More businesses than ever before are delegating what they consider to be noncore functions to other organizations that are ostensibly better at performing those functions, leaving the business to focus on its core competencies. Outsourcing has its place, but businesses should be sure that they properly understand who ultimately owns what in their outsourcing relationship. In other words, outsourcing has some risks associated with it, and this raises a question: Can those risks themselves be outsourced? To answer this question I turned to my friend and colleague Andrew S. Baker, who has many years of expertise in this area working with organizations and businesses of different sizes. Andrew is the president and founder of BrainWave Consulting, where he provides Virtual CIO services (Information Security, IT Operations, IT/Business Strategy & Integration) for small and mid-sized businesses. For nearly 20 years Andrew has been designing, deploying, and maintaining secure computing environments for organizations of all sizes. As a trusted business partner, Andrew collaborates with business and IT leaders to develop robust technology architecture, identify and mitigate security risks, set technology strategy and direction, prepare and execute project plans, and deliver cost-effective solutions that position companies for sustainable growth. You can also find Andrew’s complete social presence at XeeMe.com\AndrewBaker. The following is an excerpt from a discussion I had recently with Andrew about outsourcing risk.
MITCH: One thing I’ve learned myself from running a small business is that a lot of it is just about managing risk.
ANDREW: Yes, I’ll just come right out and say it: As a business owner, you always own all the business risk — including all the security risk — associated with your business. This remains true even if you have outsourced some business capabilities to a third party. If your business is a small one, then the ultimate business risk owner is typically the president, CEO, partner, or other similarly named principal of the organization. If your business is a larger one, it most likely includes a senior leadership team (often C-level executives) and a formal board of directors. Business risk is ultimately owned by the board, if one exists, or by the senior leadership team, in the absence of a board. Yes, there will be other people in the organization who play a role in risk management, but ultimate risk ownership will belong to the above persons.
MITCH: Unless your organization has a chief risk officer, right?
ANDREW: Even if the CEO hires a chief risk officer — or a person with a similar title — to be the person with the day-to-day responsibility for tracking and reporting on business risk, the risk ownership, and risk decisions still rightfully belong to the CEO and to his or her board. That’s where the buck really stops.
MITCH: Agreed, the buck always stops on my own desk too for our business. But I guess we should step back for a moment and ask ourselves what exactly risk is.
ANDREW: Yes, perhaps we should stop and properly define risk, before we go much further. According to the definition found in the NIST Computer Security Resource Center glossary, risk is:
A measure of the extent to which an entity is threatened by a potential circumstance or event, and typically a function of: (i) the adverse impacts that would arise if the circumstance or event occurs; and (ii) the likelihood of occurrence. Information system-related security risks are those risks that arise from the loss of confidentiality, integrity, or availability of information or information systems and reflect the potential adverse impacts to organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, and the Nation.
MITCH: What does that mean in ordinary layperson’s words?
ANDREW: In layperson’s terms, risk is a measure of how badly your business could be affected by some potential situation, and how likely it is that the adverse effect will occur to your business. While it would be nice to get to a place of zero risk, it is not really possible. Risk management is about minimizing your losses should bad things happen. It is not about preventing every possible bad thing from happening. No one has the money or the time for that.
MITCH: So your business always faces various kinds of risks. How can you effectively manage these risks?
ANDREW: The first thing that it is necessary to do is agree that every business faces some kind of business risk. The second thing that it is necessary to do is identify what specific risks your business faces. Without a risk assessment, there is no way to properly manage risk. There are a number of ways that the risk your organization faces can be managed. The legitimate options are mitigation, reduction and acceptance.
MITCH: OK, let’s look at each of these options in turn, starting with mitigation.
ANDREW: Many risks can be mitigated. Mitigated risks are those which are neutralized or eliminated. It should not surprise you to learn that very few risks can be mitigated at zero cost. Many risks require a fair amount of money to mitigate fully, but risk mitigation is not always expensive. For example:
- Hard drives fail, but this risk can be mitigated with redundant hard drives or redundant servers.
- Power can fail, but this risk can be mitigated with uninterruptible power supplies (UPS) and generators.
- Telecommunications lines can fail, but this risk can be mitigated by load-balancing network connections across multiple providers.
MITCH: Some risks can’t be effectively mitigated, though. How should you deal with these kinds of risks to your business?
ANDREW: Well, risks can also be reduced. For risks that are not possible or cost-effective to totally negate, it is often viable to implement solutions that reduce the full effects of that risk. For example:
- Perhaps you cannot afford two full datacenters, but you can contract for a warm site or cold site, or perhaps you can afford to be down for a day while waiting for restores to complete.
- Perhaps you cannot hire a full complement of 24/7 staff for your organization, but you might resort to having some staff available on-call during those off-hours.
MITCH: Sometimes you have to bite the bullet though and just accept certain risks, right?
ANDREW: Yes, risks can also be accepted as a way of dealing with them. This is a viable option, as long as there is sufficient thought behind it. Risk acceptance should only be pursued upon a thorough analysis of the business risk assessment, in which the cost of adverse impact from the risk in question is found to be less than the cost to mitigate or reduce that same risk.
For example, imagine that your organization has a remote office that generates a mere $50,000 a year in income, and can afford to be offline for up to three days at a time. The cost of mitigating unstable network connectivity or server hardware failure for that office should never exceed $50,000. I’d be hard pressed to spend even $40,000 on mitigating those risks, unless the cost of downtime plus the revenue loss quite exceeded that number. Much better to accept those two risks than spend more than the value to reduce those risks.
MITCH: What about simply ignoring certain kinds of risks? Many companies today, especially fast-moving tech companies, seem to kinda have their blinders on when it comes to stepping into the risk pool associated with their new products and services.
ANDREW: Risks can also be ignored, but this is not really a viable option, which is why I didn’t mention it earlier. But you might be sadly surprised by how many leaders and organizations “embrace” this option as a consequence of not having mitigated or reduced or properly accepted their risks.
MITCH: And they pay the price too when their disruption backfires upon themselves. But let’s now address the central question of our discussion, namely: What about outsourcing risk? Can this be done? Give us your thoughts on this matter.
ANDREW: There are many things you can outsource, such as your marketing functions, your e-commerce activities, your datacenter hosting, your web hosting, technology operations management, and even your security operations management (including the risk assessment function). You cannot, however, outsource the business risk associated with any of those things. Past experience has taught me that this is not commonly understood by many business owners and leadership teams — even fairly experienced ones. Let’s imagine that as a business owner, I make the decision to partner with an e-commerce vendor to offload the processing of credit card payments from my network. Will this significantly reduce the technical and compliance burdens on my local network and on my staff, as pertains to the Payment Card Industry Data Security Standards (PCI DSS)? Absolutely! There is nothing wrong with this decision.
Now, let’s imagine that an unfortunate breach were to occur on my vendor’s network. Is this better than the same breach on my own network? Absolutely! Does the fact that I’ve outsourced this function to a vendor allow me to tell customers, “Sorry about your data, but we’re not the ones that lost it”? Absolutely not! My firm may not be responsible for directly implementing the technical controls in question, but I’m still responsible to my customers for ensuring that all necessary security and privacy controls are properly implemented on that partner network. My leadership team remains just as responsible for this as if these functions were occurring in our network.
If we have been negligent about ensuring that our vendor was handling security properly, then we will bear the penalties of that negligence. The EU General Data Protection Regulation (GDPR) makes this point more abundantly clear than many other regulations do, and we are seeing an increasing number of U.S.-based data privacy regulations that are following in the mold of GDPR.
Many firms look at difficult or complex areas of technology or business management, and try to outsource them away without realizing that they are still responsible for the oversight of security and privacy on their own behalf, as well as the customer’s behalf. Technology oversight doesn’t get any easier after you add another layer of management.
Please don’t forget soft costs. While it is true that you don’t want to spend $100,000 to protect a $75,000 asset, bear in mind that there may be soft costs such as reputational damage to consider as well. Don’t obsess about hard costs while ignoring soft costs.
MITCH: Wow, that’s a great analysis and some helpful recommendations. Can you summarize everything for us so we can take it home easily as technology business professionals?
ANDREW: You (business owner, senior management team, board of directors) always own the business risk. You can delegate portions of the tactical and operational risk management activities to people inside or outside your organization, but you will always be the owner, and they will only be the stewards. It is highly recommended that you be intimately involved in the risk management process on a regular basis — before something major and unpleasant occurs.
When a problem occurs — especially a significant problem — you can be sure that your affected constituents will be looking for the risk owner (you), and not the risk stewards.
- There is always risk to be managed.
- The risk owner is always the highest organizational authority at your org.
- You cannot manage risk until it has been identified and assessed.
- Total elimination of risk is not generally feasible.
- Risks often have both hard and soft costs — pay attention to both.
- Never confuse risk acceptance with ignoring risk.
- A business owner that has successfully transferred risk to some other party is either (a) no longer the business owner, or (b) going to be unpleasantly surprised at some point.
MITCH: Thanks, Andrew! I guess it’s never too late to perform a risk assessment of one’s business, but today is always better than tomorrow.
ANDREW: Why not start today? 🙂