Outsourcing Business Processes
(without In-sourcing the Associated Risks)
Gregg Anderson – Crowe Horwath (risk manager)
Doug Tripp – Crowe Dunlevy (outsourced provider)
Leslie Lamb – Cisco Systems, Inc (facilitator)
RMG 303
April 2012
The Scenario
• Sport Co is an industry leader in manufacturing
sporting goods products and services
• Revenues are $1B annually
• Headcount is 10,000 worldwide
• Headquarters is in North Carolina
• Major locations include North Carolina,
California, Bangalore and London
2
2
The Challenge
3
3
The COO’s Worst Nightmare
4
4
The Solution
• Outsourcing
– Information technology infrastructure
services, including data centers
– Supply chain management
– Customer care
5
5
The Risk Manager
• Identify potential events that may affect the entity,
and manage risk to be within its risk appetite, to
provide reasonable assurance regarding the
achievement of entity objectives.
– Derived from COSO ERM Definition
• In other words – “Manage risk to achieve
objectives.”
6
6
Our Enterprise Risks
Market
Market
Strategic
Strategic
• Macro Economics
• Right Solutions
• Customer Economics
• Business Model
• Financing
Financial
• Competition
Integrity
• Brand & Marketing
• Growth
• Consolidation
• Acquisitions
Financial
• Organizational Design &
Resources
• Foreign Exchange
Human
Resources
• Budget
Operations
Integrity
• Revenue Recognition
• Regulatory Compliance
• Financial Reporting
• Legal
• Access to Funding
• Fraud
• Margin
• Data Security
Human Resources
Operations
• HR Compliance
•Training
• Facilities
• Authorization
• Attract, Develop & Retain
Talent
•Aging Workforce
• Business Disruption
• Costs & Efficiencies
•Incentives &
Compensation
• Policies & Procedures
• Customer Service
• Decision Making
• Contracting
• Employee Morale & Culture
• System Capabilities
7
7
Sample Risk Universe
Traditional Third Party Risks
Market
Market
Strategic
Strategic
• Macro Economics
• Right Solutions
• Customer Economics
• Business Model
• Financing
Financial
• Competition
Integrity
• Brand & Marketing
• Growth
• Consolidation
• Acquisitions
Financial
• Organizational Design &
Resources
• Foreign Exchange
Human
Resources
• Budget
Operations
Integrity
• Revenue Recognition
• Regulatory Compliance
• Financial Reporting
• Legal
• Access to Funding
• Fraud
• Margin
• Data Security
Human Resources
Operations
• HR Compliance
•Training
• Facilities
• Authorization
• Attract, Develop & Retain
Talent
•Aging Workforce
• Business Disruption
• Costs & Efficiencies
•Incentives &
Compensation
• Policies & Procedures
• Customer Service
• Decision Making
• Contracting
• Employee Morale & Culture
• System Capabilities
8
8
Sample Risk Universe
Expanded Third Party Risks
Market
Market
Strategic
Strategic
• Macro Economics
• Right Solutions
• Customer Economics
• Business Model
• Financing
Financial
• Competition
Integrity
• Brand & Marketing
• Growth
• Consolidation
• Acquisitions
Financial
• Organizational Design &
Resources
• Foreign Exchange
Human
Resources
• Budget
Operations
Integrity
• Revenue Recognition
• Regulatory Compliance
• Financial Reporting
• Legal
• Access to Funding
• Fraud
• Margin
• Data Security
Human Resources
Operations
• HR Compliance
•Training
• Facilities
• Authorization
• Attract, Develop & Retain
Talent
•Aging Workforce
• Business Disruption
• Costs & Efficiencies
•Incentives &
Compensation
• Policies & Procedures
• Customer Service
• Decision Making
• Contracting
• Employee Morale & Culture
9
• System Capabilities
9
Understanding the Objectives
Primary Objective: Reduce Operating Cost
Secondary: Maintain Fixed Costs below a target
% of Revenue
10
10
Other Objectives of Outsourcing
• Improve Results – leverage the outsourcer’s
expertise
• Re-focus on core competency – redirect
management’s skills toward what made Sport
Co. the industry leader
• Improve customer experience
• Compliance
11
11
Understanding the Objectives
Reduce Operating
Costs
Outsource IT
Infrastructure
Reduce Spend
Outsource Supply
Chain Management
Improve Resiliency
Outsource Customer
Care
Improve
Performance
12
12
Anticipating the Risks
Loss of Talent
Outsource IT
Infrastructure
Reduce Spend
Data Breach
Reduce
Operating
Costs
Outsource
Supply Chain
Management
Improve
Resiliency
Outsource
Customer Care
Improve
Performance
Business
Disruption
Outdated
Systems
Brand
Deterioration
13
13
Understanding the Risks
•Operational – poor service, disruption in operations, loss of control,
deterioration
•Financial – overruns, change requests, 3rd party charges, the outsourcer’s
solvency
•Compliance and Security – data breach, disclosure of sensitive information /
customer data / PII or PHI, compliance with laws
•Extraordinary Risks – armed conflict near service facility, tsunamis and
earthquakes, major security breaches
•Brand Reputation – spans across all of the above
14
14
Engaging the Outsource Provider
(things to think about)
Super IT Consultancy - Outsourcing IT Infrastructure
• Flow of information from SportCo to Super IT
• Super IT’s storage facility: cloud or data center
• Understanding the type of data stored: HR related, customer
info etc
• Contractual issues
• Super IT’s compliance with standards i.e. PCI
• Super IT’s call center availability
15
15
Engaging the Outsource Provider
(things to think about)
Flexible Outsourcing International – Contract Manufacturer
• Location, location, location
• what are the hazards?
• International or US?
• Flexible’s Quality Control Program
• Intellectual Property
• Contractual issues
• Flexible’s Business Continuity Program
• Social Responsibility
• Environmental Responsibility
• Political Issues (terrorism, govt unrest, employee care)
16
16
Engaging the Outsource Provider
(things to think about)
Accentumetrics Technical Responders – Outsourcing Customer
Care
• Location and language
• Hours of operation
• Training programs
• Brand reputation
• Intellectual Property
• Contractual issues
• Social Responsibility
• Political Issues (terrorism, govt unrest, employee care)
17
17
Managing the Risks via the Contract
• Robust Governance Provisions
• Comprehensive Audit Rights
• Contractual Requirements
– Continuity of Key Personnel
– Compliance with Laws
– Mandatory Technology Refresh / Release Versions
– Key Performance Metrics with Meaningful
Remedies
18
18