Wednesday, 25 June 2008

Risks of Outsourcing

Outsourcing is a process of acquiring services from an external party. In the strictest of legal senses, all companies outsource. The statement makes the most sense when you understand that a company can only act through its employees and directors. The company is not an independent entity with a will of its own. Employees are sourced from a location external to the organisation and can for the most part, leave with little effort.

In addition, services that do not have as much of a strategic focus are generally acquired from contractors. In fact, for any service that is not critical to the organisation in the sense that it is not something that they will excel at, it is generally better to obtain the services from a specialist. In most cases the specialist is a contract. Companies have relatively high degree of control over both employees and contractors. When they do this, they shouldn't most if not all the risk of what these parties do. There are some exceptions. In the case of vicarious liability, criminal acts that require mens rea cannot be directly attributable to the company but are rather associated with the individuals responsible and the directors.

In the majority of cases, the company will usually owed or otherwise control the technologies and assets that the employees (and sometimes the contractors) utilise. In this case, the whole risk of the system remains with the company. For key systems this can make sense. As an example, it would not make sense for a manufacturing organisation to outsource the quality control systems within their own facility.

On the other hand, call centre, payroll, data facilities, telecommunications and even warehouse inventory control systems may not be within the general scope of what an organisation specialises in. In these cases, the outsourcing of these operations may be the most effective way to manage the risk associated with these functions.

There are a number of possible solutions to outsourcing. Some of these include:

  • Acquiring a turnkey solution that is commissioned in its entirety. In many cases the company will take over risk and acceptance or the latest at the end of the warranty period.
  • Using a variety of suppliers and vendors the source individual component pieces and then hiring systems integrators to install and run them. The company takes more upfront risk in this instance but can handle some of the ongoing risk to the outsourcing party.
  • The other option is to contract the entire operation to a specialised service provider. This has become common within IT and especially with the ASP models. In this instance, the outsourcer is responsible for acquiring all the equipment and expertise. In this instance the outsourcer has complete control of risk in the system. In this latter example the risk of non-performance remains. The company will have no control of and no risk in the technology itself however.

The important consideration in all of these instances is that not all risk can be transferred. In the case of financial reporting obligations, a failure on nonperformance by the outsourcer will leave the company vulnerable. Likewise, many other risks will not be transferred but will rather be shared between both the company and the outsourcer. In this instance insurance is important.

It is necessary to protect against the risk the supplier will not deliver upon its promises. To do this, a company needs to ensure that escrow arrangements have been made. Escrow arrangements rely on a third-party those entrusted with the source code, drawings, plans, designs and other documentation necessary for the operation and maintenance of the system.

Escrow arrangements are enacted only in the event that the supplier fails.

There are many types of insurer will risks and just as many types of insurance to go with them. Some of many categories of insurance include:
  • professional services,
  • product insurance,
  • asset protection,
  • contract liability,
  • workers compensation,
  • intellectual property protection,
  • insurance against damage to property or injury to people,
  • litigation insurance, and
  • business interruption protection.
The key point to remember is that insurance does not remove risk but rather transfers selected instances of risk. It is important to always examine the insurance contract. Named parties and covered risks should be taken into account and always understand the exclusions that exist within the policy.

No comments: