Managing Outsourcing and Offshoring Risk

In the last issue of The Bulletin, we noted that audit committees should make it a point on their 2009 agendas to understand how outsourced/offshored operations are being managed. This issue of The Bulletin explores the advantages, disadvantages and risks associated with outsourcing and offshoring, and how those risks can be managed when decisions are made to outsource and/or offshore business activities.

As companies focus on managing their operations in a difficult economic environment, they seek to become leaner and more focused, efficient and effective. Over the last decade, many international companies have offshored work to other countries with a view toward achieving these objectives.

Some have set up captive subsidiaries, while others leverage third-party outsourcing service providers.

According to research firm Gartner, Inc., the entire outsourcing market is projected to grow at an 8 percent clip year over year through 2012. While the growth rate for business process outsourcing (BPO) may be slowing (approximately 4 percent to 6 percent growth), IT outsourcing is expected to hold steady through 2012 at a level of about 7 percent. Therefore, the prevalence of outsourcing – particularly offshoring and BPO – is expected to continue.

These activities are not without risk. Outsourcing requires investment, contractual obligations in new geographical locations and structural changes across the outsourcing entity.

When outsourced functions and processes have financial reporting implications, public reporting risks may arise. When operational processes are outsourced and/or offshored, customer satisfaction and product failure risks may exist. This was illustrated by the 2007 product recalls of Chinese-made toys because of lead paint hazards and tiny magnets that could be swallowed. In addition, as the Satyam scandal continues to unfold and the eventual impact of the fraud on the Indian company’s operations remains in question, attention has been drawn to the importance of an outsourcing provider’s reputation and reliability. Notwithstanding the risks, the cost advantages are hard for companies to ignore.

What Are Outsourcing and Offshoring, and How Do They Differ?

Outsourcing is subcontracting a process, such as product design or manufacturing, to a third-party company. The decision to outsource is often made in the interest of reducing firm costs, redirecting focus on the competencies of a particular business, or making more efficient use of HR, IT and other resources. Indeed, many BPO organizations optimize processes to realize world-class efficiencies, which can provide a compelling value proposition for companies to consider. Therefore, it is not surprising that outsourcing has become a generally accepted management tool for redefining and re-energizing the corporation. The availability of the outsourcing option challenges executives to rethink the traditional vertically integrated firm in favor of a more flexible organization structured around core competencies and long-term external relationships.

By contrast, offshoring describes a company’s decision to relocate a business process from one country to the same or another company in another country – typically an operational process, such as manufacturing, or a supporting process, such as accounting. Offshoring is often discussed in the context of either production offshoring or services offshoring. The economic justification is usually to reduce costs through lower labor costs.

Due to the increased globalization of outsourcing companies, outsourcing and offshoring are sometimes used interchangeably even though they are different activities. Outsourcing involves contracting with a supplier, which may or may not involve offshoring. And offshoring is the transfer of an organizational function to another country, regardless of whether the work is outsourced or stays within the same company.

What Drives Decisions to Outsource/Offshore?

Companies outsource for many reasons: to reduce internal head count, resolve the inability of existing capacity to meet increasing demand, address substandard internal performance and improve the strategic sourcing process. There may be other pragmatic reasons as well. Required resources may not be available internally, or the organization may desire to free up resources for other purposes. A particular function may be difficult to manage internally. Or the outsourcing company desires to gain access to world-class capabilities and/or share risks with an entity more capable of managing them.

As noted earlier, offshoring decisions are often driven by cost advantages through reduced operating and infrastructure costs, particularly in the IT and business process areas. The cost savings from offshore outsourcing increase with the extent of activities outsourced, the percentage of work performed offshore and the duration of the outsourcing contract.

The benefits of outsourcing and offshoring are dependent upon the nature of the organization, its specific situation and the activities it wishes to address. Traditionally, the benefits have been about realizing lower costs due to economies of scale, enabling internal resources to concentrate on core activities that are fundamental to the execution of the business model, and gaining access to talent.
Over time, however, benefits have become more targeted and strategic. For example, information-processing outsourcing enables companies to streamline their internal processes, reduce the ongoing investment required in internal infrastructure, and optimize their revenue streams from business conducted using electronic media, such as Internet technology. From a supply-chain standpoint, strategic sourcing may provide higher-quality service, improved security, better continuity and other specific supplier benefits. In addition, outsourcing may help a company streamline the processes of its HR function and better control legal risks.

In today’s tough economic environment, the dialogue about outsourcing and offshoring may be shifting. Rather than evaluating whether to outsource and/or offshore, managers may have to justify work they are doing internally that could be done better, faster and at less cost outside of the organization and/or possibly in another country. As companies focus on rightsizing their operations, they need to ensure that the differentiating capabilities emphasized by their corporate strategy are the right ones and the infrastructure and processes delivering those capabilities are best-in-class. If they don’t, they may not survive.

As companies focus on their strategy and market positioning during tough economic times, noncore activities are likely to receive short shrift. Because conventional wisdom suggests it is impossible to be best-in-class in everything, many noncore activities may become candidates for outsourcing and offshoring. That is why, in a highly competitive environment, organizations may continue to consider outsourcing and/or offshoring of noncore activities by engaging specialized providers who are best-in-class at what they do.

Risks of Outsourcing/Offshoring

Though outsourcing has proven to be an effective management tool, it does bring significant risks that must be recognized and managed. If not properly managed, outsourced functions may adversely affect operations. Customers, regulators and other stakeholders may be indifferent as to whether functions are outsourced. The ultimate responsibility to protect the company’s brand and reputation lies with management. Thus, the processes for manufacturing products or delivering services can be outsourced, but the risks to brand and reputation cannot.

Some of the more specific risks include:

  • Competitor risk – Because offshoring is often enabled by the transfer of valuable intellectual property and other information to another country, it can create unwanted competition. For example, over the past 20 years, American automakers increasingly turned to China to create vehicle parts. By 2006, China leveraged this know-how and announced it would compete with American automakers by selling Chinese-manufactured automobiles in the U.S. market. When a company offshores the production of goods and services to another country, the investment it would otherwise make in the domestic market is transferred to the foreign market. That practice can backfire. Therefore, it is important that the outsourcing/offshoring decision be considered carefully with respect to the long-term impact it might have on the company’s source of competitive advantage.
  • Risk of delays – On-time delivery performance and customer satisfaction levels can decline because of delays in the supply chain. This risk can be severely aggravated as a product/service is outsourced. According to a recent survey by InformationWeek, 58 percent of respondents indicated their Indian service providers fell short of expectations in delivering projects quickly. Delays can be caused by many factors outside the outsourcing company’s control, such as port/customs delays and delays caused by labor disputes, weather and political unrest. The lack of scalability of a country’s infrastructure and the existence of regulatory requirements can also create delays. As lead-time and variability increase and overall confidence deteriorates, the outsourcing/offshoring company may be forced to compensate with higher stock levels and other costly buffers.
  • Performance risk – In addition to the risk of delays, companies may lose control and visibility across their extended supply chain. An outsourcing arrangement can result in a loss of flexibility in reacting to changing business conditions. For example, if a provider is affected by a terrorism-related delay or interruption, or if there is uncertainty resulting from a pandemic outbreak at an offshored location, the outsourcing/offshoring company may be unable to take corrective action as quickly as it would like. In addition, according to InformationWeek, time zone issues and cultural and dialect differences are creating difficulties in communication with customers.
  • Financial viability risk – Providers may not be financially viable, thereby exposing the customer to supply interruption risk. For example, the provider may be exposed if a dominant customer were to withdraw its outsourcing business. Also, the outsourcing arrangement itself may not be financially sound because of hidden costs and risks; for example, costs driven by legal issues related to negotiating a contract and management time required to oversee and coordinate the relationship, iron out contractual misunderstandings, and resolve problems during contract renewal. As important as financial viability is, it is sometimes overlooked.
  • Transition risk – The outsourcing transition phase may also fail if schedules and budgets are not achieved due to insufficient planning and/or resources. For example, an IT outsourcing project requires the same discipline and planning as a well-run, large-scale systems implementation. If outsourcing is a replacement of production or service functions, it may have a direct bearing on the company’s ability to meet its commitments to customers and shareholders. Therefore, discipline and planning are important.
  • Security and confidentiality risk – If a company is outsourcing processes like payroll, medical transcriptions or other confidential information, it must choose with care the processes it wants to outsource and to which provider.
  • Political and reputation risk – Offshoring has been a controversial issue spurring heated debates among economists, politicians and policymakers over who wins and who loses when companies offshore functions and processes. Political opponents of offshoring often argue that jobs in developed countries lost to outsourcing are being replaced by jobs that are lower in quality and pay. Whether or not this argument has merit, companies choosing to offshore to a significant extent are exposed to the public relations aspects of this ongoing debate.

The message is clear. Companies must carefully select, qualify, contract with and manage their outsourcing partners to ensure both product and service quality are enhanced, or at least do not deteriorate. Adequate transition periods and/or parallel production processes, as well as effective cross-training between companies, help manage the risks. However, these critical aspects are often neglected because of an emphasis on cost savings.

The Decision-Making and Risk Management Process

When determining what should be outsourced and/or offshored, companies often consider their core competencies, the quality of the product or service to be outsourced, a comparative analysis of internal costs and external costs, and the need for specialized capabilities. The nature of this decision is strategic rather than tactical. It is our experience that executive management often views outsourcing as a means to achieve strategic objectives, such as increasing capacity to support market share expansion or to manage risks associated with constrained capacity.

That said, cost is almost always a major consideration in making the decision to outsource. It is common to find that the total costs of the targeted outsourced functions are not well understood. Many companies struggle to identify the actual tasks performed by the functions being outsourced. These unknowns may affect the cost of the outsourcing or the level of satisfaction with the end product or service. They may also have an impact on the enterprise’s total costs, which are affected by the functional interdependencies that can drive costs indirectly related to the outsourced function if the interdependencies are not understood and managed. Therefore, the outsourcing quantitative analysis should be inclusive of all costs.

After addressing the “what” and the costs of outsourcing, management must select the country to which to outsource or offshore and, if a third-party vendor is to be used, determine which one. There also are risks to consider, so companies should adopt a thorough risk analysis process. This is typically a point-in-time assessment performed either before provider selection or as a periodic reassessment of a provider’s risk profile. Risk analysis is a process by which potential or current providers are compared to a set of risk criteria established by the outsourcing company. As potential providers are filtered through the criteria, a risk ranking of providers is developed. Criteria may include criticality of the product or service, high dollar/transaction volume, reliability of past provider performance and provider financial wherewithal.

By identifying outsourcing contracts of the highest risk and importance, companies can segment the various contracts into risk categories and manage them accordingly. For example, if the best provider is rated as high-risk, management is aware of the factors driving that rating and can deploy appropriate strategies. High-risk contracts should be set on a more continuous review cycle because they provide a mission-critical product or service or have a high dollar or transaction volume. Medium-risk contracts might be actively monitored and reviewed on a frequent but not continuous basis (e.g., quarterly). As for low-risk contracts, a set of metrics might be tracked, triggering a review only if deviations to contracted service levels occur.

As an ongoing process, management of outsourcing risks consists of three key elements: provider management, the service level agreement (SLA) and billing accuracy. Provider management keeps track of the statistics or historical performance of the outsourcing relationship over time. These statistics are continually monitored to improve the performance of the relationship for both the outsourcer and the outsource provider. The SLA provides the context for provider management by establishing the metrics for evaluating performance and stating the requirements of both parties. The SLA should be reviewed and updated periodically, as defined in the contract terms. Billing accuracy is a separate concern because many issues with outsourcing revolve around billing. Accordingly, the outsourcing party must continually review billings to ensure compliance with the contract terms.

Managing Project Risk

Project planning and management are critical disciplines that enable successful outsourcing initiatives. While PERT or Gantt charts and critical-path analyses are important tools for completing work on time and on budget, so too is the effective use of personnel who possess the appropriate project and risk management skills and experience.

Members of outsourcing teams should have specific knowledge regarding the outsourced product or function, as well as an understanding of the relevant business objectives. In addition, they must be able to assess what could go wrong and put the appropriate sourcing, risk mitigation and contingency plans in place to handle those scenarios.

Once risk management strategies are in place, control mechanisms are implemented and monitored to ensure strategies are followed. Feedback from monitoring activities helps identify opportunities to improve risk management capabilities. In summary, effective project risk management can help to predict – and prevent – major implementation problems from occurring.

Managing Provider Selection Risk

One of the easiest management actions to put into practice is a rigorous selection process. The primary attributes of this process include identifying best providers, using a comprehensive RFP/RFQ process facilitating a meaningful comparative analysis, evaluating provider financial viability, performing a technical evaluation to understand vendor expertise in delivering similar services to other companies, and assessing country/third-party risk. Reputation and integrity should be considered a prerequisite when identifying the best providers.

Managing Contracting and Negotiation Risk

Use of a contracting and negotiation plan is a best practice that helps organizations consistently develop and negotiate sound, competitive and enforceable deals. It enables the outsourcing team to prepare for the contracting and negotiation process. Price and total cost are typically major factors in any negotiation plan; however, the planning process also can identify, document and address other key objectives on a proactive basis.

For example, other objectives might include (1) defining and documenting a clear and precise understanding of management’s expectations of the outsource provider (such as product specifications and performance standards and SLAs); (2) discussing and confirming the contract terms and conditions the company needs to negotiate to govern provider performance; and (3) reconciling any key exceptions noted in the potential provider’s response to the RFP/RFQ. Other key considerations include regulatory, privacy, IT and security requirements, intellectual property protection, and various transition requirements and provisions.

The contracting and negotiation plan should leverage documentation and information from the analysis phases and related activities in the outsourcing process that the outsourcing team has worked through to this point in the process. With the benefit of a comprehensive, overall contract plan and a well-defined and agreed-upon negotiation plan preapproved by the appropriate executives and/or stakeholders, the outsourcing project team will be prepared and empowered to negotiate and agree on the contract within preapproved parameters. Bottom line: All members of the team must be clear as to what is negotiable and what is not.

Managing Transition and Start-up Risk

One of the most critical phases in outsourcing, the transition process, is the point when dialogue and direct responsibility shift from the deal-makers to the operators. Thus, it is a time when issues – such as employee resistance – that have not been anticipated or contractually addressed may surface for the first time. These issues may cause business disruption as well as an unhealthy animosity between the parties. Building transition requirements and provisions into the outsourcing agreement can greatly ease this transition process and put the appropriate focus and expectations on this aspect of the arrangement.

Effective communication and change management plans should target specific audiences through the proper communication channels, with tailored messages and appropriate timing. The change process should address compensation and incentive plans during the interim transitional period.

The problem escalation process is an important component of the outsourcing implementation process and, often, a source of ineffectiveness. The change management plan should address roles, responsibilities, resource needs and training requirements, among other things. All of these elements must be present to minimize inevitable resistance and begin outsourcing effectively.

Managing Performance Risk

Three critical areas for successful outsourcing are (1) provider performance and compliance, (2) assignment of company and provider roles, and (3) establishment of a performance feedback loop and controls. Effective and efficient performance and compliance controls and monitoring must be in place to manage performance risks. The outsourcing team should have well-defined procedures, reporting matrices and meeting schedules, and should document in detail the roles and responsibilities for all parties. Also, given the recent Satyam fraud, provider transparency around financial information, governance processes, HR policies and internal controls is likely to become more important. Provider integrity and financial viability are vital areas to watch when monitoring performance.

To manage outsourcing performance risks, management controls should be established and executed to address such issues as: the analysis and resolution of performance issues; internal and external customer issues; personnel issues; crisis prevention and contingency planning; third-party provider issues; forecasting and demand planning issues; recommendations for changes, and review of major changes, to either party’s processes or technology; and billings and payments. Periodic audits of provider processes, documents and data may be necessary to provide assurance to the outsourcing company’s management regarding provider performance.

Managing Financial Reporting Risk

When transaction processing is outsourced, management must assess the input, processing and output controls over the processes and systems affecting financial reporting and disclosures. IT and other risks exist, regardless of whether the processing occurs internally or externally. Under the provisions of Section 404 of the Sarbanes-Oxley Act of 2002, management must evaluate the controls over these risks if they are critical to the company’s internal control over financial reporting. This evaluation should be directed to both the processes and applications the company operates and the processes and applications it outsources to external service providers. Receipt of an SAS 70 letter, or its equivalent, from the service provider’s auditors does not absolve management of this responsibility.

Use of an SAS 70 letter from a service organization’s auditor requires careful planning and, in some cases, effective negotiations and contracting to ascertain that the assurances in the letter are relevant to the service organization’s internal controls over the outsourced processing. Because the scope and coverage of the letter are decided by the service organization and its auditor, user organizations cannot assume the letter addresses the controls germane to their processing.

In addition, user organizations relying on an SAS 70 letter must (1) address user control considerations identified in the letter, (2) assess any control deficiencies identified in the letter through the same assessment process applied to all other deficiencies, and (3) consider the implications of the gap between the point in time addressed by the letter and the user organization’s financial statement report date.

Avoiding Failure

Many reasons exist for the failure of outsourcing arrangements. Based on our experience, some common outsourcing failure points include:

  • Outsourcing a broken function
  • Not understanding the “total cost” structure and financial goals of the outsourced function
  • Misunderstanding the service levels articulated by the SLA
  • Not performing an up-front risk assessment
  • Failing to execute the strategic sourcing process, such as the planning, supply market analysis, risk analysis, strategy selection and provider selection processes
  • Not using an ongoing contract management process to ensure the outsource arrangement is designed, negotiated, managed, controlled and executed effectively

Discipline and planning are both key to avoiding failure.


Outsourcing and offshoring initiatives can help an organization fine-tune its business model to become more resilient and profitable. At the same time, these initiatives present challenges. Simply stated, it is more difficult for a corporation to manage outside service providers or foreign employees than its own employees working in the same building as management. If the challenges we have discussed in this issue of The Bulletin are met, outsourcing and/or offshoring initiatives can be highly effective. If the challenges are not met, it is likely these initiatives will fall short of management’s expectations. Companies need to think of their outsourced and/or offshored operations as extensions of their business.

Watch for the hidden terms, conditions and costs that may affect management’s assumptions underlying the decision to outsource. Use the SLA to articulate the contractual requirements, performance metrics and targets linked to customer service goals. Measure and monitor the performance of the outsourced operation against the stated SLA metrics. Finally, make sure everyone understands the value to be generated through the outsourcing duration, and quantify and communicate the true value realized.

Key Questions to Ask

Key questions for board members:

  • When management is considering outsourcing, are the reasons, advantages and disadvantages discussed in a timely manner with the board?
  • Are you satisfied with management’s articulation of the expectations and goals for the company’s outsourcing initiatives? Are the expectations and goals clearly linked to the company’s strategy and performance goals?
  • Is there periodic reporting on the performance of significant outsourcing initiatives to lengthen the board’s memory with a periodic “look back” to the original expectations and goals that provided the impetus for management’s decision to outsource? Is there evaluation of actual performance against those expectations and goals?
  • Does management have sufficient transparency into the financial performance, governance processes, HR policies and internal controls for the company’s significant outsourcing providers?

Key questions for management:

  • Is there a periodic risk analysis process whereby potential or current providers are compared against a set of risk criteria established by management? Is the risk analysis conducted prior to selection of a provider for new outsourcing initiatives? Is it used to assess risks for ongoing initiatives?
  • For outsourcing initiatives currently in play, have you evaluated the effectiveness of your monitoring processes to ensure that outsourced processes/functions run smoothly and that the company’s outsourcers perform in accordance with the respective SLA specifications?
  • Are you satisfied that the company is actively managing the project, contracting and negotiation, transition and start-up, and performance-related risks associated with outsourcing initiatives, including obtaining sufficient transparency around provider governance processes, financial performance, HR policies and internal controls? If outsourced services fall short of management’s expectations and performance goals, is there a timely evaluation of the company’s options for actions to take to rectify the situation?

    Cost and Working Capital Optimization with Protiviti

    At Protiviti, our more than 3,000 professionals have partnered with companies around the world to manage risk in every facet of their business. As described in this issue of The Bulletin, companies are aggressively pursuing efficiencies and cost savings in these challenging economic times, but this pursuit must be strategic or it will create more problems than benefits.

    The professionals of Protiviti can help you optimize your business operations. We help you to:

    • Improve working capital and cash flow, control and optimize costs, and manage risk in your operations
    • Drive performance of the supply chain through operations process improvements, strategic sourcing strategies, inventory management, contract management and enhancements to working capital
    • Identify and prioritize the areas of your business that may be appropriate for outsourcing or offshoring and then help you manage the process to mitigate risk and maximize performance

    Our professionals deliver insightful solutions for the following areas:

    • Capital Projects and Construction
    • Global Sourcing
    • Loss Prevention 
    • Revenue Risks
    • Supply Chain

    For more information about the areas discussed in this issue of The Bulletin or other Protiviti solutions, please visit or call us at 1.888.556.7420.

    The Bulletin (Volume 3, Issue 8)