Outsourcing, or third-party risk, was voted one of the top five risks in Risk.net's Top 10 Operational Risks for 2021 poll.
“It has never been more crucial for operational risk managers to take account of their company’s critical and core third-party service providers,” says an operational risk executive at a North American bank. “The risk they can expose to a company and its potential impact to daily business operations has never been greater.”
Introduction:
For good reasons, the acceptance of outsourcing IT functions among businesses has risen dramatically in recent years. Outsourcing has long been mainstream in the back office, covering fund administration, transfer agency, collateral management, clearing and settlement. However, the approach has gradually extended to the entire value chain, spanning a vast range of industries and functions such as pharmacy management systems, bookkeeping, accounting, claims processing and shipping. Since it first gained momentum and popularity as a management tool, outsourcing has grown from a strategy to cut costs into a way of building strategic partnerships that add value to the firm: the firm's focus is realigned to the core systems and portfolios it needs to remain competitive, and as far as possible every task that can be entrusted to a non-competing third party is offloaded.
With all the benefits that outsourcing has to offer, there are significant risks in associating with a third-party vendor. Chief among them are operational risks: delivery or performance that falls short of expectations, data theft and breaches, intellectual property (IP) theft, unethical conduct, violations of the firm's own laws and of the laws of the country the work is outsourced to (for example a leak of patient data protected under HIPAA), and external factors such as infrastructure breakdown or disaster. Such risks can be managed and mitigated by effective operational risk management.

Operational Risk Management:
Put simply, operational risk is the risk resulting from the execution of an organization's business functions: the risk of a firm's operations failing because of inadequate or failed people, processes or systems, or because of external events. It comprises any event which disturbs the usual flow of an organization's business processes and creates a financial loss. Unlike market or credit risk, operational risk is generally not incurred voluntarily; it is also not diversifiable and cannot be laid off. Wherever there are systems, people and processes, none of which are perfect in the real world, operational risk cannot be fully eliminated. It can, however, be managed effectively so that losses stay within the firm's risk tolerance.
Operational risk management (ORM) is a continual, cyclic process of risk identification, risk assessment, risk decision-making and implementation of operational risk controls, resulting in the mitigation, acceptance or avoidance of risk. The U.S. Department of Defense summarizes the principles of ORM as follows:
a) Accept risk when the benefits outweigh the cost
b) Accept no unnecessary risk
c) Anticipate and manage risk through planning
d) Make risk decisions at the right level.

Operational Risks Associated with IT Outsourcing:

Operational risk exists throughout the lifecycle of an outsourcing project, i.e. pre-sales, the contract period and post-delivery. These risks can be categorized into four groups.
a) Security Risk: Failure of the vendor to secure the client's confidential data.
• Intellectual Property (IP) Risk: The risk that the vendor lacks proper security strategies and is unfamiliar with current security threats and the practices needed to safeguard the firm's products.
• Data Breach Risk: The risk that the vendor is not well versed in the array of protected information it handles while working on the product, or in the handling measures that information requires.
b) Stakeholder Engagement Risk: Failure of the vendor to meet the client's expectations of service.
• Requirement Risk: The risk that the product or service delivered by the vendor drifts away from the strategic, functional and architectural requirements as the project progresses.
• Performance Risk: The risk that the vendor's service does not comply with local laws and regulations, or that its operating method has shortcomings that require extensive micromanagement by the client.
• Client Relation Risk: The risk that the vendor fails to maintain the desired level of coordination, communication and team management during the project.
c) Release and Delivery Risk: Failure of the vendor to meet the goals of the agreement.
• Product Release Risk: The risk that the service or product provided by the vendor fails to meet the agreed design standards and quality expectations.
• Financial Risk: The risk that sub-standard delivery and a growing number of poorly trained resources push the project over its set budget.
• Coordination Risk: The risk inherent in managing a complex system of people, groups, processes and technologies.
d) External Environment: Failure of the vendor to deliver because of external hindrances.
• Environmental Risk: The risk that an environmental disaster such as a flood, storm, pandemic or epidemic forces the vendor to restrict or stop its usual project activities.
• Political Risk: The risk that political decisions or political change alter the expected value and outcome of an economic action by changing the probability of attaining the business objectives. Political risk can also be defined as the risk of financial, strategic or personnel loss for a firm due to non-market factors such as macroeconomic and social policies on labor, or events of political instability (riots, terrorism, civil war, coups and insurrection) that hinder the vendor's daily functioning.

Effective Operational Risk Management in IT Outsourcing:
a) Service Level Agreement (SLA):
• SLA Risk Management at Proposal Phase: SLA risks are managed at various stages of the lifecycle, namely proposal submission, negotiation and contract signing, transition of services, and ongoing steady-state service execution. The following are ways to mitigate risks that may originate at any of these stages:
▪ Agreeing only to justifiable client/vendor needs.
▪ Reducing the at-risk impact: the relative weighting of the at-risk amount across SLAs must align with the priorities of the engagement.
▪ Defining SLA targets correctly: separate targets for peak and off-peak hours must be defined, and they must be realistic within the context of the engagement rather than pure aspiration.
▪ Baseline exercise: validation of the proposed SLA targets against past performance data. During the baseline period, performance against the agreed set of SLAs is measured, tracked and reported.
▪ Earn-back clause: specifies how an SLA credit may be reversed, and serves as a positive incentive for the supplier to correct the root cause of the default.
▪ Continuous improvement clause: must factor in the actual performance during the previous year, and must be subject to an upper limit.
▪ Excused events clause: accounts for conditions under which the supplier is not responsible for an SLA failure, such as outages during a scheduled maintenance window.
• SLA risk management at implementation phase: steps to consider for mitigating risks during a project or program phase include communicating the SLA risk queue to all stakeholders on time, escalating promptly any risk observed during the production drop phase, planning and prioritizing with the help of senior staff, using integrated toolsets, and providing real-time or near-real-time dashboards that give the delivery team a visual view of SLA performance and likely SLA breaches.
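The at-risk weighting, peak/off-peak targets, excused-events and earn-back clauses above, and the capped continuous-improvement ratchet, are easier to reason about when the arithmetic is written down. The following is an added example and not part of the original article or of any real contract; the SLA names, targets, weights, peak-hour window, at-risk amount and outage log are constructed assumptions.

```python
"""SLA credit mechanics for an outsourcing contract (added example, constructed data)."""
from dataclasses import dataclass
from datetime import datetime, timedelta

PEAK_HOURS = range(8, 20)  # assumption: 08:00-19:59 is the contractual peak window


@dataclass(frozen=True)
class Sla:
    name: str
    peak_target: float      # minimum availability (fraction) during peak hours
    offpeak_target: float   # minimum availability during off-peak hours
    weight: float           # share of the period's at-risk amount tied to this SLA


@dataclass(frozen=True)
class Outage:
    start: datetime
    end: datetime
    excused: bool = False   # excused-events clause, e.g. inside the scheduled maintenance window


def availability(outages, period_start, period_end, peak):
    """Availability fraction over the period for peak (True) or off-peak (False) minutes.

    Excused outages do not count as downtime; that is what the excused-events clause buys the supplier.
    """
    total = down = 0
    t = period_start
    while t < period_end:
        if (t.hour in PEAK_HOURS) == peak:
            total += 1
            if any(not o.excused and o.start <= t < o.end for o in outages):
                down += 1
        t += timedelta(minutes=1)
    return 1.0 if total == 0 else 1.0 - down / total


def evaluate_period(slas, outages_by_sla, period_start, period_end, at_risk_amount, carried_credits):
    """Apply the at-risk weighting and earn-back clauses for one service period.

    Returns (credits, earned_back):
      credits     - SLA name -> credit owed this period (weight x at-risk amount) for each breached SLA
      earned_back - SLA name -> last period's credit reversed because the SLA is met again
    """
    credits, earned_back = {}, {}
    for sla in slas:
        outs = outages_by_sla.get(sla.name, [])
        peak_av = availability(outs, period_start, period_end, peak=True)
        off_av = availability(outs, period_start, period_end, peak=False)
        if peak_av < sla.peak_target or off_av < sla.offpeak_target:
            credits[sla.name] = round(at_risk_amount * sla.weight, 2)
        elif sla.name in carried_credits:
            earned_back[sla.name] = carried_credits[sla.name]
    return credits, earned_back


def ratchet_target(current_target, actual_last_period, cap):
    """Continuous-improvement clause: next target follows actual performance but never exceeds the cap."""
    return min(cap, max(current_target, actual_last_period))


# --- constructed sample engagement: one week of service, two SLAs, hypothetical names and figures ---
SLAS = [
    Sla("claims-api", peak_target=0.999, offpeak_target=0.995, weight=0.6),
    Sla("portal", peak_target=0.995, offpeak_target=0.990, weight=0.4),
]
PERIOD_START = datetime(2022, 3, 7)
PERIOD_END = datetime(2022, 3, 14)
CLAIMS_OUTAGES = [
    Outage(datetime(2022, 3, 8, 10, 0), datetime(2022, 3, 8, 10, 15)),                # 15 min, peak, counts
    Outage(datetime(2022, 3, 12, 2, 0), datetime(2022, 3, 12, 4, 0), excused=True),  # maintenance window, excused
]
PORTAL_OUTAGES = [
    Outage(datetime(2022, 3, 9, 22, 0), datetime(2022, 3, 9, 22, 30)),                # 30 min, off-peak, within target
]
AT_RISK_AMOUNT = 10_000.0
CARRIED_CREDITS = {"portal": 4_000.0}   # portal missed its SLA last period; eligible for earn-back


def run_example():
    return evaluate_period(
        SLAS,
        {"claims-api": CLAIMS_OUTAGES, "portal": PORTAL_OUTAGES},
        PERIOD_START, PERIOD_END, AT_RISK_AMOUNT, CARRIED_CREDITS,
    )


if __name__ == "__main__":
    credits, earned_back = run_example()
    print("credits owed:", credits)       # claims-api lost 15 of 5040 peak minutes: 99.70% < 99.9%
    print("earned back:", earned_back)    # portal met both targets, so last period's credit is reversed
    print("next claims-api peak target:", ratchet_target(0.999, 0.9997, 0.9995))
```

Two details worth noticing: the excused two-hour maintenance outage would have breached the claims-api off-peak target had it counted, which is why the maintenance window must be defined precisely in the contract; and the earn-back only fires for an SLA that was in credit last period and is fully met this period, so it rewards fixing the root cause rather than partial recovery.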
b) Risk Assessment:
• Each risk outlined above is process, system, people or external-environment related, and therefore requires assessment in separate categories so that risk is identified at a stage that allows effective intervention.
▪ Processes: all processes associated with outsourcing, such as support processes, requirement processes and administrative processes.
▪ Systems: all hardware and software systems.
▪ People: all people involved in the engagement lifecycle, such as architects, product owners, product managers, scrum masters, software engineers, quality analysts and business analysts.
▪ External factors: local labor laws, international labor laws, market and regulatory changes.
c) Outsourcing Readiness Assessment:
▪ Potential causes of project failure are not always the vendor's fault; the firm may also have gaps in its operational readiness for IT outsourcing, for example lacking the process capabilities needed to support an external team. Assessing the organization's readiness for outsourcing is therefore an essential step in managing the risks that originate with outsourcing activities.
▪ The firm should set out justified reasons for outsourcing, establish how the outsourcing fits its overall business strategy, set goals and expectations, set up an escalation and intervention forum, manage capacity needs closely, and determine the areas in which it expects the vendor to add value.
d) Strong Practice to Monitor Delivery:
▪ Risk management in outsourcing often focuses heavily on the planning and contract stages, but proper assessment needs to continue throughout the outsourcing project lifecycle. This can be achieved by setting relevant performance metrics and KPIs.

Organizational Risk Management Framework:

a) Risk Identification:
• Any event that could trigger a material business impact or that changes the risk profile must be detected as early as possible. Detection may be triggered by key risk indicator (KRI) breaches, a new regulatory requirement, an offshore audit finding, or a new product or project.
b) Risk Measurement:
• Once risks are identified, they can be measured on impact and likelihood scales.
c) Risk Reporting:
• Reporting keeps senior management aware of any lingering risks.
d) Risk Monitoring & Mitigation:
• Monitoring: some activities or processes can be monitored in real time or daily, while others may need monitoring at less frequent intervals. The frequency should reflect how often operational risk failures occur and how severe the losses are. For example, scope governance for a requirement under development may need monitoring once a month, whereas critical bugs need monitoring daily.
• Mitigation: this is the last but most important step in operational risk management. There is no single standardized way to mitigate operational risk; the guiding principle is to know where the risk is coming from and choose mitigation measures accordingly. Mitigation procedures should be well documented and reviewed from time to time. For example, if the master code is erased during deployment, such losses can be mitigated by maintaining adequate backups and establishing tight approval protocols. Proper training, strong internal audit procedures and proper monitoring help mitigate operational risks that arise from people-related issues.

Stages in Developing an ORM framework:
a) Governance & Organization: ORM function design, committee oversight, detailed roles and responsibilities, resource requirements.
b) Strategy & Objectives: ORM goals, ORM framework design, capabilities and skills development
c) Policies: ORM policy design, integration with other policies and standards
d) ORM tools and Processes: Data loss governance, alignment with strategic planning and accounting
e) Supporting Systems: Business requirements, Vendor selection, Change management
f) Measures and Reporting: KRI, Internal ORM reporting flows, External ORM disclosure requirements

Conclusion:
To conclude, the way a firm manages its outsourcing activities says a lot about its business. Having a good hold on outsourcing is necessary to mitigate the associated threats and vulnerabilities, ranging from the operational impact of third-party failures to the reputational impact of third parties' poor work practices. It also sets the standard by which third parties perceive the organization and, managed effectively, can open the door to strategic opportunities from cost reduction and innovation. Organizations that lose control of their outsourcing management face heightened regulatory scrutiny, reputational damage and, ultimately, consumer backlash.

This entry is part 4 of 11 in the series March 2022 - Insurance Times
