Companies often outsource various functions such as IT, logistics, human resources, sales and marketing, customer call centers, and accounting. Outsourcing can offer a number of benefits including cost savings, gaining efficiencies, and focusing on core competencies. While all of these benefits lead to a stronger competitive advantage, it’s also important to be aware of the risks associated with outsourcing and the steps needed to manage those risks, including data security and business continuity.
One major risk associated with outsourcing involves the access you give a service provider to your company’s confidential data. This may include personal information about customers or employees which would have significant repercussions if made public. If data security is not managed properly, it can adversely impact your company’s reputation and financial performance.
When working with an external service provider, ask for their SSAE 16/SOC (service organization control) report. SSAE 16 is the auditing standard under which SOC 1 reports were issued (it has since been superseded by SSAE 18, but the structure of the report is unchanged). The report focuses on the provider's controls, which should include security and data protection. Two caveats matter when you read it: a Type 1 report only covers whether controls were suitably designed at a point in time, while a Type 2 report also covers whether they operated effectively over a stated period, with details about how each control was tested and the results of the tests; and a SOC 1 report is scoped to controls relevant to your financial reporting, so for data security specifically a SOC 2 report (covering the security, availability, confidentiality and related criteria) is the more relevant document to request. In either case the report includes an auditor's opinion on whether the service organization's description of its controls is fairly presented, whether the controls were suitably designed, and (for Type 2) whether the controls operated effectively. Confirm that the report period actually overlaps the period during which the provider handled your data.
A typical SSAE 16 report will also list complementary user entity controls: controls that the service organization assumes will be implemented by its customers (the user entities). When you review the report, it is critical to understand these complementary user entity controls, because the auditor's opinion is conditional on them. The stated control objectives are only achieved if the provider's controls and your complementary controls both operate as intended.
Even where the SSAE 16 report shows that the service organization has all the correct controls, those controls will not achieve their objectives if the complementary user entity controls are not in place. For example, a payroll provider can take every essential step to protect data, but if your company does not grant access to the payroll system strictly as needed and revoke it promptly when employees change roles or leave, confidential data may land in the wrong hands.
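The payroll example above describes a control that sits on the user entity's side, and it is one that can be checked rather than taken on trust. The script below is an added illustration (not part of the original article, and not any provider's tool) of a periodic user access review: it reconciles a constructed HR roster against a constructed access export from the outsourced system and reports accounts that should have been revoked, accounts used after termination, and accounts with no HR record at all. The field names and the one-day revocation deadline are assumptions; a real review would load the two lists from your HR system and from the provider's access export.

```python
from datetime import date, timedelta

# Constructed sample data (assumed format; not from the article or any vendor).
# HR roster from the user entity's own HR system.
HR_ROSTER = [
    {"user": "alice", "status": "active", "termination_date": None},
    {"user": "bob", "status": "terminated", "termination_date": date(2024, 3, 1)},
    {"user": "carol", "status": "active", "termination_date": None},
]

# Access export from the outsourced payroll system, as the provider might supply it.
PAYROLL_ACCESS = [
    {"user": "alice", "role": "payroll_admin", "last_login": date(2024, 3, 20)},
    {"user": "bob", "role": "payroll_admin", "last_login": date(2024, 3, 18)},
    {"user": "dave", "role": "payroll_viewer", "last_login": date(2024, 2, 10)},
]


def review_access(hr_roster, payroll_access, as_of, revoke_within_days=1):
    """Reconcile the provider's access list against HR and return findings.

    Each finding is a (user, reason) tuple. The revocation deadline
    (revoke_within_days after the termination date) is an assumed policy value.
    """
    hr_by_user = {rec["user"]: rec for rec in hr_roster}
    findings = []

    for acct in payroll_access:
        rec = hr_by_user.get(acct["user"])

        if rec is None:
            # Account exists at the provider but nobody in HR owns it:
            # an orphaned, shared or contractor account that needs an owner.
            findings.append((acct["user"], "no HR record for this account"))
            continue

        if rec["status"] != "terminated":
            continue

        term = rec["termination_date"]
        deadline = term + timedelta(days=revoke_within_days)
        if as_of > deadline:
            days_late = (as_of - term).days
            findings.append(
                (acct["user"], f"still provisioned {days_late} days after termination")
            )

        # A login after the termination date means the stale account was
        # actually used, which is a potential incident rather than just a gap.
        if acct["last_login"] is not None and acct["last_login"] > term:
            findings.append((acct["user"], "logged in after termination date"))

    return findings


def stale_accounts(findings):
    """Distinct users that appear in the findings, for a quick summary."""
    return sorted({user for user, _ in findings})


if __name__ == "__main__":
    for user, reason in review_access(HR_ROSTER, PAYROLL_ACCESS, date(2024, 3, 25)):
        print(f"{user}: {reason}")
```

Running the review against the sample data flags bob twice (still provisioned well past the deadline, and used after termination) and dave once (no HR record), while alice and carol pass. Run on real exports on a fixed schedule, this is the evidence that the complementary user entity control is operating, which is exactly what the provider's report assumes but cannot verify for you.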
Another important area to review when working with a service provider is their disaster recovery and business continuity plan. Outsourcing a function only delivers efficiencies if the service provider is available when needed. If their operations are disrupted by a natural disaster, a cyber attack, or a change in the political climate, how will that affect your company's operations? It is critical to ensure that your service provider maintains an up-to-date business continuity plan, and to maintain your own plan as well, including a contingency for the case where the provider's plan does not work.
A business continuity plan must not only be maintained; it must also be implemented and tested. A plan that has been tested and allows a company to recover quickly will limit the time, money, and customers lost in a catastrophic event.
To confirm that your service organization is actually implementing the controls described in the SSAE 16 report and maintaining a proper business continuity plan, consider visiting their operations. During the visit, review and evaluate their controls and business continuity plan, as well as their team members and the tools they use. Simply meeting the team members assigned to your account will help you judge whether their experience, expertise, and culture will benefit your company. The visit also gives you an opportunity to discuss issues that may arise and to see how the service organization would handle them.
While outsourcing's benefits may be tempting and encourage a company to move quickly, allowing adequate time for risk identification and risk management at the beginning of an outsourcing relationship is what ensures the benefits outweigh the risks that remain.
Katie O. Galaska can be reached at firstname.lastname@example.org or 215.441.4600.