Lesson 2: Assess underlying outsourcing risks across the supply chain. Document plans and outcomes to industry standards.
Case example: B-Source SA provides bank back office and IT services to insurance and private banks in Switzerland and selected other countries. As a Swiss service provider for the financial industry, B-Source does not, in fact, require a specific authorization, as the financial supervisory body mandates that clients remain fully responsible for the outsourced activities, “as it would operate themselves.”
Therefore, a major challenge for a client with multiple outsourcing service providers is to ensure that best-practice internal controls, risk management, security and a business continuity framework are in place. Key to this is a common global language/framework that is communicated at all levels and to all interested parties (international regulators, boards of directors, auditors, other stakeholders).
In response to a recent pandemic threat, B-Source SA undertook a review and risk/compliance analysis of its BCM readiness, which included its stakeholders and suppliers. As an international multi-outsourcing service provider relying on a variety of sub-contractors and vendors, this proved to be very challenging. Widespread use of a standard benchmark like BS25999 would have helped immensely in evaluating the state of readiness of its suppliers and sub-contractors. As a direct result of the detailed BCM review, plans were made to enhance communication around BCM involving all staff.
For B-Source SA, the H1N1 pandemic provided the opportunity to adapt its crisis scenarios in order to avoid disruption to services due to the physical unavailability of a potentially large number of key people. Following the publicity and the official announcements around this crisis, it was difficult to hide problems behind a contractual “force majeure” clause, since the event could no longer be claimed to be unforeseen.
From a reputation point of view, it also could have been very damaging not to have been prepared for this pandemic. Therefore, the impact on the company of the loss of key people was reviewed, and the most common mitigation measure was implemented. As in many other companies, the solution was to provide remote-access workplaces to ensure a certain level of business continuity for certain processes, while at the same time avoiding contact between staff. A staff-sharing concept was implemented for the most critical processes.
Business Process Outsourcing (BPO) and IT Operations (ITO) service companies require efficient and standardized processes based on widely recognized frameworks. This is especially true for the financial industry, where internal control, risk management and compliance must be formally and extensively implemented and audited. A service provider such as B-Source is obliged to report regularly on the adequacy and efficiency of its internal control activities.
Today, most service providers have adopted Statement on Auditing Standards (SAS) No. 70 reports. Thus the controls performed can be officially audited and communicated to a large audience of stakeholders, including clients. However, plans are not controls, and a Business Continuity Plan (BCP) does not form part of the description of controls performed. Rather, in an SAS 70 report, it constitutes merely part of the general information provided by the service provider. In this sense, a BC plan is not officially audited, only communicated.
Clients need reassurance. To reinforce the credibility of the BCM organization of a service provider or a sub-contractor, a recognized certification such as BS25999 demonstrates that its business continuity organization meets a measurable standard, has been described in an internationally recognized way, and can be benchmarked.
Note that, because B-Source had to carry out the same analysis with many different sub-contractors, it was very difficult to evaluate the level of readiness of these companies. Although all had already confirmed that they had a functioning BCP, a quick and efficient evaluation of their actual level of preparedness proved hard to achieve.