Mitigating risk in outsourcing
Most organisations conduct some level of risk assessment, prior to executing an outsourcing transaction. We have observed no common best practice on how the outsourcing risk assessment is conducted, what criteria are used to determine risk exposure or how to sort/implement the risk mitigation strategies. The following article summarises one approach, delivering high value in determining what risks apply to an outsourcing arrangement and where an organisation should focus their efforts to reduce risk.
Here is a simplified approach to outsourcing risk management:
- Identify the list of all risks that apply to this outsourcing strategy/initiative
- Identify factors that contribute to the risk occurring, due to the outsourcing strategy execution
- Score each potential risk based on: a) probability of the risk occurring; b) risk impact if the risk occurs
- Create a risk scoring matrix, ranking the risks by “high”, “medium” and “low”
- Develop risk mitigation strategies
- Focus on the “high” risks, implementing risk mitigation strategies: risks can be mitigated by implementing control strategies that minimise the probability and the potential impact; detailed mitigation strategies for every single risk may not add business value and can be quite costly; risk mitigation costs should be built into the business case and tracked during the strategy execution.
Potential outsourcing risks for consideration in the assessment typically include: Project Resourcing, Requirement Definition, Procurement, Transition, Governance, Service Management, Service Tower-specific, Legal, HR, Labour Relations, Tax and IT (Capacity, Architecture, Capacity, Security, etc.) risks. When transactions consider offshoring as part of the delivery model (as most do today), other risks need to be considered including: Economic (currency exchange and inflation), Cultural, Political, Environmental etc risks.
We use a fairly standard model for determining the Impact and Probability Scoring of the risk occurring as follows:
1. Probability Scoring: what is the probability this risk will occur, during the deal term?
2. Impact Scoring: what will be the impact to the organisation if the risk occurs?
3. Risk Exposure: overall risk exposure = Impact x Probability
As described above, the risks are all prioritised by risk exposure and the high risks (and occasionally the medium risks, depending on the client risk tolerance) have extensive risk mitigation strategies developed and executed.
From Merit Outsourcing Advisors’ experience, we typically observe the same fundamental risks get classified as high risks, in the procurement (engagement) phase of the outsourcing lifecycle: Transition/Knowledge Transfer, Resource, Governance and Service Delivery risks. When global delivery is part of the transaction, Culture and Political risks are identified as high risk exposure, with very high impact. Of course every outsourcing transaction is different, resulting in additional deal-specific risks, some service tower-specific and others from the list above.
There is clear evidence, that organisations who act on the risk assessment, track and implement the risk mitigation strategies, in conjunction with their service provider, have higher customer satisfaction and deal success. Our research has demonstrated that organisations that conduct periodic risk assessments as part of their governance and relationship assessment process, will minimise deal-specific risks during the contract term, have higher client satisfaction, lower levels of escalated issues and higher renewal rates with incumbent service providers.