Events in Egypt: A not-so-subtle reminder on the importance of actively managing geopolitical risk in global sourcing
While Egypt today is still a bit player in the global sourcing market, recent and ongoing events in the country are a reminder that monitoring and managing the risks associated with offshore and global sourcing – tasks often discussed but occasionally underestimated and neglected – are a critical and ongoing effort for all buyers and providers of business and IT services. The sudden rapid escalation of political strife in Egypt, and shortly before it in Tunisia, remind us all of the geopolitical volatility that exists in the world today, just as the Indian terrorists attacks of 2008 and the events of 9/11 were abrupt and unexpected (to many) fatal reminders of the potential rapid economic and political disruption that all countries and markets are at risk of experiencing.
Unfortunately, political upheaval, terrorism and troubled global economic conditions are permanent and ongoing threats in general and when it comes to the global sourcing efforts. Further, it is not just mega-events or perils that can compromise global sourcing success. More mundane problems associated with client or provider financial problems (think Satyam), corporate espionage, cyber crime and routine IP theft are all dangers against which all participants in the global services market must prepare for and guard against.
There are many dimensions to this effort. One is to define a risk profile for global sourcing through which sourcing strategies and operating models, as well as terms and conditions, are filtered. A second is to gain a clear understanding of how current contractual sourcing arrangements call out and account for various risk elements identified in the profile.
Sourcing risk profile
Buyers themselves are ultimately responsible for assessing and managing risk, and ensuring adequate security and regulatory compliance. EquaTerra consistently advises clients buying third-party services to conduct a thorough risk assessment and develop an organisational risk profile before outsourcing work or establishing offshore captive operations. This organisational risk profile should include any relevant regulatory and compliance requirements along with a specific threat profile, whether the work is to be done across town or across the world.
Obviously, the details of an organisational risk profile will vary with specific business and outsourcing objectives, but such a risk profile should address the following questions:
- What functions and processes are suitable for outsourcing or an offshore captive?
- How will probabilities, risks to success and failure modes be established? How will severity ratings to risks (e.g., poor service delivery, loss of flexibility, interruption of services, loss of productivity, knowledge capital, etc.) be assigned?
- What potential benefits and costs are associated with the outsourcing effort in the context of the defined risk profile? A more rigorous approach to security, for example, can drive up outsourcing costs, as can sourcing only with premier, top-tier providers.
- Which service providers and geographic locations are viable, given the buyer’s risk profile and the services in scope? What is an acceptable financial profile (e.g., profitability, cash flow, debt rating, country of origin for regulatory requirements/filings) for a candidate service provider, and how is it populated and validated?
- What service levels, controls, oversight models, security programs and contingency plans are required to safeguard, to the extent possible, the work being performed?
- What level of investment in outsourcing management and governance activities is needed to support the required control models? Are these models capable of adequately responding to worst-case scenarios?
Sourcing engagement and contact reviews
Buyers must routinely conduct thorough reviews of all existing global sourcing contracts and arrangements. Such a review should focus on geopolitical, market and supplier financial risks. There are five major components to this review:
- Assess current contracts. This requires a combined effort from all relevant parties – the outsourcing governance group, corporate governance and risk teams, the internal retained organisation, and potentially external sourcing, legal advisors and auditors – to gather and review all clauses within retained services and outsourcing contracts pertaining to risk management, security and financial exposure. Buyers need to assess all policies, procedures, service levels and other contractual commitments designed to address issues such as disaster recovery, failover and redundancy, physical and network security, emergency response plans and related communication plans. It is important to thoroughly examine and understand the requirements and obligations of both the buyer and the service provider in each area, paying special attention to the risk management and security elements currently in place.
- Update risk profile models as needed. Given fluid global geopolitical and economic events and conditions, it is important to determine whether existing terms and risk mitigation plans remain adequate. If not, buyers must identify all existing exposure and gaps and then establish going-forward assessment checkpoints, rather than wait for a disruptive event to trigger a review.
- Develop a remediation plan where warranted. Next, buyers must determine what changes to current state operations are required to achieve a tolerable level of risk. This may involve improved physical security, more comprehensive disaster recovery and work transition plans, shifting some outsourced work to a different geographic location or bringing it back in-house. The remediation plan should define the degree to which these changes fall within the current contract scope, and include a calculation of the costs required to implement changes and any potential disruption to service delivery.
- Engage with the relevant service provider(s) to implement the remediation plan. Any significant changes to current operating models will impact existing service levels and contract terms and conditions. Buyers may need to pay more for increased or more comprehensive levels of service. Service providers may agree to fund certain changes, such as improved physical security, but costs for other enhancements will legitimately fall to the buyer. This is especially true if the buyer did not initially undertake an adequate risk assessment/threat profile either to keep costs down or due to insufficient foresight and planning.
- Change the service delivery model, if needed. In some situations, a buyer and its service provider may be unable to come to terms on a remediation plan, and the buyer may elect to bring the work back in-house or shift to another provider or location. Buyers should not underestimate the complexity of undertaking this step, but in some cases it may prove the most appropriate option.
Global sourcing of business and IT services offers many benefits. It also entails many associated risks, as does any form of global business. Buyers must address, understand and manage these risks as part of the normal course of business, both when entering into new sourcing efforts and as part of a regular and routine reassessment process.