October 2011 - Issue 22

What's Your Best Advice?

How to manage outsourcing risk?

I’d like to ask readers how they manage outsourcing risk. We lack a formal analysis and measurement process, and I believe that we are exposed to a high level of risk. Any and all suggestions welcome!

— James K.


Three ways to mitigate the risk of outsourcing

When it comes to managing the risk of outsourcing work, readers offer numerous suggestions that range from general business advice to more specific recommendations concerning payment. They suggest three ways to get the best value from outsourcing:

  • Determine risk factors – cost, operations, security
  • Take advantage of factors that mitigate risk
  • Understand how failures can happen

Determine risk factors.

One reader writes in to say that, generally, businesses can classify IT offshoring risks into three categories — cost, operations and security. He notes:

  1. Cost. “Outsourcing could involve hidden costs, such as international travel or infrastructure.”
  2. Operations. “(Outsourcing) could entail issues with the quality of service due to high employee turnover or a client’s lack of knowledge of IT services.”
  3. Security. “Most organizations need to secure their intellectual property from theft and harden their data security.”

In regard to security, he also says that since there isn’t adequate governance, readers should take a look at the Software Engineering Institute at Carnegie Mellon University, because it certifies companies based on their adherence to a framework of best practices known as Capability Maturity Model Integration.

Another reader mentions that companies should review and periodically update their service-level agreements as determined by the contract terms with the outsourcing organization. 

Take advantage of factors that mitigate risk.

Bjorn Olafsson notes that the best outsourcing relationships, like many business relationships, are based on trust and proximity between organizations that have similar cultures due to common history or common language. He also says, “It’s a most effective relationship when vendors and clients share a technical language and are familiar with one another’s organizational practices.”

On the other hand, Pedro Correa, Chief Technology Officer and Founder of Quali-OnTelephone, says, “How you calculate payment is key; if by function point, for example, the risk of not satisfying basic non-functional requirements is higher than when you use other approaches. So, I have three suggestions for the reader:

  1. Couple the risk of not satisfying requirements to the payment approach the company uses.
  2. Negotiate a consensus regarding risk classification and alert/proximity indicators for each type (project, institutional, legal, etc.), detailing threshold attainment criteria and RASI-type action/risk mitigation plans.
  3. If feasible, couple penalties and bonuses for unsatisfactory and above-expectations collaborative risk management work on the part of the provider, as a way to provide incentive to desirable behavior and curb non-compliance. Hope these three suggestions help.”

Understand how failures can happen.

Finally, Debra Pearson writes in to suggest that understanding what could bring about failure is as important as what can bring success. Apart from the points mentioned by other readers, she sees two other problems:

  • “Do not outsource a broken function. While the tendency may be to get rid of things that aren’t working, fix them first or communication will be ineffective.
  • “Ineffective contract management causes failure. The risk of failure increases if the arrangement isn’t well-designed, negotiated and managed.”

James, readers have shared some valuable ideas; we hope that these suggestions will help you address the security risks inherent in outsourcing your IT functions.

Editorial Team
