Airmic

Outsourcing & Offshoring - who controls the supply chain?

Everyone is doing it, but how many organisations can truly claim to have a handle on the associated risks. Outsourcing and its close relative offshoring are an integral part of the supply chain. Yet, as Lockton partner Andrew Cornish told the March AIRMIC breakfast meeting, they inevitably imply a significant loss of control.

Although the functions that are typically outsourced are often described as “non-core”, it does not feel like that when, say, an IT system crashes or key components required for the production line fail to arrive. It all adds up to an important risk issue, though how to get the board to take them seriously can be quite a headache.

The Lockton-XL seminar highlighted the complexity of supply chain risk and the need to have a process in place to deal with it. “There are multifaceted risks associated with outsourcing,” said Executive Director, Technology Risks Emily Freeman.

And, once you have made the decision, “you often don’t leave bridges.” In other words, you lose the capacity to provide the function in-house, so you are committed to a certain course even if it does not work out. Apart from under-performance, she highlighted a number of risks associated with outsourcing. Among them: privacy and security; intellectual property (who manages and who owns it?); financial (relating to the security of the service provider) and contractual; issues. She warned against the “have a nice day contract. In essence you retain the risk of whatever you’re doing.”

So, if anything goes wrong, you find there is little or nothing you can pin on your contractor. Contract escape routes include clauses that limit liability (for example, consequential damage may be excluded); force majeure (giving the contractor the excuse that any failings were beyond their control); and indemnities that prove to have little value or inadequate financial backing.

The upshot is that, even if your contractor is to blame, you may still be liable if the ultimate plaintiffs, typically customers or their customers, are let down. For all these reasons and more, said Freeman, it is highly important to have an effective relationship between risk management and legal. 

When you offshore, i.e. outsource overseas, the hazards multiply. She identified the following key additional risks:

• Geo political
• Credit
• Legal and regulatory
• Infrastructure
• Natural Catastrophe
• Currency
• Environmental

(A member of the audience added ‘cultural’ to the list, to general agreement.)

Andrew Cornish, a former risk manager and chairman of AIRMIC, pointed out that there is nothing unique about handling the threats associated with outsourcing and offshoring.

“The usual risk management process applies,” he said, commending the Risk Management Standard developed by AIRMIC. He recommended starting with a high-level risk assessment. Firms may then want to go deeper in certain areas, especially with high-impact risks.

There was much discussion about the need to get risk management involved in the outsourcing process at an early stage so that it can be fully effective.

There was wide agreement that too often the board considers the risk aspects at a late stage. Risk management in these circumstances starts on the back foot, with the outsourcing seen purely as a contractual issue driven by the desire to reduce costs.

As one audience member pointed out, lobbying the board can be an essential part of the risk manager’s job so that risk management is given due attention. “It’s largely a question of lobbying in the right area. If necessary I go to board members, by-passing the more junior people.”