Understanding Business Risk Posed by Outsourcing IT
According to a recent Wall Street Journal article called Outsourcing Contract Deals Are Getting Smaller, outsourcing deal sizes are falling as competition, automation and offshoring increase in the outsourced IT services market. The article cited IDC as reporting that the top 100 outsourcing deals globally dropped from an average of $680 million in 2005 to less than $400 million in 2015. One deal valued at $1.9 billion in 2005 recently renewed at $600 million, less than one-third of its original value.
The drop in deal sizes is eye-opening, but another point to consider is how an organization can actively manage its operational risk after signing a six-year deal to outsource IT. Because IT supports business operations, risks to IT, IT operations and IT-related incidents should all roll up into the overall risk management program, and IT key performance indicators should be tied to the organization's key risk and performance indicators. Senior managers and executives do not want to come into work to hear that some or all of operations are down because of an IT incident that could have been prevented.
What does this mean for a company that is outsourcing its IT operations and for its ability to correlate IT operations and risk with its overall risk management program? Organizations that outsource IT need the following:
- A strong understanding of how IT supports the business.
- Knowledge of which specific IT operations and assets support which business operations.
- Access to the IT data in order to see how IT operations impact the business and business risk.
These needs are no different from those of an organization that keeps its IT operations in house, but the outsourcing element adds complexity that must be understood.
When entering these contracts, the organization should require complete transparency regarding the data and contractually ensure timely access to it. The company must recognize that it will not be the same business in six years that it is today: risks, strategic goals and operations are likely to change several times over that period. One thing that will be difficult to change is a six-year outsourcing contract and its requirements for gathering the IT-related data needed to support changing operations. In the initial contract, organizations need to be specific about the data they will need and how they will gather it; otherwise, they will be hampered for years, or will pay substantially more than they should when contract changes have to be made in the interim.
Organizations outsourcing their IT should also consider how to efficiently transform that IT risk and performance information into operational risk and performance information. Governance, risk management and compliance (GRC) platforms are typically managed by risk professionals with IT and operational risk backgrounds and can provide an efficient way to consume high volumes of IT metrics. A GRC platform can then translate the IT metrics (understood by very few) into operational metrics and tie them to operational risks (understood by much of an organization's management and board).
Outsourcing IT might be a strategic benefit to an organization, but can potentially hamper the organization’s ability to manage strategic and operational risks if understanding of how IT supports the business and transparency are lacking.