strategy+business is published by the global management consulting firm Booz & Company

Published: 11/30/05

Reining in Outsourcing Risk

Security problems are interdependent when risk faced by one firm is determined in part by the behavior of others, says Professor Kunreuther. More important, the behavior of the other firms affects the incentives of the first firm to reduce its exposure to the risk. Professor Kunreuther studied this challenge in a paper on airline security he cowrote in October 2002 with Professor Heal and Peter Orszag, a senior fellow at the Brookings Institution in Washington, D.C. “Even an airline with an infallible screening system is at risk,” they write, “since only the bags checked by passengers who initiate the trip with that airline are inspected; those bags transferred from another airline are not.” So it is with interdependent computer networks: They note that “once a hacker or virus reaches one computer on a network, the remaining computers can more easily be contaminated.” The potential uncontrolled exposure in this scenario reduces the incentive for an individual computer operator to protect against outside hackers. “Even stringent cybersecurity may not be particularly helpful if a hacker has already entered the network through a ‘weak link,’” they write.

Outsourcers have begun asking their service providers to incorporate tighter checks and balances to secure data privacy and prevent fraud.

U.S. financial-services companies have already bought into the need for industry-wide action. Identifying and managing outsourcing risk is an ongoing theme at BITS (once known as the Banking Industry Technology Secretariat) in Washington, D.C., a nonprofit consortium of 98 banks and financial-services institutions. Over the past two years, a 40-member IT service-providers working group at BITS has produced four documents to serve as guides for member organizations as they devise their risk management strategies. “These documents are comprehensive and provide recommendations and considerations throughout the entire outsourcing life cycle,” says Faith Boettger, a senior consultant at both BITS and at the Santa Fe Group consulting firm in New Mexico who helped to develop them. “The report is written from the financial institution’s perspective as a user: What are financial institutions required to do, what controls can be put in place commensurate with the risk, and what background information may be available by country.”

The BITS offerings include everything from a survey of the key considerations in background screening of employees to recommendations on termination clauses in outsourcing contracts. But even the BITS work can’t cover every eventuality. There isn’t always a right answer for an institution weighing a certain type of risk, says Ms. Boettger. Much depends on the nuances and the risks inherent in the service outsourced. “We have provided considerations organizations can use to manage risk, not measure risk,” she cautions.

Extend the Organization

Many risks can be avoided if outsourcing companies successfully transport their best practices to service providers, says Booz Allen’s Paul Fielding. Doing that is far more than a matter of words on paper; rather, clients and providers need to work closely together on an ongoing basis. “Oftentimes, what I see in contracts is people trying to abdicate their responsibility with contractual language, and often the vendors are left in charge of checking themselves,” says Mr. Fielding. The guiding principle, he says, is “trust, but verify.”

But how? Wharton’s Professor Aron advocates an “extended organization form,” a model that brings together two forms of governance — one imposed by the outsourcing “market” and the other by the in-house management, or “hierarchy.” “The chief discipline of the ‘market’ is efficiency of cost, while the ‘hierarchy’ brings managerial control,” he says. “The extended organization form will give a company the great benefit of contracting with a third party provider for cost control, and also the ability for real-time control of that project’s performance.”
