Third Party Services: Ease or Risk?

September 9, 2015 • Category: Best Practices

While assessing one of the largest public sector enterprises recently, I asked for the routine maintenance reports and records for IT, Human Resource & Facility Administration. The auditee promptly dug out the files and presented the requisite records. While reviewing the records, I noticed that many of the maintenance activities were carried out by a sub-contractor that the organization’s original vendor had contracted. When I probed further, the client executive told me that they were never informed about this, and neither did the contract say anything about such provisions!

Outsourcing business activities due to lack of resources, expertise, cost constraints etc. is a common trend today. I well and truly endorse the idea of some non-core activities being outsourced. However, I am a little sceptical about how these activities are managed by the enterprise that decides to outsource them. Seldom does the entity realize the risks involved. One needs to understand that outsourcing an activity is itself “an activity” and needs to be monitored to get the benefits and reduce the risks.

While conducting assessments for a variety of compliances over the years, I have come across many concerns which are not dealt with earnestly by entities when they plan to outsource to a third party.

The following are my top 5 recommendations to curb the risks and get real benefits:

  1. Ask Yourself if There is a Real Need to Outsource: Reasons to outsource to a third party can be many. The most commonly quoted are lack of resources, lack of expertise and cost benefit. If the enterprise decides to outsource because there is no expertise within, then how would it effectively monitor the vendor’s performance? Evaluate the idea of developing your own gene pool to reap the benefits over a period of time. Arguably, the cost-benefit analysis says that developing the entity’s own competency fetches much better results and proves economical. My mantra: do your SWOT analysis and then take a conscious call. Just think, if you are outsourcing because it’s your weakness, it could well lead to a threat as well!
  2. Conduct Your Due Diligence: Recently someone posted a picture on social media. It said: “If Emperor Shah Jahan had asked for 3 quotes for building “Taj Mahal” and selected the lowest one, Taj Mahal would have never been built.” This is exactly what we need to consider while outsourcing: the cheapest is seldom the best. I won’t say never, but seldom. I understand that the procurement & spend guys have their own so-called budgetary constraints and pressure from the management. Still, making cost the solitary or a major deciding factor while selecting a third-party vendor is misleading and does not bear fruit over the long run. When you negotiate, evaluate the cost-versus-risk matrix and then select.
  3. Build Well-Crafted Agreements: It’s a common observation that the kind of work agreements and so-called Non-Disclosures we sign with third-party vendors can seldom stand in a court of law if something goes amiss or in case of a major incident. The bare minimum pointers to consider in an agreement are: a deftly defined scope of work; the right to further sub-contract the work; renewals of agreements (and due adherence to them); educating the vendor on your policies and procedures; sharing and disposal of confidential information and the associated responsibilities; competencies of the vendor resources; authorized signatories from both sides; a right to audit clause; response and resolution times in Business As Usual or in case of incidents; and a communication matrix.
  4. Create Finely-Defined Service Levels: Unless there is absolute clarity on the deliverables and expectations from the third-party vendors, it becomes difficult to measure their performance. Ambiguity may lead to a disaster. If the administration feels happy penalising the vendor for breach of service levels, they are misguided. My take: spend time, brainstorm, have multiple discussions with the stakeholders involved and then arrive at the SLA pointers. Have the RACI Matrix (Responsible, Accountable, Consulted & Informed) defined. Remember: the vendor is there not to pay penalties but to perform, and to reduce the work pressures and also the risk.
  5. Execute the Right to Audit Clause: It’s good to be friends with all vendors and occasionally have a cup of coffee in their office. But when it comes to routine evaluation checks, the “Right to Audit” clause in the agreement may play a vital role. Depending upon the feasibility and the criticality, it is always a worthy practice to conduct periodic informed and / or surprise audits, especially with vendors where there is a lot of information exchange in either soft or hard copy formats. It is recommended to meticulously check the sanity and security of such information by visiting the vendor premises. Many unforeseen risks may pop up, and it is good to mitigate those diligently.

As a final note, outsourcing of activities to a third party is a task in itself and needs to be dealt with due attention. So let’s not live in “Utopia”, and let’s take the necessary measures to get the best out of it!
