Risk Management: Managing Risk In Outsourcing Arrangements

Voice&Data Bureau

In 2005, three former employees of an outsourcing center in
India were arrested, along with nine accomplices, for allegedly milking Citibank
customers out of approximately $350,000, by convincing them to reveal their PINs
over the phone, and then using an international wire-transfer system to move the
funds.

Embarrassment aside, there was evidence that Citibank had
performed some due diligence in selecting the outsourcing center. For example,
the outsourcing center had received two third-party certifications and a
background check of the employees conducted by the center revealed no prior
criminal record. Still, according to a press release from Forrester Research on
the event, "Clients and prospects should not be lulled into security
complacency by a laundry list of certifications or process changes that
suppliers roll out. Customers are going to have to implement their own
aggressive requirements."

When it comes to selecting outsourcing providers and making sure
they meet requirements, a lot of departments in an organization come to the
table - procurement, security, IT, legal and others. One other department that
should never be absent is risk management. Risk-management expertise is required
to assist in the selection process, work through contractual issues to prevent
risk exposure and manage potential risk situations.

Outsourcing Risk

While there are many ways to categorize risk exposures in outsourcing
arrangements, four of the most convenient are operational disruption risk, data
risk, quality risk and reputation risk.

Operational disruption risks concern business continuity
and disaster recovery. "It is important to make sure that suppliers
have sufficient security, controls and business-continuity plans, so that, if a
disaster occurs, the provider has adequate backup plans," says Suresh C
Gupta, partner and worldwide head of Global Sourcing Consulting, Capco.

Data risks include risks related to data security,
customer-information privacy and intellectual property. "If you outsource
some portion of your business process, and the provider doesn't have the same
controls that you do, it could end up exposing your customers," says Gupta.
"Consider the Citibank incident."

Quality risks are related to the ability of the outsourcing
company to do the job. "If a vendor lacks sufficient experience in the
programming language that your application development needs, then there is a
risk that the application will not perform the way it was intended," says
Gupta.

Resolving The Risk

A survey on outsourcing
conducted by the Institute of Financial Services of executives in 36
international financial-services organizations found that 84% of
respondents felt offshoring increases the risks associated with
outsourcing, and 83% felt offshoring would negatively impact the quality
of service.

Concern for offshore
outsourcing is well placed. In addition to the risks associated with
domestic outsourcing, there are several formidable ones associated with
offshoring. These include political disruption, country financial risk
(including currency volatility), lax government regulations (such as
inadequate laws protecting personal privacy), social disruption (including
riots and labor instability), terrorist attacks, wars and disease
epidemics.

When an organization is
considering offshoring, one of the first responsibilities of the risk
manager should be to help identify the countries where the outsourcing
can, and cannot, take place. The risk manager should also decide whether it
makes sense to concentrate all of the company's outsourcing risk in one
country or to spread the risk across two or more countries.

One additional point: It is important to
make sure that there is proper contractual language in place to address
the exposures related to what might be unique political, legislative and
economic situations in that country, according to Michael Rasmussen, VP,
Risk and Compliance Research, Forrester Research. "For example, if a
country has lax laws related to intellectual property, you need to address
these in specific detail in the contract. Finally, you also need a clause
stating that dispute resolution will occur on your premises."

Reputation risk is the risk that customers end up being
adversely exposed in some way due to an outsourcing relationship.
"Customers may decide to begin doing business with one of your competitors
that isn't involved in outsourcing," says Gupta.

Risk managers must understand and anticipate these risks,
identify and raise them to the management team and make sure there are plans in
place to mitigate these risks, says Gupta.

Managing Risk

A number of options exist for mitigating such risks. "One is a contract
solution, where risk responsibility is placed on the outsourcing provider, a
second is to purchase insurance and a third involves practical solutions, where
risks are managed by developing better business practices. The challenge
for companies is to determine on a holistic basis what the most appropriate
combination of solutions and remedies is," says Stephen Johnson, Partner,
Kirkland & Ellis, a law firm.

Achieving this requires a coordinated effort among risk, legal
and security departments. "In many cases, the risk, legal and security
functions tend to operate in silos," says Johnson. For example, the
risk-management function will be focused on insurance, the legal function will
be focused on limitations of liability and indemnity, and the security function
will be focused on intrusive issues, such as access security and network
security.

The "silo mentality" causes problems. For example, the
legal function is good at identifying potential risk, but often has problems
coordinating with the risk-management function to determine how each risk is
going to be handled. "It can be difficult to get the risk-management
function to meet with the legal function to distinguish which risks
are covered by insurance from the ones that need to be borne by the outsourcing
service provider," says Johnson.

According to Johnson, it makes more sense to develop a holistic
view for managing outsourcing risk, where all the functions in the organization
that have a responsibility for controlling the risk work together. "Senior
management's responsibility is to create a process so that all of these
functions end up working together," he says.

One risk professional who understands the importance of working
in a team environment is Stanley Rose, MD, Risk Management, Data Architecture
and e-Business, The Bank of New York. "My role is to ensure that we are
doing appropriate due diligence of the service provider to protect the
bank," he says. To ensure this, the outsourcing team looks at a number of
things.

First, it looks at protection of customer data, which is an
information-security issue. "For this, we look at their security policies,
personnel policies, human resources policies, the physical facilities and other
areas," says Rose. The depth of investigation depends on the individual
situation. For example, if the vendor's personnel will be involved in handling
the data, the team will go deep into their personnel policies and security
policies. If the data is at the vendor's site, the team will dig deep into its
network policies and physical-security policies.

"We also look at the protection of the bank's interests
from safety and soundness perspectives," says Rose. Here, the team looks at
the financial history of the vendor to determine whether it is a viable one to
deal with.

"We also look at their business-continuity process,"
he says. "If they are providing services to us that are critical to our
business, we have to make sure that, if they have any kind of problem, they have
sufficient backup of facilities, data, etc., just as we ensure these for our own
systems."

In sum, according to Rose, the team is really just extending to
the vendors the risk management that it does for its own business. "As is
stated frequently, you can outsource functions, but you can't outsource the
risk," he says. "You maintain ownership of the risk."

Risk-Management Strategies

Risk managers need to determine risk tolerance for various facets of
performance that might be compromised during the life of the contract. One
important step is to check with your own insurance broker or carrier to
determine the extent of coverage.

"You first have to identify the risks that exist or may
exist, determine the company's risk-tolerance levels, and then determine what
controls can or should be put in place to mitigate those risks to keep them
within acceptable risk tolerance levels," says Michael Rasmussen, VP, Risk
and Compliance Research, Forrester Research.

The next step is to determine what the controls will cost.
"If the cost to implement the risk controls is higher than the projected
savings of the outsourcing relationship, then it doesn't make sense to move
forward," says Rasmussen.

According to the Gartner Group, only 20% of unplanned IT outages
are attributed to disasters and other external events. The remaining 80% are due
to internal issues, such as application failures and operation errors. Thus, it
is important to determine what kind of internal strategies the outsourcing
provider has in place to prevent interruptions.

It is also important to make sure the outsourcing provider has
sufficient levels of insurance coverage, an internal risk-management program and
an internal security program. In terms of insurance, the provider should have
adequate levels of coverage for information technology security,
property/casualty, general liability, errors/omissions and workers'
compensation.

You also need to help create methods to identify problems early
during the outsourcing engagement. Therefore, it is important to meet with the
provider's risk manager to review the risk-management program and the security
manager to review the security program. "When you meet the risk manager,
you should discuss the overall communication of risk," suggests Forrester's
Rasmussen. "Focus on issues that could compromise the provider's business
directly, as well as those that could impact the information being shared
between the two organizations."

Risk managers need to specify expectations of performance from
the outsourcing organization. "When developing the contract, the most
important thing risk managers need to focus on is compliance controls,"
says Rasmussen. A regulatory agency is going to hold an organization responsible
for these, even if the function in question is being outsourced. "They also
need to contractually specify how intellectual property is going to be
protected, as well as making sure business continuity controls are in place,
including service-level agreements," he adds.

Risk managers also need to create ways to measure vendor
performance, often called "service-performance indicators." It is
important to specify in the contract who in the organization will have oversight
over the outsourcing provider's performance, how they will have access to this
information (e.g., types and frequency of audits), and what steps will be taken
if and when concerns arise. "You want to make sure there is a 'right
to audit' clause in place, so that you can visit the outsourcing
organization to review their performance and controls," says Rasmussen.

Effective Risk Management Programs

While many organizations have effective outsourcing programs, one of the
most impressive, in terms of covering risk-management issues, is the program in
place at Fifth Third Bank. Not only is the program effective, but it is also
efficient. "We had a goal of reducing man-hours by 10,000 hours, and we were
able to achieve this," says Linda Tuck Chapman, SVP and CSO, Fifth Third
Bank.

Risk-management specialists are integral to the bank's
outsourcing process. In fact, within the last year, the bank's enterprise risk
management group has seen fit to transfer the risk-management function for
third-party relationships into the purchasing department. "We are not just
integrated in name only," says Chapman.

Risk management has three broad areas of responsibility related
to outsourcing. The first is to make sure that all of the right things are
reviewed and assessed according to due diligence. The second involves creating a
review process for the operational risk managers in the specific lines of
business, so they know how to review and assess the operational risks presented
by the ongoing outsourcing relationship, how often to review them and how much
depth to go into. The third is the need to understand risk management from the
perspective of being a provider, since the bank itself is also an outsource
service provider (performing outsourcing for a number of banks and other
companies). "We want to make our customers feel comfortable that we have
our risk-management processes well in hand," says Chapman.

When the bank is exploring a new outsourcing relationship, it
looks at risk from a variety of perspectives. "My department may operate in
a full-service mode, where we will act as a coordinating body to make sure
everything is covered," she says. "In this situation, we do a lot of
work ourselves." However, the department also relies on other experts in
the organization, such as the IT group, the legal department, the compliance
group, the disaster recovery and business continuity group and the security and
risk services group.

Another requirement involves improving efficiency and
effectiveness by focusing resources where they are most needed. "The first
thing we did to make sure we were complying with regulations related to
outsourcing was to determine what was really defined as outsourcing and what was
not," says Chapman. The bank realized that regulations were in place to
provide protection for all involved. "However, we realized that the
regulations really specified few things related to outsourcing," she says.
"As a result, we met these requirements, then added our own to make sure we
weren't putting the bank at risk."

Next, the bank assessed the level of tracking it was engaged in
with each outsourcing relationship. "We found we were tracking far too many
relationships, even for regulatory purposes," she notes. Investigation
revealed that the bank was tracking about 600 relationships, but really only
needed to seriously track about 150 of them - those that represented true
outsourcing relationships. The remaining 450 were more aptly defined as
strategic relationships (e.g., the ad agency that the bank uses).

The bank then categorized the 150 outsourcing relationships as
either high risk, medium risk or low risk. Each has a different level of
intensity related to requirements. "For high risk, we need a lot more
intensity for due diligence and more evidence of what we are looking for,"
she says. "For low risk, we scale this down quite a bit."

Once the relationships are in place, the bank has specific
procedures for managing and monitoring them, which are tailored to the level of
risk involved. "We gave these procedures to all of the operational risk
managers," says Chapman. "Now, when they are doing their reviews, they
know how much due diligence to go through based on the risk level."

Regardless of whether a relationship is categorized as high
risk, medium risk or low risk, the bank has introduced a number of strategies
that help all relationships work smoothly. "First, we like to utilize
evergreen contracts that let us upgrade our service-level agreements on a
forced-frequency basis," she says. The bank then combines this with regular
operational reviews, and it schedules business reviews every three to six months
to provide historical snapshots of what is taking place. Action plans are
identified for the future, and, once a year, there is a strategic review of
where each provider's business and industry is going in general.

While Chapman's department handles the management of the
outsourcing process and some of the governance, true governance is handled by
the bank's enterprise risk management group and the audit group. "The
enterprise risk management group holds the operational risk managers accountable
and also holds us accountable," she explains. "The enterprise risk
management department has to agree that we have done all of our homework. We don't
have the final say that the risk issues have been covered, nor do I think it is
appropriate that we do." Then, to ensure maximum effectiveness, the audit
group comes in and audits everything, she notes.

"Overall, we have found ourselves involved in extremely few
unsuccessful outsourcing relationships," says Chapman. "By focusing
efforts where they need to be focused, we find few surprises in our
relationships with outsourcing providers."

William Atkinson

vadmail@cybermedia.co.in