What measures should you take to ensure
that outsourcing business functions does not put your business continuity
at risk?
By David Honour, editor, Continuity Central.
Outsourcing is seen by many organisations as
an effective way of passing responsibility for non-core business
functions to third party specialists. Facilities management and
IT related functions are often prime candidates for outsourcing;
for many companies these are non-core activities - they are not
key revenue generating areas. The mistake that some companies make
is in equating ‘non-core’ with ‘not-critical’.
In outsourcing non-core activities you may still be handing over
responsibility for mission-critical activities to third parties.
Outsourcing does not absolve you from the responsibility
for managing all your mission critical risks. However, it can make
it more complex. So, what measures can you take to ensure that your
outsourcer will assure the continuity of your outsourced function?
The first vital element in protecting the mission
critical assets managed by your outsourcer is the contract agreed
between the two parties. The majority of outsourcing contracts will
include a business continuity clause, but it is vital that this
is not just a ‘box-ticking’ exercise. The contract must
deal with specifics, not generalities, and this will not be a quick
process. As in all things relating to business continuity, you need
to go back to the risk assessment and business impact analysis.
You will be aware, from having conducted these, of the critical
risks which could impact upon the business function that you are
outsourcing. For each of these the contract must ensure that the
outsourcer is aware of the nature of the risk and agrees to take
responsibility for managing it. The contract must also specify what
mitigation steps will be taken. Recovery time objectives should
be built into the contract, with provisions for legal liability
should the RTO not be achieved.
Outsourcing contracts tend to be long term;
therefore, over the contract period, the risk profile of the outsourced
business function is likely to change. This must be taken into account
in the contract. Periodic risk assessments and BIAs need to be conducted
and the responsibility for handling these needs to be made clear.
Will the outsourcer manage these or will your company? If new risk
controls are required who will implement and pay for these? Who
will take the decision to stand down risk control measures that
have become defunct and are no longer needed?
At this stage in the contract writing process
you may find the outsourcer starting to lose interest in winning
your business! However, this is not the time to compromise –
it is vital that your mission critical risks are fully protected
and if the outsourcer is unable to guarantee this in the contract
then you are talking to the wrong company.
It is also important that you are dealing with
an outsourcer that is prepared to be transparent in terms of the
business continuity provision for their own mission critical risks.
Have they a fully documented, adequately resourced and frequently
tested business continuity plan? If so, you would be wise to conduct
a comprehensive audit of this. If they decline this request for
reasons of ‘company confidentiality’ you really must
consider refusing to work with this company. Your company’s
survival is more important than another’s confidential information.
If the trust is not there to allow this vital audit, is the outsourcer
really a suitable partner to be working with?
After crossing every t and dotting every i
on how your mission critical risks will be protected by the
outsourcer, the next step is to cover your own back! Despite the
contract, the outsourcer could fail to manage your critical risks
in a crisis. You need a contingency plan for this outcome. You will
have to pick up the pieces to ensure your company’s continuity.
How will you do that? Who will you call upon? Are there any additional
third party recovery contracts that you need to put in place?
All the above is unlikely to make you popular
with your contracts and legal departments and will probably add
costs to your outsourcing agreement. But to fail to address
these issues is to fail to protect your organisation – you
are putting the continuity of your business into someone else’s
hands.

•Date: 28th March 2003 •Region: Worldwide •Type: Article •Topic: BC general