Many of us have experienced the frustration of standing in front of an ATM, or trying to access our online banking service at home, only to find that the system is down because of a serious IT outage at our bank. Worse still was the severe disruption suffered by airline passengers in recent times, stranded at airports across the world by airline IT outages that in a number of cases took days to fix. As customers, we understandably direct our frustration and disappointment at our direct provider, but in many cases the root cause of these severe service disruptions lies with 3rd party providers, often in distant geographies and time-zones, which significantly impairs our provider's ability to rapidly diagnose, fix and restore service to its customers.
Board teams across the world are increasingly realising that while outsourcing key services brings a lot of benefits in terms of cost and flexibility, there is a serious downside: the special oversight it needs and, more importantly, the ability to respond to a serious crisis impacting key services, or to a sudden realisation, after a series of ongoing crises with a particular 3rd party provider, that the capability either needs to be brought back in house or moved to another outsource provider. Outsourcing, particularly of IT services, has become a fundamental component of the business and operating model of companies and organisations. In some cases, outsourcing to a specialist 3rd party provider is the only way for an organisation to access complex technology and services to support both its own operations and those of its clients. In many cases, however, outsourcing to 3rd parties was driven by major cost reduction initiatives, and very often board teams did not fully appreciate the downside consequences: losing, for example, all of the critical expertise and deep experience of their own teams, as well as the serious consequences of a major outage in service provision and the major lack of control over restoring that service to their customers.
In reality, many board directors today do not fully understand the scale of services outsourced to third parties, the special approach the board needs to take to the oversight of these services, and the implications for crisis management and business continuity if serious problems develop within the 3rd parties. Many executives have commented to me that 3rd party services are no different from internally provided services, so they simply come under normal operations reporting to the board. Ask any executive who has recently had to stand in front of a board and explain that they are struggling to get the attention of a 3rd party provider that is prioritising other clients in restoring a critical service, and they will explain very effectively to you that there is a fundamental difference when it comes to downside scenarios!
The scale of outsourcing in today's enterprises is very well illustrated by an excellent report from the Irish Central Bank in November 2018 (Outsourcing - Findings and Issues for Discussion), which examined the critical outsourced provider dependencies of leading regulated firms in Ireland and the implications for governance, risk management and board oversight. Figure 1 below gives a very concerning insight into the extremely high level of dependency financial services firms have on outsource providers. The following commentary from the report illustrates the depth of concern around outsourcing and its oversight by board teams: "The level of board awareness and quality of governance and risk management remains far from satisfactory. Significant and proactive action is still required by boards and senior management of regulated firms across all sectors to meet minimum supervisory expectations in relation to Outsource Provider (OSP) governance arrangements and risk management controls. Strong business continuity plans which incorporate the activities of OSPs, must also be maintained and managed to ensure outsourcing by a regulated firm of any activity does not compromise that firm's resilience. Findings from the Survey and our supervisory engagements suggest that this is not the case in many regulated firms."
While the financial services sector is uniquely dependent on outsourced providers, I believe that outsourcing, particularly of IT and technology services, is embedded in the fabric of the majority of organisations, and that the level of outsourcing is only heading in one direction: upwards. Based on our board engagements, I strongly believe that the findings of this report mirror those of any similar report anywhere in the world, and that outsourcing has become a major oversight blind spot for a significant number of board teams. Many board directors I have engaged with over the years have indicated that they honestly only realised the extent of 3rd party outsourcing when something actually went wrong. Many other board directors would also honestly admit that they struggled to fully understand the ramifications of IT outsourcing because of their own lack of IT and technology expertise.
We are also starting to see an increasing number of 4th party problems, whereby a serious outage in the service a 3rd party provider delivers to an enterprise is actually caused by an outage at a 4th party to which the 3rd party has outsourced a key part of its own service. In some cases the 4th party may be a small provider that was never visible in the SLA negotiations with the main third party provider. This creates a very serious compounding problem in times of crisis, as the enterprise can struggle, and be powerless, to control the timing and prioritisation across a chain of outsource providers, each of which has multiple clients who may also be experiencing an outage.
So what are the best practices that strong board teams use to ensure that they have the proper level and approach to oversight when it comes to outsource providers?
Board Awareness and Control – ensuring the board is fully aware of the scale of outsourcing dependencies and the associated risks
Outsourcing strategy and policy – ensuring that the executive team have a clear strategy and policies in place to enable the board to understand, approve and monitor the performance of the outsourcing arrangements
Responsibility and oversight – ensuring that the executive team have a coordinated risk management approach to the responsibility for, and oversight of, outsourcing arrangements
Contractual arrangements – ensuring the board is fully briefed on, and signs off on, key contractual outsource arrangements, with appropriately robust SLAs in place and serious downside scenarios properly explained to the board prior to SLA signing
Risk assessment – ensuring the executive team implement comprehensive initial outsourcing risk assessments and ongoing periodic risk assessments
Due diligence – ensuring that the executive team conduct, and periodically refresh, appropriate due diligence, both financial and operational, in respect of third party OSPs
Assessment of criticality or importance of outsourced functions – ensuring the executive team determine and track the criticality or importance of proposed outsourcing
Monitoring and management – ensuring the executive team devote appropriate resources to suitable monitoring, management and on-site inspection arrangements relating to outsourced activities
Skills and knowledge – ensuring the executive team retain appropriate skills in house for oversight of outsourcing arrangements and/or repatriation or substitution of services, if required
Partnership with the 3rd party provider – ensuring the executive team have built, and continue to nurture, a genuine partnership at both senior and operational levels with the 3rd party provider, which would be critical in a crisis scenario
Business Continuity Management
Business continuity testing – ensuring the board is fully aware of the structures in place to test and periodically re-test business continuity arrangements
Follow-up on business continuity deficiencies – ensuring that the executive team follow up and address key issues identified in business continuity testing
Exit strategies – ensuring the executive team devise, document and test effective 'exit strategies' or repatriation contingency plans
Flag serious outsourcing issues early – given the additional complexity of a serious crisis involving 3rd parties (and potential 4th parties), ensuring that the executive team flag serious issues to the board early
Outsourcing is a fundamental component of many enterprises and organisations today, particularly in the IT area. Levels of outsourcing continue to increase across all sectors, and with that come additional challenges for executive and board teams in overseeing the outsourced function and relationship: from initial negotiations and due diligence, to SLA signing, right through to handling a serious crisis and, in some extreme cases, the enterprise having to take the radical step of either moving the service back in-house or switching to another service provider. There are plenty of cases of high-quality outsource partnerships with high-quality oversight and monitoring and strong, well-thought-out SLAs, underpinned by a proven ability of the outsourced provider to handle unforeseen crises.
There is, however, an alarming increase in the number of board teams left flat-footed by a serious outage impacting customers that is caused by an external 3rd party over which the enterprise has very little control. Shareholders and stakeholders have entrusted a critical oversight responsibility to boards, and from their vantage point, and importantly from the vantage point of customers, blaming a 3rd party provider, either directly or indirectly, for a serious outage or degradation of service, whether external to customers or internal, rings very hollow as an excuse for a poor level of oversight by the board!