Risk Management
Risk Management when outsourcing (part 2)
Risk Management, StrategyThis is a multipart discussion that will be posted over the next several days.
Understanding how your company seems risk and the different types of risks will allow you to frame your risk management efforts with the proper light. Defining whether your risks are endogenous, exogenous or both is also critically important.
Managing Risks
The next question that comes up is “how do I handle risk?” For the purposes of our discussion:
- Do Nothing
- Hedge the risk by investing in risk mitigation processes, technologies and tools
- Transfer the risk via insurance or securitization
- Switch to a provider with a “better” risk profile
- Exit the business or relationship generating the risk
The debate about outsourcing
No matter how thin you slice a piece of bread, there are always 2 sides. Even though most business professionals believe that outsourcing is a tool that allows them better control over cost, service and risk, some still believe outsourcing is bad and should be avoided.
On one side we have a clear presentation of business benefits[1] such as:
- Lower costs
- Economies of scale
- Access to specialized resources
- New business venture opportunities
Opponents have stood their ground claiming [2]:
- Escalating costs
- Diminishing service levels
- Loss of expertise
Having helped organizations outsource for the last 15 years, trust me when I say outsourcing can deliver extremely positive returns if negotiated and implemented properly. One of the key drivers to proper implementation is a strong risk management framework. When outsourcing deals “go bad”, it usually stems from:
- The customer has not properly defined what they really wanted.
- The outsourcer did not properly understand what was being asked for.
- The contract does not properly define the agreement which leads to disagreements (both scope and financial.
All of these can be avoided if overseen by a manager that understands and is able to manage risks.
Reference:
1. Gupta, U. G. and Gupta, A., “Outsourcing The IS Function: Is It Necessary for Your Organization?,” Information Systems Management, Summer 1992, pp.44-50
2. Earl, M. J., “The Risk of Outsourcing IT,” Sloan Management Review, Spring 1996, pp.26-32
Stay tuned for part 3 tomorrow
Risk Management when outsourcing (part1)
Risk Management, StrategyThis is a multipart discussion that will be posted over the next several days.
Over the last 5 years, I have seen a huge surge in the number of companies adopting formal risk management frameworks and methodologies. This is sometimes driven by regulatory requirements and other times by experienced executives that understand the importance of risk management.
I wanted to take a quickly look at risk management in the context of outsourcing.
What is risk?
The definition of risk is intuitive but can be summarized as “an event that may have a material impact on your business and its success or desired outcome”.
How does your company view and measure risk?
Depending on your industry, you can adopt one of the following risk management models:
- Risk as a probability This applies to organizations that measure risk as a likelihood that something may occur (i.e. an insurance company determination your risk of dying early because of lung cancer). Organizations adopting this approach will collect performance data and built likelihood tables to judge risk.
- Risk as a variance This applies to organizations that measure risks as a likelihood that the outcome may differ (delta) from a distribution. This is often the approach used by banks and investment companies. Organizations adopting this approach will base their “risk tolerance” on the expected return. The higher the return, the more volatility they are willing to accept.
- Risk as an expected loss This is the most common risk model adopted by organizations and is a loss function multiplied by a probability function. As an example, the impact that your cash will catch fire in a bank's vault is catastrophic but when multiplied by the likelihood of it actually occurring, it become negligeable.
Types of risks
There are 2 types of risks that your company may be subjected to (each with its own mitigation strategy):
- Exogenous risk is risk on which we have no control. It is risk that is unaffected by our actions. Great examples of this are the revolts in Egypt, the tsunami in Japan or an earthquake.
- Endogenous risk on the other hand is risk that is influenced by our actions or decisions.
When playing Russian roulette in a casino, the actual risk related to a result number other than the one I have chosen is exogenous and out of my control. Risking my capital by playing Russian roulette is an endogenous risk because it is a result of my actions.
Stay tuned for part 2 tomorrow