Employment: Outsourcing: Key Risk Areas

In today's business environment, outsourcing processes to a third party has become relatively commonplace. The practice gives organizations an opportunity to gain efficiencies, improve performance, lower costs, and focus on core competencies. Many businesses, however, fail to complete necessary due diligence work before the outsourcing relationship begins and neglect to take sufficient care of the relationship, adopting an "out of sight, out of mind" approach once outsourcing begins.

Successful outsourcing is no different from any other business relationship — it requires nurturing and management so that the needs of all parties are met. It is critical that both the purchaser and the supplier of outsourced processes understand each other's expectations and dependencies, as well as focus on maintaining a strong communication channel. Regular monitoring and reporting, for example, provide valuable information on the health of the relationship. Moreover, the organization needs to consider carefully any risks involved in the outsourcing engagement and perform necessary up-front planning in advance of vendor selection.

Internal auditors play an important role in making sure risks have been addressed and verifying that the necessary steps have been taken to ensure the outsourcing relationship is successful. Let's consider the key risk areas which should be taken into account when controlling cooperation with a provider.

Security and Confidentiality

Organizations need to consider who has access to sensitive or confidential information and how that access affects compliance with regulations and policies. Those responsible for the outsourcing process should consider several issues, including: Will the vendor limit its employees' access to sensitive information? Is information stored at a vendor site? If so, is every storage location known to the outsourcing organization? What controls and security practices does the vendor enforce to provide assurances that critical information is handled appropriately? To obtain more direct insight on how the vendor handles sensitive information, organizational decision-makers should also ask the vendor to supply any certifications or outside assessment reports for audit review.

Reputation

When a problem occurs — and inevitably it will —the organization, not the outsourced firm, will bear responsibility no matter where that problem lies or who created it. If the organization has staked its reputation on exceptional customer service or rapid turnaround, for example, it should consider how these areas might be affected when direct control resides outside the core business. For instance, when an outsourcer provides help desk services, it acts as a customer interface on behalf of the organization. When providing back-end processing, the provider deals directly with the customer data on the organization's behalf. In both cases, the customer agrees to a relationship with the organization, thereby placing the organization's reputation at risk.

Strategy

Would outsourcing the process under consideration help the company meet its strategic objectives? If the process comprises back-office activities and can be performed by a vendor with greater expertise and resources, then outsourcing may allow the organization to better focus on its core strengths. If it involves a key business process, those responsible for the decision need to understand how outsourcing fits with company strategy. Moreover, the organization needs to determine the level of training and management that may be required to make sure the outsourced process works effectively and continues to support the strategy.

Organizational Structure and Composition

An organization's structure, size, and staffing can play critical roles in the success of an outsourcing relationship. Vendors that can react quickly to a change in requirements or address an issue rapidly, for example, can offer an advantage in meeting certain needs. However, this same nimbleness of response can be detrimental if solid controls and activity reporting are required for regulatory purposes, as the vendor may compromise in these areas to achieve efficiency. In addition, differences in internal reporting structures between the company and the outsourcing provider can lead to long-term conflicts if not recognized and addressed early in the process.

For example, an outsourcing provider may have a decentralized and informal security structure, which can be problematic for an organization that requires a more formally structured approach to information security controls. Small service providers may be more responsive to the organization's needs because they value the organization's business, but responsiveness may decrease if they have inadequate staffing levels to support operational needs. Formalized processes within larger or more mature outsourcing organizations can help support compliance and reporting needs, but can also slow responsiveness if not optimized. Staff turnover within the provider firm and an inability to retain staff experienced in the background and requirements of the company can also impact the success of the outsourcing effort.

Key Processes

Increasingly, companies decide to outsource key business processes to meet specific strategic objectives. A key process is one that is central to the services a business delivers and has a direct effect on organizational success, such as transaction or claims processing. When a key business process is outsourced it falls into a category of service provider called business process outsourcer (BPO). There are many potential advantages to outsourcing to a BPO — such as improving client service, turnaround time, and profitability — because the company is able to focus on more strategic objectives and allow the BPO to handle day-to-day processes with greater efficiency and expertise. However, the potential risks when outsourcing a key process are greatly increased because the outsourcing company gives up a significant amount of control over how that service is delivered to customers.