“My Company has signed up for a three-year process outsourcing contract with a third party service provider. Their service delivery is poor but I cannot do anything about it.”
“The key person who handles our outsourced processes already resigned. I’m now left with a new and inexperienced person.”
“My service provider has not been delivering based on expectations. They’re giving me headaches.”
These are the common complaints that I hear from my clients and friends. It has become our regular topic during catch-up meetings. As a Risk Assurance professional, I can’t help wondering about the plight of other companies that followed the same suit of outsourcing as part of their businesses. Evolving business models have led these companies to become more integrated with their suppliers, distributors and other third parties.
While it is said that outsourcing can be an extremely effective means to achieving strategic operational gains and cost savings, many companies are not getting all the value available from this initiative, more so that they’re getting more exposed to outsourcing risks.
From my experience, companies need to take responsibility for driving improvements and must constantly challenge their service providers throughout the outsourcing contract. They also need to look deeper into their outsourcing arrangements. Here are some pointers that companies might want to consider in reviewing their outsourcing initiatives:
Are you realizing the business benefits outlined in your original business case?
Is your service provider adding value to your business, as well as performing the transactional agreements?
Is your pricing model flexible, scalable and transparent?
Is your service provider periodically benchmarked for market competitiveness?
Is there a culture of innovation and continuous improvement?
Is your service provider sharing good practice and tools?
Is the service delivery constantly improving?
Is your service provider proactive in preventing and resolving issues?
Can your service provider ensure business continuity in times of emergency?
Are you outsourcing the right breadth of activities?
Could you benefit from engaging multiple outsource providers?
Is the scope of your outsourcing arrangement flexible?
Can your service provider transform their services as your business grows?
Are you leveraging your service provider’s technology and expertise?
Is the culture of the service provider aligned with the culture of your organization?
Is your partnership with your service provider growing in strength?
Do you have a termination and exit procedure in place?
Does your service provider communicate effectively, seek common ground, take on board difficult points of view and compromise where appropriate?
Now, in so far as outsourcing risks are concerned, this topic is nothing new. It has just taken more prominence as companies have been using third parties more and more to support their businesses. Even the senior management and the board are talking more about it. Regulators have likewise put more focus on third parties since they see them as extension of these companies. Customers also hold these companies accountable for the actions of their outsourced service providers if anything happens. Any risk exposures such as data breach committed by the outsourced service providers can cause great damage to these companies.
But unlike any other risks, outsourcing risks operate outside of the companies’ environment. It is not within the companies’ control and is not part of the companies’ risk management process. It is then important for companies to look into the processes and controls that they can put in place to address outsourcing risks. In particular, they need to look into the adequacy of contract provisions to protect their companies. For some companies, having simple contract terms are enough, without realizing that they are putting themselves at a disadvantage. The common pitfall here is not including or clearly defining the performance metrics and corresponding service levels against each metric, the manner to measure compliance and penalties for non-compliance. Other points to consider are the inclusion of the right to terminate relationships in case of violations to the contract terms and right to audit clause, which can be useful especially on high risk situations or processes.
Talking about risk assessment, it is generally seldom that companies look at their risk assessment processes over third parties. More so that they have maintained an inventory of all their third party relationships. Perhaps, the most important questions to ask are: Do they know their significant third party relationships and if so, how well do they know them? Have they performed due diligence on the outsourced service provider’s capabilities and reputation? Part also of the risk assessment process is to prioritize the outsourced service providers with respect to the financial value of relationships and provide risk rating depending on the location of the operation, sensitive data shared, among others.
At the governance level, the Audit Committee, similar to any other significant risks, should look into the outsourcing risks and elevate matters of concern to the companies’ board of directors. The Board, on the other hand, may consider knowing first where the accountability lies within the company. In some companies, the broader third party relationship is a shared responsibility between the Internal Audit and the Legal Departments, but it is important to clearly define who ultimately owns it. They also need to define the regularity of reporting and set the reporting guidelines. Lastly, discussion on outsourcing risks should always be part of the Board’s agenda.
Companies always need to remember that potential rewards from outsourcing initiatives often go hand-in-hand with risks and challenges, and that while business functions and operations can be outsourced, they can never outsource the risk.
Rosell S. Gomez is a Risk Assurance Partner, Lead Partner for Global Technology Solutions/Chief Information Officer and Lead Partner for General Office Services of Isla Lipana & Co./PwC Philippines. Email your comments and questions to firstname.lastname@example.org. This content is for general information purposes only, and should not be used as a substitute for consultation with professional advisors.