Outsource, but be ready for the risk

Edigio Zarella, Global Partner-in-charge, IRM, KPMG elaborates on what outsourcing an organisation's business functions is all about in a conversation with Anil Patrick R

Edigio Zarella

Can a company get back to basics and focus on its core business by outsourcing its support functions to a third-party service provider?

Organisations across the world believe in a basic philosophy when it comes to outsourcing. The common approach is that the outsourced function’s risk management responsibility is off my head now, and I can concentrate on my core business.

That is why organisations cover the risk management front only at their end. The mindset here is that you are giving dollars to a third-party for the infrastructure and services that it provides. So whatever risk is present at the outsourcing provider’s end is completely their responsibility and not the organisation’s.

So when we look at the big picture there is already a conflict. In the case of an organisation which is outsourcing, the focus is on reducing costs and increasing quality. And in the case of the provider, the focus is on making as much money as possible. That is why you need to start with the right philosophy.

And the right philosophy is..?

The truth is that the responsibilities for the function(s) that are outsourced still lie with the organisation. It needs to be able to manage the risks that are present at the provider’s end as well. We at KPMG like to call this part the enterprise risk management framework.

This kind of risk management for outsourced functions has become important from a regulatory perspective as well. For example, SEC (Securities and Exchange Commission) expects the same level of control and risk management on the outsourced functions as well. SAS 70 expects the same levels of controls at the provider’s end as well as the outsourcer’s end.

Apart from the regulatory perspectives what are the other factors to be considered when a business outsources certain functions?

The next responsibility that you have to shoulder when outsourcing a business function is what you owe to your shareholders. It is essential that when you plan to outsource, you need to thoroughly review the third-party since any slip up on that front will affect the business and thereby your stakeholders.

When things go wrong… what does a company do?

The usual approach if systems go down or are compromised is to sue the company that you have outsourced the function to. This damage control mechanism is not effective since your customers are already affected. In fact, your customer is likely to sue your organisation.

This is precisely why the rules that you apply to your organisation should apply to the provider as well. There has to be the same level of quality and controls across all the parties involved. Most captive organisations in India do not outsource their functions to others due to this reason—the lack of a common culture.

While there is no way to completely eliminate risk, there is a need to be pragmatic. So the only way to go ahead is to deal with acceptable risks.

What is your observation when it comes to the adequacy of legal contracts that are made between the parties concerned when outsourcing?

Legal departments have already started putting clauses to counter things going wrong. These rarely get practiced though!

Can SAS 70 help an organisation outsource its business functions?

SAS 70 is detailed when it comes to how to deal with anything that you might outsource. Its focus is more on management of risks and controls. Risk can also be about maximising each opportunity.

The ISO standards, Six Sigma, SAS 70, and so on are all different components or views of how to manage the entire organisation—to get them more streamlined. Many a time these are given lip service rather than actually followed.

You had mentioned an enterprise risk management framework. Can you tell us more about it?

We call the framework the Due Diligence framework. It consists of different aspects like financial, cultural, people, market profile, number of clients and reference checks.

For example, many organisations do not have site visits at the premises of the organisation it is going to outsource business to. It is necessary to conduct at least a single day site visit of the third-party service provider’s facility.

There needs to be detailed research on the provider. This will involve talking to its other clients.

While this check can entail making a huge investment in the short term—senior executives like the CEO, CIO, and CFO visiting the location itself can be quite an expense—in the long run this investment is worth it. Compare this investment with your total revenue to put it in perspective.

What is the recommended sequence of processes on the Due Diligence front?

This is usually conducted over three to four companies or even more. After Due Diligence is conducted, it is time for the RFP (Request for Proposal). While the RFP can be performed before or after Due Diligence, it is usually better to get the RFP after the evaluation.

Due Diligence can be started right at the point of time when you are thinking of outsourcing. The point to note is that Due Diligence has to be conducted right up to maybe six or twelve months from the time the deal commences. It might even be required to break off the deal if things do not work out. It is better to terminate the relationship than go on on an unsatisfactory note.

The same process has to be repeated at the time of contract re-negotiation as well.

On the SLA front what are the factors that need to be kept in mind?

Long SLAs cannot be managed, so refrain from getting into such agreements. The important aspects have to be stuck to. The rest are usually a given, but the primary aspects have to be met at all times.

Contracts have to be simple. This is because long contracts will never be followed. During discussions a copy of the contract is usually never at hand for close inspection. This should not be the case. The contract should be set upfront and not afterwards.

Successful outsourcing is based on having a relationship which will make me successful. This is not a partnering relationship since you are not sharing revenues. It’s more like a vendor relationship and should be treated that way.