In 2005, three former employees of an outsourcing center in India were arrested, along with nine accomplices, for allegedly milking Citibank customers out of approximately $350,000 by convincing them to reveal their PINs over the phone and then using an international wire-transfer system to move the funds.
Embarrassment aside, there was evidence that Citibank had performed some due diligence in selecting the outsourcing center. For example, the outsourcing center had received two third-party certifications and a background check of the employees conducted by the center revealed no prior criminal record. Still, according to a press release from Forrester Research on the event, “Clients and prospects should not be lulled into security complacency by a laundry list of certifications or process changes that suppliers roll out. Customers are going to have to implement their own aggressive requirements.”
When it comes to selecting outsourcing providers and making sure they meet requirements, a lot of departments in an organization come to the table — procurement, security, IT, legal and others. One other department that should never be absent is risk management. Risk-management expertise is required to assist in the selection process, work through contractual issues to prevent risk exposure and manage potential risk situations as they arise during the outsourcing relationships.
While there are many ways to categorize risk exposures in outsourcing arrangements, four of the most convenient are operational disruption risk, data risk, quality risk and reputation risk.
Operational disruption risks are focused on business continuity and disaster recovery issues. “It is important to make sure that suppliers have sufficient security, controls and business-continuity plans, so that, if a disaster occurs, the provider has adequate backup plans,” says Suresh C. Gupta, Partner and worldwide Head of Global Sourcing Consulting, Capco.
Data risks include risks related to data security, customer-information privacy and intellectual property. “If you outsource some portion of your business process, and the provider doesn’t have the same controls that you do, it could end up exposing your customers,” says Gupta. “Consider the Citibank incident.”
Quality risks are related to the ability of the outsourcing company to do the job. “If a vendor lacks sufficient experience in the programming language that your application development needs, then there is a risk that the application will not perform the way it was intended,” says Gupta.
Reputation risk is the risk that customers end up being adversely exposed in some way due to an outsourcing relationship; this places your organization’s reputation at risk with the public in general. “Customers may decide to begin doing business with one of your competitors that isn’t involved in outsourcing,” says Gupta.
Risk managers must understand and anticipate these risks, identify and raise them to the management team and make sure there are plans in place to mitigate these risks, says Gupta.
A number of options exist for mitigating such risks. “One is a contract solution, where risk responsibility is placed on the outsourcing provider; a second is to purchase insurance; and a third involves practical solutions, where risks are managed by developing better business practices. The challenge for companies is to determine on a holistic basis what the most appropriate combination of solutions and remedies is,” says Stephen Johnson, Partner, Kirkland & Ellis, a law firm.
Achieving this requires a coordinated effort among the risk, legal and security departments. “In many cases, the risk, legal and security functions tend to operate in silos,” says Johnson. For example, the risk-management function will be focused on insurance, the legal function will be focused on limitations of liability and indemnity, and the security function will be focused on intrusion-related issues, such as access security and network security.
The “silo mentality” causes problems. For example, the legal function is good at identifying potential risk, but often has problems coordinating with the risk-management function to determine how each risk is going to be handled. “It can be difficult to get the risk-management function to meet with the legal function to distinguish which risks are covered by insurance from the ones that need to be borne by the outsourcing service provider,” says Johnson.
According to Johnson, it makes more sense to develop a holistic view for managing outsourcing risk, where all the functions in the organization that have a responsibility for controlling the risk work together. “Senior management’s responsibility is to create a process so that all of these functions end up working together,” he says.
One risk professional who understands the importance of working in a team environment is Stanley Rose, MD, Risk Management, Data Architecture and e-Business, The Bank of New York. “My role is to ensure that we are doing appropriate due diligence of the service provider to protect the bank,” he says. To ensure this, the outsourcing team looks at a number of things.
First, it looks at protection of customer data, which is an information-security issue. “For this, we look at their security policies, personnel policies, human resources policies, the physical facilities and other areas,” says Rose. The depth of investigation depends on the individual situation. For example, if the vendor’s personnel will be involved in handling the data, the team will go deep into their personnel policies and security policies. If the data is at the vendor’s site, the team will dig deep into its network policies and physical-security policies.
“We also look at the protection of the bank’s interests from safety and soundness perspectives,” says Rose. Here, the team looks at the financial history of the vendor to determine whether it is a viable one to deal with or whether there is a risk of it getting into some kind of financial trouble.
“We also look at their business-continuity process,” he says. “If they are providing services to us that are critical to our business, we have to make sure that, if they have any kind of problem, they have sufficient backup of facilities, data, etc., just as we ensure these for our own systems.”
In sum, according to Rose, the team is really just extending to the vendors the risk management that it does for its own business. “As is stated frequently, you can outsource functions, but you can’t outsource the risk,” he says. “You maintain ownership of the risk.”
Risk managers need to determine risk tolerance (both in terms of loss and liability) for various facets of performance that might be compromised during the life of the contract. One important step is to check with your own insurance broker or carrier to determine to what extent you are covered in relation to outsourcing arrangements.
“You first have to identify the risks that exist or may exist, determine the company’s risk-tolerance levels, and then determine what controls can or should be put in place to mitigate those risks to keep them within acceptable risk tolerance levels,” says Michael Rasmussen, Vice President, Risk and Compliance Research, Forrester Research.
The next step is to determine what the controls will cost. With this information, you can determine whether the relationship will make good business sense or not. “If the cost to implement the risk controls is higher than the projected savings of the outsourcing relationship, then it doesn't make sense to move forward,” says Rasmussen.
According to the Gartner Group, only 20% of unplanned IT outages are attributed to disasters and other external events. The remaining 80% are due to internal issues, such as application failures and operational errors. As such, it is important to determine what kind of internal strategies (such as quality-control programs, business-continuity plans, etc.) the outsourcing provider has in place to prevent interruptions.
It is also important to make sure the outsourcing provider has sufficient levels of insurance coverage, an internal risk-management program and an internal security program. In terms of insurance, the provider should have adequate levels of coverage for information technology security, property/casualty, general liability, errors/omissions and workers’ compensation.
You also need to help create methods to identify problems early during the outsourcing engagement. For this reason, it is important to meet with the provider’s risk manager to review the risk-management program and the security manager to review the security program. “When you meet the risk manager, you should discuss the overall communication of risk,” suggests Forrester’s Rasmussen. “Focus on issues that could compromise the provider’s business directly, as well as those that could impact the information being shared between the two organizations.”
Risk managers need to specify expectations of performance from the outsourcing organization. “When developing the contract, the most important thing risk managers need to focus on is compliance controls,” says Rasmussen. That is, there are certain things that must happen to remain within regulatory compliance. A regulatory agency is going to hold an organization responsible for these, even if the function in question is being outsourced. “They also need to contractually specify how intellectual property is going to be protected, as well as making sure business continuity controls are in place, including service-level agreements,” he adds.
Risk managers also need to create ways to measure vendor performance, often called “service-performance indicators.” It is important to specify in the contract who in the organization will have oversight over the outsourcing provider’s performance, how they will have access to this information (e.g., types and frequency of audits), and what steps will be taken if and when concerns arise. “You want to make sure there is a ‘right to audit’ clause in place, so that you can visit the outsourcing organization to review their performance and controls,” says Rasmussen.
Effective Risk Management: An Outsourcing Team in Action
While many organizations have effective outsourcing programs, one of the most impressive, in terms of covering risk-management issues, is the program in place at Fifth Third Bank. Not only is the program effective, but it is also efficient. When the bank retooled its procedures for creating, identifying and monitoring outsourcing relationships, it was so successful that effectiveness increased significantly while time requirements plummeted. “We had a goal of reducing man-hours by 10,000 hours, and we were able to achieve this,” says Linda Tuck Chapman, SVP and Chief Sourcing Officer, Fifth Third Bank.
Risk-management specialists are integral to the bank’s outsourcing process. In fact, within the last year, the bank’s enterprise risk management group has seen fit to transfer the risk-management function for third-party relationships into the purchasing department. “We are not just integrated in name only,” says Chapman.
Risk management has three broad areas of responsibility related to outsourcing. The first is to make sure that all of the right things are reviewed and assessed according to due diligence. The second involves creating a review process for the operational risk managers in the specific lines of business, so they know how to review and assess the operational risks presented by the ongoing outsourcing relationship, how often to review them and how much depth to go into. The third is the need to understand risk management from the perspective of being a provider, since the bank itself is also an outsource service provider (performing outsourcing for a number of banks and other companies). “We want to make our customers feel comfortable that we have our risk-management processes well in hand,” says Chapman.
When the bank is exploring a new outsourcing relationship, it looks at risk from a variety of perspectives. “My department may operate in a full-service mode, where we will act as a coordinating body to make sure everything is covered,” she says. “In this situation, we do a lot of work ourselves.” However, the department also relies on other experts in the organization, such as the IT group, the legal department, the compliance group, the disaster recovery and business continuity group and the security and risk services group.
Another requirement involves improving efficiency and effectiveness by focusing resources where they are most needed. “The first thing we did to make sure we were complying with regulations related to outsourcing was to determine what was really defined as outsourcing and what was not,” states Chapman. The bank realized that regulations were in place to provide protection for all involved. “However, we realized that the regulations really specified few things related to outsourcing,” she says. “As a result, we met these requirements, then added our own to make sure we weren’t putting the bank at risk.”
Next, the bank assessed the level of tracking it was engaged in with each outsourcing relationship. “We found we were tracking far too many relationships, even for regulatory purposes,” she notes. Investigation revealed that the bank was tracking about 600 relationships, but really only needed to seriously track about 150 of them — those that represented true outsourcing relationships. The remaining 450 were more aptly defined as strategic relationships (e.g., the ad agency that the bank uses).
The bank then categorized the 150 outsourcing relationships as either high risk, medium risk or low risk. Each has a different level of intensity related to requirements. “For high risk, we need a lot more intensity for due diligence and more evidence of what we are looking for,” she says. “For low risk, we scale this down quite a bit.”
Once the relationships are in place, the bank has specific procedures for managing and monitoring them, which are tailored to the level of risk involved. “We gave these procedures to all of the operational risk managers,” says Chapman. “Now, when they are doing their reviews, they know how much due diligence to go through based on the risk level.”
Regardless of whether a relationship is categorized as high risk, medium risk or low risk, the bank has introduced a number of strategies that help all relationships work smoothly. “First, we like to utilize evergreen contracts that let us upgrade our service-level agreements on a forced-frequency basis,” she says. The bank then combines this with regular operational reviews, and it schedules business reviews every three to six months to provide historical snapshots of what is taking place. Action plans are identified for the future, and, once a year, there is a strategic review of where each provider’s business and industry is going in general.
While Chapman’s department handles the management of the outsourcing process and some of the governance, true governance is handled by the bank’s enterprise risk management group and the audit group. “The enterprise risk management group holds the operational risk managers accountable and also holds us accountable,” she explains. “The enterprise risk management department has to agree that we have done all of our homework. We don’t have the final say that the risk issues have been covered, nor do I think it is appropriate that we do.” Then, to ensure maximum effectiveness, the audit group comes in and audits everything, she notes.
“Overall, we have found ourselves involved in extremely few unsuccessful outsourcing relationships,” says Chapman. “By focusing efforts where they need to be focused, we find few surprises in our relationships with outsourcing providers.”
RESOLVING THE RISK
A survey on outsourcing conducted by the Institute of Financial Services of executives in 36 international financial-services organizations found that 84% of respondents felt offshoring increases the risks associated with outsourcing, and 83% felt offshoring would negatively impact the quality of service.
Concern about offshore outsourcing is well placed. In addition to the risks associated with domestic outsourcing, there are several formidable ones associated with offshoring. These include political disruption, country financial risk (including currency volatility), lax government regulations (such as inadequate laws protecting personal privacy), social disruption (including riots and labor instability), terrorist attacks, wars and disease epidemics.
When an organization is considering offshoring, one of the first responsibilities of the risk manager should be to help identify the countries where the outsourcing could, and could not, take place. The risk manager should also decide whether it makes sense to concentrate all of the company’s outsourcing risk in one country or to spread the risk among two or more countries.
One additional point: It is important to make sure that there is proper contractual language in place to address the exposures related to what might be unique political, legislative and economic situations in that country, according to Michael Rasmussen, VP, Risk and Compliance Research, Forrester Research. “For example, if a country has lax laws related to intellectual property, you need to address these in specific detail in the contract. Finally, you also need a clause stating that dispute resolution will occur on your premises.”