Outsource, but be ready for the risk
Edigio Zarella, Global Partner-in-charge, IRM, KPMG
elaborates on what outsourcing an organisation's business functions is all about
in a conversation with Anil Patrick R
Can a company get back to basics and focus on its core
business by outsourcing its support functions to a third-party service provider?
Organisations across the world believe in a basic philosophy
when it comes to outsourcing. The common approach is that the outsourced functions'
risk management responsibility is off my head now, and I can concentrate on
my core business.
That is why organisations cover the risk management front only at their end.
The mindset here is that you are giving dollars to a third-party for the infrastructure
and services that it provides. So whatever risk is present at the outsourcing
provider's end is completely their responsibility and not the organisation's.
So when we look at the big picture there is already a conflict. In the case
of an organisation which is outsourcing, the focus is on reducing costs and
increasing quality. And in the case of the provider, the focus is on making
as much money as possible. That is why you need to start with the right philosophy.
And the right philosophy is..?
The truth is that the responsibilities for the function(s) that are outsourced
still lie with the organisation. It needs to be able to manage the risks that
are present at the provider's end as well. We at KPMG like to call this
part the enterprise risk management framework.
This kind of risk management for outsourced functions has become important from
a regulatory perspective as well. For example, SEC (Securities and Exchange
Commission) expects the same level of control and risk management on the outsourced
functions as well. SAS 70 expects the same levels of controls at the provider's
end as well as the outsourcer's end.
Apart from the regulatory perspectives what are the other
factors to be considered when a business outsources certain functions?
The next responsibility that you have to shoulder when outsourcing a business
function is what you owe to your shareholders. It is essential that when you
plan to outsource, you need to thoroughly review the third-party since any
slip-up on that front will affect the business and thereby your stakeholders.
When things go wrong
what does a company do?
The usual approach if systems go down or are compromised
is to sue the company that you have outsourced the function to. This damage
control mechanism is not effective since your customers are already affected.
In fact, your customer is likely to sue your organisation.
This is precisely why the rules that you apply to your organisation
should apply to the provider as well. There has to be the same level of quality
and controls across all the parties involved. Most captive organisations in
India do not outsource their functions to others due to this reason: the
lack of a common culture.
While there is no way to completely eliminate risk, there is a need to be pragmatic.
So the only way to go ahead is to deal with acceptable risks.
What is your observation when it comes to the adequacy
of legal contracts that are made between the parties concerned when outsourcing?
Legal departments have already started putting clauses to counter things going
wrong. These rarely get practiced though!
Can SAS 70 help an organisation outsource its business
SAS 70 is detailed when it comes to how to deal with anything that you might
outsource. Its focus is more on management of risks and controls. Risk can also
be about maximising each opportunity.
The ISO standards, Six Sigma, SAS 70, and so on are all different components
or views of how to manage the entire organisation, to get them more streamlined.
Many a time these are given lip service rather than actually followed.
You had mentioned an enterprise risk management framework.
Can you tell us more about it?
We call the framework the Due Diligence framework. It consists of different
aspects like financial, cultural, people, market profile, number of clients
and reference checks.
For example, many organisations do not have site visits at the premises of
the organisation they are going to outsource business to. It is necessary to conduct
at least a single day site visit of the third-party service providers
There needs to be detailed research on the provider. This will involve talking
to its other clients.
While this check can entail making a huge investment in the short term (senior
executives like the CEO, CIO, and CFO visiting the location itself can be quite
an expense), in the long run this investment is worth it. Compare this investment
with your total revenue to put it in perspective.
What is the recommended sequence of processes on the Due
This is usually conducted over three to four companies or even more. After Due
Diligence is conducted, it is time for the RFP (Request for Proposal). While
the RFP can be performed before or after Due Diligence, it is usually better
to get the RFP after the evaluation.
Due Diligence can be started right at the point of time when you are thinking
of outsourcing. The point to note is that Due Diligence has to be conducted
right up to maybe six or twelve months from the time the deal commences. It
might even be required to break off the deal if things do not work out. It is
better to terminate the relationship than go on on an unsatisfactory note.
The same process has to be repeated at the time of contract re-negotiation as
On the SLA front what are the factors that need to be kept
Long SLAs cannot be managed, so refrain from getting into such agreements. The
important aspects have to be stuck to. The rest are usually a given, but the
primary aspects have to be met at all times.
Contracts have to be simple. This is because long contracts
will never be followed. During discussions a copy of the contract is usually
never at hand for close inspection. This should not be the case. The contract
should be set upfront and not afterwards.
Successful outsourcing is based on having a relationship which will make me
successful. This is not a partnering relationship since you are not sharing
revenues. It's more like a vendor relationship and should be treated that