













 

When It Comes to Outsourcing, Money Isn’t Everything – There’s Also Risk


By Eric J. Brooks

 

 

 

Introduction

 

In addition to importing risk from external organisations via links through your enterprise resource planning (ERP) and supply chain management (SCM) systems, perhaps the fastest growing source of importable risk is from your outsourcing partners. At this time, the quantity and scope of enterprise risk attributable to outsourcing is expanding exponentially. IDC estimates that business process outsourcing (BPO) will grow to USD 1.2 trillion this year, up by more than a factor of 40 in just three years. Just slightly further back along the curve, IT services outsourcing is following the same track of rapid expansion.

 

Moreover, many small and medium sized companies are now relying on outsourcing through their IT systems for the provision of services traditionally done in-house. In addition, many are using the application service provider (ASP) model to outsource key functions and their host applications to a third party.

 

Despite outsourcing’s cost savings and ability to allow your company to focus on core competencies, a poorly managed outsourcing relationship can easily become a black box of large but unknown risks that your IT system readily imports into your otherwise well-run organisation. The complexities involved imply that no single automated system can evaluate the dangerous uncertainties that can arise from such a relationship.

 

Instead, enterprise risk management (ERM) must be extended to your outsourcing partners. Below is a brief overview of the key areas through which IT outsourcing can affect your organisation’s risk profile and the basic ERM guidelines for dealing with them.


 

Caption: Fig. 1: Reasons for Outsourcing

 

IT Risk


Traditionally, outsourcing transfers a portion of your enterprise’s IT infrastructure, and therefore its IT operations risk, to third-party providers. However, the corollary of this is that a significant portion of the outsourcer’s risk profile is, by implication, transferred to your company too. This, in turn, quickly increases your company’s operations risk and can indirectly be translated into strategic and market risk.

 

In addition, you must now address threats such as computer viruses, Trojans and denial-of-service attacks, along with privacy issues, firewalls and employee security policies, not only for your organisation but also for the outsourcing party. The policy-based risk management approach increasingly adopted to deal with IT security threats will have another layer of complexity added, since you have no choice but to factor your outsourcer’s ERM profile and strategies into those of your overall organisation. Hence, your choice of outsourcing partner should be based on the compatibility of their risk management approaches to IT security as much as on the cost savings they offer.

 

To take over IT operations, an outsourcing partner requires technology specifications and intimate knowledge of the security policies and the privacy and confidentiality issues unique to your organisation. When done internally, the establishment and communication of such risk factors were usually done informally and face-to-face. This may now require a formal context and binding legal contracts.

 

Once IT operations are developed off-site, it becomes more important than ever to create an application lifecycle management (ALM) system capable of incorporating these ERM concerns into the architecting, design, coding, testing and development of system components by offshore partners.

 

 

Caption: Fig. 2: IT Functions Outsourced


By adapting existing ERM tools and related ALM and IT governance applications, your enterprise’s internal and external (outsourcer) IT risks can be monitored and managed in a manner acceptable to both yourself and your outsourcer.

Operational Risk


Although BPO can create profound operational cost savings, outsourcing parts of the operations, such as supply chain management, magnifies the scope for importing external risk. Firstly, the SCM system, even when in-house, serves as a conduit through which the risks of external parties can be imported into your organisation. By delegating this porous SCM function to a third party, the outsourcing partner’s risk profile and risks generated by the management of this function are added to the list of risks that can be internally imported through this channel.

 

Hence, selecting an inappropriate BPO supplier for functions like ERP or SCM can significantly affect operational risk. Often, a deep understanding of your operations is required; therefore, you may need to invest in training and education for the outsourcing staff required for such tasks. In addition, the information security infrastructure of your outsourcer’s operations cannot be assumed to have your level of automated protection or strictness with regard to policies and formal safeguards.

 

Moreover, the robustness and built-in redundancy of your outsourcing partner’s operations must be evaluated. Here, questions that would not come up in-house must often be addressed. For example, an outsourcer must allocate a certain amount of storage capacity for each client, with excess capacity for future growth. If this amount is not explicitly agreed upon, the outsourcer’s excess storage capacity might be used for the needs of other clients, causing everything from your SCM systems to online retail transactions to experience serious bottlenecks and delays.

 

A breakdown in the provisioning of customer services, ordering of raw materials, production or service quality, for example, may not only have a serious short-term effect on your operations but also frustrate trusted clients or prospective new customers. In this way, outsourcing risks affecting operations can quickly transform and threaten an enterprise’s strategic or market position.

 

While emerging ALM, IT governance and risk management applications are beginning to address these needs, many only address internal risk issues. Customising these emerging applications or tools to deal with operational risks imported from outsourcing partners should be a key ERM imperative. With all these considerations in mind, one should do a cost-benefit analysis of whether IT pipelines that link up to external suppliers and markets can be safely delegated to third parties, even if their explicit material costs appear to be lower than yours.



Financial Risk


With money being defined by a former Citibank president as 'information on the move', the relationship between an enterprise’s financial department, the enterprise system and risk management is complicated by the presence of external outsourcing parties. Uniform financial control is an important component of ERM but achieving it is much more difficult when a significant portion of financial risk resides in external parties located overseas. Hence, if their effect is not anticipated, cultural differences, linguistic barriers, and different financial reporting requirements can make outsourcing an impenetrable black box of financial risk.

 

Furthermore, although outsourcing is typically undertaken to augment cash flow net of expenses, many hidden costs may reduce net profits. Evaluating and safeguarding against many of the risks outlined in this article often incurs unpredictable, potentially large costs arising from the need to undertake vendor due diligence. These costs are often exacerbated by the need for overseas travel or offshore investigations.

 

Developing the infrastructure to support off-site operations can be expensive and not fully anticipated because of the complex IT hardware and software requirements. In addition, ongoing costs that must be factored in include monitoring service quality, contract performance and security. Time, money and travel expenses are generated when creating a long-term, consultative stakeholder relationship with key outsourcing staff as part of your ERM strategy.



Strategic/Market Risks


These typically occur when management relocates IT-dependent processes related to core strategy and market position, including coding, application development, testing or CRM functions such as customer call centres, to remotely located providers.

 

Market risk is particularly manifested when core, IT-driven business processes that can affect a customer’s experience with the company are outsourced. Any consequent inconsistency in the effectiveness of your company’s product or service delivery can hinder its capacity to meet the agreed-upon strategic objectives. Often, this occurs indirectly, such as via component applications that work well individually but, because they were developed by different outsourcing partners, do not operate as intended when they are placed together in the same system.

 

In CRM type environments, poor communication due to inadequate training or cultural differences may result in suboptimal delivery of customer services, thereby compromising the company’s ability to maintain and expand its customer base. Therefore, in an effort to save on labour costs, production costs and development time, an organisation can undermine its strategic goals or market position.

 

Perhaps the greatest strategic risk arising from outsourcing is the unintentional leakage of confidential information, whether it is private customer details or confidential company strategy.

 

Ultimately, an outsourcing partner greatly exposes an enterprise’s core business competencies and enables external parties to learn, either directly or through induction, its core business strategies. Many times, outsourcing-based leaks of confidential information do not occur as a result of any operational errors but rather from differences between the two parties’ work culture, corporate ethics code, or internal governance policies. Finally, the outsourcer can face these same risks both through its interaction with your company and through its interactions with its other clients – some of whom may be your competitors, thereby creating potential conflict of interest situations.

 

To outsource effectively and safely, these risks have to be evaluated carefully, and communication channels between key outsourcing executives and host decision-makers have to be as strong and well defined as those between the CIO and internal ERM risk stakeholders.



Conclusion


A comprehensive ERM view of the risks involved with outsourcing identifies, assesses, and manages the significant risks arising from your particular outsourcing relationship. The particular risk details of your enterprise’s unique business model cannot be known by your prospective outsourcer any more than they can be addressed by one article. Nevertheless, it is imperative for the CIO to evaluate the types of risks implicit in prospective outsourcing relationships, the available means of managing them and the unspoken, silent costs they add to your enterprise’s bottom line.

 

Failure to evaluate the risks from an enterprise risk management perspective can lead to an accumulation of risks far greater than the monetary or risk savings offered by the outsourcing arrangement. On the other hand, taking an ERM approach to managing risks arising from outsourcing enhances the profitability and security of not only your company but even the outsourcing party, who faces a lower level of risk from interacting with your well-run organisation.

 

One thing, however, is for sure: since BPO was only made possible through IT, the data pipeline that imports outsourcing-related risk to your organisation inevitably passes through the CIO’s office.

 
Copyright © 2008 SDA Asia Magazine - All Rights Reserved