The past decade has seen outsourcing continue to grow, transforming the business models of many companies.
Outsourcing brings a wide variety of benefits.
For many, it gives flexibility of service allowing you to scale up or scale down quickly. For others it allows access to best practices or technology. And of course it can reduce costs when using cheaper nearshore or offshore providers. It can allow businesses to focus on their “core competency” – those activities that provide their true value to the marketplace whilst letting someone else deal with other ancillary activities.
But don’t forget about the risks…
It is very easy to forget that outsourcing comes with its own risks that need to be recognised and actively managed. This is particularly important with “material outsourcing”, where the services are of such importance that their weakness or failure could severely disrupt operations. Regulators such as the UK’s Financial Conduct Authority are recognising the increasing dependence of firms on material outsourcing and have recently introduced new policies and guidance to ensure that firms consider this as part of their assessment of operational resilience.
Outsourcing typically ends up with a degree of “remoteness” due to the service being provided offsite from the service provider’s own premises, and often overseas. This brings with it quality and control issues. From my experience, the proximity of the activity to the business does have an impact the level of control. The saying “out of sight out of mind” often rings true.
Also don’t forget that the outsource service is provider is a business, trying to make a profit. Over time it will find ways to cut costs, especially when the service has become established. This may take the form of changes to the resource mix (replacing with less skilled) or altering the processes or activities in an attempt to make it more efficient and save money. These may impact some key controls within the activity and may be implemented without your knowledge.
So how do you go about ensuring that any material outsourcing, or any outsourcing for that matter, is managed and monitored closely?
Four key steps to better manage your outsourced processes
There are steps you can take. None of these are particularly ground-breaking or original, they are just good practice that should be applied to any business activity, whether outsourced or not.
1. Know what they are doing for you
2. What are the risks inherent in these activities?
3. What controls are in place?
4. How do you know that the controls are operating effectively?
1. Know what they are doing for you
This sounds like an obvious one – of course you know what they are doing for you! This was all covered when the original contract was signed, and handover completed. But in my experience, the agreements do not necessarily include detailed procedures and tasks, and there is a disconnect between what was actually signed-off at a high level and what is really happening. Also over time the activities may change (or the staff that perform the activities change) so processes may become out of date. So ensure that any procedures are fully documented and are signed off by you, and any later changes to these procedures or the owners is subject to close change control, with approval by both you and the provider.
2. What are the risks inherent in these activities?
It is very easy to forget that all the risks inherent in outsourced activities ultimately remain with you. The service provider may be responsible if the process fails, but the risks of the failure are yours to manage and can increase because of the very fact that you have engaged someone else to do it for you. Spend time checking that you really understand the risks, and make sure that these risks are simply and clearly articulated, are documented, and are monitored regularly.
3. What controls are in place?
You will need controls in place to mitigate these risks. And you will also need to ensure that the controls are properly assigned to the right owners (whether this is you or the service provider) and that they are being performed on a regular basis that is appropriate to the significance of the risk that it is mitigating.
So far so good.
4. How do you know that the controls are operating effectively?
You will face the same considerations with controls that are being performed remotely. In fact it is even more important for you to ensure that these controls are being performed on time and that you can see evidence of this performance. But you are not going to travel halfway around the world to check working papers and sign off signatures, so you need to digitally capture the evidence, in the form of performance timestamps, soft copy documentation, and be able to access them remotely at any time, ideally supported by real-time dashboards or exception reports. For this to work effectively, you need to minimise the effort required by the service provider to capture and collate this data so that it does not become an unnecessary burden on them (or on you to repeatedly remind them to do it).
Making it all happen
These steps are not new nor ground-breaking, but putting in place a real working framework that covers all the steps and answers all the questions may seem a rather daunting (and costly) exercise. But it doesn’t need to be. It can be set up and implemented quickly and be a very “light touch” activity that takes a few minutes each day, becoming a daily routine or habit, just like cleaning your teeth.
If you want to know more and have an open and practical discussion, just contact us.