Outsourcing – Pizza for dinner?
- Leeanne Zamagias

- Nov 8, 2025

You usually don’t have to dig too far to find instances where third-party service providers are involved in compliance issues. Qantas is not the only business to have endured cyber threats in recent times. It is common for businesses to outsource work related to their vulnerable data, which inevitably complicates risk management. As much as we would like to think otherwise, we all rely on others to some extent.
I lived in a remote part of Australia for a few years with limited food supplies, so we instigated a routine of Saturday night pizzas. The pizzas were all homemade and cooked by us. But not every part of it was ‘homemade’. I did not grind the flour or make the tomato paste myself; this had to be bought from a shop.
So, let’s run with pizza as an example of outsourcing. This is not an original idea of mine, but something I picked up at a Risk Seminar many years ago.
Say we are having pizza tonight. Our choices, and the resources we need, are:
| Make it from scratch. Most functions performed inhouse | Frozen pizza at home. Some functions performed inhouse | Take away or Delivery. Most functions outsourced | Restaurant. All functions outsourced |
| --- | --- | --- | --- |
| · buy all ingredients · make base · prepare all toppings · make pizza · preparation · own plates and cutlery · own furniture · electricity for cooking, eating, lighting, etc. · cleaning | · buy frozen pizza · preparation · own plates and cutlery · own furniture · electricity for cooking, eating, lighting, etc. · cleaning | · own plates and cutlery · own furniture · electricity for eating, lighting, etc. · cleaning | · no functions performed inhouse |
The simple process of eating a pizza can be seen as a continuum, ranging from carrying out every function in-house to outsourcing the meal completely. In the workplace, we can consider some of the functions or services we require in the same way. Any form of information technology, financial, legal or other services could be performed inhouse or outsourced. A cost benefit analysis will help identify the pros and cons of outsourcing, but a word of warning: do not use financial cost as the only measure. Quality, security of data and other relevant criteria need to be considered. This is why a weighted scoresheet approach to rank criteria is so important. Just relying on cheapest cost never ends well.
There are risks in outsourcing, but there are also risks in doing everything inhouse. Lack of expertise is the obvious risk, but, as we learnt from the Banking Royal Commission, vertical integration and other steps to keep everything in house can create their own problems. Suffice to say there are always risks, but they can be managed.
There are many practical steps to help manage risks associated with third-party service providers. As mentioned in my article “Get intimate with your chart of accounts”, it is worth compiling a register of your suppliers, including your third-party service providers. You can then determine the relevant documents you should hold from your third-party service providers. Privacy policies, codes of conduct or other documents may be relevant, depending on the type of service provided.
Your own policies should also be prepared with third-party service providers in mind. Your procurement policy should consider how suppliers are determined (back to the earlier point of establishing criteria other than just cost). You can also specify what research or documentation is appropriate depending on the type of service and the information they may hold on your behalf.
In many instances, third-party service providers should be on your strategic risk register, with stakeholder management, appropriate documentation and business continuity plans being among the mitigators.
In summary, risks associated with third-party service providers should not be ignored, but they can be managed.
· Select providers based on relevant criteria
· Keep a register
· Be informed about their policies that are relevant to your organisation
· Manage relationships appropriately
· Develop backup plans in case they can no longer provide services
Remember, even if services are outsourced, you still own the risks, so know how to manage them.



