Outsourcing continues to be a key component for most businesses’ management and operational strategies. However, while it brings various advantages such as convenience and flexibility, dealing with third party companies comes with significant risks.
Most organisations today are facing increasing pressure to make frequent updates to strategy, against a backdrop of ever-intensifying business competition, both regionally and globally. With aims of putting more focus on the core functions of the business, many companies employ services from third-party organisations to manage several operational functions.
“There is a growing trend for corporates to outsource the entire functions of divisions such as procurement, HR and marketing using a ‘shared service centre’ methodology,” says Sam Achampong General Manager, Chartered Institute of Procurement and Supply MENA, and Chairman, CIPS UAE Fellows Committee. “Although this form of business process outsourcing is not new, previously it was mostly limited to specialised functions such as legal services. Another area where outsourcing is growing increasingly popular in is facilities management.”
Adding to this, Saad Maniar, Managing Partner, DIFC Branch, Crowe Horwath, says that organisations outsource segments such as customer service, social media management and even some finance functions as well. “There is no doubt that outsourcing can be a useful business tool,” he explains. “This allows a business to focus on its core functions. At the same time, outsourcing has been proven to improve service quality and ensure quicker delivery while reducing costs.”
Meanwhile, Rajeev Batra, Head of Risk Consulting, KPMG, notes that companies are even entrusting some knowledge elements of the business – content development for instance – to third-party firms.
As the list of functions that are being outsourced by businesses continues to grow, so does the amount of risks that they are exposed to. Therefore, leaders within organisations should have a clearer understanding of these potential challenges that can be brought by their external business relationships.
“Different kinds of risks, ranging from regulatory, litigation and financial and reputational losses are coupled with outsourcing,” Maniar says. “Others include operational, transactional, credit, compliance, legal and lawsuit risks among others. All these different kinds of perils, if not managed correctly, may impact the bottom line of the business.”
Achampong explains that when making the decision to outsource a business function, the tangible benefits increase based on the level of activity that they are willing to submit to the third-party firm. “If an organisation decides to outsource only 50 percent of, say, its procurement activity, then the benefits that it can potentially achieve will only be equivalent to that.
“Organisations are being pushed to outsource as much of the function as possible. This then increases the chances of the business being exposed to risks. An example of which is when the outsourced provider fails to deliver on the company’s expectations and requirements. This, of course, creates cost implications for the business,” he says.
Meanwhile, Batra highlights that aside from the usual operational and coordination issues that occur in external business relationships, concerns around confidentiality are becoming prevalent as well. “When subjecting a part of your business to be managed by a third-party company, you are also giving them access to various data that may be critical for managing that function. There are cases where it might be necessary for you to share confidential information with them, so of course, there are risks that come with that.”
Today, vendors and other third parties are more inclined to offer very attractive and competitive service-level-agreements (SLAs). With this in mind, companies employing third-party firms should carefully analyse the SLAs and regularly keep track if they are complying with the agreements in place.
“It’s important to note that managing risk is far more difficult today than it was a few years ago,” says Maniar. “This is mostly due to global markets connectivity, hence it is necessary to establish heightened expectations for risk management, governance and internal audit, particularly in large institutions. Many financial institutions are developing several best practices that together form a comprehensive approach to third-party risk management. Therefore, in an interconnected world, vigorous due diligence and ongoing monitoring of third parties are crucial steps toward reducing third-party risk.”
Achampong concurs, emphasising that with all business relationships, necessary due diligence is expected from both parties. “SLAs and key performance indicators should be in place for any such relationship. A forum for periodically reviewing expected service levels should also be embedded into any agreement. Essentially, any performance indicators should be easily measurable and not be subjective or open to interpretation. A further option is to embed financial penalties or rewards into performance mechanisms to ensure the supplier is incentivised to perform.”
Meanwhile, a question of who should take responsibility for monitoring the performance and risk management arises. Batar believes that the outsourcer is accountable for this task. “Most companies make a mistake of letting a third-party company assume the management of a function where they are not doing well in and that should not be the case,” he says. “A business’ maturity on a particular function that they are outsourcing should be at the same level as the third-party provider. This ensures that they get to monitor and manage the risks.”
On the other hand, Maniar believes that the risk management and monitoring function of a firm may include internal and external auditors, compliance officers, risk managers and physical inspectors. “Keeping track of the third-party relationship should be an ongoing responsibility for the risk management team, providing continuous improvement in the risk management programme and decision-making process. The report established by risk assessors forms part of the action plan that serves as the basis for making decisions on the need for future adjustments to the risk management strategy or implementation plan.”
As businesses work to effectively mitigate the risks accompanying third-party relationships, they are increasingly implementing various approaches to better risk management. “Recently reported supply chain issues such as the horsemeat incident with UK supermarkets or the fire in a Bangladesh garment factory have highlighted the fact that those making supplier relationship decisions must ensure that due diligence is carried out throughout the entire supply chain,” says Batar. “It is important to recognise that when issues such as insolvency, ethics, health and safety, reputation and scarcity affect any supplier within the third party suppliers’ supply chain, the impact will ultimately be felt by the client organisation. Initial appraisals should be followed up by periodical reviews and audits throughout the supply chain.”
In addition, Maniar highlights, “There are a number of important steps that can be taken to assess and manage risks associated with third-party relationships. These include proper due diligence while selecting a third-party, adopting risk management processes consistent with the level of risk and complexity of a company’s third-party relationships, and continuous monitoring of the third party’s activities and performance.”