Insights For Success

Strategy, Innovation, Leadership and Security

Risk Management when outsourcing (part 3)

Edward Kiledjian

Do I own the risk for outsourced activities?

The most common misconception I have to deal with is customers who believe they “offloaded” a risk because the process or function was outsourced. Stand up and yell the following as loud as you can:

“Outsourcing an activity does not mean an organization has avoided the risk”. 

Many would argue that they have SLAs and penalties, so the outsourcer is responsible. Generally, penalties in a contract are motivators to perform but rarely compensate the customer for their full loss (for the occurrence of a business-disrupting risk). Ultimately you are still responsible for the performance of your vendor or lack thereof. You should continue to monitor and manage risk.

Risks from outsourcing

Outsourcing does bring with it some additional risks that you should consider and analyse.  

  • Concentration Risk - This is the risk caused by concentrating too many services with a very small number of providers. You have plenty of tools to manage this risk, including business impact analyses, control evaluations and business continuity plans.
  • Jurisdictional Risk - This is the risk driven by the localization of service delivery. Many non-American companies may be relying on US-based outsourcing providers for some of their processes. What if this data is stored in or backed up to one of the provider's US datacenters? Does this data now become subject to the US Patriot Act? Microsoft even admitted that data kept in their non-US locations is subject to the Patriot Act. How would this impact your business decisions? It is important to consider the laws and regulations related to the business you are dealing with or the locations services are being delivered from.
  • Contractual Risk - Since it is one of my favorite risk topics, I am going to spend a little more time talking about it. When thinking of contractual risk, there are many theories that may come into play including:
    • Transaction Cost Theory – Where the decision is based on the specificity of the asset, the uncertainty of the transaction and the frequency of the transaction. Specificity generally drives longer-term contractual lock-in to prevent the provider from withdrawing their services. The more a company tries to contractually manage these risks, the more costly the contract becomes.
    • Agency Theory – This theory describes the difficulty of choosing an agent, motivating it, and managing its behaviour. The client wants the outsourcer to perform the required tasks but contracts are very rarely all encompassing. In this model, the agency costs include the cost of writing and supervising the contract, plus the cost of inadequate motivation resulting in inadequate delivery. 
    • One of the possible issues related to agency theory is called moral hazard and results from the fact that the principal (you) cannot observe the agent’s (outsourcer's) behavior at no cost (aka you can't supervise everyone all the time). Knowing this, suppliers can blame poor performance on a series of exogenous causes. Another possible issue can be conflict of interest, where the agent operates in a less than perfect manner when representing the principal's best interests (e.g. performing work slower to charge more).
  • Delivery Risk - This is the risk that the delivered service is deficient. The deficiency may be caused by:
    • Delivered services do not meet your requirements - This may be the result of poor Statement of Work documentation, improper contract write-up & interpretation, etc.
    • Delivered services are of poor quality - Sometimes you may have done everything right but the delivered services are simply not up to par. 

It is important to consider these during contract write-up and include remedy clauses to fix these issues if they occur. Many contracts I have reviewed do not include mechanisms to address these issues and the customer gets "hosed" by the provider during the contract change process.


  • Pricing / Costing Risk - It is very common for customers to sign 5-7 year outsourcing contracts and then, during contract start-up, get shocked by unforeseen charges for: transition costs, switching costs, higher service delivery costs [because of improper volume or scope assumptions], etc. Make sure that the provider bears the risk for any unforeseen startup costs. Make sure your contract has fair provisions for cost changes due to different [than planned] volume or scope.
  • Risk of incompetence - When an organization decides to outsource a particular service, they most often terminate or transfer all of their internal staff with that specialization. Those that stay in the organization are not nurtured and their skillset will also blunt with time. Although shedding these resources is usually done by design, I have to remind customers that when these skills are core to their business, they should keep a select group of senior resources to supervise, lead and provide backup in the event of irreconcilable differences arising. You should always be able to walk away if things go wrong.


There is no magic bullet or rule of thumb I can share that will guarantee your outsourcing activities will be the fairy tale you are expecting. The reality is that every situation is different and every negotiation requires special analysis and consideration. I hope I have given you some food for thought.

Overall though, my preferences have changed slightly [over the years] and here are ideas you may find helpful:

  • Move from a single-sourcing model to a multi-sourcing one. Force vendors to compete for each major project against your internal costs, the other vendor and the outside world. If 2 vendors have to work together, make one the main provider who is responsible for process integration between them and the other providers. If this is not possible, you have to play the role of "the glue" and ensure everyone agrees to Operating Level Agreements.
  • Identify the most critical clauses in the contract and negotiate to have them reviewed annually. Never fix a contract in stone for 5 years.
  • Although most vendors will try to lock you into longer-term agreements, I recommend you never exceed the 5-year mark. On IT infrastructure deals, I may often recommend sticking to a 3-year deal or a 5-year one with an exit clause for major technological change (e.g. release of Windows 9, which should change the entire IT delivery model).
  • Find a low cost way to maintain control over the delivery quality of your outsourcer. Understand that the standard SLA report is a snapshot in time and is often too high level to be useful. You should find other near-real-time metrics that can be used and have appropriate leverage clauses.
  • Negotiate some of the cost risk to the outsourcer for “reasonable but unforeseen costs” to ensure they disclose any potential issues they may see but choose to keep quiet.
  • Bring on an outside expert to provide guidance and advice.