Risk Appetite has Evolved Over Time; But What About the Recipe for Risk Management?
It is no coincidence that in the 90’s, when the explosion of the internet forever changed the way the world communicates, the concept of sourcing services globally started scaling rapidly. While this concept was still at its nascent stage, the associated risks were drastically different from what they are today.
For example, if I were an organization looking to source or already sourcing IT services from India or BPO services from Philippines in the 90’s, I would be losing sleep over the availability of talent, their employability, access to world-class IT infrastructure, language barriers, cultural compatibility, gaps in Business Continuity & Planning and Disaster Recovery, and so on. The type of services I source would depend on my ability to control these risk factors, and so would restrict me to look at basic, low-end services that would be a lot cheaper offshore, and most importantly, not be mission critical.
Cut to today’ scenario, and I am sourcing multiple services (several of them being mission-critical) from multiple vendors (unheard of in the 90’s) and multiple geographies (thanks to the ever-increasing new and emerging sourcing destinations across the globe). But my risks are different now – I am now worried about retaining talent – not their availability; my employability risk is now about scaling up to new and next-generation skill-sets; while the infrastructure is world-class, my BCP & DR programs have changed radically because disruptions can come in many different ways now – increased intensity of natural disasters, rapid political changes, threats and attacks, to name a few.
Supplier risks have also evolved over time – monitoring only financial metrics is not sufficient anymore. Organizations are increasingly looking to strategically partner with their IT service suppliers with the end objective of transforming their customers’ experiences. Factors like ability to innovate, to be flexible and agile, to be a thought leader in next-generation technologies and so on are becoming critical in today’s constantly changing digital environment.
Risk management programs have not evolved.
Everybody in this ecosystem agrees that risk factors have changed significantly over the last few years, and everybody also agrees that they are bound to change rapidly in the future as well. But it is a bit unnerving to see that risk management systems within organizations have not kept up with this change.
This is largely because organizations still depend on suppliers to manage these risks; detailed and elaborate scenarios of downtimes and disruptions are built into service contracts. Similarly, Global In-house Centers (GICs) or “captives” are expected to manage all operational risks from a remote location.
I have seen very few organizations having a dedicated risk management group at the global level that independently and proactively manages global sourcing risks. A dedicated risk management program enables an organization to identify risks on a real-time basis, assess impact levels, make informed decisions and as a result proactively take mitigation steps. Such dedicated groups have proven to be invaluable when sourcing mission-critical services from remote locations.
Furthermore, such a dedicated group would also ensure that organizations are following all the required and relevant regulatory and statutory compliance requirements. These are already mandatory for organizations operating in BFSI and healthcare segments, and will soon be a standard requirement for all organizations sourcing globally either from 3rd party vendors or from offshore locations themselves.
Risk factors and their impact levels on your and your supplier’s business/operations are fluid and can change anytime; so risk management programs have to be real-time, agile and flexible. Let us take a few examples from recent real-life events:
- Heavy rains can cause massive flooding overnight preventing people from coming to work;
- Government regime changes can bring in work restrictions very quickly;
- A particular process may experience a sharp spike in attrition with several people resigning at once;
- Local currencies can show wild fluctuations in a very short time period; or
- There could be a data security breach within your process.
How well are you or your supplier prepared for such events?
Identify opportunities through risk monitoring programs.
A dedicated risk management group with a robust risk management program tracks and monitors risks on a real-time basis and ensures proactive mitigation steps. There is another huge advantage of having such a group within the organization. Risk management is not only about threat prevention and damage control. I have seen several instances of organizations benefiting from the opportunities identified by on-going risk monitoring programs.
Significant savings have been made by moving into Special Economic Zones at the right time. Real-time monitoring of tax policy changes and subsidies available to certain sectors in developing economies have enabled organizations to reap huge financial benefits. Procurement groups have successfully leveraged on-going risk monitoring tools for choosing the right sourcing destinations and for selecting the right set of vendors that best fit their requirements.
So, if your risk management program still assesses risks at a point in time no matter the frequency (could be once a month, quarter or year), or if your risk management programs still primarily depend on supplier inputs, and most importantly, if you do not have a centralized risk management program and still operate in silos to manage sourcing risks, it is time for a major upgrade.