Your Outsourcing Policy: The Risks and Considerations

Estimated Reading Time: 4 Minutes
Written by Aaron Nolan
Outsourcing involves the transferring of responsibility for activities to an Outsourced Service Provider (OSP). Outsourcing has become an increasingly common practice in today’s world, as it brings to businesses the benefits of reducing costs, increasing scalability and allowing for the use of external expertise when required.

However, outsourcing is often not as straightforward as it seems, as there are many risks and factors to be taken into consideration.

An organisation’s board and management structure are uniquely responsible for the risks involved in outsourcing. Should anything happen as a result of outsourcing business-critical functions, the board and its management will be held accountable by their governing body.

Before deciding to outsource part of your organisations critical business functions to an OSP, several things should be understood and pondered. This article will provide a brief overview of the crucial factors to be considered, which hopefully can help you make a more informed decision.

Looking for specific information on outsourcing your IT management? We have more details on the article: Does Outsourcing Technology Support Really Work?

Awareness

The Board must be aware of what needs to be outsourced and what can be managed internally. Are there enough resources to keep certain functions in-house? Is it feasible and beneficial for the business? Keeping things in-house has its benefits, and will allow for direct manipulation of activities. However, without awareness, it can sometimes be just as faulty as outsourcing and not having controls in place.

A cost vs benefit analysis should be carried out before outsourcing a business-critical contract. This should then be followed by a risk assessment of the outsourced function. This reflection exercise will give senior management a much broader view of the risk involved in outsourcing this function. By doing this, it should become easier to understand which functions should be prioritized or how the budget can be assigned.

Once the board and senior management agree that a function is required to be outsourced, they should go about understanding the Maximum Tolerable Downtime (MTD) of this function. Maximum Tolerable Downtime is the maximum length of time a business function can be down without causing irreparable harm to the business.

The organisation should then set about looking for an Outsourced Service Provider who guarantees that their Recovery Time Objective (the time it takes to restore critical functions) is less than their MTD. This means, in short, that a business’ expectation must meet the outsourcer’s promise for the relationship to work.

Only when both organisations understand and agree on the relevance of these functions, they can potentially engage in business. These Service Level Agreements (SLA) should be written into contracts and reviewed regularly.

Risk

Before outsourcing a business function, an organisation should go about doing a due care and due diligence process on the function and the providers. A risk assessment should be carried out on a provider before outsourcing any business functions. An organisation may use a tendering process or use the MTD mentioned previously as an indicator of the provider’s ability to meet its required SLA.

Once a service provider has been selected, the organisation should add the Outsourced Service Provider to their internal risk register or a list of third-party providers for regular review to ensure SLA’s are being met.

To learn more about risk, read: Understanding and Calculating Organisational Risk

Business Continuity Management

When an organisation decides to outsource business functions, it is their responsibility to ensure that SLA’s are tested regularly. There is no point in having Recovery Time Objectives and Recovery Point Objectives in place if they are not tested at least once a year.

Sometimes backups fail, system patching isn’t always up to date, and changes to infrastructure are not always recorded, resulting in the BCP process taking longer than expected. Therefore, it is vital to test your business continuity plan as regularly as possible.

It is also critical for the organisation to implement an exit strategy with any service providers to ensure a smooth transition to another provider and return of any data held by the service provider. This could easily become an obstacle for business growth if left unchecked.

In Conclusion

With the ever-evolving advancements in technology making businesses more efficient, it has become more and more necessary to outsource functions due to the lack of in-house knowledge.

Outsourcing functions increase the scope of a business, but will also increase exposure, risks and the challenges for compliance. Tasks such as mapping the data flow and having full visibility of the suppliers’ activities can become extremely complicated.

Regulatory requirements like GDPR force boards and management to understand and protect their data. It is critical for the organisation’s senior management to have awareness and understanding of the scope of its business – especially if choosing to adopt a framework, guideline or standard.

Once the organisation understands its scope, it can then go about addressing the risks of not only its internal functions but now its outsourced functions. These outsourced functions should be tested regularly to ensure SLA’s are being met and critical data is being backed up.

If you are looking for yet more detail on the major risks and factors related to outsourcing policies, we recommend reading the following whitepaper from the Central Bank of Ireland: Outsourcing – Findings and Issues for Discussion.

Thank you for reading, and for more compliance and business advice, visit our blog.
Follow Spector on our Social Media channels for more exclusive content.