Outsourcing minus risk equals reward

Business process outsourcing is a risky proposition, but due diligence can pave the way to success

Outsourcing is a risky proposition. By definition, outsourcing exposes a business to the influence of other businesses that have an impact — both positive and negative — on operations, financial performance and customer satisfaction.

However, when an organization’s internal business function continually operates below a minimum level of acceptable performance, it has to ask itself a simple question: is outsourcing the function an option?

If outsourcing likely leads to an increase in risk, then the organization could simply avoid outsourcing, though it would still have to find ways to address the underperforming operation. If the operation can be improved by addressing internal processes, or if the risk should be retained, such as when the loss or misuse of corporate data could do irreparable harm to the business, then outsourcing may not be the best answer.

Even if the risk can be transferred to an external provider, a lot of work still has to be done to minimize the risk and maximize the value to make outsourcing a valuable option.

Defining the risks

One of the first steps is to develop a comprehensive list of the risks. This step helps illustrate the short- and long-term consequences of outsourcing.

If an organization is concerned about objectivity, third-party advisory firms that don’t provide actual outsourcing services can bring an external perspective as well as the experience gained from other organizations that have gone through a similar process.

The next step is to determine the magnitude of each risk factor to the business. These risk factors will vary according to the unique circumstances of the business. For example, if the outsourcing involves unionized employees, it could contravene labour agreements and cause labour disruptions.

Four risk factors

From an outsourcing perspective, risk factors can be grouped into four main categories: strategic, operational, results-related and transactional.

• Strategic risks include issues such as the loss of control and loss of business knowledge or intellectual property. They also include the potential that the service provider encounters its own business troubles.

• Operational risks include factors such as the impact on HR, including the impact on people being transferred to the outsourcer and their pension and health benefits. They also include the impact on the people who stay with the business, who may wonder whether they will be outsourced in the future. Other factors to consider include the impact of integrating or changing business processes (such as the difference between contacting a call centre for payroll issues rather than walking down the hall to talk to the payroll administrator), the effect of poor performance, and changes in regulatory requirements and compliance.

• Results-related risks primarily revolve around the realization of intended goals and objectives and their impact on the organization.

• Transactional risks include factors such as contract termination, dispute resolution, liability, indemnity and payment requirements.

The next step is to determine the most effective risk management strategies in each stage of the outsourcing process, including identifying prospective suppliers, contract negotiation, transfer of responsibility and the ongoing management of the relationship.

One vendor or multiple vendors?

If the organization has a strong relationship with an existing outsourcer, then it may be possible to “sole source” the selection to that particular vendor. If that type of relationship is lacking, the organization can opt for comparative (two suppliers) or competitive (three or more suppliers) alternative sourcing strategies.

The comparative and competitive selection alternatives typically require the issuance of requests for information and requests for proposals, which will draw upon the work the organization has already done in terms of identifying the key requirements for outsourcing as well as the need for vendors to address key risk management concerns.

How the sourcing relationship will work is also an important decision. Choices include a prime provider, in which the organization sources from a single provider; a prime provider with sub-contractors; or a best-in-class approach, in which multiple suppliers are engaged for specific expertise.

CIBC is a good example of the best-in-class approach. CIBC contracted with EDS for HR, Relizon for document management, Hewlett Packard for IT outsourcing and TSYS for card processing services.

Due diligence also requires organizations to assess the capabilities of outsourcing providers by conducting site visits, interviewing suppliers and visiting customer sites.

For all four risk categories, organizations can develop strategies and negotiate clauses that maximize the protection of their investment without creating undue harm to the provider.

In terms of strategic risk, organizations can segment activities or processes that allow for the retention of decision-making authority. Intellectual property should not be negotiated away when it comes to things like product design or research and development output.

In contrast, business knowledge may be easier to give up, such as in the case of payroll processing, if this is something that has made outsourcing acceptable.

Mitigating operational risk requires the consideration of internal and external factors. Developing a migration plan that considers the transfer of people, systems interfaces, data flows and reporting requirements is an important step. Issues that affect performance and regulatory changes should be addressed contractually. This would include determining when applications will be upgraded, how this is scheduled and how frequently.

Sharing risks and rewards

Organizations can work with vendors to put some of the spending at risk. If the vendor does not meet its contractual obligations or service levels, it forfeits revenue. This strategy should only be considered if there are equal and offsetting opportunities for vendors to earn extra revenue by performing above expectations. The risks and the rewards should be shared equally.

Managing the risks associated with achieving results involves conducting pre-sales due diligence, negotiating performance goals and penalties into the contract and creating an effective project management or governance structure that addresses relationship and performance concerns on an ongoing basis. The organization must continually measure costs, identify activities and address problems as they arise. Many companies that outsource take baseline measurements for costs associated with services and personnel of other outsourcing providers to ensure the agreement is competitive.

Finally, managing transaction risks requires organizations to be familiar with the legal implications of using external service providers. This requires the involvement of the in-house legal department as well as the potential involvement of third-party advisors, legal or otherwise, that are capable of providing objective advice and guidance.

Most businesses have undertaken, either formally or informally, a cost-benefit analysis and have decided their security is not compromised by sending work outside. From an IT or HR outsourcing perspective, businesses can undertake this type of assessment and use the strategies outlined above to protect themselves, reduce risk and improve competitive positioning.

Jim Westcott is research manager for the Canadian business transformation and process outsourcing services research at global research and consultant firm IDC Canada in Toronto. He can be reached at [email protected].
