Do outsourcers protect the continuity of YOUR business?

Some thoughts on outsourcing risk management, by Colin Roe, MBCI.

In this financially unstable credit crunched period that we are experiencing, the protection of your most critical functions has never been more important.

All organizations strive to be cost effective and always look for opportunities to save money whilst maintaining or improving the levels of service. A widely used component to expedite a cost effective solution is to outsource some or all of your critical functions to a medium to large service company either within the same country or via offshore partners.

In my experience, a fundamental concern lies with the due diligence performed (or not) both by the prospective outsourcer when determining the viability of taking on that service, but also by the organization inviting the tender for the required managed service.

The prospective outsourcer, by definition, a service company, would, no doubt, perform a full and appropriate risk assessment and due diligence exercise to ensure they are not risking their business in managing yours whilst making a profit from managing your services.

However, a lot of the detail of how the outsourcer proposes to manage your service is returned to you in nothing more than the statutory response document stating the prospective outsourcers’ intentions and how it expects to manage your requirements going forward with a cost effective solution whilst improving your service and its availability.

Fair enough, this may instil a certain amount of confidence, but remember this is about the continuity of your business and your livelihood. How robust will you be in ensuring that you and your outsourcer can maintain availability of your critical services, whether they are hosted on your premises or the outsourcers, and if necessary recover those services enabling you to maintain and continue your business?

Let us assume you are now outsourced and your outsourcer has allayed your concerns by formulating business continuity and ITSC plans and you are now embarking on an exercise schedule to prove your critical systems (and people) are available within your recovery time objectives.

That’s great, but how many outsourcers perform exercising of customer business continuity plans in conjunction with their own corporate plans? For instance, do you have assurance and evidence that your outsourcer has the ability to recover multiple clients should they experience a disaster at one of its hosting sites!

And, as we delve deeper, a number of outsourcers may contract support requirements to offshore partners. The partner business continuity plans require exercising too. If a catastrophe occurred and the partner became unavailable would your outsourcer be in a position to revert those offshore services back to onshore support? (Bearing in mind the initial objective of moving support offshore is to save money and onshore headcount!) Would there be sufficient onshore support available to cope?

Your outsourcer may provide continuity of service integral to the managed service or the service may be negotiated separately. Either way, you should be proactive in ensuring your outsourcer applies all aspects of the business continuity management life-cycle in protecting your business from interruption or disruption.

An outsourced managed service can be a valuable cost effective asset in ensuring your services are available when they are required and are recovered successfully should they fail. However, be careful that complacency does not set in by assuming the outsourcer has all your bases covered.

They may not and it may only come to light when it is too late.

Some outsourcers procrastinate on their service provision and corporate business continuity but in reality can you really be sure that they practice what they preach without physically auditing those plans and exercise results?

For the protection and continuance of your business it is imperative you conduct appropriate due diligence and if necessary seek independent impartial advice and guidance prior to taking the outsourcing route.

Remember, it is still YOUR business!

My suggestions for successful outsourcing are:

* Due diligence and risk assessment on both sides prior to the contract;
* Ensure your prospective outsourcer conforms to the controls of BS 25999 or better still are certified (or are progressing) to that standard;
* Engage a Business Continuity Institute accredited consultant to oversee your relationship if you do not have a full time business continuity manager;
* Ensure you audit your outsourcers BCM Plans including incident and crisis management and appropriate 3rd party business / IT continuity plans;
* Demand to see your outsourcer’s business continuity and disaster recovery exercise results;
* Ensure you regularly exercise your business and IT service continuity plans with your outsourcer and include their own corporate plans in the exercising schedule.

Author:
Colin Roe, MBCI
Independent Consultant
TRaP5 Business Continuity Management
www.trap5bcm.eu
colin.roe@trap5bcm.eu

•Date: 12th Dec 2008• Region:UK/World •Type: Article •Topic: BC general
Rate this article or make a comment - click here