Due diligence is essential when choosing an outsourcing partner, says Sean Holohan

The British Airways catering dispute throws a stark light on the issues companies can face from outsourcing. In this case, thousands of airline passengers have had to forego their in-flight meals, stock up in restaurants at terminals, or bring the Tupperware sandwich box.

In truth, few flyers may look forward to their in-flight meal, but the end results for British Airways are more significant: damage to reputation, question marks over its management and a bigger public relations bill than usual.

This situation should prompt every company that engages in outsourcing to examine what lessons can be learned and whether their relationships are as secure as they would hope.

Good relationships are not hard to find in my experience. The key issue, when deciding to outsource, is not just to focus on the ability of the supplier to do the job within budget, but also to conduct effective due diligence. Moreover, this due diligence process should be revisited on a regular basis, to ensure that standards have not slipped.

Sadly, most companies fail to perform this latter function. In so doing they eschew the essential, three-fold process of supplier audit:

- researching the supplier's background and reputation
- enquiring how it screens and trains its workforce
- considering the provider's controls, especially its ability to monitor access to electronic information.


Reputation

Ultimately a firm needs to know it is choosing an outsourcing provider that is financially stable and has a coherent strategy to remain so. Research should focus on its financial performance, strategy, geographic or product line expansion, management changes, legal or regulatory threats that may affect its business viability and market views on the supplier in question.

A thorough researcher will also obtain research reports on the state of the company and the sector it operates in from organisations such as Datamonitor, and from the house broker or other investment analysts. It is also worth noting that IT consulting firms, such as Gartner and Forrester, may also have covered the company in recent research.

The firm should then employ this information to help develop a risk profile of a supplier and to plan its strategy for examination.

Risks from employees

The first step of the auditing process is to ask the outsourcing provider a series of direct questions about its employees and its employment policies.

What measures does the provider take to screen its workforce? What training is given to the workers in understanding the importance of confidential data?

As with most things, prevention is better than cure. Extra effort spent in preventing dishonest workers from coming through the doors of your company will be well spent.

Risks to information

The misappropriation of personal data by an Indian call centre employee, according to recent allegations by British newspapers, showed the potential for information security breaches. If a firm wishes to avoid the attendant damage to reputation and customer confidence that follows such situations it should focus its due diligence on the outsourcing provider's systems.

The crux is to map an outsourcing provider's internal controls. This is an essential element of the corporate governance system of a company and its subsidiaries, and plays a key role in identifying, curtailing and managing risks that are significant for the company. Properly established and managed, controls should minimise the possibility of poor decision making, human error and fraud.

The potential supplier should be asked these questions:

- what controls are in place to ensure the security of confidential information?
- what measures are taken to test those controls on a regular basis?
- what procedures are in place to deal with suspected wrongful access and misuse of confidential client data?
- how is access to electronic information monitored and tracked (is there an adequate audit trail)?
- what does the track record look like? - have there been any incidences of theft of client data?


Japanese lessons

These due diligence processes should significantly reduce the likelihood of the risks normally associated with suppliers. That they should be successful should not come as any great surprise to business risk specialists, nor indeed to anyone with an eye on Japanese business culture.

Japanese thinking about supply chain management broadly states that before any company takes on a new supplier to provide just-in-time goods or services, it will audit that supplier to make sure it can deliver as promised. The simple rationale is that if the supplier fails, then so does the company.

Outsourcing is an essential component of the business process. In our experience of providing outsourced internal audit and business risk services, an effective outsourcing arrangement can work well. It can save a business time and effort and, most importantly, it can allow a company to focus on what it does best.

If businesses were to take more responsibility, it can be said with confidence that less highly confidential information would be likely to go astray, the risk of messy industrial disputes should be reduced and risks would be categorised according to their intrinsic relevance, and not according to newspaper headlines.

- Sean Holohan is director, business risk, Protiviti www.protiviti.com