Here’s one example. Your company consolidated all its BPO functions into a shared services center. However, the center outsourced specific pieces of processes that it determined a service provider indeed could do better, faster and cheaper than you could.
And then one morning you wake up to discover the service provider handling your HR benefits administration had a data security breach à la Target, and the social security numbers of your 80,000 workers are gone, lost in cyberspace.
You end up paying the federal fine and the cost of credit monitoring for everyone involved, suffering the brand damage when your company is on the nightly news and enduring the wrath of your employees, even though the breach happened on the provider’s watch, not yours.
Findings from the Consero Group’s third annual shared services study quantify this fear. The study, entitled Shared Services and Outsourcing Data Survey, found 65 percent of its respondents believe their outsourcing partners are not focused enough on minimizing their risk.
“This is an important finding. Shared services executives are concerned as the regulatory landscape becomes more complicated. After all, what good are cost savings and efficiencies if they lead to dangerous levels of legal or regulatory risk?” says Paul Mandell, Consero CEO.
The Consero Group polled the 58 shared services executives who attended a February invitation-only shared services event hosted by Consero. All came from Fortune 100 companies. Consero released the report March 28, 2014.
The risks enterprises are worried about, according to Mandell, include:
- Data breaches like the fabricated example above
- Money laundering
- Facilitation payments and bribes in emerging countries
- Regulatory risks
- HR rules
- Telecommunication rules
- IT risks
- Divorce (when a buyer changes outsourcing providers)
“Unfortunately, these risks seem to be growing,” Mandell observes.
In addition, the March survey found 52 percent of the attendees had increased the number of outsourcing service providers they had used in the last 12 months. “A growing number of service providers multiplies the problem,” he notes.
The fix so you can sleep better at night
Suzanne Leopoldi-Nichols, a 20-year shared services veteran who is currently the head of shared services at Archer Daniels Midland Company, agrees with the study’s assessment. “Managing the risks is critical for companies,” she observes. “When data breaches happen, there is an enormous amount of work to be done.”
Before joining ADM, she saw such problems firsthand. She says that from day one companies “must thoroughly understand how the provider is mitigating all these risks. You have to make certain they have excellent processes in place to reduce your company’s risk.”
On the data breach side, Leopoldi-Nichols says the best way to mitigate these risks is to monitor the service provider closely. The five basic questions to ask are:
- How does the provider protect against data breaches?
- Is the provider safely segregating your information?
- Is the provider carefully screening all its employees?
- Does the provider regularly test the system for data breaches?
- Does the provider have good data recovery?
Leopoldi-Nichols mentions two things outsourcing buyers can do to protect themselves.
Plan for divorce
Many people refer to outsourcing relationships as a marriage. To continue the analogy, Leopoldi-Nichols says every outsourcing buyer should enter into an outsourcing relationship with caution, planning from the outset for the possibility that the honeymoon phase doesn’t last.
Buyers change outsourcers for many reasons. The management teams don’t get along. The service provider did not do the work to the buyer’s specifications. The technology or the solution became outdated. Or the buyer’s economic situation changed.
Craft your contract carefully, she advises, because that is, in effect, your prenuptial agreement. She says a critical component in all outsourcing contracts is “knowing exactly how you are going to get your data back. Buyers have to understand that this is their data and they are entitled to it, even though it resides at an outsourcer.”
One buyer she knew got its data back on lined paper. “Make sure the data is in a readable format,” she says.
Years ago at another company, she witnessed the ugly scene where the incumbent HR service provider refused to return the data because it was upset about losing the company’s business. The shared services staff had to take screen shots of 8,000 employees’ records to find out which benefits each had enrolled in so they could pass that information to the new provider.
Check out the SOC reports
Leopoldi-Nichols says a careful perusal of the SOC reports is a must. “They are a telling report. They evaluate the effect of the controls at the service organization on the user entities’ financial statement assertions,” she explains. But they also shine a spotlight on all of the provider’s internal controls.
There are two SOC reports Leopoldi-Nichols suggests every organization study:
- SOC 1. There are two types. Type 1 reports describe the suitability of the design of the controls over a service provider’s system. The Type 2 report describes the operating effectiveness of the controls to achieve stated outcomes in a specified period.
- SOC 2 reports evaluate an organization’s information systems relevant to security, availability, processing integrity, confidentiality and privacy. This report also details all the testing reports.
Granted, these reports are as easy to read as War and Peace. But they are really necessary for internal peace given the risks involved.
P.S. Even though shared services executives are worried about risk, the shared services function is not going away anytime soon. A whopping 86 percent of executives in the Consero Group study found the function “has proven effective as a cost-reduction tool over the last 12 months.”
So the report is a call to service providers to start focusing on mitigating risk. Fix this!