Outsourcing Doesn’t Eliminate Risk

For decades, businesses have used ‘outsourcing’ (obtaining goods or services through a 3rd party, rather than from an internal source) as a mean of reducing expenses, eliminating overhead and reducing risks.

As a Business Continuity professional, I’ve always been leery of the risk reduction angle.  While outsourcing may shift the burden of risk onto the outsourced party, it doesn’t eliminate the consequences of the risk, should it occur.  It’s easy to dismiss the potential impact of a disruption that occurs to an outsourced process, function or service.  But – like every other risk – the internal ‘ripple effect’ can still be felt, even though the actual disruption happens to that 3rd party.

Most outsourcing contracts require that the 3rd party have a Business Continuity and/or IT Disaster Recovery Plan in place.  Too often, that Plan’s existence is never verified.  You should know how often it is updated and tested.  You should get a copy and read it (even if you have to visit the 3rd party to view it).  Perform your own audit: is the plan adequate when compared to your own BCM standards?  If not, make suggestions for improvements, and follow-up to assure those improvements occur.

Even when the relationship is contractual, there are limitations to the amount of actual ‘risk’ that is transferred.  Despite any guarantees, failure is failure, and an SLA is just an agreement – not a guarantee.  The performance failure of your outsourced process might result in a reimbursement or penalty – later.  In the short term you are left to deal with the impact of that failure.  You may be able to outsource the process, but you can’t outsource blame:  if your customers are impacted they’ll hold you responsible – not that 3rd party to whom you outsourced the failed process.

In many cases the only mitigation option for the disruption of an outsourced process is a Business Continuity Plan.  The best time to create that Plan is just before the torch passes to the 3rd party.  Use that opportunity to document the original process, map its dependencies and catalogue its required resources.  Of course that’s not always an option.  Perhaps the process has already been outsourced for some time; or the process was initiated at the 3rd party.  Developing an in-house plan to respond to those 3rd party’s failure may be more difficult – but not impossible.

The bottom line is simple:  just because your organization outsourced a function or process doesn’t mean all risk associated with that function or process has disappeared.  As a Business Continuity Professional you still have an obligation to assure the continuity of  your organization’s Products and Services – even when a 3rd party performs some of all of the work.

SHARE:
Jim Mitchell

Jim Mitchell

A frequent speaker at Business Continuity conferences, many of Jim Mitchell’s blogs can be found elsewhere on eBRP’s website and has published articles in DRJ, Continuity Insights and Continuity Central. Jim has more than 20 years of experience in Business Continuity; if you don’t agree with his opinions – he won’t be surprised.

Related Posts

A Toolkit to Build Enterprise Resiliency

A Toolkit to Build Enterprise Resil...

A well-rounded Enterprise Resiliency Toolkit (𝗧𝗼𝗼𝗹𝗸𝗶𝘁) would provide key tools…
Enterprise Resiliency: Navigating Through Disruptions

Enterprise Resiliency: Navigating T...

In today’s threat landscape, the ability of an organization to…
Orchestrating BC/DR Testing: Virtual – Emergency Operations Centers

Orchestrating BC/DR Testing: Virtua...

  Enhancing Planning and Logistics Management  Coordinating BC/DR tests involves…
Insights into creating a successful Disaster Recovery Test – Part 2: Preparation

Insights into creating a successful...

Insights into creating a successful Disaster Recovery exercise – Part 1: Objectives

Insights into creating a successful...

Aligning Cyber Incident Response Planning with Your BC/DR Program

Aligning Cyber Incident Response Pl...

Cyber disruptions – and their impact on both reputations and…
What Can You Do when your BCM software Relationship Falls Apart

What Can You Do when your BCM softw...

“This isn’t working.”  “I’ve changed.”  “I don’t see a future…
Aligning BC/DR to CSIRP Challenges

Aligning BC/DR to CSIRP Challenges

The immediate reaction to a cyber-security incident is the FUD…
Technology Modeling – the eBRP Way

Technology Modeling - the eBRP Way

Definition: Technology modeling is a point-in-time snapshot of an Enterprise’s…
eBIA – The eBRP Way

eBIA - The eBRP Way

Definition: A Business Impact Analysis (BIA) is the cornerstone of…