August 24, 2017 by Angela Stelmakowich, Editor
Outsourcing, clearly, is not new. Continuing pressures, escalating demands and increasing competition have made farming out functions or parts of functions attractive — if not necessary — for a good number of organizations across a wide variety of industries.
The initial consideration seemed squarely focused on gaining efficiencies and alleviating stress on the bottom line. However, the view of potential benefits appears to be broadening into the quality, performance and customer service realms.
It all sounds rosy and is certainly tempting in light of the many demands that organizations face. But every action inspires an equal and opposite reaction and, as such, organizations must ensure they are carefully and comprehensively contemplating the risks that may be coming back.
Solid protections, agreements and contracts must be in place that anticipate all possible “what ifs,” while also ensuring those partners selected can deliver on their promises and address matters should something untoward occur.
Outsourcing raises questions. What are the associated risks? Are those risks fully known and, if so, appropriately addressed through insurance, risk mitigation and risk transfer? Are well-conceived and forward-looking agreements in place to address issues, anticipated and not, that could unfold? And is it sometimes the case that outsourcing may simply be too great a risk for an organization to take?
IN OR OUT?
Grant Williamson’s belief is outsourcing is definitely on the rise, noting that it is a subject that is relevant to every organization. “Everybody’s being squeezed,” points out the managing director and leader, Eastern Canada for Jardine Lloyd Thompson Canada Inc. Companies are moving beyond some of the first outsourcing functions, like payables and receivables, and now branching out and “looking at different areas, whether it’s H.R., whether it’s operations, whether it’s customer service,” Williamson reports.
Beyond cutting costs, he sees outsourcing as a way to improve efficiency and quality, as well as gain expertise that may not be available in-house. “It’s a way to gain a bunch of other buckets, not just the cost-reduction piece,” he adds.
“We absolutely need to outsource, and it has been increasing,” suggests Darius Delon, president and principal consultant for Risk Management 101.
Delon says functions such as insurance procurement, property inspections, liability inspections, property appraisals, claims management and actuarial are currently well-supported. Emerging roles that might benefit from outsourcing in the future, he notes, include emergency response planning, business continuity planning, enterprise risk management design and implementation, and independent insurance program design.
From a general perspective, there currently seems to be a higher level of focus and outsourcing with regard to IT, says Ben McAllister, manager of risk, insurance and business continuity planning for the University of Victoria.
Of course, with any function that is outsourced or employs a vendor, risks can be created.
Consider, for example, customer service and the potential associated reputational risk, Williamson says. “It’s your brand, it’s your reputation, it’s your product and it’s being represented by a third party. So right out of the gate, you’ve got this risk of somebody else managing your brand and your product and your customer experience, which can be an issue if it’s not handled properly,” he says.
McAllister cites threat intelligence as a good example of a service that vendors are providing that may simply not be feasible in-house. There are a “number of organizations that provide very specific information to different industries related to the threat landscape and they have, in fact, relationships with some of the shady organizations that exist to be able to get a more clear understanding of who’s the target, why are they targeted, what are they after,” he reports.
Cyber is, clearly, an issue receiving more attention. With cyber having the potential to cross outsourced functions, Jennifer Drake, vice president of the legal and research practice at Aon Reed Stenhouse, says “we use electronic data, technology and information technology resources so much that it does come into play with almost any service provider to some extent.”
Whether outsourcing relates to data storage, website maintenance or cyber security, it is becoming quite common among organizations of all sizes since they may not “necessarily always have the time or the money to invest in doing it internally,” Drake notes. Common or not, organizations still must take into account risks arising from a third-party service provider gaining access to the organization’s systems, she advises.
“The key for people to understand is there is going to be a new element to their cyber security. It’s no longer just a question of what is our internal security?” she points out. “The liability still tends to come back to the organization that collected that data in the first place,” Drake says, meaning the organization must carefully look at contractual risk transfer.
Williamson says companies have done a good job of engaging the stakeholders needed to develop agreements and contracts, including staff in compliance, risk management, legal, audit, operations, IT and even vendor management.
Contracts are something risk managers and the broking community do well, he says, but adds that it seems more analysis is being done at the organization level to determine if it wants to take on the risk.
A key question to be addressed in the contract is this: “What are you actually making the third-party vendor responsible for?” Williamson asks.
“Are they actually viable to be responsible for the things you’re making them responsible for?” he asks. “It’s one thing to say you’re responsible for that in a contract, but have you actually done the risk management and the business analysis to say they actually can take that on and can be responsible for that in the event of an issue or a loss or a claim.”
“Third-party contractors need to be managed just like any other professional staff,” Delon says. “Contractors must be qualified, directions need to be clear, context of the organization needs to be understood, a realistic timeline needs to be developed with the contractor, progress updates should be given by the contractor, and the contractor needs to be motivated to perform the task,” he says.
“A proper scope of work needs to be developed to ensure the solution is of high enough quality, achieves the specific needs of the board, is on time and on budget,” Delon says. “The scope of work plays the most important role in providing a solution and, therefore, should be the best researched and accurate portion of the contract,” he adds.
McAllister says that determining what sort of agreement is needed is highly “dependent on the specifics of what you’re trying to manage.” At UVic, for example, he says the university has a very robust procurement process. “The up-front part on the procurement piece is really important because that’s where your roles and your responsibilities are well-defined,” McAllister notes.
With respect to cyber, “if you’re putting into play some robust service agreement, which should be happening, then there should be certain questions that organizations are considering or asking themselves,” says Drake. These include such considerations as what happens with data at the end of the contract (if maintained, can it potentially be compromised later) and what breach and privacy laws apply (each jurisdiction will have different obligations).
Another consideration that needs to be nailed down is whether or not subcontractors can be used by the contractor and, if so, who they are, she notes.
If a contractor is outsourcing to another party, says Williamson, “do they actually have contractual requirements in place with whoever they’re outsourcing to that match?” It is paramount that everyone is “aligned in how we think about risk.”
While Williamson’s view is that companies are doing a very good job of managing that first piece, the first entity, that is not necessarily the case beyond the first layer. An organization must understand “how far down does the rabbit hole go,” he says. “Do we have a good view to all the inherent risks that exist?”
Beyond the “standard nuts and bolts of a contract,” says McAllister, of particular importance is “that evaluation of the indemnity provisions and the insurance provisions.”
Drake would likely agree. Something like cyber insurance must be considered for both the organization and the provider. While companies often think about themselves, she says, “I don’t know that they always think to say that any service provider they’re using must also purchase cyber insurance.”
Beyond requiring that a provider have coverage, limits also should be specified, she advises. “If there is third-party coverage on that service provider’s insurance policy, then that is a bit of a solvency guarantee for the client,” Drake says.
By knowing there are “at least some insurance proceeds there to respond,” she explains, “then you can consider what is the real limit of liability and can we push it to a point where we think it’s going to be adequate if we do need to sue the service provider and try and recover some money.”
Also keep in mind that some service providers, particularly large ones, may guarantee provision of certain security or risk management measures, but “will either place a cap on the liability or really try to push that liability back onto the organization that collected it (the data),” Drake explains.
“Organizations need to understand that because they are outsourcing to a third-party service provider — let’s say the storage of sensitive information — it doesn’t mean they’re also outsourcing that liability,” she emphasizes.
And if an organization has decided to outsource a function for which there are only one or two providers, “they will have all the leverage to push everything back onto you,” Williamson points out.
One likely challenge going forward is cloud-based computing, which, as it stands, is a somewhat new and non-standard area with regard to contracts.
Vendors providing these services “have what I would describe as prohibitive limitations of liability,” McAllister says. “There’s a lot of negotiation that needs to happen and there needs to be a lot of push-back by the client on these service providers around what should we reasonably expect to take in terms of risk and really what’s your risk,” he argues.
“The cloud environment is certainly an area that I’m monitoring, particularly from the contract side, because these vendors are reluctant to take on any risk. And the whole point, for us, is to have a more efficient system and have less risk.”
Drake’s view is that very large cloud providers are unlikely to accept much, if any, liability going forward. “They can’t realistically agree to that because if you think of the millions of organizations that are using” a large service, it could not continue if it were to “agree to a certain amount of liability with every organization that it does business with,” she says. “It would just be too great a risk.”
McAllister sees a definite imbalance forming. “We have a contract right now that we’re investigating and there’s a limitation for liability for $25,000. That’s a drop in the bucket when you consider the cost of a potential data breach.”
His view is the provider “should be assuming the risks of their systems and there needs to be a conversation between the client and the vendor around what is the risk and how do you manage that.”
At the university, it is “certainly pushing back on those providers,” McAllister reports, adding “in some cases, not moving forward because it’s not worth it.”
Recent survey results from Clutch show that polled enterprises in the United States are increasingly tapping internal and U.S. resources to address IT services needs. “As IT functions become increasingly critical to the operation of the enterprise, many decision-makers want more control over how these functions are managed, thus, prefer to keep IT work in-house,” Clutch reports.
Whatever the issue or type of business, Williamson suggests a positive from push-back is that enhanced awareness by all involved is resulting in “more educated push-back and a smarter conversation than they may have had in the past.”
KEEP AN EYE OUT
With regard to risk management contracting, Delon says, “there is often a lack of understanding on the subject matter and there is an over-reliance on the contractor.” What is needed, he says, is a “more mature and embedded model,” that includes monitoring as a key component. “A better-defined process, for most organizations, needs to exist to prequalify and select the appropriate contractor for the organization’s needs.”
Monitoring is a difficult area, sources agree. It may be that an organization has no way to “audit or confirm compliance of some of those background-type elements of the services that they’re providing,” McAllister notes. At UVic, the university tries, when possible, to contract with people who have deep pockets so that if something happens and a need arises to rely on indemnity or other contract provisions, “they have the financial means to be able to back-stop some of those things,” he says.
A possible solution to the monitoring challenge may be to require that an independent evaluation of systems be reported back to the organization, he suggests.
Williamson agrees the contractor risk monitoring piece could potentially be improved upon. For those organizations trying to do it internally, “I think you need to have a dedicated vendor management team.” Without that, it may be best to outsource the function, he notes.
FILLING ANY GAPS
Delon suggests there is a great divide between the C-suite and the risk professional since the reporting line varies widely depending on the organization, with some reporting to the board while others report to procurement.
“Reporting to finance is often a decent compromise between procurement and CRO (chief risk officer),” he suggests.
“It’s absolutely paramount that the C-suite buys into how the company thinks about risk, how the company is going to manage risk so that everybody is on the same page,” Williamson emphasizes.
On the cyber front, more and more organizations that previously did not think they had any cyber or privacy risk are starting to realize “this is a real risk exposure that they can no longer ignore,” Drake says. “It’s important to remember they’re probably retaining more risk than maybe they realize,” she says, citing the importance of the vetting process.
“Networking with internal stakeholders is a hugely important part of being a risk manager and making sure you have those relationships internally,” says Williamson. “The risk management group needs to be well-integrated into the business at every level in order for it to work.”
Before considering outsourcing functions, it is essential to engage in conversations internally and to go through the risk assessment process to quantify the risk to the organization, determine the likelihood of that risk occurring and develop strategies to reduce both the likelihood and impact should something occur, McAllister advises.
“Risk management is really about dialogue. It’s about understanding what could impact the objectives of your organization and be able to have a conversation about that and make informed decisions,” he adds.
“The risk that I see increasing, especially in a flat or slow-growth economy, is the variance between what board members expect to happen with the management of risks and the quality of the solution,” Delon offers. “The real question is, will senior leadership see the risks clearly and acknowledge the need for expertise outside of their organization and not just rely on internal resources in an attempt to save costs during what has been a slow recovery since 2008?”