Outsourcing Risk Management
This is one in a series of risk management articles submitted by the Malta Association of Risk Management (MARM) for The Accountant. The article sets out to describe the benefits and risks pertaining to outsourcing arrangements and the methods which can be employed to manage associated risks. The author has a number of years’ experience assisting firms across various industries to improve their risk management practices and internal control frameworks.
Why consider outsourcing and what are the risks?
The mounting pressure on firms to boost their bottom line and drive performance is pushing executive management to consider leaner operating structures that can be scaled up or down according to the prevailing needs of the business.
The commercial benefits of outsourcing should not be underestimated; these range from enhanced flexibility in operating models to economies of scale instituted by suppliers who are able to build expertise and industrialise processes at significantly lower unit costs. Despite the benefits, such arrangements can significantly alter the risk profile of an entity. It is therefore critical that any outsourcing strategy is properly aligned to the risk appetite of the board and that appropriate measures are put in place in response to any resulting shift in risk profile.
Outsourcing can expose your organisation to the following risks:
- Operational risks such as impaired business continuity arrangements, inability to respond promptly to changes in regulatory frameworks or to market needs and restricted transparency over the quality of services provided
- Legal risks arising from the quality of the contract with service providers and resulting litigation
- Reputational risks stemming from aggravated consumer relations
- Erosion of technical skills and in-house knowledge arising from heightened dependence on service providers
- Financial risks resulting from the underestimation of service costs
These risks are of paramount concern when the function or activity subject to the outsourcing arrangement is essential to your core operations and particularly when the quality of service delivery can materially impact the firm’s ability to sufficiently control its risks. Outsourcing does not transfer the underlying risks linked to the activity; on the contrary, Boards remain fully responsible for the proper performance of these activities throughout the lifetime of the outsourcing arrangement. Therefore, unless these risks are properly managed within a prescribed framework, a seemingly successful arrangement can rapidly turn sour.
Managing outsourcing risks – a four-phased approach
The following framework is based on four key phases. It ensures that all stages of the outsourcing cycle are appropriately considered and that such arrangements do not impair the overall performance and quality of business.
Service providers should be selected on the basis of a predefined set of objective criteria where financial and commercial considerations are weighed against an evaluation of quality, experience, financial soundness and reliability. The due diligence exercise must incorporate any potential risks associated with the outsourcing arrangement including possible conflicts of interests which may undermine the integrity of your business. If the outsourced activity is directly linked to your core operations, it is important to ascertain whether the service provider has an appropriate risk management and internal control system in place such that your organisation is not exposed to unwarranted levels of risk.
Any outsourced activity should be subject to a formal contract which clearly defines acceptable service levels and the respective rights and obligations of each party. Besides integrating standard confidentiality clauses, the contract should clearly set out your right to audit the service provider at any time and allow for unrestricted access to records pertaining to the outsourced activity. It is good practice to request full transparency over the business continuity arrangements instituted by the service provider in order to safeguard the continuity of the outsourced activity and hence operations as a whole. Termination clauses which define notice periods for the dissolution of the agreement should neither be unduly lengthy nor so short that alternative arrangements cannot be made within a reasonable timeframe.
Relationships with service providers must be managed and the quality of service monitored continuously. Appointing someone within your organisation with oversight of the outsourced activity will ensure that there is appropriate steering of the function at all times. This person should possess sufficient knowledge and experience related to the activity in order to appropriately challenge the performance and outputs of the arrangement. Where relevant, key performance indicators should be set up and periodically monitored in order to evaluate the quality of the service delivered against agreed service levels. Appropriate and timely action should be taken in circumstances where the service provider falls short of acceptable service levels.
The objective of the controlling phase is to ensure that the service complies with the contractual terms of the arrangement and to assess whether there are sufficient grounds to remediate the relationship through renegotiations, invoking penalty clauses, or, in more extreme circumstances, termination clauses stipulated in the contract. If the outsourced activity is directly linked to your core operations, it would be necessary to evaluate the effective operation of the internal control systems in place. Incidents should be duly reported and suitable measures put in place to mitigate recurring problems. The results of business continuity tests performed by the service provider should be obtained and analysed with a view to identifying factors which may inhibit the continuity of service.
Reversibility is perhaps among the most important considerations in any outsourcing arrangement linked to a core business activity. In order to ensure that sufficient expertise is maintained in-house, or can be readily transferred to another provider, processes should be well documented. Exit strategies should be devised from the start to allow for smooth transitionary measures and to minimise the impact on your business should the contract be terminated.
Proportionality – one size does not fit all
This framework serves to guide you through the key aspects of any outsourcing strategy, particularly where this relates to a core business function carried out by a third party where there is little visibility over the operating processes and control framework governing the activities in question. These best-practice principles should be applied proportionally to the risks involved, taking into account the complexity of activities falling subject to the outsourcing arrangement. All in all, a well-defined outsourcing arrangement will help the business reach its objectives by leveraging the skills and proficiencies of service providers while appropriately managing any incoming risks.