AI GRC Director | AI Risk Manager | Quantitative Risk Lead
Speaker, Corporate Trainer and Executive Advisor
Shared Services Strategy And GRC Considerations: Lessons From Buenos Aires As A Regional Hub
The Strategic Logic Of Shared Services Centers
Organizations pursue shared services strategies to achieve three interrelated objectives: the integration of fragmented operational processes across business units and geographies, the consolidation of transactional activities into centralized operations that benefit from scale and specialization, and the standardization of processes to eliminate duplication, reduce variation, and enable continuous improvement. These objectives are not new. They reflect the fundamental operational principle that repetitive, rules-based, high-volume transactional activities can be performed more efficiently and more consistently when they are concentrated in purpose-built operations rather than distributed across multiple business units, each with its own processes, systems, and staffing models.
The functions most commonly migrated to shared services centers include finance and accounting (accounts payable, accounts receivable, general ledger, fixed assets, intercompany accounting, financial reporting, and tax compliance support), human resources and payroll (employee data management, payroll processing, benefits administration, and recruitment support), information technology (infrastructure management, application support, help desk operations, and development services), procurement (purchase order processing, vendor management, and invoice verification), and supply chain support (logistics coordination, inventory management, and order fulfillment support).
The migration of these functions from corporate headquarters and local subsidiaries to a shared services center follows a structured transition process. Activities are documented and mapped in their current state, redesigned for standardization and efficiency, migrated to the shared services operation, and then continuously improved through process optimization, automation, and performance measurement. The objective is not merely to relocate activities to a lower-cost location but to fundamentally improve the quality, consistency, and efficiency of the processes through standardization and scale.
Location Selection: The Factors That Determine Success
The selection of a shared services center location is one of the most consequential decisions in the shared services strategy because location determines the labor market available for staffing, the cost structure of the operation, the regulatory and tax environment, the infrastructure quality, the time zone alignment with supported operations, and the operational risk profile of the center.
The factors that organizations typically evaluate in location selection include the following.
Labor market quality and availability. The shared services operation requires a sustained supply of qualified professionals with the functional expertise, language capabilities, and educational background needed to perform the center's activities. For finance and accounting shared services, this means professionals with training in accounting principles, familiarity with the relevant accounting standards such as US GAAP or IFRS, and the analytical capabilities needed for financial reporting and analysis. For IT shared services, this means professionals with the relevant technical certifications, programming skills, and systems knowledge. The depth of the local labor market, the quality of local educational institutions, and the competition from other employers for the same talent pool directly affect the center's ability to recruit, retain, and develop its workforce.
Language capabilities. Shared services centers that support multi-regional operations require staff who can communicate effectively in the languages of the regions they serve. Centers serving Latin American, North American, and Southern European operations benefit from a labor market with strong bilingual English and Spanish capabilities, and in some cases trilingual capabilities including Portuguese or Italian.
Cost competitiveness. Labor costs represent the largest component of shared services operating costs, and the differential between labor costs in the shared services location and the locations from which the activities are migrated is a primary driver of the financial business case. However, cost should be evaluated on an all-in basis that includes not only direct compensation but also social charges, benefits, facilities, technology infrastructure, management overhead, and the transition costs associated with migration and stabilization.
Time zone alignment. Shared services centers that support operations in multiple regions benefit from time zone positions that enable overlap with the business hours of the regions they serve. A location positioned between the time zones of Europe and North America, for example, can provide real-day support to both regions without requiring extensive shift work.
Infrastructure quality. The physical and telecommunications infrastructure of the location determines whether the center can operate reliably, securely, and with the connectivity required for real-time system access and communication with supported operations. Power reliability, internet connectivity, office space availability, and transportation infrastructure for employee commuting all affect operational viability.
Regulatory and business environment. The local legal, regulatory, tax, and labor law environment affects the center's operating costs, its flexibility in staffing and organizational design, and its compliance obligations. Employment law provisions regarding termination, working hours, collective bargaining, and social security contributions vary significantly across jurisdictions and directly affect the center's cost structure and operational flexibility.
Quality of life and cultural alignment. The ability to attract and retain talent is affected by the quality of life in the center's location, including safety, healthcare, education, cultural amenities, and the overall living standard. Cultural alignment between the shared services workforce and the headquarters and subsidiary cultures that the center supports facilitates communication, reduces friction, and improves the quality of service delivery.
Buenos Aires has been selected by numerous multinational organizations as a location for shared services centers serving regional and global operations. The city's selection reflects its strong position across multiple location factors, including a large and well-educated professional workforce, widespread bilingual English and Spanish language capabilities, competitive labor costs relative to North American and European alternatives, favorable time zone positioning between European and North American business hours, well-developed commercial infrastructure, and a cultural orientation that aligns with Western European and North American business practices. Major energy companies, technology firms, consumer goods companies, professional services firms, and industrial conglomerates have established shared services operations in Buenos Aires to support finance and accounting, HR, IT, procurement, and customer service functions across Latin American, North American, and European operations.
The GRC Perspective On Shared Services
From a governance, risk management, and compliance perspective, shared services centers create both opportunities and risks that the GRC framework must address.
The governance opportunity is that centralization enables the organization to implement consistent processes, controls, and policies across the activities performed by the shared services center. When accounts payable processing is performed in twenty different subsidiaries, each with its own process variations, system configurations, and control practices, the organization's control environment is inherently inconsistent and difficult to audit. When the same activity is performed in a shared services center with a single standardized process, a common system configuration, and a unified control framework, the control environment is more consistent, more auditable, and more amenable to continuous improvement.
The compliance opportunity is that centralization creates a single point at which regulatory compliance requirements can be embedded into standard processes. A shared services center that processes invoices for multiple jurisdictions can implement anti-corruption screening, sanctions checking, and tax compliance validation as standard steps in the centralized process, ensuring that every transaction passes through the same compliance controls regardless of which business unit or jurisdiction originated the transaction.
The risk management opportunity is that the concentration of transactional data in a shared services operation creates a rich data environment for analytical monitoring, exception detection, and continuous auditing. The earlier posts on detecting illegal payments, SAP transaction codes for auditing, and continuous controls monitoring all described analytical techniques that are more effective when applied to centralized data than to fragmented data distributed across multiple systems and locations.
However, shared services also create specific risks that the GRC framework must address.
Concentration risk arises from the dependence of multiple business units and regions on a single operational center. A disruption to the shared services center, whether from a technology failure, a natural disaster, a political or economic event in the host country, a pandemic, or a labor action, can simultaneously affect all of the business units and functions that the center supports. Business continuity planning for shared services centers must address these concentration risks through redundancy arrangements, geographic diversification, and defined recovery procedures.
Segregation of duties risk may be elevated in shared services environments because the standardization and efficiency objectives of shared services can conflict with the separation of functions required for effective internal controls. When a shared services center processes high volumes of transactions with a relatively small number of specialized staff, the pressure to maintain processing efficiency can lead to the assignment of incompatible functions to the same individual. The earlier post on segregation of duties conflicts in SAP addressed the specific transaction combinations that create SoD risk, and these conflicts must be specifically evaluated in the shared services context where staffing constraints may create pressure to consolidate functions.
Data privacy and cross-border data transfer risk arises when the shared services center processes personal data, financial data, or other sensitive information for operations in jurisdictions with data protection regulations that restrict the cross-border transfer of such data. The GDPR in Europe, the LGPD in Brazil, and numerous other data protection laws impose specific requirements on the transfer of personal data to jurisdictions that may not be deemed to provide adequate data protection. Organizations must ensure that their shared services arrangements comply with applicable data transfer requirements, including the use of standard contractual clauses, binding corporate rules, or other approved transfer mechanisms.
Regulatory compliance risk in the local jurisdiction affects the shared services center itself. Employment law, tax obligations, social security requirements, and local regulatory obligations apply to the center's operations and workforce, and the organization must maintain compliance with these requirements alongside the compliance obligations of the regions it serves.
Service quality and transition risk arises during the migration of activities from business units to the shared services center. The transition period, during which activities are being transferred, staff are being trained, and the new processes are stabilizing, represents a period of elevated operational risk. Transaction processing errors, reporting delays, and control gaps are common during transition and must be managed through structured transition governance, parallel processing, and enhanced monitoring during the stabilization period.
Vendor and third-party risk applies when the organization supplements its shared services workforce with outsourced or contracted resources. The earlier posts on FCPA audit procedures and global compliance program design addressed the compliance obligations associated with third-party relationships, and these obligations apply with equal force to outsourced resources within the shared services operation.
Internal Audit And Assurance Over Shared Services
Internal audit plays a critical role in providing assurance over shared services operations. The centralization of transactional activities into a single operation creates both the opportunity for efficient audit coverage and the obligation to ensure that the concentrated activities are adequately controlled.
Scope of assurance. Internal audit should provide assurance over the design and operating effectiveness of the controls embedded in the shared services center's processes, the adequacy of segregation of duties within the center, the security of the technology environment including ERP access controls and data protection measures, the quality of the transition and stabilization process for newly migrated activities, and the center's compliance with applicable local regulations and with the organization's global policies.
Coordination with external audit. When the shared services center performs financial accounting and reporting activities that are relevant to the organization's consolidated financial statements, the external auditor must evaluate the controls at the shared services center as part of the audit of internal control over financial reporting. Internal audit should coordinate its shared services audit coverage with the external auditor to ensure consistent coverage, avoid duplication, and share relevant findings. This coordination is consistent with the assurance mapping principles discussed in the earlier post on coordinating risk oversight.
SOX compliance considerations. For organizations subject to SOX Section 404, the controls performed by the shared services center are within the scope of management's assessment of internal control over financial reporting. The key controls over accounts payable, accounts receivable, general ledger, fixed assets, and financial reporting that are performed by the shared services center must be documented, tested, and assessed for operating effectiveness. The earlier posts on key controls versus non-key controls and on what SOX auditors test in SAP provide the frameworks for determining which shared services controls are key and how they should be tested.
Continuous monitoring. The concentration of transactional data in a shared services operation creates ideal conditions for continuous controls monitoring, as discussed in the earlier post on integrating GRC controls through business intelligence. Automated monitoring of transaction patterns, exception rates, processing timeliness, and control effectiveness indicators can provide real-time assurance over the shared services operation and can identify emerging control weaknesses or process deterioration before they produce material errors or losses.
The Strategic Decision: Build, Partner, Or Outsource
Organizations establishing shared services operations must decide whether to build and operate the center with their own employees (captive shared services), to partner with a third-party provider that operates the center under the organization's direction (managed services), or to outsource the activities entirely to a business process outsourcing provider (BPO).
Each model carries different implications for governance, risk management, and cost structure. Captive shared services provide the greatest control over processes, data, personnel, and the control environment, but require the organization to invest in facilities, technology, management, and local operational expertise. Managed services transfer operational responsibility to a partner while retaining varying degrees of control and oversight, but introduce vendor management complexity and dependency risk. BPO provides the most immediate cost benefit and scalability but creates the greatest governance, compliance, and data security challenges because the organization's transactional activities are performed by an external party with its own processes, systems, and control environment.
The GRC implications differ significantly across these models. Captive shared services centers are subject to the organization's own governance framework and control standards, and internal audit has direct access to the operation. BPO arrangements introduce the need for service organization control reports (SOC 1 Type II reports, formerly SAS 70) to provide assurance over the controls at the service organization, the establishment of contractual service level agreements and right-to-audit provisions, and the implementation of vendor risk management and oversight processes.
The selection among these models should be informed by the organization's risk appetite, its capability to manage third-party relationships, the sensitivity of the activities being centralized, the regulatory requirements of the jurisdictions involved, and the organization's strategic assessment of whether shared services management is a core competency that should be retained or a support function that can be effectively delegated.
From Operational Efficiency To Governance Advantage
Shared services centers, when designed and governed effectively, provide benefits that extend well beyond the cost savings that typically justify the initial investment. The standardization of processes creates a more controllable and auditable operational environment. The centralization of transactional data creates opportunities for analytical monitoring that are impractical in distributed operations. The concentration of specialized expertise creates a professional community that can develop deeper functional knowledge and more effective control practices than individual business units can achieve independently.
However, these benefits are realized only when the shared services strategy is accompanied by a governance framework that addresses the concentration risks, the compliance obligations, the data protection requirements, and the control environment challenges that centralization creates. A shared services center that achieves cost savings while introducing segregation of duties conflicts, data transfer violations, or business continuity vulnerabilities has not achieved a net improvement in the organization's risk profile.
The organizations that derive the greatest strategic value from shared services are those that treat the governance and risk management dimensions of the shared services strategy with the same rigor as the operational and financial dimensions, and that view the shared services center not merely as a cost-reduction mechanism but as a platform for control environment improvement, compliance standardization, and analytical capability development that strengthens the organization's GRC framework as a whole.
What Companies Typically Look For In An SSC Or BPO Location
When companies evaluate a location for shared services or outsourcing, they usually look at a combination of factors.
They assess whether the labor market provides sufficient talent in finance, accounting, IT, operations, and language support. They examine whether the workforce can operate in multilingual environments and support international service standards. They consider communications infrastructure, business continuity, cybersecurity readiness, and operational resilience. They also look at wage competitiveness, labor flexibility, management depth, regulatory complexity, inflation exposure, tax conditions, and the practical ease of building or scaling an operation.
Buenos Aires has often been considered attractive because it can support relatively sophisticated business services while offering strong professional talent and useful geographic positioning. That said, any location assessment should also consider macroeconomic volatility, labor market dynamics, currency issues, and operational risk. No location is attractive on strengths alone.
Ranked Outsourcing Companies
Why Finance And Accounting Work Often Moves First
Finance and accounting are among the most common functions to migrate into shared services models because the work is process intensive, scalable, and highly sensitive to standardization. Activities such as accounts payable, accounts receivable, billing, reconciliations, fixed assets, intercompany accounting, payroll support, close support, reporting preparation, and master data maintenance are all well suited to centralization when processes are stable enough and control design is strong.
Argentina has historically been attractive for this type of work because of the depth of accounting and finance talent and the ability to support multinational processes in both regional and cross regional settings. In some cases, organizations also use such hubs for internal control support, SOX related documentation, reporting analytics, and selected audit support services.
The control implication, however, is important. A finance SSC is not just an efficiency platform. It becomes part of the internal control environment. That means service design, governance, escalation, access controls, supervision, and process ownership all need to be clear from the start.
What A Strong Shared Services Strategy Should Actually Achieve
Many organizations describe shared services in terms of cost reduction. That is too narrow. A mature SSC strategy should aim to improve process quality, increase standardization, strengthen data consistency, reduce local fragmentation, improve service levels, and create a clearer basis for automation and control monitoring.
Done well, shared services can streamline handoffs, reduce non value added activity, improve control visibility, and support stronger process ownership across geographies. Done poorly, they can simply centralize broken processes, create distance from the business, and introduce new operational, conduct, and compliance risks.
That is why the strongest SSC designs are built around service architecture, controls, governance, and customer orientation rather than labor arbitrage alone.
Why Governance And Control Matter In Location Decisions
A common weakness in outsourcing and shared services decisions is that organizations focus heavily on cost and talent while underestimating governance and risk. This is especially dangerous in finance, payroll, procurement, HR, and IT support activities where process errors can quickly become financial reporting issues, data protection incidents, compliance failures, or operational disruptions.
When evaluating a location or provider, companies should assess not only service capacity but also business continuity, access governance, data privacy controls, fraud risk, legal enforceability, regulatory exposure, incident response capability, internal control maturity, and the quality of management oversight. They should also understand whether key controls remain with the business, move into the SSC, or become split across teams in ways that create accountability gaps.
This is particularly relevant in any location with macroeconomic volatility or evolving regulatory conditions. The right response is not to avoid such environments automatically. It is to design the control model with that reality in mind.
Why Buenos Aires Has Been Used For More Than Basic Back Office Work
One of the more important insights in your original draft is that Buenos Aires has not only supported transactional processing, but also more skilled work. That remains an important point.
In many cases, operations based in Buenos Aires have supported multilingual service delivery, financial reporting support, intercompany processes, procurement support, data analysis, IT support, internal control related activities, and regional or cross regional customer operations. This is one reason the city has remained relevant. It is not only a low cost processing location. It has often been used as a talent platform for broader business support.
The more credible way to state this in a timeless article is not to anchor the argument in the headcount of specific companies at a specific moment. It is to note that a range of multinational companies across energy, technology, consumer, logistics, industrial, and professional services sectors have historically used Buenos Aires as part of their global service delivery footprint.
What Types Of Services Are Most Commonly Supported
The service mix typically associated with Buenos Aires and similar hubs includes finance and accounting support, payroll and HR administration, data processing, procurement support, reporting services, customer support, IT support, analytics, and selected professional service activities.
Finance and accounting services often include billing, payment processing, reconciliations, reporting preparation, fixed asset support, close support, intercompany accounting, and control documentation. Back office support may include data entry, document management, CRM support, order administration, and service desk work. IT related support may range from staff augmentation and application support to selected managed services or development support depending on the operating model.
The specific service mix depends heavily on the maturity of the company’s process model and the complexity it is willing to centralize.
What Organizations Should Watch Closely
A balanced thought leadership view should also address the watchpoints.
Companies using Buenos Aires or any similar location should pay close attention to inflation and currency effects, wage competitiveness over time, retention in critical skill pools, regulatory and tax changes, data transfer requirements, labor law considerations, and concentration risk if too much work is centralized in one city or region.
They should also examine whether the service model has enough resilience. A location may appear efficient in steady state but become fragile if the company has not built adequate continuity planning, leadership depth, process documentation, and cross training.
This is where GRC leaders should be active. Outsourcing and shared services decisions are operating model decisions, but they also have direct implications for internal control, data governance, resilience, and compliance.
Why The Decision Should Be About Operating Model Fit, Not Only Cost
The strongest companies do not ask only whether a location is cheaper. They ask whether it is the right fit for the work, the control environment, the talent model, and the customer service expectations they need to support.
In some cases, Buenos Aires may be highly attractive for finance, multilingual support, analytics, and professional back office work. In other cases, the right answer may be a more diversified hub model across several locations. The decision should be based on service criticality, risk appetite, continuity needs, and the maturity of the company’s process architecture.
That is the difference between tactical outsourcing and strategic shared services design.
Final Perspective
Buenos Aires has remained relevant as a shared services and outsourcing location because it offers more than labor cost advantage. It has historically provided educated talent, language capability, and the ability to support relatively sophisticated business processes for multinational organizations.
The strategic question for companies is not simply whether the city is attractive in general. It is whether the location fits the specific service model, control requirements, resilience expectations, and governance design the company needs.
That is how location strategy becomes part of enterprise operating model design rather than just a sourcing decision.
References
Leading market practice in shared services strategy, global business services design, and outsourcing governance
Publicly available provider reviews and market observations from sourcing and BPO directories, to be used cautiously and supplemented with direct due diligence
Professional services guidance on shared services operating models, control design, and service governance