By Werner Verlinden, CIRM, FBCI.
Cost reduction is a key business consideration in these difficult economic times and it is one of the key reasons (1) why outsourcing is being pursued. This makes it a good moment to have a look at outsourcing from a business continuity management perspective; because as well as the potential major business benefits, outsourcing also brings significant risks to continuity of business.
Definition of outsourcing (2):
Outsourcing is about the transfer of the management and/or day-to-day execution of an entire business function to an outsourcing provider (OP), whereby the outsourcing organization (OO) and OP enter into a contractual agreement that defines the transferred services. Under the agreement the OP often acquires the means of production in the form of a transfer of people, assets and other resources from the outsourcing organization; which agrees to procure the services from the OP for the term of the contract.
Looking at BS25999-2:2007, the specification (clause number garbled in the source) states:
“Top management shall appoint or nominate a person with appropriate seniority and authority to be accountable for BCM policy and implementation.”
Based on this specification, it seems clear that the business continuity manager should be involved in any outsourcing project, since it represents a significant change in the way business is conducted. In reality, however, this is not always the case.
Outsourcing as a practice is surrounded by good practices, standards, principles and regulatory requirements (especially in the banking environment (3)). Depending on which regulatory requirements are consulted, one or more of the following example specifications can be found:
* Outsourcing must be based on a written contract (3).
* The outsourcing organization must have an outsourcing policy covering procedures and continuous follow-up of the risks involved in outsourcing (4).
* In outsourcing one must include the establishment of ongoing and effective business continuity and information security monitoring programs (5).
So, hopefully, the OOs that do not involve their business continuity managers up front in the outsourcing project at least have an adequate outsourcing contract template in place. Once more, in reality this is often not the case, or the OP may even impose its own outsourcing contract.
In either case, the following items should be addressed:
* Definitions: as business continuity professionals we should ensure that the contractual definitions regarding business continuity management are those used in the BCM standards we adhere to (e.g. BS25999-2:2007, SS540:2008, NFPA1600:2007, etc.). Reality shows that there is often room for confusion (e.g. the meaning of incident management as used in ITIL is not at all the same as what is meant in BS25999-2, where an incident is considered to be a major operational disruption).
* Lifecycle: outsourcing contracts typically span multiple years (five to ten are not unusual!), hence a management system approach should be put in place. It does not really matter whether this is the six-step lifecycle from BS25999-1 or the Plan-Do-Check-Act model found in ISO standards; the key is that business continuity management is appropriately addressed for the entire term of the contract.
The outsourcing project will also go through a number of phases (pre-outsourcing, transition, outsourcing and post-outsourcing). During all of these phases clear agreements need to be made about roles and responsibilities, so that optimal service provision can take place and continuity can be guaranteed.
* Liability: OPs will typically, for obvious reasons, try to limit their liability. This could be tied to a fixed financial amount, to the level of service fees paid, or to any other limiting condition for that matter.
* Terms and conditions: outsourcing contracts typically contain a clause for service non-performance or force majeure. When analyzing the definitions of force majeure we often find that situations like fire, flood, explosion, social events, etc. are included as part of the definition. As business continuity professionals we find this obviously unacceptable; one of the key reasons to set up a business continuity management system is to build a response and recovery capability that is able to handle exactly such major operational disruptions.
Another observation is that OOs do not yet systematically take advantage of the (auditable) business continuity standards that are available. Rather than referring to the business continuity standard of choice and imposing a certification process on the OP, OOs try to describe what the OP should be doing with regard to business continuity management (e.g. plans that need to be written, tests that must be executed, etc.).
* Subcontracting: the OO is obviously keen to access vital skills and a pool of experts within the OP’s organization. Nevertheless, it does happen that the OP subcontracts specific pieces of the outsourcing contract. The OO must be aware of this potential situation and should take appropriate measures so that the OO’s interests are preserved. Similarly, the regulator may want to exercise audit rights over the OP’s environment and over that of subcontracted parties.
* Incident management (and here we clearly assume the BCM definition): outsourcing providers often deal with very complex technical solutions and, by design, build significant resilience and redundancy into the solutions offered. However, precisely because of the attention paid to prevention, the response and recovery measures of the OP are often found not to be of the same quality as the OO’s.
The above list of items is obviously not exhaustive, but it does address some significant strategic issues around contractual risk in outsourcing.
It should be noted that a strategic check of the outsourcing contract for BCM considerations is just a first step. This should be followed by a tactical and operational check, during which the outsourcing contract with all its schedules/appendices needs to be verified in detail.
Based on the above, it can be concluded that involving the business continuity manager in an outsourcing project is highly recommended. Risk management and continuity of services are clearly within his/her domain of responsibility. In the end, the responsibility for services (and their availability/continuity) remains with the outsourcing organization, regardless of whether these are outsourced or not (6).
Werner Verlinden, CIRM, FBCI, principal consultant BCM and director, Ascure.
Ascure is a qualified and independent operational risk management services provider, specialized in consultancy, training and staffing. Operational risk management, information security and business continuity are major cornerstones of Ascure’s services. Ascure provides education and awareness, through the Ascure Academy and BCM Academy.
More information about Ascure’s services can be found at www.ascure.com, and you can see the company at stand 41 of the BC World Conference in London on 11th and 12th November 2009.
(1) European Central Bank, 2004: 89% of questioned banks mention cost saving as a reason for outsourcing.
(2) Wikipedia, http://en.wikipedia.org/wiki/outsourcing
(3) The Joint Forum, Outsourcing in Financial Services, Feb. 2005.
(4) DNB, Regeling Uitbesteding Verzekeraars, 2004.
(5) FFIEC, Outsourcing Technology Services Booklet, June 2004.
(6) CEBS, Guidelines on Outsourcing, Dec. 2006, Guideline 3.
Date: 6th November 2009. Region: World. Type: Article. Topic: BC general.