Risk Control

There are three categories of controls: preventive, detective, and corrective. Preventive controls mitigate or stop a threat from exploiting the vulnerabilities of a project. Detective controls disclose the occurrence of an event and preclude similar exploitation in the future. Corrective controls require addressing the impact of a threat and then establishing controls to preclude any future impacts.

With analysis complete, the next action is to identify controls that should exist to prevent, detect, or correct the impact of risks. This step requires looking at a number of factors in the business environment to which an outsourcing agreement will apply, such as agreement options (e.g., co-sourcing, outtasking), core competencies, information technology assets, market conditions, and mission-critical systems. There are many preventive, detective, and corrective controls to apply during all phases of outsourcing agreements (see Exhibit 3).

Exhibit 3. The Result of Analysis

| Preventive Controls | Detective Controls | Corrective Controls |
| --- | --- | --- |
| Provide ongoing oversight during the execution of the agreement | Establish minimum levels of performance in an agreement | Re-negotiating because of changing market conditions |
| Have the right to approve or disapprove of subcontractors | Maintain ongoing communications with the vendor | Identify conditions for discontinuing a contract |

After identifying the controls that should exist, the next action is to verify their existence for prevention, detection, or correction. Determining which controls exist requires extensive time and effort. This information is often acquired through interviews, literature reviews, and a thorough knowledge of the subject. The result is an identification of the controls that do exist and the ones that are lacking or need improvement.

With a good idea of the type and nature of the risks confronting an outsourcing agreement, the next step is to strengthen or add controls. That means deciding whether to accept, avoid, adopt, or transfer risk. To accept a risk means letting it occur and taking no action. An example is to lock into a long-term agreement regardless of conditions. To avoid a risk means taking action in order to not confront it. An example is to selectively outsource noncritical services. To adopt means living with a risk and dealing with it by "working around it." An example is a willingness to assume services when the vendor fails to perform. To transfer means shifting a risk over to someone or something else. An example is subcontracting.
