For decades, businesses have used ‘outsourcing’ (obtaining goods or services through a 3rd party, rather than from an internal source) as a means of reducing expenses, eliminating overhead and reducing risks.
As a Business Continuity professional, I’ve always been leery of the risk reduction angle. While outsourcing may shift the burden of risk onto the outsourced party, it doesn’t eliminate the consequences of the risk, should it occur. It’s easy to dismiss the potential impact of a disruption that occurs to an outsourced process, function or service. But – like every other risk – the internal ‘ripple effect’ can still be felt, even though the actual disruption happens to that 3rd party.
Most outsourcing contracts require that the 3rd party have a Business Continuity and/or IT Disaster Recovery Plan in place. Too often, that Plan’s existence is never verified. You should know how often it is updated and tested. You should get a copy and read it (even if you have to visit the 3rd party to view it). Perform your own audit: is the plan adequate when compared to your own BCM standards? If not, make suggestions for improvements, and follow up to assure those improvements occur.
Even when the relationship is contractual, there are limitations to the amount of actual ‘risk’ that is transferred. Despite any guarantees, failure is failure, and an SLA is just an agreement – not a guarantee. The performance failure of your outsourced process might result in a reimbursement or penalty – later. In the short term you are left to deal with the impact of that failure. You may be able to outsource the process, but you can’t outsource blame: if your customers are impacted they’ll hold you responsible – not that 3rd party to whom you outsourced the failed process.
In many cases the only mitigation option for the disruption of an outsourced process is a Business Continuity Plan. The best time to create that Plan is just before the torch passes to the 3rd party. Use that opportunity to document the original process, map its dependencies and catalogue its required resources. Of course that’s not always an option. Perhaps the process has already been outsourced for some time; or the process was initiated at the 3rd party. Developing an in-house plan to respond to that 3rd party’s failure may be more difficult – but not impossible.
The bottom line is simple: just because your organization outsourced a function or process doesn’t mean all risk associated with that function or process has disappeared. As a Business Continuity Professional you still have an obligation to assure the continuity of your organization’s Products and Services – even when a 3rd party performs some or all of the work.