Outsourcing (paying another company to do some portion of work your own company doesn’t want to, or can’t do itself) can be a tricky proposition. It may make sense when another company already has expertise, experience and capacity to perform tasks you need to add or expand. It may also – sometimes – save money.
When it comes to Business Continuity Management – whether on the technical or business side of the process – the prospects can be tempting for some organizations. Don’t confuse ‘contractors’ with outsourcing. Independent contractors – who are hired for their particular expertise – are one step away from being full-fledged employees. What’s the difference? Independent contractors work at the direction of the company – usually for higher compensation in lieu of benefits. Their ‘contract’ is often loosely written and adaptable to the changing demands of business operations. Outsourcers, on the other hand, are a separate company, using their own employees to fulfill an explicit set of duties defined in a legal document.
It’s that legal document that will make or break your BCM program. It spells out what the outsourcer will – and won’t – do. What may appear to be clear guidelines to one party may be interpreted as general by the other.
Hiring an outside firm to help with your BCM program is one thing. Hiring them to manage your BCM program can be quite perilous.
- The vendor doesn’t understand your corporate culture (and is unlikely to have unfettered access to acclimate themselves).
- They may not understand your value system. So they’ll operate from their own – which may not become apparent until something goes wrong.
- The outsourcer’s understanding of Service Levels (SLA) may not be the same as yours. The result may be a constant tug-of-war to accomplish things to your satisfaction.
- Their metrics may differ from yours. When you talk about RTO, will they hear what you mean – or what they understood before they signed the contract?
- Change will be a constant issue. Your organization, its risks, products and processes will be constantly changing. But the vendor’s contract may be narrow and fixed; every change will require an amendment. Sounds simple enough, but over time it’s exhausting.
Potential outsourcing problems go well beyond contract issues. When you hand the keys to the BCM program to someone else, you don’t outsource risks – you add new ones:
- What if the vendor screws up: what if their BIA results are invalid, or their RTOs are wrong? How long will it take until you detect their errors?
- What if the vendor fails to meet its SLA? You can impose penalties, but they’ll fight it. Service levels may deteriorate while you’re at each other’s throats.
- What if the vendor has a security lapse? You’re responsible (no matter what the contract says).
- What if the vendor faces a threat that doesn’t directly impact your company – but causes a ripple effect (staffing reductions, adverse publicity, lawsuits, etc.)?
The bottom line is pretty simple: your organization has to deliver products and services to your customers. The key to continuity is your organization’s ability to continue to deliver within acceptable timeframes.
It won’t matter who made the mistake, or what caused the disruption: your organization will ultimately be held responsible. Whether the vendor developed inadequate plans, your cloud backup was corrupted, or your DR site got hacked, it doesn’t matter – no plan or strategy relieves your organization of responsibility.
Putting your fate in the hands of outsiders (no matter their reputation) is a risk unto itself. Outsourcing your BCM program (or even your DR program) to someone outside your organization is risky; perhaps a big risk. Once you cede control, you may never really know if your organization will be prepared to respond effectively. You just have to keep your fingers crossed.
The myth of Outsourcing BCM is busted.