Risk Control

There are three categories of controls: preventive, detective, and corrective. Preventive controls mitigate or stop a threat from exploiting the vulnerabilities of a project. Detective controls disclose the occurrence of an event and preclude similar exploitation in the future. Corrective controls require addressing the impact of a threat and then establishing controls to preclude any future impacts.

With analysis complete, the next action is to identify controls that should exist to prevent, detect, or correct the impact of risks. This step requires looking at a number of factors in the business environment to which an outsourcing agreement will be applied, such as agreement options (e.g., co-sourcing, outtasking), core competencies, information technology assets, market conditions, and mission-critical systems. There are many preventive, detective, and corrective controls to apply during all phases of outsourcing agreements (see Exhibit 3).

Exhibit 3. The Result of Analysis

| Preventive Controls | Detective Controls | Corrective Controls |
|---|---|---|
| Provide ongoing oversight during the execution of the agreement | Establish minimum levels of performance in an agreement | Re-negotiating because of changing market conditions |
| Have the right to approve or disapprove of subcontractors | Maintain ongoing communications with the vendor | Identify conditions for discontinuing a contract |

After identifying the controls that should exist, the next action is to verify their existence for prevention, detection, or correction. Determining which controls exist requires extensive time and effort. This information is often acquired through interviews, literature reviews, and a thorough knowledge of the subject. The result is an identification of the controls that do exist and the ones that are lacking or need improvement.

With a good idea of the type and nature of the risks confronting an outsourcing agreement, the next step is to strengthen or add controls. That means deciding whether to accept, avoid, adopt, or transfer risk. To accept a risk means letting it occur and taking no action. An example is to lock into a long-term agreement regardless of conditions. To avoid a risk means taking action in order not to confront it. An example is to selectively outsource noncritical services. To adopt means living with a risk and dealing with it by "working around it." An example is a willingness to assume services when the vendor fails to perform. To transfer means shifting a risk over to someone or something else. An example is subcontracting.
