Offshore Outsource Risk Mitigation Strategies

March 8, 2009

The global recession has led many companies to consider offshore outsourcing to reduce cost and increase their competitive advantage. Though the current Obama administration has some policies against sending work to offshore locations, the trend is unstoppable as US companies find more value from their outsource vendors. As more and more companies use offshore outsource providers for their daily business operations, it becomes critical for businesses to understand the risks associated with offshore outsourcing. Understanding the risks is only the first step; companies must take proper steps to avoid them and have risk mitigation strategies to handle them as they arise in projects. In this article we will explore common offshore outsource risks and discuss effective risk mitigation strategies to avoid them.

Common Offshore Outsource Risks
Following are some of the common risks companies face in their offshore outsource initiatives:

  • Project risks
  • Business Value risks
  • Intellectual Property (IP) risks
  • Legal risks
  • Offshore Personnel risks
  • Offshore Vendor operational risks

Some risks, such as IP and legal risks, can be mitigated through offshore outsource contracts; however, a contract alone cannot solve all offshore outsource risks. You need to manage and monitor the risks during outsource project execution. In the next section, we will explore each risk in detail and present different risk mitigation strategies for each one of them.

Project Risks
Several project risks are associated with offshore outsourcing, such as unrealistic cost savings, internal organization readiness, poor planning, improper integration of in-house business processes with outsourced business processes, transition time, training, etc. Any new initiative comes with risks; working with an offshore vendor is no different. The offshore vendor’s location, cultural, and time differences make project management even more difficult than working with an inshore outsource vendor. All the outsource project related risks can be mitigated by assessing organizational readiness, creating an internal organizational structure, and having an outsource business champion coordinate the outsource initiative between the internal teams and the outsource vendor.

Many organizations have successfully managed BPO project related risks by making the organizational changes needed to succeed in outsourcing, creating an executive group, a governance group, an in-house business process group, and outsourced business process groups. Similarly, in IT outsourcing projects, these groups can work together to manage the project risks successfully. These groups manage the risks by working with internal employees, outsource vendor employees, and customers on a regular basis. Any time an issue arises in the project, appropriate steps are taken by communicating properly with all the affected parties and fixing the issue.
For BPO projects, you can use the BPO feasibility framework to manage all of the project related risks successfully. In addition, creating an offshore project risk matrix and engaging both your internal members and the offshore vendor in the process will help you mitigate the risks.

Business Value Risks
Before you start your offshore outsourcing initiative, you need to answer one question clearly:

What is the business value of offshore outsourcing for your company?
It may be cost savings, innovation, operational efficiency, better utilization of in-house resources, or all of the above. Without clearly defining the business value, you are at risk of failing in your outsource initiative. Without defining the business value, how do you measure the success of your outsource initiative for your company’s management? You can mitigate the business value risk by clearly identifying the value of outsourcing and how long it will take to achieve it. For example, while working with offshore vendors, you may have to include costs associated with travel, remote project management, in-house and offshore personnel training, etc. These extra costs will increase your offshore budget, and your (cost savings) business value goals may not be achievable in the short term, though you may achieve them in the longer term. In any case, you need to educate your peers and your executive management team about the business value risks up front so that they are aware of the “value model” of offshore outsourcing.

You can also mitigate business value risks in other ways, such as proper SLA negotiation in the outsource contract and effective monitoring of the SLA throughout the outsource project. Outsource project management can also be an effective tool for identifying and fixing value risks as they arise in outsource projects. For example, the outsource project plan should have specific items to satisfy the SLA, and it should make people accountable for not meeting the SLA on the projects. The outsource project plan should also have a proper escalation procedure and emergency meetings in case the outsourced project value goals are not reached regularly.

Intellectual Property (IP) Risks
Organizations hold sensitive business data, proprietary business processes, custom technical solutions, etc., and protecting critical business information is a great concern for all businesses. You need to make sure the offshore vendor has proper security policies and procedures in place to protect your business IP from theft by employees, computer hackers, exposure by error or negligence, and corporate espionage. You also need to be aware of the legal standards and business practices governing the protection of business data, which vary around the world. For example, Gartner research gave Mexico a very good rating, India good, Brazil fair, and China poor for data and IP protection.

You can mitigate the IP risks of offshore outsourcing by assessing the vendor’s security capabilities and checking whether they follow any industry security consortium guidelines, hold security certifications, etc. Following are some of the industry consortia and certifications that are popular in various industries.

Some industries, such as financial institutions, have an industry consortium. The Banking Industry Technology Secretariat (BITS) has developed several security guidelines and best practices for managing and safeguarding financial business data. BITS also has recommendations for disaster recovery, periodic security audits, lawful treatment of data, etc.

The U.S. government created the Health Insurance Portability and Accountability Act (HIPAA), which has an exhaustive list of policies, processes, data confidentiality, disaster recovery, encryption standards, and other safeguards applicable to all health care industries.

ISO 27001 is a certification given to organizations that have strict information security policies and other security controls in place. All the major India-based outsource companies have secured the ISO 27001 certification.

SANS (SysAdmin, Audit, Network, Security) is another source where you can find information about security policies and guidelines.

If the offshore vendor follows the industry standards or has certifications, it is a good sign that they have good security policies in place. However, security certifications and industry compliance guidelines are only the first step; you need to make sure that the security risks you care about most are covered by the certification process. You also need to make sure that the offshore vendor follows your industry’s best practices and the compliance guidelines of your home country. Industry best practices and certifications cannot eliminate security breaches at your offshore vendor’s company; you also need to assess your offshore vendor’s security contingency and disaster recovery plans and procedures.

Legal Risks
Numerous legal risks are associated with offshore outsourcing, and no clear rules exist to make the offshore outsource firm liable for a security breach or other contract violations. Countries differ in their local laws for foreign firms seeking damages from outsource firms. You must work with a law firm that specializes in drafting offshore outsource contracts and has significant working knowledge of the laws of the country where the outsourced work will be performed. As an outsource buyer, you may not get all legal disputes resolved in your country’s jurisdiction. You need to compromise with the outsource vendor on using various forums, such as domestic or international arbitration, to resolve legal disputes. A simple approach to mitigating the legal risks is to ask the right questions and work with your legal department to answer them, so that you understand the difficulties and can educate your management about them. Following are some of the legal questions you need to understand and find answers to. Not all of the questions may be applicable to your offshore outsource needs, but generally you need to be aware of them so that you can plan to mitigate the legal risks in your offshore outsourcing.

  • Can the offshore vendor use the technology developed for you for other companies?
  • Who owns the IP of the technology developed by the offshore outsource vendor?
  • How is the IP of the business process and technology protected in the offshore location?
  • What are the milestone achievements? How are they measured, and what legal actions can you take in case the offshore vendor misses them?
  • What liabilities does the offshore vendor expose your company to, both in your home country and in the country where the outsourced work is performed?
  • Are there any export controls that need to be addressed in your home country and where the work is performed?
  • Where will disputes be resolved, and who bears the cost?
  • What taxes are your company and the offshore vendor’s company responsible for?
  • Is the outsourced work performed by the outsource vendor you signed the agreement with, or does that vendor subcontract the work to a different vendor?
  • Under what circumstances can you terminate the outsource contract?
  • What accounting practices does the offshore vendor have so that corporate accounting fraud like Satyam can be avoided?
  • What types of insurance does the offshore vendor have, and how does it protect their work?
  • What are your enforcement options for contract breach, IP, theft, or negligence of trade secrets?
  • Will a judgment against the offshore vendor be enforceable in your home country or the country where the offshore vendor is located?
  • When and how can you terminate the offshore outsource agreement?
  • How are disputes resolved? What laws are used to resolve them?

By understanding the above questions and having attorneys draft the offshore outsource contract, you can protect your company and have proper legal risk mitigation in place for your projects. This will also help you educate your management about the legal risks of offshore outsourcing and the precautions you have taken to address them.

Offshore Personnel Risks
Before you start working with an offshore vendor, you need to understand the labor laws and other regulations of the foreign country. Even though you may not be directly responsible for labor law violations by the offshore vendor, you may be indirectly responsible for your offshore vendor’s actions. Many foreign countries do not have employee protection laws covering workplace discrimination, privacy, sexual harassment, etc. For example, India has different laws than the US for terminating employees. In India, you cannot terminate an employee without following a lengthy termination process. Failure to follow the process can result in fines for an employer operating in India. Even though you may not be legally bound by the labor laws of foreign countries, you need to understand them so that you can use the offshore resources effectively, restructuring or changing them to fit your project needs without violating the labor laws of the foreign country.

Offshore personnel risks are mitigated by understanding the offshore vendor’s labor practices. By visiting the vendor’s offshore offices and meeting with their employees, you can understand their HR policies, their professionalism in dealing with employees, etc. Moreover, how the offshore vendor treats their employees might be acceptable in their country but may not be acceptable in yours. The most common example is “sweatshop” working conditions, though these are not common in IT and BPO projects. Nevertheless, you need to do proper due diligence in mitigating the risks by regularly monitoring the HR practices of the offshore vendor and putting the minimally acceptable working conditions of the offshore personnel in the outsource contract.

Offshore Vendor Operational Risks
Identifying and assessing the operational risks of an offshore vendor is the most difficult task for you. Offshore vendor business practices vary from country to country. Business practices like bribes and other financial transactions that are questionable in western countries can be routine in the offshore vendor’s home country. You need to be careful and identify whether you violate any regulatory requirements in your home country; e.g., violating the U.S. Foreign Corrupt Practices Act will incur significant fines and other legal ramifications for your company. The first step in mitigating this risk is having proper written policies that strictly prohibit any conduct that is considered a statutory violation. Proper implementation of the policy requires that you continuously monitor the activities of the offshore vendor and take appropriate action in case of policy violations.

Sometimes an offshore vendor may exaggerate their business expertise, process and quality certifications, technical skills, etc. This risk can be mitigated simply by verifying their claims and talking with their existing customers and other industry references. You can also visit their offshore locations, talk with their employees, and assess their internal operational capabilities.

Before you begin the offshore vendor selection process, you must consider the risks of having a business relationship with a vendor in a different country. A good risk assessment strategy is to develop an offshore vendor risk matrix for each offshore vendor under consideration during the vendor selection process. The offshore vendor risk matrix can include outsource vendor industry maturity, market goodwill, access to credit, financial stability, etc.

Offshore outsourcing does not eliminate your business risks; it moves some of the risks to the offshore vendor. You need to have proper contingency plans to go back to your old systems and business processes if everything fails with the offshore vendor. Developing contingency plans and processes might be more expensive than the outsource project itself, but you must have fallback plans to protect your company from offshore outsourcing failures.

Finally, all the offshore outsource risks mentioned in this article can be managed effectively by doing proper due diligence in the offshore vendor selection process and assessing each of the risks carefully. Continuously managing the risks will ensure success in your offshore outsource initiatives.

