What's the future of Risk, Control and Compliance?

Transforming your Risk, Controls and Compliance functions

  • Share

There are three key aspects of transitioning to a centralized operating model:

1. To “shift and lift” or “lift and shift”?

One of the first considerations in transitioning to a centralized operating model is the decision on whether to:

  • “Shift and lift” — move existing processes, activities, reporting, technologies, etc., as currently performed, and then standardize these within the new operating center over time.


  • “Lift and shift” — in transitioning to the new operating center, the organization standardizes the processes, activities, reporting and technology, so the new ways of working are embedded from day one.

Both models have their advantages and disadvantages.

shift and lift vs. lift and shift

"Shift and lift"



  • Speed of transition — ability to move activities swiftly to a new centralized operating model

  • Benefits case realization — wage arbitrage cost savings are realized sooner

  • Business acceptance — by following existing practices and procedures, business acceptance is likely to be greater (in the short term)

  • Commitment — demonstrates early commitment to
  • Complexity — the need for the centralized operating center to manage the complexity of the different practices and procedures per operating unit/region

  • Productivity — linked to the above, the benefits case associated with standardization is deferred

  • Change fatigue — the business will have to manage two transitions:
    1. The switch of activities to new operating center
    2. Subsequent standardization of activities in the monitoring, testing and reporting on risks, controls and compliance


"Lift and shift"



  • Productivity — the new centralized operating model is based on new standardized ways of working from day one. This increases the productivity and benefits case of the new operating center — once it is established (see “Speed of transition”).

  • Business impact — the business and operating units will
    experience a single, albeit more fundamental, change. This needs to be managed carefully to ensure success in transition, but it significantly reduces the time spent in managing multiple transitions and frees the business to focus on other initiatives and priorities.
  • Speed of transition — given the potential scale of change to the business and the centralized operating center (processes, controls, systems, roles and responsibilities) the move will take longer to design and implement when compared to “shift and lift.”

  • Business acceptance — the switching of activities to a more remote, centralized location (e.g., reliance on controls monitoring from an offshore center in India versus people who used to reside in the same office) and the standardization of activities (e.g., a common controls framework definition and standardization in risk, control and compliance reporting) will, if not well managed, lead to business resistance and push back. Ultimately this can adversely impact the speed to transition, the scope of transition and the overall benefits case of the new operating model.

Each transition plan needs to be assessed on its own merits to arrive at the right conclusion. Our experience indicates that business case realization in the longer term is higher when adopting the “lift and shift” approach.

2. Defining the right operating model for risk, control and compliance

It is critical that the operating model for risk, control and compliance must be aligned with organization strategy. Also, it is imperative that organizations have a long-term view of the model being chosen as it is likely to have a significant impact on both cost and performance.

The following key factors should be considered for organizations to assess the right operating model:

  • Cost — SSC setup costs must be compared with the cost of transitioning to an outsourced vendor. There could be hidden costs due to poor service delivery performance, particularly in an outsourced setup.
  • Talent availability — This factor is determined by the location chosen for the new operating center and has a potentially significant impact on the overall commercial viability of the entire model. Choosing a location with an adequate talent pool of the necessary skill set is critical, and this also includes having the requisite language skills.
  • Market stability — The location must not be politically unstable or exposed to significant market or currency risk.
  • Process vulnerability — It is important that the process being transitioned to a SSC, or outsourced to a third-party vendor, continues to operate within the prescribed risk appetite of the parent organization. While the organization needs to have clarity of reason for choosing a centralized operating model, process-specific risk dynamics must be evaluated to ensure that the transition has not resulted in a significant dip in quality of service delivery due to cost or other associated benefits.

3. Challenges and risks of moving to a new centralized operating model

There are a series of practical challenges and risks faced when moving to a new centralized operating model. In our experience, these can be categorized as:

  • Getting the design right
  • Managing the transition

Centralized operating model key risks

Key risks to be managed — in design

Key risks to be managed — in transition

  • Use of shifts
    In a new centralized operating model there can be a failure to make full use of shifts within a shared/offshore service center to maximize productivity and global coverage.

  • Service-level agreements
    With SLAs, there can be a lack of clarity on what is required from the centralized operating unit to fully support the business in managing risk, controls and compliance. Deterioration in the effectiveness of the second and third lines of defense leads to potential financial loss, reporting error or fraud.

  • Roles and responsibilities
    With new roles and responsibilities there can be a lack of clarity in roles and responsibilities — and hand-over points — between group, business units and central operating unit. Deterioration in the effectiveness of the second and third lines of defense leading to potential financial loss, reporting error or fraud.

  • Number of centers
    The use of one center challenges the ability to provide global coverage and represents a single point of failure due to operational, social or political challenges.

  • Exchange risk, inflation risk, telecommunication costs
    There can be a failure to take into account the offshore risks and costs that will influence how well the operating center is deemed to be performing and related SLA measures.
  • Ramp up
    When ramping up, there is the possibility of failure to understand and manage expectations on how long it takes to recruit into an SSC — especially when dealing with offshore countries such as India and Poland. This will either delay “go live” or incur costs to accelerate ramp up (e.g., through the use of third parties).

  • Transition
    Things often go wrong in transition periods and will need to be rectified. Difficulties typically include delays in reporting, incorrect reporting due to data issues, limited business understanding of those in the operating center frustrating the business (see below), and technical and telecommunication failures and interruptions.

  • Knowledge transfer
    There is a need for a transfer of knowledge to those people within the operating center having insufficient knowledge of the business at a group and business unit level. There is a risk of having a limited understanding and awareness of the day-to-day risks, controls and compliance needs of the business.

These risks, if realized, can seriously undermine the value and confidence in the move to the new operating model. In many (but not all) cases they come back to people and ensure that:

  • Customers of the new operating model are absolutely clear on what they need to do to, what they will receive, and when they will receive it.
  • The learning curve of people within the new operating center is explicitly managed as they become increasingly familiar with their role.