06 April 2005

Operational Risk: BPO Relationships...

Researchers at the McCombs School of Business are working on empirical studies ("Global Sourcing and Value Chain Unbundling", "An Empirical Analysis of Information Processing Requirements in BPO Relationships") that investigate key decision variables in the choice of BPO relationship structure and form. They argue that the primary questions that managers must address to design and effectively manage a BPO relationship include the following:

1. What are the unique operational risks and challenges associated with outsourcing a particular business process? What demands does the outsourced process place on agent capabilities?

2. What governance model will help the firm address these challenges and architect a sustainable relationship that meets its outsourcing objectives?

If you are like most organizations, you rely on a portfolio of third parties to supply you with products, services and labor. These supply chain relationships are a key aspect of effective risk mitigation in your enterprise. Here are a few BS 7799 controls to consider:

Section: 10.5.5 Outsourced Software Development
Description: Where software development is outsourced, the following points should be considered:
a. licensing arrangements, code ownership and intellectual property rights (see 12.1.2);
b. certification of the quality and accuracy of the work carried out;
c. escrow arrangements in the event of failure of the third party;
d. rights of access for audit of the quality and accuracy of work done;
e. contractual requirements for quality of code;
f. testing before installation to detect Trojan code.

Section: 11.1.2 Business Continuity and Impact Analysis
Business continuity should begin by identifying events that can cause interruptions to business processes, including suppliers, e.g. equipment failure, flood and fire. This should be followed by a risk assessment to determine the impact of those interruptions (both in terms of damage scale and recovery period). Both of these activities should be carried out with full involvement from owners of business resources and processes. This assessment considers all business processes, and is not limited to the information processing facilities. Depending on the results of the risk assessment, a strategy plan should be developed to determine the overall approach to business continuity. Once this plan has been created, it should be endorsed by management.

Section: 12.1 Compliance with Legal Requirements
Objective: To avoid breaches of any criminal and civil law, statutory, regulatory or contractual obligations and of any security requirements. The design, operation, use and management of information systems may be subject to statutory, regulatory and contractual security requirements. Advice on specific legal requirements should be sought from the organization’s legal advisers, or suitably qualified legal practitioners. Legislative requirements vary from country to country and for information created in one country that is transmitted to another country (i.e. trans-border data flow).

Strategic Impact: An important concept that binds the above process attributes is the strategic impact of the outsourced process. It is likely that a strategically important business process shares strong interdependencies with other business processes in the firm and is marked by relatively higher volatility and specificity. A process of strategic importance enables the company to provide a "fundamental customer benefit" and make a contribution to perceived customer value. Such processes in the firm are substantially superior to those of competitors and help the firm create new products, services and process improvements in the future. The risks associated with such information- and knowledge-intensive business processes include information poaching and loss of competitive advantage. This is especially pronounced if the provider services other clients in the same business domain as the outsourcing firm.
