Outsourcing—A Risk Management Perspective 


Outsourcing—especially offshore outsourcing—continues to be prevalent in today's business landscape. As reported in the Global Outsourcing Report,1 "Three-quarters of U.S. companies outsourced some or all of their information technology activities in 2004, and that percentage is likely to increase this year...." According to META Group, 40 percent of all new development is outsourced. Offshore IT services are expected to grow from 3 percent to between 6 and 7 percent of overall IT services spending over the next three years.

The practice of offshore outsourcing is here for the foreseeable future and thus requires that management and those auditing on behalf of management understand the potential risks and reasons for transferring data and process ownership to a third party.

In an effort to understand the risks associated with outsourcing and to gauge management's response and perceptions of these risks, Protiviti and APICS performed a survey targeting executive, operations management, supply chain management and procurement communities. The survey and its results are used as the basis for much of the information presented herein.

Drivers of Outsourcing

What causes companies to outsource? The Protiviti/APICS survey found the top three drivers that most often lead to an outsourcing event to be:

  • Cost or internal headcount needs to be reduced.
  • Internal capacity is constrained by increasing market demand.
  • Internal manufacturing or service performance is insufficient or does not meet requirements (see Figure 1).

Interestingly, senior management chose constrained capacity rather than the need to reduce costs as the primary driver of outsourcing reviews. The overall result may indicate that those below senior management may be assuming that outsourcing is being considered because costs are out of line. Perhaps management could lower the resistance to outsourcing by more deliberately communicating the rationale and objectives of each outsourcing program.

In the largest companies, the strategic sourcing process primarily drives an outsourcing review. This is a sourcing risk management best practice, and is one that should be adopted by all organizations.

The Decision-making Process

When determining what should be outsourced, the majority of respondents considered all four of the items in Figure 2 important or very important. The table lists these items by order of importance.

Some interesting differences of opinion are highlighted in Figure 2.



Cost of Internal vs. External

The cost of internal vs. external is almost always a major consideration in making the decision to outsource. However, it is common to find that the total costs of the targeted outsourced functions are not well understood. Many companies struggle to identify the actual tasks performed by the functions being outsourced. These unknowns may affect the cost of the outsourcing or the level of satisfaction with the end product or service. Total costs, including functional interdependencies, must also be understood because they often drive costs indirectly related to the outsourced function. These total costs must also be included in the quantitative analysis.

Key executives most often rated the cost of internal vs. external slightly lower than other respondents. The cost of internal vs. external was rated very important by all groups except senior management (see Figure 3). This is consistent with the top drivers noted earlier and demonstrates that senior management often views outsourcing as a means to achieve strategic objectives, such as market share expansion, or to manage risks associated with constrained capacity.



Separating Outsource Risk Analysis From Risk Management

Outsourcing activity brings a significant set of risks. Most companies recognize this and respond by adopting a thorough risk analysis process. While risk analysis is a valuable tool, it must be accompanied by ongoing risk management to effectively mitigate outsourcing risks. Figure 4 illustrates this distinction.


Outsource Risk Analysis

Risk analysis is typically a point-in-time assessment. It is usually performed before provider selection but is also a useful tool to periodically reassess a provider's risk profile. As Figure 4 illustrates, it is a process by which potential providers are compared to a set of risk criteria that the outsourcing company has established. As potential providers are filtered through the criteria, a risk ranking of the providers is developed. The best provider may indeed be one that is rated as high risk. In this event, management is aware that the provider is high risk and can deploy appropriate strategies, which may be more expansive than those for a medium- or low-risk provider. The desired provider relationship is also defined during the supply risk/impact analysis phase.

Outsource Risk Management

Risk management is an ongoing process that consists of three elements: provider management, the service level agreement (SLA) and billing accuracy (see Figure 5). Provider management keeps track of the statistics or historical performance of the outsourcing relationship over time. These statistics are continually leveraged to improve the performance of the relationship for the outsourcer and the outsource provider. The SLA establishes which statistics will be kept and states the requirements of both parties. The SLA should be reviewed and updated periodically as defined clearly in the contract terms. Billing accuracy is separated in Figure 5 because many issues with outsourcing revolve around billing. The outsourcing party must continually review billing to ensure compliance with the contract terms.


Companies generally benefit if they identify the outsourcing contracts that have the highest risk and importance to them. Once this is done, contracts can be segmented into categories such as high, medium or low risk and can be managed accordingly. High-risk contracts will be on a more continuous review cycle because they provide a mission-critical product or service, or have a high monetary value or transaction volume. Medium-risk contracts might be actively monitored and reviewed on a frequent (perhaps quarterly), but not continuous, basis. Low-risk contracts may not need to be as actively monitored. Rather, there might be metrics that are tracked and review might be triggered by deviations to contracted service levels.

Risks of Outsourcing

Outsourcing has proven to be effective, but it brings significant risks that must be recognized and managed. In outsourcing, a company is relying on someone else to run certain business functions. If the outsourcing risks are not properly managed, they may negatively affect companies' operations and customers. The product or service can be outsourced, but the risk cannot. Some of the potential negative outcomes include:

  • On-time delivery performance and end-customer satisfaction levels may decline because of delays at third parties. This risk can be severely aggravated as the product/service is outsourced. Delays can be caused by many factors that are outside the control of the outsourcing company. Examples include port/customs delays, labor disputes, weather and political unrest. More extreme examples include terrorism-related delays and interruptions and uncertainty resulting from the outbreak of contagious diseases such as SARS. As lead time and variability increase, so does the need for higher stock levels and other costly buffers, while overall supply chain confidence deteriorates.
  • Product or service quality may also suffer in outsourcing, affecting customer satisfaction. Companies must carefully select, qualify, contract with and manage their outsourcing partners to ensure that quality does not deteriorate. This often requires adequate transition periods and/or parallel production as well as effective cross-training between companies. These aspects are often neglected because of cost-saving efforts. According to DiamondCluster in June 2005:

    ...the number of buyers prematurely terminating an outsourcing relationship has doubled to 51 percent while the number of buyers satisfied with their off-shoring providers has plummeted from 79 percent to 62 percent.
  • The outsourcing transition phase may also fail if schedules and budgets are not achieved because of insufficient planning and/or resources. An outsourcing project must be run with the same discipline and planning as a well-run, large-scale systems implementation. Outsourcing is a replacement of production or service functions, and these functions have a direct bearing on the company's ability to meet its commitments to customers and shareholders.
  • Providers may not be financially viable, thereby exposing the company to supply interruption risk. Surprisingly, the effectiveness of the financial viability criterion scored lower than that of the other criteria in the survey, indicating that a significant number of companies could be at risk of supply interruption or related problems because of their providers' lack of financial resources.

Project Planning and Management Risks

Project planning and management are critical disciplines to enable successful outsourcing initiatives. The planning and management referred to here go beyond PERT or Gantt charts and critical path analysis—although those are important disciplines and tools. Also included is the effective use of the people who possess the appropriate project management and risk management skills and experience, and the ability to use the right tools and programs to get the work done. Members of outsourcing teams also need to bring with them specific knowledge regarding the outsourced product or function, business and stakeholder objectives, and the knowledge of the market and the skills to analyze the potential supply market and associated risks for the product or service to be outsourced. Team members must also be able to think critically, assess what could go wrong, and put sourcing and risk mitigation/contingency strategies and plans in place to handle those scenarios.

Assessment of Project Risk

As identified in the Protiviti/APICS survey, assessment of project risk is carried out with average or less than average effectiveness 63 percent of the time. This indicates that there is a large opportunity for improvement, especially with all the risks inherent in many significant outsourcing decisions.

In this category, too, senior management rated effectiveness lower than the other respondents, with as many as 34 percent saying their companies' proactive management of outsourcing project risks was actually below average. Additionally, those holding other key outsourcing roles most often rated their companies' effectiveness at managing the assessment of project risk as below average.

Outsourcing organizations need to use models such as the one in Figure 6 to help develop strategies and tactics for assessing and managing project risk. This is a generic project risk management model, but it applies equally to outsourcing and to systems integration/systems project risk management. The basic notion is that the project is continually evaluated in relation to the goals and objectives that were set for it initially. Items or barriers that could prevent the objectives from being achieved are identified. Then risk management strategies are put in place, followed by control mechanisms to ensure that the risk management strategies are followed. The controls are actively monitored. Feedback from monitoring activities helps identify opportunities to improve the risk management capability. Proactive and effective project risk management can help predict and then prevent major implementation problems.



Provider Selection Risks

One of the easiest management actions to put in practice is a rigorous selection process. The primary steps of a good selection process include:

  • Identification of best providers/sources—Determining the right vendors for the service required that fit the company profile
  • Comprehensive request for proposal (RFP)/request for quote (RFQ)—Developing and implementing an RFP process that clearly articulates the services desired and defines management expectations. The process must require standardized responses in easily comparable categories to allow for a meaningful analysis.
  • Provider financial viability—Evaluating the long-term viability of the vendor. Financial viability cannot be overlooked as a major consideration when selecting providers and managing outsourced providers. It may be important that the provider has the capital necessary for research and development. Additionally, it is important to understand other aspects of the provider's business, such as who the provider's major customers are; the provider's susceptibility to the loss of a major account, including the account of the company planning to do the outsourcing; and the provider's ability to remain in business if such a loss occurs. In addition, what kind of financing is employed, how likely is it that note covenants will be triggered, and if they are, will the company be able to meet its obligations? These are some of the important questions that should be considered when assessing financial viability.
  • Technical evaluation—Evaluating the ability of the vendor to provide the services required. It is crucial to understand the vendor's expertise in delivering similar services to other companies with the same complexities of the business model, geographical dispersion, use of technologies, etc.
  • Country/third-party risk assessment—Understanding and evaluating where the provider will execute the delivery of the service, as well as whether it will all be done in-house or whether the vendor plans to outsource components to other third parties. This could be a major problem because the rise in global sourcing is making it necessary to give more attention to country-specific risks. Management must be aware of these risks and either accept them or develop risk mitigation or contingency plans to handle them.

Outsource Contracting and Negotiation Risks

Fifty-eight percent of respondents said their company did not create and use an outsource contracting and negotiation plan. Creating such a plan is a best practice that organizations should follow to enable them to consistently develop and negotiate sound, competitive and enforceable deals.

Negotiation planning enables the outsourcing team to prepare for the contracting and negotiation process. Price and total cost are typically major factors in any negotiation plan. However, the planning process enables other key objectives to be identified, documented and addressed proactively, including:

  • Defining and documenting a clear and precise understanding of expectations of the outsource provider—the requirements of the outsourcing company
  • Discussing and confirming the contract terms and conditions that the company needs to negotiate to govern performance
  • Defining what other actions need to be taken and what further information is needed to ensure that the provider can fulfill all the requirements effectively
  • Reconciling any key exceptions that may have been made by the potential provider in response to the request for information (RFI)/RFP/RFQ
  • Documenting all information required to help ensure that the provider understands and is prepared for the subsequent contract performance and management expectations and process

The negotiation plan should leverage documentation and information from the analysis phases and related activities in the outsourcing process that the team worked through to this point in the negotiation and contracting process. These include:

  • A description of the product or service being outsourced and the business case
  • The provider market analysis
  • The procurement risk and business impact analysis
  • The documented sourcing strategy
  • A record of the RFI/RFP/RFQ process
  • An analysis of proposals or bids received and the rationale for selecting providers with whom the company will negotiate
  • The detailed analysis of the requirements and the total costs, including price, time, quality, etc., that the contract must satisfy

With the negotiation plan defined and approved by the appropriate executives and/or stakeholders in advance, the outsourcing project team will be prepared and empowered to negotiate and agree on the contract within those preapproved parameters. Role playing can be predefined for the negotiation process so that all members are clear as to what is negotiable and what is not.

Contracting and Negotiation

With the benefit of a comprehensive overall contract plan and a well-defined and agreed-upon negotiation plan, companies can more easily and effectively manage the contracting and negotiation considerations. Protiviti/APICS survey participants were asked to rate how effectively their companies manage the following contracting and negotiation considerations:

  • Product specification and performance standards
  • Service level agreements
  • Regulatory, privacy, information technology and security requirements
  • Intellectual property
  • Transition requirements and provisions

The responses indicate that most companies believe they manage these considerations in a better-than-average way. However, transition requirements and provisions was the area of least confidence within the survey. More than half of the respondents said this was managed with average or lower-than-average effectiveness.

One of the most critical phases in outsourcing, the transition process, is the point where dialog and direct responsibility are often moving from the deal makers to the operators. Thus, it is a time when issues may surface for the first time. Building transition requirements and provisions into the outsourcing plans and agreement can greatly ease this transition process and put the appropriate focus and expectation on this portion of the arrangement.

Transition and Start-up Risks

In the transition stage, issues can surface for the first time that have not been anticipated or contractually arranged for, and these may cause business disruption as well as an unhealthy animosity between the parties.

Survey respondents said the top three effectively managed transition and start-up risks are product or service supply interruption, plans for production factors, and the mutual commitment by both teams.

Risks Specific to Management and Employee Resistance

Overall, risks specific to management and employee resistance were reported to be managed with average or better-than-average effectiveness more than 73 percent of the time. However, this implies that the risk is managed in a less-than-effective manner in more than 26 percent of the cases, which should be a big concern and which leaves a large opportunity for improvement for many organizations.

Employee resistance can be a major issue when outsourcing any type of operation. Losses in morale, productivity and personnel are common. Sabotage is also possible. Simple and effective strategies and tactics can be employed to dramatically reduce the impact of these risks, but they must be well planned in advance of any internal or external announcements regarding outsourcing.

Effective communication and change management plans should address specifically targeted audiences through the proper communication channels with tailored messages and careful timing. The planning should also address and, most likely, change compensation and incentive plans during the interim transitional period. In addition, the change management plan should assess and address roles, responsibilities, resource skills, training requirements, etc. All these elements must be present to effectively minimize the inevitable resistance risks to outsourcing.

Problem Escalation Process

Key executives most often said that their companies are managing the problem escalation process with average or below average effectiveness. Twenty-five percent of those in other key roles and 29 percent of key executives rated management of this risk as ineffective. This is another important part of the outsourcing relationship implementation process, and the associated relationship and performance risks should be managed proactively and effectively.

Outsource Contract and Provider Performance Risks

Survey respondents said the top three effectively managed outsource contract and provider performance risks are provider performance and compliance, assignment of company and provider roles, and establishment of the performance feedback loop and controls.

These are critical control areas for successful outsourcing. A range of effective and efficient performance and compliance monitors and controls must be in place. The outsourcing team should also have well-defined procedures, reporting matrices and meeting schedules/calendars, and should document in detail the roles and responsibilities for all parties.

To manage outsourcing performance risks, management controls and forums should be set up and executed to address issues such as:

  • The analysis and resolution of performance issues
  • Internal and external customer issues
  • Personnel issues
  • Joint proactive crisis prevention and contingency planning
  • Third-party provider issues (as applicable)
  • Forecasting and demand planning issues
  • Recommendations for changes
  • Planning of new initiatives
  • Review of major changes to either party's processes or technology
  • Billings and payments

Audits of Provider Processes, Documents and Data

More than 25 percent of the survey respondents conduct audits of provider processes in a less-than-effective manner, and about 55 percent conduct audits in an average or lower-than-average manner.

Supply chain leaders, key executives, senior management, department/division management, companies with revenues of US $100 to $499.9 million, and companies with revenues of US $5 billion or greater most often said that their companies are effectively managing audits of providers. Functional management most often said that their companies are very effectively managing audits of providers.

Of companies with revenues of US $500 million to $999 million, 24 percent of respondents said they were ineffective in their audits of providers. This indicates that as companies approach revenues of US $1 billion, they recognize the need for provider audits but have not yet invested sufficiently to effectively build the capability.

Common Challenges

Outsourcing presents some common challenges regardless of what is being outsourced. If these challenges are met, outsourcing can be a highly effective strategy.

These challenges include:

  • Understanding the hidden risks—Outsourcing may affect other business processes, reputation or customers.
  • Meeting operational performance targets—The success of the outsourced operation should be quantified not only by evaluating SLAs, but also by tying the operation to customer service goals.
  • Achieving end-user satisfaction—SLAs that meet the contractual requirements may not meet the needs of the other key business process stakeholders.
  • Achieving the promised cost savings—It is important to understand, quantify and communicate the true value generated through the outsourcing duration.

Reasons for Failure

Many reasons exist for the failure of outsourcing arrangements. Each reason is unique to a particular company and situation. The following list will help identify some potential failure points that may arise during an outsourcing process:

  • Outsourcing a function that is strategic or broken—The natural tendency is to get rid of things that are not working well. This tendency must be avoided when considering which functions to outsource. Business requirements cannot be adequately communicated with a broken process, and managing a process effectively requires an understanding of how it is supposed to work. The process must be fixed before it can be outsourced.
  • Lack of understanding of the total cost structure, value improvements or savings, and/or avoidance—If cost is a factor in the decision to outsource, all parties must understand the financial goals of the outsourced function. Not only should the goals be stated, but how they will be monitored should also be clear. Because some assumptions that were valid when the arrangement was executed may eventually prove to be invalid, the agreement must define and report upon what is expected to be delivered.
  • Misunderstanding the service levels—Although SLAs are often documented, it is common for them to be misunderstood. This is why it is a good idea to run parallel operations for a period of time or to build an interim checkpoint into the agreement. The checkpoint can be used to make sure SLAs are achieved, achievable and understood, and to make adjustments if needed.
  • Strategic sourcing process not effectively employed—As obvious a necessity as it seems, many times an effective planning, supply market analysis, risk analysis, strategy selection and provider selection process is not followed.
  • Contract management process not used—Likewise, an ongoing contract management process is not always employed. Risk of failure increases dramatically if the outsource arrangement is not well designed, negotiated, managed, controlled and executed.
  • Upfront risk assessment not performed—Again, if the risks of the outsourcing program are not clearly understood before action is taken, it is easy to make a bad outsourcing decision, even when the right provider is chosen.


1 CIO Insight Magazine, "Global Outsourcing Report 2005," Ziff Davis Media, 2005

Nicholas A. Benvenuto, CISA, CDP, CSP, ABCP
is a founding managing director in Protiviti's New York (USA) office. He leads the technology risk and internal audit consulting (TRC) practice and is a leader on the financial services industry team. He is a member of Protiviti's Technology Risk Steering Committee, responsible for leadership and direction in technology risk and audit services, internal audit technology, and application management and controls. Benvenuto has more than 25 years of experience in internal and external technology auditing; project management; and internal controls focused specifically in the capital markets, banking, asset management, insurance and financial products industries.

David Brand, CISA, CPA
is a managing director for Protiviti and has an extensive background in the areas of IT infrastructure analysis, design and implementation, and IT internal audit.

Information Systems Control Journal, formerly the IS Audit & Control Journal, is published by ISACA®, Inc. Membership in the association, a voluntary organization of persons interested in information systems (IS) auditing, control and security, entitles one to receive an annual subscription to the Information Systems Control Journal.

Opinions expressed in the Information Systems Control Journal represent the views of the authors and advertisers. They may differ from policies and official statements of ISACA® and/or the IT Governance Institute® and their committees, and from opinions endorsed by authors' employers, or the editors of this Journal. Information Systems Control Journal does not attest to the originality of authors' content.

© Copyright 2005 by ISACA® Inc., formerly the EDP Auditors Association. All rights reserved. ISCA™ Information Systems Control Association™

Instructors are permitted to photocopy isolated articles for noncommercial classroom use without fee. For other copying, reprint or republication, permission must be obtained in writing from the association. Where necessary, permission is granted by the copyright owners for those registered with the Copyright Clearance Center (CCC), 27 Congress St., Salem, Mass. 01970, to photocopy articles owned by ISACA® Inc., for a flat fee of US $2.50 per article plus 25¢ per page. Send payment to the CCC stating the ISSN (1526-7407), date, volume, and first and last page number of each article. Copying for other than personal use or internal reference, or of articles or columns not owned by the association without express permission of the association or the copyright owner is expressly prohibited.