  BPORBIT
Risk Management: Managing Risk In Outsourcing Arrangements
Develop a holistic view for managing outsourcing risk, where all the functions that have a responsibility for controlling risk work together
Saturday, January 06, 2007

In 2005, three former employees of an outsourcing center in India were arrested, along with nine accomplices, for allegedly milking Citibank customers out of approximately $350,000, by convincing them to reveal their PINs over the phone, and then using an international wire-transfer system to move the funds.

Embarrassment aside, there was evidence that Citibank had performed some due diligence in selecting the outsourcing center. For example, the outsourcing center had received two third-party certifications and a background check of the employees conducted by the center revealed no prior criminal record. Still, according to a press release from Forrester Research on the event, "Clients and prospects should not be lulled into security complacency by a laundry list of certifications or process changes that suppliers roll out. Customers are going to have to implement their own aggressive requirements."

When it comes to selecting outsourcing providers and making sure they meet requirements, a lot of departments in an organization come to the table - procurement, security, IT, legal and others. One other department that should never be absent is risk management. Risk-management expertise is required to assist in the selection process, work through contractual issues to prevent risk exposure and manage potential risk situations.

Outsourcing Risk
While there are many ways to categorize risk exposures in outsourcing arrangements, four of the most convenient are operational disruption risk, data risk, quality risk and reputation risk.

Operational disruption risks are focused on business continuity and disaster recovery issues. "It is important to make sure that suppliers have sufficient security, controls and business-continuity plans, so that, if a disaster occurs, the provider has adequate backup plans," says Suresh C Gupta, partner and worldwide head of Global Sourcing Consulting, Capco.

Data risks include risks related to data security, customer-information privacy and intellectual property. "If you outsource some portion of your business process, and the provider doesn't have the same controls that you do, it could end up exposing your customers," says Gupta. "Consider the Citibank incident."

Quality risks are related to the ability of the outsourcing company to do the job. "If a vendor lacks sufficient experience in the programming language that your application development needs, then there is a risk that the application will not perform the way it was intended," says Gupta.

Resolving The Risk

A survey on outsourcing of executives in 36 international financial-services organizations, conducted by the Institute of Financial Services, found that 84% of respondents felt offshoring increases the risks associated with outsourcing, and 83% felt offshoring would negatively impact the quality of service.

Concern for offshore outsourcing is well placed. In addition to the risks associated with domestic outsourcing, there are several formidable ones associated with offshoring. These include political disruption, country financial risk (including currency volatility), lax government regulations (such as inadequate laws protecting personal privacy), social disruption (including riots and labor instability), terrorist attacks, wars and disease epidemics.

When an organization is considering offshoring, one of the first responsibilities of the risk manager should be to help identify the countries where the outsourcing can, and cannot, take place. The risk manager should also decide whether it makes sense to concentrate all of the company's outsourcing risk in one country or to spread the risk among two or more countries.

One additional point: It is important to make sure that there is proper contractual language in place to address the exposures related to what might be unique political, legislative and economic situations in that country, according to Michael Rasmussen, VP, Risk and Compliance Research, Forrester Research. "For example, if a country has lax laws related to intellectual property, you need to address these in specific detail in the contract. Finally, you also need a clause stating that dispute resolution will occur on your premises."

Reputation risk is the risk that customers end up being adversely exposed in some way due to an outsourcing relationship. "Customers may decide to begin doing business with one of your competitors that isn't involved in outsourcing," says Gupta.

Risk managers must understand and anticipate these risks, identify and raise them to the management team and make sure there are plans in place to mitigate these risks, says Gupta.

Managing Risk
A number of options exist for mitigating such risks. "One is a contract solution, where risk responsibility is placed on the outsourcing provider, a second is to purchase insurance and a third involves practical solutions, where risks are managed by developing better business practices. The challenge for companies is to determine on a holistic basis what the most appropriate combination of solutions and remedies is," says Stephen Johnson, Partner, Kirkland & Ellis, a law firm.

Achieving this requires a coordinated effort among risk, legal and security departments. "In many cases, the risk, legal and security functions tend to operate in silos," says Johnson. For example, the risk-management function will be focused on insurance, the legal function will be focused on limitations of liability and indemnity, and the security function will be focused on intrusive issues, such as access security and network security.

The "silo mentality" causes problems. For example, the legal function is good at identifying potential risk, but often has problems coordinating with the risk-management function to determine how each risk is going to be handled. "It can be difficult to get the risk-management function to meet with the legal function to distinguish which risks are covered by insurance from the ones that need to be borne by the outsourcing service provider," says Johnson.

According to Johnson, it makes more sense to develop a holistic view for managing outsourcing risk, where all the functions in the organization that have a responsibility for controlling the risk work together. "Senior management's responsibility is to create a process so that all of these functions end up working together," he says.

One risk professional who understands the importance of working in a team environment is Stanley Rose, MD, Risk Management, Data Architecture and e-Business, The Bank of New York. "My role is to ensure that we are doing appropriate due diligence of the service provider to protect the bank," he says. To ensure this, the outsourcing team looks at a number of things.

First, it looks at protection of customer data, which is an information-security issue. "For this, we look at their security policies, personnel policies, human resources policies, the physical facilities and other areas," says Rose. The depth of investigation depends on the individual situation. For example, if the vendor's personnel will be involved in handling the data, the team will go deep into their personnel policies and security policies. If the data is at the vendor's site, the team will dig deep into its network policies and physical-security policies.

"We also look at the protection of the bank's interests from safety and soundness perspectives," says Rose. Here, the team looks at the financial history of the vendor to determine whether it is a viable one to deal with.

"We also look at their business-continuity process," he says. "If they are providing services to us that are critical to our business, we have to make sure that, if they have any kind of problem, they have sufficient backup of facilities, data, etc., just as we ensure these for our own systems."

In sum, according to Rose, the team is really just extending to the vendors the risk management that it does for its own business. "As is stated frequently, you can outsource functions, but you can't outsource the risk," he says. "You maintain ownership of the risk."
