As outsourcing has increased, so has the presence of offshore teams, with many leading and upcoming IT service providers now setting up teams at offshore delivery centers. Offshore teams offer a tremendous opportunity for cost savings and scalability. However, they add a new dimension to an already complex organization structure where IT services are outsourced. While there are risks, they can be identified and mitigations can be established in advance to ensure the business case is achieved without major deviations.
How do Most Organizations Identify Offshore Outsourcing Risk?
Most organizations are required to perform, at minimum, (i) a country threat-risk assessment for the offshore destination and (ii) a pervasive risk assessment covering the reputation, confidentiality, integrity, availability, regulatory and loss risk areas. However, R3P also recommends that risk assessment and management cover the operational aspects of the offshore IT arrangement. The IT offshore due diligence model that R3P uses covers 10 additional major areas of operational risk and produces a summary scorecard (see below). The results of the due diligence will highlight risk areas that require mitigating controls and remediation plans, and will document residual risk. This will allow your governance team to set up a 3rd party IT risk management function to monitor this “risk scope”, ideally from offshore with the provider. An annual evaluation against the framework is also a best practice, with spot audits during the course of the year.
To get better control and predictability when setting up and running IT programs with a significant offshore component, we recommend following 4 additional steps:
- Cadence, Communications & Reporting: Ensure that all regular cadence meetings, reporting and communications that involve the local delivery teams also include the participation of the offshore leadership.
- Key Talent Retention: Make contractual provisions for the service provider to bring on and retain “named resources” in the account. As work starts, there will be a few individuals who will make more of a difference than others. Unfortunately, these are also the team members who are most sought after internally and are the first to move on once the program stabilizes. If these team members move on, your efforts to build their understanding of your business will be lost. A formal provision obligates the service provider to make every effort to retain them and make them available for your organization.
- Staff Rotation: Consider having some of your IT team members (in-house) work from the offshore location for an extended period of time. Also, build in provisions for your service provider to rotate their staff between onsite and offshore. This will help team members work closely and also provide operational insights to your direct teams on how to better engage with the extended offshore teams.
- Local Interaction: Most service providers have many clients being serviced from their offshore locations. In addition, the leadership at the offshore facility is tasked with driving cost efficiency as its primary objective, while the client relationship is left as the primary objective of the onsite-based leadership team. This means that out of sight (from offshore) is out of mind for the service provider! Ensure that there is consistent and meaningful local interaction at offshore with the delivery team members and the leadership team. This will help keep your account on their radar at all times. 3 key actions include:
  - 3rd party IT Offshore Risk Management located on-site/offshore
  - Staff Bi-Directional Rotation – 90 days
  - Annual trips by Client VP Owner of the service
Offshore sourcing programs with unforeseen or unmanaged risk can cause additional expenses, damages and loss of control. However, these programs can bring tremendous benefits if they use a strong 3rd party risk management function that follows the above tactical measures. Set a strong foundation for the future success of your IT programs with a well-executed offshore program.
- 5-10 week timeline for pre and post work around the 1 week on-site
- A list of documents to ask for in advance of arriving for inspection
- Over 100 questions to effectively evaluate while on-the-ground
- Analysis framework with suggested mitigating controls and residual risk
- A scoring and scorecard summary
- A sample audit & risk report
At R3P Consulting, our thought leadership approach leads to IT outsourcing solutions and managed IT services that save money, reduce risk, and improve service. Contact us for a diagnostic assessment and to discuss how to get the most out of your IT providers.