What are the risks of outsourcing during Covid-19?

Last year was a roller coaster ride for organisations around the world. While everyday life seemingly changed overnight, organisational risks were being triggered all over the world. The move to remote working enabled many organisations to truly test out the resilience and security of their infrastructures, with many lessons learnt as a result.

Some of these lessons have accelerated organisations’ adoption of ‘cloud first’ or outsourced strategies. While these are excellent strategies to help an organisation be lean and agile, they also carry a number of risks with them. What are the risks of using outsourced or cloud solutions during the pandemic?

Cutting IT spend

When businesses are forced to cut any and all costs, it’s tempting to look at IT spend. In many organisations, a potential quick-win is to evaluate the spend on IT, whether their spend provides value for money and whether there is an opportunity to restructure what they do by outsourcing IT, systems or business processes to third parties and/or cloud providers. Third-party providers can often achieve greater benefits of scale where they serve multiple customers and can afford to invest more in technology. This can make outsourcing to cut IT spend an attractive offering for organisations.

Increased cyber attacks

If there wasn’t already enough to deal with, there is also the increased frequency in which organisations are now being targeted by cyber attacks. In some cases, the fact that an organisation uses a third-party provider has been an advantage because those areas have been ‘carved out’ and isolated away from cyber attacks in the organisation itself. Meaning that in the event of a cyber attack, there would be areas of the business left untouched and therefore mitigate some of the risk. On the other hand, if the third-party provider is subject to an attack, an attack on them is an attack on the organisations using them as well, and the organisations’ data would be compromised in the process. Third-party providers that serve multiple customers often invest in perimeter security that includes intrusion prevention and detection systems as well as incident logging systems and a range of firewalls, all of which drive efficiencies for their customers and greater investment in technology and monitoring than what they may have in-house.

Reduced focus on controls

Remote working has had an impact on how controls are performed and evidenced. Traditionally manually operated processes have had to be redesigned and in many cases audit approvals and records are now electronic. Consistent operation of controls have also suffered for the sake of expediency. This is of a particular concern where controls and processes have been outsourced.

Many organisations have shifted towards outsourcing over the last year as a way to increase agility and reduce costs. There is an adage that you can outsource a process but not a risk. To mitigate this risk, outsourcing involves a good relationship and trust, but it also needs verification. This includes ongoing assurance which can be either a direct activity between the supplier and the organisation – a good method but one which consumes valuable company time and money – or an independent report that is delivered using recognised set of standards, such as Systems and Organisation controls (SOC) reporting.

SOC reporting helps identify and mitigate risks, but it also has a number of other great benefits. Service organisations / outsource providers use these assurances to provide transparency over their controls to their existing customer base but can also use them as a marketing tool when seeking to grow the business. It shows potential customers that risk and controls are being considered and helps their customers make an informed choice as to whom they are entrusting with their reputation and business. It also increases efficiency as you will not have to divert in-house attention to the task, and saves money by providing the most cost- efficient approach. Organisations that outsource their services to third-parties benefit from a SOC report as it gives them and their key stakeholders, such as auditors and regulators, comfort over their outsourced processes.

Looking to implement SOC reporting at your organisation, or want to talk about third party risks? Get in touch with a member of the team below to find out more about how we can help. 

Get in touch