Managing Risks in Offshore Outsourcing Relationships Date:   Thursday , April 02, 2009 As strange as it may sound, many Fortune 1000 companies don’t have a process for risk assessment and best practices when dealing with offshore vendors. While most major companies recognize there are risks associated with the development of offshore relationships, many fail to develop a strategic approach to risk management. In most instances, risk management plans are reactive and tactical rather than proactive and strategic. Very few organizations consider risk assessment and mitigation planning as part of their sourcing strategy. If there is a strategic approach to risk assessment, potential risks can be identified during the sourcing strategy phase. Risk Assessment, an Ongoing Process Risk assessment is a continuous process and should be conducted in all phases of the sourcing lifecycle, utilizing an established process. Risks must be categorized into groups vital to the ROI of the organization. Some standard risk categories to be included are: 1. Business risks These are risks that impact revenue, profitability, or customer satisfaction. These should be identified with inputs internally and externally. 2. Regulatory risks These risks depend on the industry and the organization. Some heavily regulated industries such as the pharmaceutical or financial services industry are under intensive scrutiny. While mitigation strategies can be developed, without identifying the risks and documenting those strategies up front, organizations (and industries) could expose themselves to legal action by their lack of proactivity. 3. Legal risks Legal risks, from copyright infringement to employment law, may include prolonged litigation for a variety of reasons. Legal risk identification and mitigation plans have matured over the years with the availability of law firms specializing in outsourcing contracts. The participants understand the need to have a legal framework to operate effectively, and both vendors and clients agree to standard clauses in the contract such as insurance, confidentiality, intellectual property protection, limited non-compete, warranty, mutual non-solicitation of employees, and payment terms. 4. Operational risks These risks are client dependent and could impact schedule and budget. Good project managers on both client and vendor sides will be able to identify most of these risks and develop mitigation plans. When project management capabilities are not mature (either at the client or at the provider side) there could be major risks in this category that could have a catastrophic effect on the engagement and provider ROI. 5. Change management risks This area is not given the appropriate attention it deserves in most enterprises. It is critical that companies define their governance protocols and share these with vendors, regardless of their level of involvement. It is critical that organizations define their governance protocols and appropriate RACI charts and expose these with the providers. An overarching concern is the importance of developing an escalation process to ensure that issues are escalated up as required so that immediate action can be taken as necessary. Other categories of risk may be included depending on the nature of the businesses as well as their geographic location. For all risks, the probability and business impact should be estimated. Then, as mitigation plans are developed, the probability and business impact should be re-computed. A good mitigation plan should be one that reduces the probability and the business impact. During the vendor evaluation and contract negotiation phase, already identified risks should be part of the evaluation and negotiation framework. It is unreasonable to expect vendors to own the risks, when the clients insist on retaining the control. For example, the providers will push back on accepting resource risks when the client insists on interviewing every resource and retaining a right-to-hire clause. While it is ideal for clients to attempt to transfer risks to the provider, many organizations use internal staff to manage risks. Thus, the risks remain with the client along with the additional expenses involved in maintaining a larger internal resource pool than required. Transferring Risks In order to successfully transfer risks to the provider, it is not enough to develop a legally binding contract. The internal team should be trained to manage the sourcing relationships instead of keeping track of vendor’s resources. Managing risks effectively might require returning some measure of control to the vendor. For example, the day-to-day management of the resources should be the vendor’s responsibility. Service Levels Critical to the Business Service Level Agreements (SLA) can be used to mitigate several business and operational risks. While developing service levels, organizations should look at service levels that have the highest business impact for them. Clients require service levels from vendors for the sake of accountability. Vendors must meet those SLAs in order not to find themselves in breach of contract. Service levels that are aligned to the business needs will help the organization reduce risks that could impact business performance. Utilize Governance Forums to Identify and Mitigate Risks Most vendors follow standard project management procedures, which include risk management. The vendor risk management processes are more likely to be more mature than the client’s own processes. In order to ensure that the vendors have a forum to discuss risks, it is important to define a sourcing governance program with multiple layers. Layer 1: At the lowest level, the vendor onsite team will work with client IT managers. They should meet on a weekly basis, discuss status, and mutually agree on risks and mitigation plans. This team should also carefully review the service level reports and agree on service level breaches by the provider. Layer 2: The second layer should be at the director level. This level should look at demand forecasts, review issues and risks that are escalated, and review any service level breaches. This team can meet monthly and review service level performance for the month and identify appropriate corrective actions. This team should also look at the risks as identified by the vendors for the smooth completion of the projects. Layer 3: At the highest level, there should be a quarterly meeting between the vendors and the CIO, where the CIO requests that vendors discuss the top 10 projects with the highest degree of risk. This would ensure that the internal staff escalates issues that require CIO attention. This governance level will also provide an opportunity for vendors to bring recommendations on innovation and new ideas to the client. The subject of risk and mitigation will change with every client. Master Service Agreements (MSA) written by the attorneys differ for each client. Yet, in order to effectively manage outsourcing relationships, a risk management process must be defined. Appropriate contract terms, service level definitions, and effective governance models must be utilized to fairly share the risks without jeopardizing either the client or the vendor. In order to be successful in managing risks in an outsourcing relationship, both vendor and client must work together to manage outcomes rather than resources. Successful outsourcing relationships require the clients to trust the vendors and give them enough control to manage the projects in such a way as to minimize risks for both parties and maximize the benefits for the clients. The author is General Manager – UST Global, Former Consultant with Gartner