Three Types of Risks
Apart from plain old thievery, the outsourcing industry faces three broad types of risks, says Ravi Aron, Wharton professor of operations and information management and a leading authority on outsourcing trends:
Operational risks show up as slippages on time, cost, and quality. Professor Aron says these frequently arise with breakdowns in the transfer of work processes, or in repetitive processes that are prone to human error. He notes that operational risks don’t arise from deliberate misbehavior; instead, they’re most likely to occur when the service provider does not completely understand a client’s requirements.
Strategic risks are rooted in deliberate, opportunistic behavior by service providers or their employees. Theft of intellectual property is the most common — but far from the only — example. Another type of strategic risk involves providers who cut corners by understaffing. A third is what Professor Aron calls an “asymmetry of dependence”: “All goes well for three years, and when the contract comes up for renewal, the contractor doubles the price because he knows the client is locked in and it is not easy for it to switch suppliers.”
Composite risks manifest themselves when a client company has outsourced a process for so long that it can no longer implement the process for itself, says Professor Aron. “For instance, over a period of eight to 10 years, a retail financial-services company may not have any back-office operational capabilities if all of its retail customers are managed by offshore contractors in Mauritius or Manila,” he says. That could present problems when the client company has a new product and discovers that an entire set of needed in-house skills has eroded. Professor Aron adds that such risks have a relatively easy solution: Companies can retain minimal residual capacities so that they always have in-house access to outsourced skills.
Operational and strategic risks call for multipronged preventive measures. The first step, says Paul Fielding, is for client companies to recognize that “when you outsource a task, you don’t outsource the responsibility and accountability for that task.” For example, the client company can better manage data privacy by making sure no individual has complete access to the information. “In a financial institution, it is important to break up responsibility so that no one person can put the organization at risk,” Mr. Fielding says. To achieve that, he says, companies must understand the workflow and the supply chain to identify points of risk and then put in place preventive valves. The cases he has tracked all involved a single point of failure, and thus “they could all have been prevented.”
Mr. Fielding also cautions against overreliance on hardware and software as security blankets. More firewalls don’t necessarily mean increased security, unless they are appropriately administered, he says, adding that many companies have become lax on best practices. Even so, companies must ensure that their technology stays current, including virus updates. “For every piece of [security] technology, there is somebody out there thinking of a way to beat it,” he says.
Focus on the Weakest Link
Outsourcing companies should also focus on interdependencies, says Howard Kunreuther, Wharton professor of business and public policy and an expert on risk management and insurance. “The challenge in supply chains and outsourcing is, how do you begin to get a better handle on managing risk when you have interconnects among the various groups,” he says. “One weak link in the system can bring all of the others down.” Professor Kunreuther draws cues from work he is currently doing on inspections and quality control with Wharton professors Serguei Netessine and Stanley Baiman and Columbia University professor Geoffrey Heal. He offers the example of an apartment owner who tries to protect himself with smoke detectors, alarms, sprinklers, and other measures. An insurer would not be impressed, unless all the neighbors in that apartment building have taken similar protective measures. “This issue of interdependency is completely untapped and is probably the most important issue to start thinking about with regard to risk,” says Professor Kunreuther.