As the volume of IT outsourcing increase globally, controlling the risk factor becomes vital. Even while unlocking value for corporations and shareholders, the global growth has brought about considerable change in operating models as different functions of the same supply chain are now being performed in geographically dispersed environments.
This is a paradigm shift and is still in evolution. Businesses are continuously trying to adapt to this change. Such changes in operating models and dispersed global footprints of corporations has brought with it risks, which need to be managed effectively. These risks have multiple dimensions that include political, economic, geographical, legal, social, technological and operating model risks.
A few indicative risks are: (i) business continuity management (BCM) risks. This includes existence of single point of failure (SPOF) arising out of concentration of operations at one location; lack of adequate fault tolerance/ redundancy in IT infrastructure etc;
1) Information security/data privacy related risks. This includes risk of data theft, exploitation of IT security vulnerabilities, social engineering attacks, etc;
2) process related risks. This includes inadequate segregation of duties, inappropriate management oversight
A robust risk management model is therefore a critical business fundamental and increasingly a differentiator particularly for outsourced operations. Risk management can be done by adopting quantitative/qualitative methods and there are many ways in which it can be approached.
It is very important that such initiatives be driven by qualified professionals who have the knowledge to understand various threats, vulnerabilities, controls and residual risks. Factors such as financial impact, operational impact, legal impact, reputation impact, health and safety etc need to be considered before arriving at risk ratings.
Risks, once identified, need to be carefully analysed by leadership in order to understand the various options for a cost-benefit analysis. This stage is crucial in arriving at a sound risk treatment plan in line with the risk appetite of the organisation. There are various risk treatment options that can be considered in order to address risks.
- risk mitigation (implementation of additional controls to bring down the residual risk);
- risk acceptance (management agrees to accept this risk);
- risk elimination (eg, changing the way in which a particular process is being performed to eliminate/ circumvent the source of risk;
- risk transfer (eg, outsourcing a part of significantly risky process to a provider which specialises in that process or by other appropriate means).
Once a robust risk management model has been established and is functional, it leads to subsequent programs to address the risks exposures across the cross section of the organisation. Some of the programs include: Sarbanes Oxley Act (SOX) compliance; information security management; business continuity management and disaster recovery program; operational risk management program; fraud risk reduction program;
Let's consider some specific examples. A large global organisation with multi-geography presence can bank on multi site, multi network strategy to deliver 24X7 business continuity solutions. This approach, best summarised as 'don't keep all your eggs in one basket' gives better redundancy. This approach may impact cost and that will be dependent on the geographies selected for delivery.
"Fortune favours the prepared" --- a rigorous testing schedule of the business continuity plans provides additional comfort to management and customers as well.
Data privacy programs must reflect the privacy posture of the organisations. The privacy framework needs to focus on choice of data use, data access and data integrity, security, onward transfer, security and enforcement/oversight. Given the typical information life cycle through the organisation, the privacy framework needs to include measures to protect personal information and map them with the privacy policies. For instance, while collecting information directly from customers, the organisation should: provide notice of how the information is to be used and choice to the customers on providing the information; store personal information in accordance with the IT Security policy and standards; ensure data integrity; Ensure that the information is used only for the intended purposes; ensure that the information is not transferred or shared with 3rd parties without consent.
Implement an oversight program addressing customer enquiries, complaints, and a system of audits are in place to ensure that personal information is handled and managed appropriately.
Going forward, risk management programs are getting linked to the competitive advantage of the organisations. In the outsourcing world, a robust risk management model not only alleviates management concerns but also pleases the buy-side decision makers.