Outsourcing, Due Diligence and Dependencies

Outsourcing, Due Diligence and Dependencies

 

Outsourcing is, for many organisations, the only way to access some services. Nowadays businesses simply cannot be so integrated that they can do everything themselves. There is a reasonable assumption that some outsourced service providers (OSPs) are best in class and the experts in their fields but…

If any of your key business objectives or any of your customer obligations depend on an outsourced provider, you will need to be as familiar with aspects of that provider as you are with your own organisation.

Some years ago, we were engaged to conduct a risk assessment on a client’s business continuity arrangements. As part of the assessment they looked at their primary customer service objective; they realised that ‘what mattered’ most was availability. Internally, they were well prepared for the risks identified and had, for the most part, credible plans in place to protect their business objectives in the event of any of the envisaged failures.

However, their service depended on a banking system that was externally hosted in a data centre. Their customers utilised the system’s online portals to buy goods and services such as airline tickets, health and general insurance, groceries and also, among other things, to gamble. Successful completion of those transactions depended on the availability of our client’s process. Therefore, communication with the hosting data centre was critical.

Our client had developed a recognised dependency on (and a very good relationship with) the hosting service provider. They had written a four-second response time objective into the service level agreements coupled with a Six Sigma uptime clause and, for three years, performance was satisfactory. During that time not only did our client’s business grow significantly but their dependency on the outsourced provider had grown in parallel.

The business continuity due diligence risk assessment that we conducted on their OSP showed them to be an excellent risk through all of its key aspects until we got to this question:

Their ‘Don’t Know’ answer set off alarm bells within the OSP’s technical community.  The data centre was using two key telecom service providers and our question provoked an internal discussion about the fibre route maps of the connectivity providers in and out of their facility. They had discovered a single point of failure. The different fibre trunks ran within a foot of one another for almost fifty metres underground near the building’s carpark, meaning the backup resilience of their connectivity was compromised and they risked a total service failure from a single ‘Black Swan’ event.

The data centre and its telecoms providers worked quickly to mitigate the risk and reroute the cable ducting to re-establish the standard separation required. But our client, though appreciative of the immediate rectification and the speedy response to the identified risk, made the strategic decision to second-source. They added another data centre to their network and in doing so built resilience into the whole of their business process. While this decision resulted in additional cost, it facilitated further growth and represented their coming to a serious understanding of outsource or third-party dependency risk.

You cannot be naive about the risk outsourced service providers represent to your business. You will always retain the responsibility for any consequences of their failings. Continuous monitoring of your providers is extremely important; keep in touch, understand how they are doing, monitor the detail of your service level agreements. You can do this by measuring KPIs and / or KRI’s, or by any other method that will allow you to understand the level of your exposure. The point is not to worry unnecessarily but it is to be as prepared as possible for a potentially disruptive event – a withdrawal from a market; a major price change; a service interruption; an industrial relations issues; a change in ownership; reduced flexibility; or the ever-increasing risk of skill shortage.

One of the great indicators is how well prepared your key providers are for a business disruption event… Do you know?

For details on how CalQRisk can benefit your organisation, contact us today.

Recent News

CalQRisk Shortlisted as Best Technology Partner in Housing Digital Innovation Awards

CalQRisk has been named a finalist in the Housing Digital Digital Innovation awards. CalQRisk is nominated as best ...
Read More

CalQRisk Achieves G-Cloud 14 Approved Supplier Status

Delighted to confirm that following on from our GCloud 13 supplier status, that CalQRisk has been listed as ...
Read More

CalQRisk named as Finalist for Cyber Security Provider of the Year at the Cyber Insurance Awards Europe

CalQRisk are thrilled to be finalists for the Cyber Security Solution Provider of the Year at the Cyber ...
Read More

Volunteer Succession Planning – ‘Tomorrow’ has arrived.

Strong succession planning is critical for the viability of all businesses but can be particularly challenging for volunteer-led ...
Read More

What is CSRD?

The Corporate Sustainability Reporting Directive (CSRD) is a framework for non-financial reporting which is mandatory for large companies ...
Read More

CalQRisk Triumphs at the 2024 FS Awards, Winning Compliance and RegTech Award

At a distinguished ceremony held at the iconic Mansion House, CalQRisk emerged as the proud recipient of the ...
Read More

NoFrixion Selects CalQRisk for its DORA Compliance Efforts

NoFrixion, the Embedded Banking company based in Dublin, Ireland, has announced its partnership with CalQRisk to ensure compliance ...
Read More

CalQRisk is a finalist in the FS Awards

CalQRisk has been named as a finalist in the competitive and prestigious FS Awards for the Compliance and ...
Read More

CalQRisk Customer Support Manager wins Rising Star at Irish Early Career Awards 2024

Congratulations to our Customer Support Manager, Eimear Farrell, who was named as a Rising Star in the Fintech ...
Read More

CalQRisk wins Pitch Competition at ESCO Cyber Solution Days Event, Kilkenny, September 2024

The Cyber Ireland (CI) CISO Forum and ESCO Cyber Solution Days event took place in the Lyrath Hotel, ...
Read More