I am always amused when business development people or IT outsourcing providers ask their prospects, “What keeps you up at night?” Then, they take that input and promptly develop a “value proposition” that is supposed to make the client sleep soundly! Soon the conversation goes to what value proposition they can offer to the prospect – and every attempt is made to avoid any conversation about risks associated with the solution or about risk mitigation options.
A key to success in managing risk is to view it as a “process” rather than a program. The word “program” implies a finite completion. Managing risk is like managing quality. There is no end. Process implies three things:
1. definition and development of the process
2. ongoing management and maintenance
3. constant vigilance and discipline in following the process
My experience and studies have shown that all buying decisions are based as much on managing risk as they are on getting value. We buy cars that offer greater safety. We contract services with companies that are well established, experienced, and stable so as to not be exposed to a future problem. Outsourcing service acquisition is not any different than any other buying decision.
A typical outsourcing decision is based on a continuum. Risk must be balanced against the perceived value of outsourcing, and only when the risks have been clearly identified and weighed against the value should outsourcing be considered. Companies are often reluctant to tackle risks head-on in any conversation, but inadequate identification and management of risks is one of the biggest reasons for the failure of outsourcing agreements.
Identifying Risks and Appetite
Before a strong risk management process can be developed and implemented, a comprehensive list of risks must be identified and their impact on the business assessed. In a strong risk management process, two types of risks are identified: corporate-level risks that affect all transactions, and a transaction-based set of risks that vary depending on what is being outsourced and how it is to be managed. Identification of risks will help develop a management process framework around each of these risks.
It is also important to define risk management appetite. Not all businesses have the same appetite for risk. A risk appetite profile for the business depends on the type of business, the strength of management in managing risks and the potential negative exposure if risks are exposed. A financial services institution may have a different risk exposure appetite (generally lower due to laws and financial impact) than a retail business.
Generally, risks are categorized in one of the following broad categories (although all of them can be identified as “financial risks” since the impact will result in not achieving financial objectives – reduced profit, lower credit rating and loss of revenue).
1. Strategic risks – risks that may adversely impact business / product strategy such as late product introduction, adverse customer reaction
2. Operational risks – risks that may jeopardize operational aspects of business such as disruption of supply chain or product/service unavailability
3. Transactional risks – risks that make the outsourcing transaction difficult to manage and end up impacting one of the other risks
When considering any offshoring (outsourced or captive), there are other risks that need to be identified and categorized under one or more of the above broad categories. For example, instability of the offshore country government may result in strategic as well as operational risks.
Risk Management Process
The risk management process is a “closed loop” process, just as any “learning” process has to be in order to improve the process results. The process begins with the creation of a risk management policy (often approved through senior management and even the board of directors). Then, risks are identified and categorized. Various methods have been used successfully to identify the risks, including conducting a brainstorming session or engaging subject matter and/or risk management experts.
Once the risks are identified, the risk management plan is developed; it includes the desired risk avoidance and mitigation actions. These risk avoidance and mitigation actions end up as outsourcing contract requirements. For example, all outsourcing contracts generally have “disaster recovery or business continuity” actions. These are both built on risk avoidance and mitigation once the risk becomes real.
The risk management plan also becomes a foundation for the ongoing governance of outsourcing. This is akin to the inspection in a quality process. It assures ongoing compliance with the identified risks and implementation of risk avoidance/mitigation plans. Based on the governance and audit, risk profiles are updated and the risk management plan revised, closing the loop. This is why I refer to risk management as a process rather than a program.
Risk Management Vigilance
Successful risk management requires a strong commitment and vigilance towards the process. I often refer to this as “relentless discipline,” and it is one of the cornerstones in my framework for governance. Managing risks cannot be an “after the fact” action but must be anticipated and mitigated. Not following it will be like closing the barn door after the horses have fled.
In my experience, I have come across many of these pitfalls in risk management and in almost all cases, they resulted in a negative experience for both the customer and the provider:
1. Not viewing risk management as a process but as a “one time” program
2. Not assigning importance to it even before engaging in an outsourcing transaction
3. Not enough senior management exposure to the risk management process (not just to get their support but to obtain their perspective on risk profiles)
4. Not having someone accountable and responsible for managing the process
5. Not providing enough time and budget for the risk management process
6. Not fully engaging customers and providers in developing, implementing and managing the process
I assure you that if there is a strong risk management process, as outlined here, there will be fewer sleepless nights.
Jagdish Dalal is Founder and President of JDalal Associates LLC (JDA) and Managing Director, Thought Leadership for IAOP and a world-renowned consultant in the field of outsourcing. He is also a Certified Outsourcing Professional.