Outsourcing can mean entrusting your hard-won customers and reputation to someone else. Can you be sure their risk management principles and processes match yours? Rosie Harrison reports.
The Arthurian legend tells of the king sending an elite band of knights to comb the world for the holy grail - a vessel of great power, able to heal and cure all ills in his kingdom. Modern business leaders have much in common with Arthur. They will often appoint a "champion" to go forth and bring the latest management initiative to the workforce in an effort to cure it of its current ills. Risk management may be in danger of going down the same path.
The latest cure all or grail seems to be the mantra "we're all risk managers now", with the underlying assumption that these managers are somehow created by installing an embedded risk management process.
Knights and champions both then and now know that it is neither that easy nor that simple. You can't just go along to your local magical emporium or software supplier and pick something off the shelf.
Our modern knights have an additional problem. Not only do they need the grail - the embedded process - but they have to make sure that everyone knows how and when to use it. Is it truly rational to expect an instant solution, some kind of technological silver bullet? My own experience is that it is not.
Having spent eight years in business risk management working with a wide variety of managers, some totally risk averse and some almost breathtakingly risk dense (they wouldn't recognise a risk if it bit them!), I can say with conviction that it is not so much the process that counts as the people who use it. I have also found, not surprisingly, that managers mainly used the embedded process at the regular review periods, when it provided documentation and compliance information. But now that we are extending the range and scope of the embedded process and linking it to change and configuration processes, we are finding that it is being used more regularly.
Some things never change. Managers will only use a tool when the benefit of using it clearly outweighs the time and effort it costs them, and the consequences of not using it are ones they actually feel.
So do I believe that an embedded process is some kind of grail that will provide a magic cure? Absolutely not! There is no substitute for hard work, competence and sustained commitment from every person in the organisation.
If the processes are to be anything more than a superficial quick fix, they need to become part and parcel of the way that managers and staff perform their day to day jobs. This could entail changing their working habits and competencies. This is not an easy option, but it is one that has beneficial effects and is worth the effort.
To make life more complicated, the modern trend towards outsourcing business services means that the managers whose risk behaviours you want to change may not be in your kingdom or following your practices.
As a major business service provider, my company runs business operations on behalf of private and public sector clients, and we believe that we have a requirement to be able to demonstrate our risk management capabilities. Not only do we have to consider our own business risks, we also have to take our clients' business risks into account. After all, their customers and their reputations are largely in our hands and we want to get it right for them - and to be able to demonstrate this to them.
How can you be sure that third party outsourcing companies are not taking unacceptable (to you, not them) risks with your reputation and your customers? Is it enough that they have embedded risk processes, risk champions and formal committees? I believe the answer is no. You need to go deeper, although how much deeper depends on the level of assurance that you want or need for your business and your shareholders.
There are things that you can look for to find out if service providers' risk processes are skin deep or really embedded into their corporate culture.
First things first
Ask about their risk management principles and practices. What does the policy statement say? How is their risk work focused and validated? Who is involved? How long have they been working in this way? Do their risk principles
If answers to these questions are satisfactory, you can go a little deeper. Are the principles supported by a robust process, and are their people competent to use the processes and apply them to your business?
The process itself needs to be adaptable to suit the needs of your business and your risks. It also needs to be integrated with the service provider's other business mechanisms such as change management, process improvement and configuration management.
As a minimum, the process should cover the following.
Risk identification
The aim here is to identify the risks that you face, and the two key words are relevance and completeness. One of the easiest ways to ensure that identified risks are relevant is to use your business objectives as a filter. The objectives could come from your balanced scorecard or corporate business plan, but they do need to be well defined.
I often encounter objectives that say things like "Produce statements each month", which is certainly not clear enough to identify relevant risks. You need to know how many statements count as success - all of them, or half? For objectives to be useful, they have to be specific, measurable, attainable, resourced and time-bound, i.e. SMART.
Clarifying objectives serves two functions. It increases the managers' awareness of your business requirements and sensitivities and it enables them to identify relevant risks. Each manager should be able to ask himself: "If this risk materialises, which of my objectives is compromised?"
Completeness can be confirmed by looking across the objectives to ensure coherence with corporate objectives.
Risk assessment
This allows you to assess the level of damage that would be sustained if the risk materialises. Are managers making the right estimates of how bad the risk will be when it materialises and of how often it could occur? Managers should be using a standard corporate-wide set of assessment scales to ensure consistency and comparability across different operational units.
Do the assessment scales take into account your organisational sensitivities or those of the service provider? Ideally you should be able to specify the categories that you want your risks assessed against. And you should be able to specify the values for the scales. After all, you may not both wish to operate at the same level of risk tolerance or risk appetite.
Risk acceptance
This is decision time. Do you live with a specific risk and its potential consequences, or do you do something about it? Who decides that a risk is too big to live with, or small enough to be accepted? Do you get consulted, or does your service provider make these decisions? At the very least you should be satisfied that the process has good rules and is consistently applied by all managers.
A key area to ask about is escalation procedures. Can an individual manager accept all your risks regardless of their potential impact on your business? Or are there delegated levels for risk acceptance, leading to escalation of the decision level to partnership relationship managers or joint boards?
Mitigation
You need to establish what should be done about unacceptable risks. Do you even know what the mitigation actions are? Are you satisfied that the mitigation actions chosen reduce the risk to an acceptable level, and that they are beneficial to your business practices?
Insurance covering financial loss does nothing for your reputation if it all goes horribly wrong. At the very least you should have enough access to the provider's risk information for your own experts to give independent assurance about the suitability of the mitigation strategies.
Implementation
So far so good. You have identified relevant risks and know which ones you need to mitigate and how you plan to do it, but good intentions are not enough. Have the planned mitigation actions actually been implemented? Competing demands on internal resources in the service provider's organisation may mean that planned mitigation actions are waiting in a queue to be developed, and you may not be aware of how long it will take for them to become operational.
At the very least you need to have some kind of delivery and sign off strategy, and you should expect to see a process for monitoring and escalation to ensure that agreed mitigation strategies are implemented within an agreed timescale.
Evidence
Finally, does the process provide you with evidence that it is being applied widely and consistently across your business processes? Will it supply you with evidence that supports your corporate governance requirements? Only you can tell.
Last but by no means least are the people who operate the process and use it to support decisions they make about delivering your business services. Are they good enough to be knights at your round table?
In my view, much of business risk management is less a pure science than a black art, because much of it depends on the subjective outlook of the individual. To some extent, training can alter individual perceptions, but there can still be problems if the service provider is a greater risk taker than your culture caters for.
Misunderstandings here can lead to charges of "negligence, cavalier attitude" coming from one side and "stuffy, risk averse, old women" from the other. And that is just the polite stuff! Creating standardised assessment scales and agreeing business objectives can bring a degree of discipline and objectivity that helps to bridge such cultural divides.
So now we know that the knights are good guys and well trained in their duties. But times change and even knightly duties need to be reviewed and benchmarked. There is still a role for the risk specialist - Merlin as adviser to the court - to ensure that best practices are cultivated and developed.
The Confederation of British Industry publishes a Guide to Outsourcing IT in association with Computacenter.
The guide provides advice on maximising the potential of outsourcing, including: