Risk Management in Outsourcing: From the Board to the Contract Administrator and Back
Outsourcing involves operational risk in a company’s supply chain. But it also plays a role in other risk parameters that an enterprise’s board of directors has fiduciary and regulatory responsibility to manage. This article addresses a holistic risk management framework for board members as well as senior executives and in-house lawyers. This article does not address the Board’s internal governance structure that defines whether the entire board, or subcommittee dedicated to risk management, will be considering initially the adoption of risk management polices and procedures and responding to management’s proposals on outsourcing.
Board’s Role. In the modern corporation, the board of directors is responsible for managing the enterprise for the benefit of the shareholders. Modern principles of brand management and corporate social responsibility expand the constituencies to employees, suppliers, customers and the community. Management responsibility includes planning and execution of business strategies. Risk management responsibility includes planning and execution of strategies to mitigate, eliminate or shift risks arising from business operations. Since non-executive board members are not involved in day-to-day implementation of business strategies, the question for outsourcing planners is to determine what type of risks pose sufficient threats that the Board should consider and manage them.
Board Subcommittees. Most major corporations use subcommittees of the Board to identify special concerns and bring them to the attention of management and the board. These may include:
- Corporate Governance and Nominating
- Audit (including or excluding Internal Control and Disclosure)
- Ethics and Compliance Oversight
- Strategy and Risk Oversight
Risk management from outsourcing comes under review by the Board committee that addresses risk management.
Types of Risks. At the board level, classic risk theory identifies many types of risk for the business enterprise in a global marketplace.
- Marketplace risks concerns include
- Market risk (the competitiveness of the enterprise’s goods and services in its markets, based on the attractiveness, functionality and fitness for customer needs and wants); and
- Reputational risk (the loss of goodwill in the company’s trademarks and customer loyalty that underpin repeat business and annuity revenue)
- Operational risks involve non-financial resource management.
- Internal Operational Risk (the inability to obtain or deliver internally the necessary people, processes and technologies that drive the company’s competitive advantage); and
- Supply chain risk (the lack of business continuity and loss of goodwill due to failure of suppliers to deliver goods and services to meet customer demand and expectations.
- Financial risks include three core components:
- liquidity risk (insolvency by lacking adequate operating capital sufficient to pay financial obligations when they become due, including the failure of customers to pay when due, and includes, for purposes of outsourcing analysis, the long-term financial impact of outsourcing on cash flow, pension liabilities, environmental impact management and infrastrastructure investment, maintenance, depreciation and amortization);
- credit risk (lack of access to credit markets and thus dependency on cash flow from operations and shareholder capital);
- financial market risk (the risk of volatility in financial markets that impact the prices of commodities and services purchased and sold and the company’s financial portfolio as a basis for implementing overall business strategies including mergers and acquisitions, capital investment in property, plant and equipment and human resource investment in hiring, training and deploying human resources globally.
- Governance risks concern the effectiveness of the company’s policies and practices in governing itself with respect to its constituencies in government, investors, employees and the local community as represented by government (and laws). These can be broken down into two components:
- legal liability (the risk of liability to third parties for breach of legal contract and for civil responsibility (tort liability) under common law, statutes and regulations and the company’s responsibilities in its interactions with suppliers, distributors and its other business relationships);
- legal compliance risk (the failure to comply with all applicable laws, regulations, binding legal principles and contractual obligations of the company, including the failure to adequately respond to challenges that impair the company’s ability to govern itself);
- internal governance risks (the failure to respond adequately to the company’s duties to its shareholders, management and employees); and
- accounting risk (failure to correctly identify, characterize, evaluate and disclose the company’s financial condition and the resulting impact on credit risk and inability to pursue operational goals; and
- Unmanageable risks arise from forces that are nearly always outside the enterprise that affect its viability:
- Systemic risk (the risk that the economic system will collapse due to wars, global illiquidity, hyperinflation and similar massive episodes);
- Regulatory risk (the risk of new regulations that may impact the enterprise’s viability and profitability as well as the manner in which it conducts business, its strategy and its competitive positioning); and
- Concentration risk (the risk that the enterprise’s business might be concentrated in an unprofitable business segment, and that such concentration might not be escaped in light of barriers from the marketplace or legal frameworks).
Impact of Risk Analysis on Outsourcing. Outsourcing involves some form of risk across each of the core risk matrices – marketplace, operational, financial, governance and unmanageable risks. Outsourcing lawyers understand the impact of outsourcing on such risk matrices and assist the parties by identifying and allocating risks for a transparent, enforceable and effective relationship. Unlike a secured loan with security in the form of a mortgage, pledge, security interest or guarantee, outsourcing involves continuing risks that are unsecured and require ongoing planning and relationship management to ensure the contract is honored and that the obligations – even in cases of disagreements between customer and service provider – are defined and respected.
Service Offerings. Not surprising, business process service providers have developed suites of services that support the enterprise’s ability to assume, mitigate, manage and/or shift risks. For example, operational services for mortgage applications, credit applications, lending functions and employee benefits administration typically encompass both the delegated functions and critical elements for reporting, audit and assurance of compliance with laws, contracts and operational procedures. Some service providers include data warehousing and analytics services for all their BPO services to help companies identify, measure and manage risks.
Vendor Selection. As in any prudent portfolio investment, the process for selection of approved vendors can narrow the risks of outsourcing. If the enterprise has not had extensive experience in outsourcing, or if it has had some experience but wants leverage to avoid making some well-known risks that were not managed in an existing outsourcing relationship, an experience consulting firm and an experienced lawyer can help assist in needs assessment, risk assessment, due diligence, competitive bidding and the process of narrowing down the field of vendors.
Contract Development. Enterprises hiring others to perform essential services will enter “master services agreements” supplemented by “statements of work,” pricing schedules and other exhibits to manage risk. The business design in the contracts must anticipate marketplace risks, operational risks and even unmanageable risks. The boilerplate in the contracts must include compliance with applicable laws generally, the laws governing the enterprise’s business (including specialty regulations and even licensure and registration), legal liability, legal compliance risk, internal governance risk and accounting risk.
Review and Approval by the Board of Directors; Board’s Role. When reviewing a proposed outsourcing contract for approval by the board, each director should have an understanding of the risk matrix and how the business relationship will affect the key risks. The deal should enable management to make changes peremptorily, without consent of the service provider, as business requirements, market conditions, regulations and business strategy evolve. However, the board should appreciate that outsourcing relationships are sticky like glue, and untangling a failed relationship can be costly, diverting both cash and limited management resources to remediation. The prudent director will thus focus on cost, effectiveness, credibility of the service provider, business resiliency across all risk matrices and flexibility. In deciding to approve an outsourcing, the board should balance risk against cost and other benefits, just as in any joint venture, acquisition, divestiture or other strategic change.
Relationship Governance in Outsourcing. The law of entropy (and basic business management) states that, over time, disorder in the universe will increase unless managed. Accordingly, effective outsourcing requires a team to ensure appropriate governance of the relationship and that, through such governance, the generic and special risks are identified, evaluated and managed on a continuous basis. It is one of the ironies of relationships that by assisting and collaborating with a service provider, the customer is serving the customer’s own purposes. Effective governance requires a flow of performance data, analysis of effectiveness of the services and a plan for integration of external services with internal services. It is a best practice in outsourcing to adopt a detailed plan for relationship governance that addresses key risks and helps facilitate pursuit of emerging key business opportunities.
Contract Renewal and Renegotiation. At the renewal of an outsourcing contract, risk management considerations will dictate whether the incumbent service provider will be considered for renewal and what new contract changes will change the allocation of operational, financial and legal risks between the parties.
Risk Management at the Board Level. Outsourcing is no longer a tool for a line-of-business manager to use to obtain operational services for one line of business. Rather, outsourcing transcends lines of business and all levels of management, administration and operations. In fulfillment of its fiduciary duties including its responsibility to manage risks, the board cannot delegate management of the in-house operations, and it cannot delegate management of outsourcing either. In light of the increasing use of outsourcing and shared service captives across borders, the board might delegate initial analysis and oversight of management sourcing strategy to a subcommittee, such as a “Strategy and Risk Oversight” Committee, or a “Compliance Committee.” The board (or its delegate, such as the CFO, CCO or General Counsel) should monitor the outsourcing by:
- adopting policies and procedures for managing the outsourcing phenomenon;
- getting regular reports from management (including the CFO, the CIO, in-house counsel and compliance officers); and
- using that knowledge to plan for strategic opportunities and managing risks.
Like any other form of risk management, risk management in outsourcing requires continuous monitoring and administration, as well as periodic review for overall assessment of effectiveness and suitability. Effective risk management in outsourcing will permeate the entire organization, from the board to the C-suite and operational managers.
Risk Management in the C-Suite: The CFO’s Role. The Chief Financial Officer is responsible for risk management in many ways. The CFO’s biggest job is to manage for growth and value. Other typical responsibilities include company strategy and business reviews, financial reporting, human resource development, investor relations and board relations, information technology and management information systems and mergers and acquisitions.
- In a company reporting to the U.S. Securities and Exchange Commission, the CFO is responsible for compliance with the Sarbanes-Oxley Act, Section 404, requirements on internal audit and controls, and Section 902, requiring the CEO and CFO to each individually certify the adequacy of internal audit and controls in the company.
- In the regulated company, the CFO is responsible for filing financial reports with the regulators. For banks, financial services and insurance companies, the CFO is responsible for compliance with financial regulations, including measuring and reporting on minimum capital requirements, credit risk and operational risks.
- In private companies, the CFO is responsible for financial administration and generally for risk management.These responsibilities put the CFO at the center of any outsourcing.