bank must make risk management a strategic priority. This situation is likely to worsen further in the event of outsourcing, which despite its advantages; it presents risks for the bank as well as for its customers.

Consequently, the risks faced by banks can have serious consequences in terms of operational performance but also in terms of professional reputation. This is why the bank must reconcile the search for performance with risk management.

To fully understand the outsourcing phenomenon within banks, this research essentially aims to provide conceptual and theoretical insight by adopting a mixed approach combining qualitative and quantitative methods and at the end proposing recommendations with new avenues of research.

Keywords: Risks, outsourcing, bank, customer, performance

INTRODUCTION

No company operates without risk; financial theory has long developed its models based on the risk/return relationship: low risk = low return; high risk = high return. “The question is therefore never about eliminating risk but rather about identifying, assessing, and managing it. Since risk is consequently inseparable from profitability, the latter must match the level of risk taken, and the demand for profitability must reflect a positive relationship between risk and return.”

In Morocco, one of the main objectives of the Digital Development Agency’s roadmap is to promote outsourcing, particularly in information technology. According to data from the Moroccan Federation of Service Outsourcing for 2022, this sector generated approximately 15 billion dirhams in revenue. Among the various sectors utilizing this outsourcing, banking and insurance account for nearly 40% of this amount.

Moreover, in this industry driven by information technology and human capital, human factors often represent the “weak link,” leading to various malfunctions. This may seem obvious in terms of skill deficits or negligence, but it is also true for information systems, which are frequently weakened by human errors.

Additionally, faced with increasingly sophisticated cybercrime, banks are not immune to hacking and data breaches. Today, risk management has become a priority. Securing IT service networks is an extremely complex task that must ensure the Confidentiality and safeguarding of both the bank’s and its clients’ information while adhering to applicable regulations.

Although outsourcing offers advantages, it simultaneously exposes both the beneficiary bank and its service provider to various risks. The increasing sophistication of products, the emergence of new technologies, and the complexity and interconnectivity of activities and services significantly expand the range of risks associated with outsourcing.

Among these risks, some arise from operational dysfunctions and system failures or from losses resulting from natural disasters or external causes (terrorism, pandemics), while others are linked to clients and business practices or involve employment conditions and the execution of processes.

Consequently, the risks faced by banks can have repercussions in terms of operational performance as well as professional reputation. This is why effective risk management is crucial for achieving good results in a context of multiple uncertainties.

Furthermore, the issue of our research is to outline the various situations that trigger outsourcing risks, presenting their stakes for the bank and its clients; we also aim to highlight their significance as isolated risks and in combination with other risks.

This objective leads us to examine the following key questions:

• How do the various outsourcing-related risks manifest for banks?
• What are the consequences of these risks on banks?

To address this issue, we will follow the structure: Methodology, Results & Discussion, Conclusion and Perspectives.

METHODOLOGY

This research adopts a mixed approach combining qualitative and quantitative methods to provide a comprehensive view of the issue, aiming to analyze outsourcing risks and assess their impacts on the relationships between banks and their clients. The sample includes banks that have adopted this outsourcing in recent years. We employed stratified sampling to include banks of various sizes operating in different market segments. A structured questionnaire was used, incorporating Likert scale questions to measure risk perception and its impacts, along with semi-structured interviews with key stakeholders. This integrated methodological approach will allow for a comprehensive and detailed assessment, thereby providing relevant recommendations for the management practices of outsourced services in the banking sector.

RESULTS & DISCUSSION

Internal Outsourcing Risks in the Bank

Whenever an activity is heavily reliant on human capital and knowledge, employees represent a risk factor. These two elements make the banking sector more exposed to human risk than others because, on one hand, human capital is the main resource for value creation in banks due to their highly qualified staff; and on the other hand, banks are more susceptible to fraud risks as well as risks related to the organization and execution of processes.

Intrinsic Risks of Outsourcing Processes

According to ISO 9000 standards, a process is defined as a “set of interrelated or interacting activities that transform inputs into outputs.” It is essential to emphasize that the primary objective of a process is to add value to the product or service. Thus, a process is a series of coordinated activities “that integrates resources, infrastructure, systems, and procedures, aiming for clearly defined objectives.”

Schematically, a process can be defined as the ordered sequence of activities producing increasing added value, allowing for the delivery of the product or service that corresponds to the client’s initial request. Indeed, a process must:

• Be repeatable: The process can be repeated under the same conditions over time, and it can be understood by all personnel who operate or improve it.
• Be measurable: It ensures that the product or service resulting from the process meets the set objective, with performance indicators in place.
• Possess interactions with other processes within the organization.

Consequently, a process is effective if its output data aligns with the established objectives. Its effectiveness can be measured through performance indicators while systematically managing risks. To safeguard processes against potential risks, these indicators should be placed where the risks are most significant; generally at the boundaries with other processes (inputs/outputs) or at interfaces with stakeholders (clients) or after each complex, difficult, or hazardous activity.

In practice, there are several types of indicators: rates, ratios, costs, etc., to measure process performance, along with methods implemented to identify “process” risks. For example, they can be assessed using the “5 M” method:

1. Method: (The process is too complicated; the process is unnecessary; the process is incomplete…)
2. Manpower: (Human resources are insufficient in number; personnel are not trained; the process owner does not master all process steps…)
3. Material: (Input and output data are not compliant…)
4. Means: (Indicators are poorly defined and do not verify alignment with objectives; interactions with other processes are poorly defined; procedures and/or operating modes for task execution are poorly defined…)
5. Environment: (The process lacks the necessary environment for proper execution; the environment has changed significantly…).

Organizational Dysfunctions

According to the ORX report, “the frequency of claims due to this type of dysfunction has registered a percentage of 32.16% compared to other risk categories.”

Additionally, “Bank of America and Wells Fargo Bank lost $225 million and $150 million respectively due to system failures and transaction process breakdowns.”

Other examples illustrate that organizational aspects play a crucial role in preventing such consequences. A poorly defined organization, where responsibilities are vague or poorly established, can present significant risks. Similarly, a process that centralizes power among a few collaborators capable of executing operations and concealing them for an extended period is also problematic.

We believe that banks must ensure transparency in procedures with well-defined tasks and clearly established organizational responsibilities, adhering to the principles of separation of functions and formalization of powers and delegations.

First, the functioning of companies tends to focus primarily on individual goals and those of each department. Thus, the final outcome for the client or the overall profitability of the operation is of little importance as long as personal objectives are met. The consequences of individual actions on the operations of subsequent services in the process are often overlooked. Additionally, there can be internal competition between departments, fueled by managers seeking to advance their careers.

On the other hand, while front office salespeople are held accountable for sales targets in terms of quantities in their performance evaluations, back office staff are assessed based on adherence to procedural compliance and risk management standards. This divergence between the concerns of the two levels necessary for service execution impacts client relationships. Indeed, the front office’s lack of consideration for back office activities leads to a lack of rigor in file preparation, incessant exchanges between the two levels, and ultimately, additional delays.

Thus, the role of management is to “reconcile the visions of both levels without oscillating between high commercial demands one day and strict risk management requirements the next.”

Anomalies in Transaction Management

This can include losses due to issues in transaction processing, process management, or client relations. Here are some examples:

• Input, execution, and monitoring of transactions:

• • Errors in data entry or tracking.
  • Failure to meet deadlines or mismanagement of software.
  • Non-compliance with notification obligations.
  • Inaccuracies in external reports (losses).

• Client account management:

• • Absence of client authorizations or waivers.
  • Missing or incomplete legal documents.
  • Unauthorized access to or operations on accounts.
  • Incorrect or lost client data due to negligence.

Considering the client as a focal point, the client process can encompass certain subprocesses such as: client listening subprocesses aimed at the structured analysis of client needs and expectations, or client relationship subprocesses: ongoing relationship management and complaints management.

However, these client-focused processes and subprocesses can expose the company to a multitude of risks that need to be managed effectively. We can highlight the following issues: failures in the mechanisms for listening to client needs lead to dissatisfaction and/or a decrease in loyalty rates; failures in managing complaints lead to legal disputes.

By analyzing these examples, we see that risks are associated with each process and can impact its execution. Therefore, to identify all potential risk events that could occur during a process, we note that some risks may appear across numerous processes, such as human error or system interruptions.

Starting from the process framework, some companies recommend defining for each process the situations of potential risks (knowing that each process traverses a number of entities) and comparing them with regular controls (verifications, signatures, etc.). This is to ensure “the right controls at the right time and place” regarding a risk situation, without losing sight of the essential need for coherence.

Moreover, if “processes are often dematerialized and dependent on IT systems, they primarily respond to an economic segmentation of the bank’s activities rather than an organizational segmentation.” Therefore, each process is associated with incidents that could potentially disrupt its execution and lead to direct losses or failure to achieve quality and timing objectives.

Errors in Transaction Execution

A study conducted in 2008 by the BIS (Bank for International Settlements) revealed that most cases of realized risk are related to execution errors and that their impacts are greater than those of fraud risk.

Indeed, in outsourcing activities, the possibilities for errors are numerous: data entry errors, failures, and dysfunctions related to processes (file instructions, execution, risk monitoring, etc.) can exacerbate the level of intrinsic risk; a lack of adherence to procedures formalizing processes thus constitutes a risk that increases other types of risks.

Additionally, we notice in practice that risks related to processes stem from non-compliance with procedures and errors resulting from transaction recording: double entry of a transaction, errors attributed to a corporate client’s account, exceeding limits and authorizations for executing a transaction, etc.

Finally, other risks can arise when management implements risk reduction measures that focus solely on the technical aspect, neglecting the cultural factor and potential contradictions. “These one-dimensional strategies, which modify the work environment and organization to reduce risks without considering less obvious social and cultural implications,” can lead to a multiplication of errors, disrupt workflows, and alter relationships with clients.

Deterioration of the Social Climate

The quality of the social climate fundamentally stems from management’s ability to provide company stakeholders with a serene environment conducive to carrying out activities pragmatically and effectively. The quality of the social climate will consequently determine the quality of interactions among collaborators in hierarchical exchanges, enabling better contributions to the overall value chain of the company.

Of course, like any company, there will always be management of situations that breed frustration and disagreement in banking. Such is the reality of any human group, and no one can change human nature. However, a good, calm social climate can foster open dialogue and allow for constructive confrontation of ideas, which is a source of value.

In practical terms, risks associated with the social climate are quite simple to detect when they manifest. Thus, we can observe the risk of a strike, either partial or total, emerging and potentially paralyzing banking activities, which are highly sensitive to social movements.

Certain banking operations, such as market transactions, check processing, and automatic transfers, cannot be postponed. Even when a postponement is possible, it can lead to administrative dysfunctions and provoke client dissatisfaction. Furthermore, security rules require a minimum number of employees for the opening of a bank branch. Thus, a limited number of strikers can suffice to block the opening of several branches, especially when unions choose critical periods to assert their demands to banking institutions.

In France, in 1974, Crédit Lyonnais faced a major strike that paralyzed its banking network for several weeks, resulting in significant financial losses for the institution. This event marked banking managements, making them particularly sensitive to the risks of social conflicts and generally inclined to make concessions to minimize social movements. Thus, at the end of December 2001, to avoid any social upheaval, many banks granted general salary increases as well as a bonus related to the adoption of the euro.

In fact, managing the strike risk is a complex scenario to simulate “because, in the specific case of internal strike management, it generates a conflict of objectives; it involves reconciling two seemingly antagonistic objectives.

External Risks to the Bank

Among the risks of outsourcing, some may result from a natural disaster or other external events. In contrast, the human factor is directly involved in risks related to customers and business practices.

These damages may result from natural disasters or other incidents. Every year, “approximately 250 million people worldwide are affected by droughts, floods, cyclones, earthquakes, large wildfires, and other hazards whose impact is exacerbated by increased population density, environmental degradation, global warming, and poverty.”

Risks from Natural External Events

The risk of natural events encompasses the direct destruction of property due to a natural disaster: climatic disturbances (drought, snow, fire, etc.), earthquakes, floods, etc. These disruptions to the natural environment can lead to the destruction of the bank’s assets and can also have very damaging consequences on its infrastructure (electricity, computers, connectivity, etc.) as well as its relationship with clients.

A natural disaster is a sudden and violent event of natural origin that causes major disruptions, potentially resulting in significant material and human damage. Although these disasters arise from meteorological, seismic, or other causes over which humans have no control, the impact of these events largely depends on the human factor.

Indeed, managing natural disasters involves prevention actions (such as zoning, safety standards, and awareness), the use of alert systems (such as sirens and weather bulletins), as well as interventions and relief during and after the events (including evacuation, medical care, and reconstruction).

Like many other countries, Morocco is vulnerable to increasingly destructive major climatic disruptions. It is now urgent for the authorities to redefine their approach to emergency management. The goal is to better identify natural hazards to reduce human losses and material damages that could result from these events, especially since population growth and rapid urbanization in Morocco increase its exposure to these risks. The consequences of natural disasters are concerning. The average annual cost of these risks is estimated at 5.6 billion dirhams. In addition to earthquakes, the study also highlights floods, whose damages can reach up to 1.8 billion dirhams.

Furthermore, the floods in Casablanca, the heart of the Moroccan economy with over half of industrial production, the majority of services, and almost the entire banking sector, have caused a major disaster. These weather events led to considerable economic and social disruptions, such as loss of life, flooding of certain homes, power outages in several neighborhoods, and the closure of many businesses, including banks. The losses due to these floods should include not only material damages but also loss of time, destruction of data, and damage to equipment.

To address this situation, it is essential to plan the human and material resources necessary for rehabilitation and reconstruction after the disaster. It is also crucial to inform populations when natural disaster risks are foreseeable. Proper information and adequate awareness among residents of at-risk areas can reduce harmful impacts by helping populations adopt the right reflexes. Since 2009, ISO has published a risk management standard, ISO 31000. “This standard is a genuine anticipatory approach; for it to be effective, the requirements of the standard must be met. The ISO 31000 standard presents various possible risks: risks at work, environmental risks, security risks.”

Damages Caused by Fires

Each year, workplace fires result in fatalities and often lead to dramatic economic consequences, making fire risk prevention essential to avoid the permanent closure of a bank following an incident.

Such was the case with the fire at the headquarters of Crédit Lyonnais, which will go down in history as one of the largest disasters in the banking sector, occurring on May 5, 1996. “Insurers paid out compensation of 1.6 billion francs, split between 1.3 billion for fire coverage and 330 million for business interruption.”

According to Article 230, paragraph 2 of the Labor Code: “Prevention must be organized in advance and thought out from the planning stage. A fire safety officer must be designated. They will need to work with the maintenance manager and occupational health services…” The most effective preventive measures are those implemented from the design and construction phases of the premises. They ensure optimal evacuation conditions, consider isolation, separation, and safety distances to limit the spread of fires, and select materials that ensure structural stability while reducing gas and smoke emissions in case of a disaster.

Thus, fire risk prevention is a crucial issue for both employee health and safety and the protection of assets, such as the bank’s IT equipment. Fire risk must be understood through its multiple facets: prevention, detection, extinguishing, and evacuation. Risk management should be treated as a true project. The scope is broad; it affects the bank and its clients, but once the scope is identified, it is easier to set the goals to be achieved.

Incidents Due to Terrorist Acts

External causes to the bank can lead to losses from terrorist acts or vandalism. The attacks of September 11 left their mark in venues beyond the United Nations because they occurred at the heart of the American system.

Indeed, these attacks illustrate the complex interaction between national security and events occurring at the global economic level, as well as the vulnerability of the latter to devastating terrorist actions. Certainly, “it is virtually impossible to accurately establish the cost of the September 11 attacks, but American analysts have estimated the direct costs and unprecedented compensation claims made on insurance, which could range between 50 and 60 billion dollars; while the human loss from these attacks has been estimated at just under 3,000 dead and missing.”

However, while spectacular, the consequences of the events of September 11, 2001, are difficult to gauge. For example, some countries experienced a decline in tourism revenue. “While Turkey recorded a significant decline in tourism revenue (715 million euros), Morocco saw a noticeable drop in its tourism receipts (-32 million euros).”

On the Moroccan side, it also fell victim to a “deadly attack in May 2003 in Casablanca that resulted in 45 deaths, and another terrorist act in April 2011 in Marrakech, known as the ‘Argana bombing,’ which left 17 dead and 20 injured of various nationalities.”

Moreover, the events that shook Laâyoune on November 8, 2010, caused significant damage, particularly to local banks. The Banque Populaire in that city saw seven of its branches vandalized by rioters. However, the management’s response was swift. As a result, despite the substantial material damage, the bank continued to provide all its IT services. The human capital was unharmed, as all staff members, including those trapped in the fires at certain branches, were safely evacuated on the same day the incidents began.

Consequently, these events once again highlight the exposure of businesses to external risks and their heavy reliance on various “systems” (IT, electrical, etc.); therefore, it is essential to prepare for upcoming incidents by learning from past incidents to identify vulnerabilities, but also by anticipating the unexpected, and especially by testing, testing, and retesting these information systems.

Once again, the vulnerability and exposure of businesses to risks are underscored, illustrating the potential costs of negligence and procedural failures in this context.

Risks of Cybercrime

According to a report by Kaspersky published in July 2020, “between April and June 2020, during the lockdown related to the Covid-19 pandemic, Morocco detected 13.4 million cyberattacks. This report highlights three main trends: social engineering, where cybercriminals use techniques to deceive careless users and obtain their confidential data, resulting in the infection of their computers with malware; Morocco ranks 32nd worldwide for this type of attack; local threats, where Morocco is ranked 48th globally; and the role of servers hosted on its territory, with a global position of 61st.”

On July 25, 2020, Morocco adopted Law No. 05-20 on cybersecurity to strengthen the legal framework against cyberattacks and cybercrime in response to the growing threats faced by the state, public institutions, and businesses.

To ensure state governance in cybersecurity, several organizations have been established over the past decade:

• The Strategic Committee for Information Systems Security (CSSSI), created in 2011 and chaired by the Minister in charge of National Defense Administration, is responsible for defining strategic directions. The General Directorate of Information Systems Security (DGSSI), also established in 2011, is tasked with implementing these directives.
• The National Agency for the Regulation of Telecommunications (ANRT) oversees the regulation of the telecommunications sector.
• The National Commission for the Control of Personal Data Protection (CNDP) ensures compliance with legislation related to personal data protection.
• The Moroccan Center for Polytechnical Research and Innovation (CMRPI) coordinates the National Campaign Against Cybercrime.

Moreover, Morocco has ratified international conventions on cybercrime and terrorism, such as the Budapest Convention on Cybercrime.

RECOMMENDATIONS

We found it important to study the main risks in relation to the level of operational performance. As shown in the table below, the risk of outsourcing is significantly present in banks that reported being moderately performing, with a percentage of 19.6% compared to 8.7% for poorly performing banks and only 3.5% for banks considered highly performing. The table also indicates that this observation holds true for other major risks.

Table 1: Degree of Operational Performance and Nature of Risks

Moroccan banks, particularly those with international operations, recognize the importance of implementing specific strategies and processes to prevent risks. It is therefore crucial to:

• Establish ethical charters defining professional standards and codes of conduct, while ensuring compliance obligations to clients.
• Map risks and develop an effective action plan to manage them.
• Formalize any outsourcing agreement through an official contract specifying the obligations of both the bank and the service provider.
• Retain key strategic functions in-house and avoid outsourcing them.
• Ensure that the management of risks related to outsourcing is the responsibility of both the outsourcing entity and its provider.
• Pay special attention to any issues that could significantly affect the bank’s ability to continue operations.
• Integrate outsourcing into a clearly defined policy, including emergency plans and exit strategies.

CONCLUSION & PERSPECTIVES

This article presented a study on outsourcing, a practice increasingly common globally. The goal was to highlight the risks, whether internal to the bank or external. To do this, we utilized previous research as well as concrete examples to illustrate the nature and severity of each risk, both for the bank and its clients. This approach allowed us to assess the relationship between the two partners and identify potential issues related to outsourcing an information system, from decision-making to implementation.

Banking outsourcing, while beneficial for banks in terms of cost and efficiency, carries risks that can impact commitments to clients. Banks must adopt robust strategies to manage these risks in order to maintain service quality, protect sensitive data, and preserve their reputation. By implementing security measures, cost management, and continuous monitoring, financial institutions can mitigate the negative impacts of outsourcing while honoring their commitments to clients.

Finally, we formulated some recommendations to mitigate the impacts of risks related to outsourcing on all stakeholders. However, some limitations of this study may arise due to its experimental nature, which prevents consolidating the results obtained at this stage. It would therefore be pertinent to broaden our experimental scope by conducting another field survey.

BIBLIOGRAPHIC REFERENCES

1. Allam I, “The Impact of Operational Risk Management on the Performance of Moroccan Credit Institutions.” International Journal of Accounting, Finance, Auditing, Management and Economics – (IJAFAME), Volume 3, Issue 4-1 (2022), pp: 287.
2. Aoufir & Erragragui, “The Determinants of Business Performance: A Literature Review.” Revue du Contrôle de la Comptabilité et de l’Audit, (2023) Vol 7: No. 3, (pp: 384-407).
3. COUVOIS Georges, “Cloud, Outsourcing: What Risks for the Transfer of Data Outside the Company?” Revue Sciences de l’Information – March 2014 (Volume 51).
4. DABCHY Hassan, “Towards Managing Major Risks.” Revue Economie Entreprise 133 – January 2011.
5. DENGLOS Grégory, “Risk and Value Creation: Should We Reassess the Hypothesis of a Positive Relationship?” Revue des Sciences de Gestion 226 & 227 – April 2007.
6. DUFOUR Nicolas and TENEAU Gilles, “Risk Management: A Borderline Object.” Editions Le Harmattan – 2013. pp: 159.
7. ENDA, Studies and Research No. 264-265: “Reducing the Risks of Natural Disasters” Published by Enda Tiers-Monde, Editions ENDA (Environmental Development Action in the Third World, Senegal – 2008. pp: 15.
8. EVERETT Colby, “Designing Controls to Counter Threats.” CGA Magazine. Professional Development Network. March – April 2014.
9. FEMISE (Euro-Mediterranean Forum of Economic Science Institutes), “Economic Consequences of the September 11 Events in Mediterranean Partners.” Annual Conference on Economic Transition in Southern Mediterranean Countries, Euro-Mediterranean Forum of Economic Institutes – June 2002.
10. FERRARY Michel, “The Human Factor as a Source of Operational Risk in the Banking Sector.” Revue Banque 697 – January 2008. pp: 11.
11. GENERALI, “The Contribution of a Process Approach in Identifying Operational Risks.” Seminar held on Thursday, September 29, 2011.
12. HULL John, GODLEWSKI Christophe, MERLI Maxime, “Risk Management and Financial Institutions.” Pearson Education France – 2010. pp: 378.
13. JARDAT Rémi, “Where Does the Uniqueness of Trading Activities Relate to Operational Risk? An Exploratory Diagnosis through the Lens of HRO.” Revue Management & Avenir 48 – August 2011, pp: 315.
14. KEREBEL Pascal, “Risk Management.” Edition EYROLLES – 2009. pp: 73.
15. LAMAND Guy, “Mastering Risks in Sales Contracts.” Edition AFNOR, 1993. pp: 29.
16. LAMARQUE Éric, “Can the Bank Still Manage Risk?” Lavoisier | “Revue française de gestion.” 2009/8 No. 198-199, pp: 204.
17. METAYER Yves & HIRSCH Laurence, “First Steps in Risk Management.” Edition AFNOR, 2007. pp: 63/66.
18. NSEKE Léopold, “The Economic and Social Impact of Terrorism.” AFRIQUE EXPANSION published on May 3, 2011.
19. RAQUIN Michel, “Process Management and Operational Risk Management at Crédit Lyonnais.” From Operational Risk Management to Performance Improvement.” Dossier du Club: le Pilote de processus – December 2011, pp: 13.
20. SANTI Pascale, “Fire at Crédit Lyonnais: A Loss of 1.6 Billion Francs.” LES ECHOS Journal, January 22, 1997.
21. STOBAND Olivier & CASTELBAJAC Laurent, “From Operational Risk Management to Performance Improvement,” OTC Conseil No. 47 – October 2011, pp: 2.