Generic Risk Mitigation Framework for Business Process Outsourcing Nanayakkara B.S 1, Hirano.M 2, Waseda Business School Abstract Business process outsourcing risk mitigation is a popular topic among the outsourcing companies as well as service providers. While the BPO and ITES market is well positioned for rapid and continuous growth, the widespread fear about its inherent risks can be detrimental to the success of this multibillion dollar industry. As many developed and developing nations place a significant emphasis on the BPO industry as a major contributing factor of their economies, BPO risk mitigation has become a priority in the national level too. However, identifying risks alone is insufficient to safeguard the healthy growth of the BPO industry. A systematic method to mitigate the risks is mandatory and is a timely requirement of the BPO/ITES industry today. The objective of this paper is to present one such generic BPO risk mitigation framework. Keywords: BPO, ITES, Risk Mitigation 1. Introduction BPO risks are numerous and their management is complicated. This complexity in risk management affects SMEs more than large corporations because of their ability to absorb potential losses due to risks without too much damage. Rather than following a reactive approach to manage risks and losses, companies will be better positioned in the outsourcing environment if they have access to a proactive risk mitigation framework to use in the BPO lifecycle. In the work that follows, one such generic risk mitigation framework is presented, which can be easily customized to the nature of the outsourced business function. The framework can help both the outsourcing company as well as the service providers for maintaining a successful and healthy BPO relationship. 2. Setting up an Effective BPO Project Team The project team is responsible for the analysis of opportunities presented by the outsourcing initiative and drive the outsourcing decision especially during the beginning of a BPO venture. According to the studies conducted in this research, we found that most of the outsourcing organizations either do not employ a project team or vest the sole responsibility of the project in a few individuals selected from relevant departments without a sound criterion. The BPO project team that we propose consists of all required elements in the organization hierarchy who has a direct stake in the BPO venture. Therefore, the strategic level management should be a part of this team in the capacity of a top-level steering group. The steering group is responsible for initiating the outsourcing venture, justifying the alignment of the BPO decision with the corporate strategy and overall supervision to ascertain the delivery of expected project goals. Ideally, strategic level managers from HR, Finance and IT should fill this steering group. A BPO analysis team which reports to the top level steering committee is also required in order to critically investigate the benefits of outsourcing an internal process and to provide the results of the investigation to the steering committee in an unbiased manner. AT&T has used this approach to outsource its HR function to Aon Consulting, which now provides AT&T with HR administrative, transaction and payroll services [1]. The BPO analysis team at AT&T asked respective HR managers why their activity should continue to function as an in-house operation. This approach lets managers view their functions in a critical manner, convince them of the benefits of BPO, makes them less adversarial to the BPO strategy and creates new project champions to take the word to the dissenting employees. Beside the steering and analysis teams, the most important role in a BPO venture is played by the project management team. The project management team should be responsible for the overall progress of the BPO initiative. Further, the responsibility of risk mitigation and the handling of the risk mitigation framework presented in section 3 are significant duties of the project management team. Other parts that 1
comprise the proposed BPO team are the provider selection team and provider side interfacing team. The proposed team layout is illustrated in figure 1. Top Level Steering Group Business Analysis Team Provider Selection & Monitoring Team Provider Side Interfacing Team Project Mgmt Team Figure 1: BPO Project Team Structure 3. Proposed Risk Mitigation Framework The objective of this section is to present the proposed generic risk mitigation framework in the light of the BPO project team structure (the users of the framework) described earlier. In the abstract level, the framework works in five steps. The abstract representation of the framework is shown in figure 2. Risk Identification & Assessment Device Risk Management Strategy Implement Risk Mitigation Methods Monitor Risk Mitigation Processes Evolve Risk Mitigation Processes Figure 2: Main Steps of the Risk Mitigation Framework Even though not shown in the figure, the risk identification and assessment should be preceded by the all important exercise of setting BPO goals and objectives. This is the responsibility of the top level steering group. Steps two to five are carried out by the project management team relying on the information received from the provider selection and monitoring team. In the first step, risk identification could be dealt with simple process classification [2] and assessment could be realized through risk-probability matrices. A sample risk-probability matrix is given in figure 3. Risk Probability Cost Mitigation Tactics Implementation Time Overrun 95% 10% Bonus Plan Key Staff Turnover 60-70% 2% Retention Program, Training Hardware & Software 30-40% 5-8% Vendor Agreement to Absorb Cost Inadequacies Customer Dissatisfaction 10-15% 5% Customer Training, Vendor Monitoring Legal Issues 2-5% 10-15% Empowering the Legal Team Mission Critical Data Loss 1% NA Quality Control, Backups Political Instability <1% 50% Disaster Recovery Methods Figure 3: BPO Risk-Probability Matrix [5] The determination of the risk management strategy (step 2) has to be inline with the categorization of BPO risks. Although there are a number of classification schemes for BPO risks [2], this study uses a seven segment BPO risk classification scheme. The seven segments are HCM, Project, IP, legal, provider s organizational, business value and external environmental risks. Potential risk management strategies include avoidance, abatement, retention, transfer and allocation. Risk avoidance and abatement are self explanatory. Out of the five risk management strategies, risk transfer is being used by many outsourcers [3]. Risk transfer is shifting the risk burden from one party to another which is mainly realized through insurance schemes and guarantees in the contract with providers. Risk retention is in fact a fall back strategy when it is impossible to transfer a risk. Moreover in certain instances the expenditure to transfer a 2
risk can be higher than the cost of the damage due to that risk. Therefore, retaining the risk and absorbing the damage is a better option than trying to transfer it. Risk allocation is a viable option for the business receiving party (provider) to share the risk burden by further outsourcing the received business process to a third party. However, the outsourcers should be extra careful about such level two outsourcing arrangements that introduce further risks, even though such arrangements can mitigate risks for their service providers. The step three deals with implementing risk mitigation methods according to the selected strategies. Human capital risk mitigation methods first have to address the change that is taking place internally. Seeking ways to overcome resistance by effective communication [4], establishing changes and reestablishing Standard Operating Procedures (SOPs) are some of the tasks of change management related to BPO. Then project risks prevent the outsourcer from achieving the cost savings, productivity improvements and certain strategic advantages [2]. Project risks arise mainly due to two reasons; incorrect assessment of the BPO project and unrealistic expectations of the top level steering group. Some risk mitigation methods that address project risks can be structured as shown in figure 4. Project Risk Category Mitigation Method The project management team ensures that the Incorrect assessment 1. Assess readiness to outsource steering group and the top level executives of the of BPO readiness 2. Appoint a strong BPO champion 3. Step by step transition organization are well-informed of project risks, Unrealistic 1. Upward expectations mgmt costs and mitigation strategies. Downward expectations 2. Downward expectations mgmt 3. Horizontal expectations mgmt expectations management focuses on employees, 4. External expectations mgmt Figure 4: Project Risk Mitigation Methods horizontal expectations management handles the expectations of managers in non-outsourced processes and external expectations management deals with customers, suppliers and other stakeholders. Risk mitigation methods for countering IP and legal aspects can be graphically illustrated as shown in figure 5. IP Check Complaince with Industry Specific Guidelines Legal Set service specification & performance standards Establish administrative safeguards (documented policies for daily ops) Document SLAs Establish physical safeguards (protection of data, IS and equipment) Design clear project termination scenarios Establish technical safeguards (how to use technology to control access) Communicate legal obligations and penalties to the provider OR Outsource IP and Legal risk mgmt to a third party provider Figure 5: Methods to Counter IP and Legal Risks Devising provider organizational risk mitigation methods is the responsibility of the service provider, although the outsourcer could exert pressure on the provider to adopt good industry practices. These methods can also be interpreted as operational risk mitigation techniques [2] that deal with people, technology and process of the provider. Some of these risk mitigation methods are given in figure 6. The sixth segment of the BPO risk classification scheme is business value risks. Due to inherent problems of any given BPO venture, achieving the expected business value maybe difficult and hence methods should be formulated to mitigate this risk. One method is to manage projected outcomes of the project which may seem as a hard line cost-cutting approach to many. Another method is to empower the project management team to leverage opportunities that spawn during the BPO lifecycle [5]. This is called the pressing the value model. Sometimes, the project management team should try to outsource further non-core functions to existing providers under this method. Business value risks can arise in the case of 3
providers who overstate potential values and value delivery time frames. In such circumstances, effective SLA negotiation, implementation and SLA management can help. In fact many service providers have Risk Mitigation Method People 1. Constant stream of new recruits 2. Fast track training programs 3. Bonus plans and incentive packages 4. Clear career advancement paths etc Technology 1. Seamless ICT infrastructure 2. Adequate and easy to maintain software applications portfolio etc Process 1. Customer satisfaction surveys 2. Set targets to increase throughput etc Figure 6: Provider Organizational Risk Mitigation already adopted extreme value risk mitigation techniques. Then the seventh segment of the risk classification scheme, external environmental risks are extremely difficult to tackle. For example, political instability could be predicted using the history of events in the BPO service provider s locale. The risk mitigation plan in such cases should address what, how, who, when and where questions pertaining to relocation and continuation of outsourced services. Not only political instability, but also natural disasters, outbreaks of pandemics and global economic fluctuations should also be taken into consideration. The fourth step of the framework in figure 2 addresses the monitoring aspect of risk mitigation exercises. The purpose of introducing a risk mitigation monitoring phase is to measure the effectiveness and applicability of employed strategies and techniques since risk mitigation itself is a useful, yet costly process. The monitoring and benchmarking of many types of risk management strategies are not so difficult thanks to intelligent and automated continuous monitoring systems available today. These systems provide improved consistency, coverage, sophistication, timeliness and additional controls and can monitor risks in real time. In essence, these risk monitoring solutions can be generalized as decision support systems for BPO ventures. The last step of the framework ensures that the risk mitigation processes are evolved over time, learning by previous mistakes and successes. 4. Conclusion and Future Work In this paper, a generic risk mitigation framework for BPO/ITES industries was presented. The target users of the framework are the BPO project team from the outsourcing company s end and the outsourcing account managers and their teams from the service provider s end. The framework which works in five steps as explained in the paper equips the concerned parties with effective risk mitigation strategies to handle scenarios ranging from HCM related issues to external environmental risks. As a next step, the framework is to be presented together with a questionnaire to a selected group of outsourcing companies and their service providers to measure its applicability and effectiveness. References [1] Stone.L, Brown R.H, AT&T's Relationship with Aon Is an Exemplar of Comprehensive Human Resources Business Process Outsourcing, Gartner Research, 2004 [2] Nanayakkara B.S, Hirano.M, Business Process Outsourcing Risk Mitigation, In the proc. of Japan Society for Management Information, 2009 (Autumn) [3] Downey J.M, Risk of outsourcing applying risk management techniques to staffing methods, Facilities Journal, 1995 [4] Offshore outsourcing management - How to manage your business for successful outsourcing, Outsource to India, http://www.outsource2india.com/why_outsource/articles/managing_outsourcing.asp [5] Duening T.N, Click R.L, Essentials of Business Process Outsourcing, John Wiley & Sons, Inc, 2005 4
Generic Risk Mitigation Framework for Business Process Outsourcing Nanayakkara B.S 1, Hirano.M 2, Waseda Business School Abstract Business process outsourcing risk mitigation is a popular topic among the outsourcing companies as well as service providers. While the BPO and ITES market is well positioned for rapid and continuous growth, the widespread fear about its inherent risks can be detrimental to the success of this multibillion dollar industry. As many developed and developing nations place a significant emphasis on the BPO industry as a major contributing factor of their economies, BPO risk mitigation has become a priority in the national level too. However, identifying risks alone is insufficient to safeguard the healthy growth of the BPO industry. A systematic method to mitigate the risks is mandatory and is a timely requirement of the BPO/ITES industry today. The objective of this paper is to present one such generic BPO risk mitigation framework. Keywords: BPO, ITES, Risk Mitigation 1. Introduction BPO risks are numerous and their management is complicated. This complexity in risk management affects SMEs more than large corporations because of their ability to absorb potential losses due to risks without too much damage. Rather than following a reactive approach to manage risks and losses, companies will be better positioned in the outsourcing environment if they have access to a proactive risk mitigation framework to use in the BPO lifecycle. In the work that follows, one such generic risk mitigation framework is presented, which can be easily customized to the nature of the outsourced business function. The framework can help both the outsourcing company as well as the service providers for maintaining a successful and healthy BPO relationship. 2. Setting up an Effective BPO Project Team The project team is responsible for the analysis of opportunities presented by the outsourcing initiative and drive the outsourcing decision especially during the beginning of a BPO venture. According to the studies conducted in this research, we found that most of the outsourcing organizations either do not employ a project team or vest the sole responsibility of the project in a few individuals selected from relevant departments without a sound criterion. The BPO project team that we propose consists of all required elements in the organization hierarchy who has a direct stake in the BPO venture. Therefore, the strategic level management should be a part of this team in the capacity of a top-level steering group. The steering group is responsible for initiating the outsourcing venture, justifying the alignment of the BPO decision with the corporate strategy and overall supervision to ascertain the delivery of expected project goals. Ideally, strategic level managers from HR, Finance and IT should fill this steering group. A BPO analysis team which reports to the top level steering committee is also required in order to critically investigate the benefits of outsourcing an internal process and to provide the results of the investigation to the steering committee in an unbiased manner. AT&T has used this approach to outsource its HR function to Aon Consulting, which now provides AT&T with HR administrative, transaction and payroll services [1]. The BPO analysis team at AT&T asked respective HR managers why their activity should continue to function as an in-house operation. This approach lets managers view their functions in a critical manner, convince them of the benefits of BPO, makes them less adversarial to the BPO strategy and creates new project champions to take the word to the dissenting employees. Beside the steering and analysis teams, the most important role in a BPO venture is played by the project management team. The project management team should be responsible for the overall progress of the BPO initiative. Further, the responsibility of risk mitigation and the handling of the risk mitigation framework presented in section 3 are significant duties of the project management team. Other parts that 1
comprise the proposed BPO team are the provider selection team and provider side interfacing team. The proposed team layout is illustrated in figure 1. Top Level Steering Group Business Analysis Team Provider Selection & Monitoring Team Provider Side Interfacing Team Project Mgmt Team Figure 1: BPO Project Team Structure 3. Proposed Risk Mitigation Framework The objective of this section is to present the proposed generic risk mitigation framework in the light of the BPO project team structure (the users of the framework) described earlier. In the abstract level, the framework works in five steps. The abstract representation of the framework is shown in figure 2. Risk Identification & Assessment Device Risk Management Strategy Implement Risk Mitigation Methods Monitor Risk Mitigation Processes Evolve Risk Mitigation Processes Figure 2: Main Steps of the Risk Mitigation Framework Even though not shown in the figure, the risk identification and assessment should be preceded by the all important exercise of setting BPO goals and objectives. This is the responsibility of the top level steering group. Steps two to five are carried out by the project management team relying on the information received from the provider selection and monitoring team. In the first step, risk identification could be dealt with simple process classification [2] and assessment could be realized through risk-probability matrices. A sample risk-probability matrix is given in figure 3. Risk Probability Cost Mitigation Tactics Implementation Time Overrun 95% 10% Bonus Plan Key Staff Turnover 60-70% 2% Retention Program, Training Hardware & Software 30-40% 5-8% Vendor Agreement to Absorb Cost Inadequacies Customer Dissatisfaction 10-15% 5% Customer Training, Vendor Monitoring Legal Issues 2-5% 10-15% Empowering the Legal Team Mission Critical Data Loss 1% NA Quality Control, Backups Political Instability <1% 50% Disaster Recovery Methods Figure 3: BPO Risk-Probability Matrix [5] The determination of the risk management strategy (step 2) has to be inline with the categorization of BPO risks. Although there are a number of classification schemes for BPO risks [2], this study uses a seven segment BPO risk classification scheme. The seven segments are HCM, Project, IP, legal, provider s organizational, business value and external environmental risks. Potential risk management strategies include avoidance, abatement, retention, transfer and allocation. Risk avoidance and abatement are self explanatory. Out of the five risk management strategies, risk transfer is being used by many outsourcers [3]. Risk transfer is shifting the risk burden from one party to another which is mainly realized through insurance schemes and guarantees in the contract with providers. Risk retention is in fact a fall back strategy when it is impossible to transfer a risk. Moreover in certain instances the expenditure to transfer a 2
risk can be higher than the cost of the damage due to that risk. Therefore, retaining the risk and absorbing the damage is a better option than trying to transfer it. Risk allocation is a viable option for the business receiving party (provider) to share the risk burden by further outsourcing the received business process to a third party. However, the outsourcers should be extra careful about such level two outsourcing arrangements that introduce further risks, even though such arrangements can mitigate risks for their service providers. The step three deals with implementing risk mitigation methods according to the selected strategies. Human capital risk mitigation methods first have to address the change that is taking place internally. Seeking ways to overcome resistance by effective communication [4], establishing changes and reestablishing Standard Operating Procedures (SOPs) are some of the tasks of change management related to BPO. Then project risks prevent the outsourcer from achieving the cost savings, productivity improvements and certain strategic advantages [2]. Project risks arise mainly due to two reasons; incorrect assessment of the BPO project and unrealistic expectations of the top level steering group. Some risk mitigation methods that address project risks can be structured as shown in figure 4. Project Risk Category Mitigation Method The project management team ensures that the Incorrect assessment 1. Assess readiness to outsource steering group and the top level executives of the of BPO readiness 2. Appoint a strong BPO champion 3. Step by step transition organization are well-informed of project risks, Unrealistic 1. Upward expectations mgmt costs and mitigation strategies. Downward expectations 2. Downward expectations mgmt 3. Horizontal expectations mgmt expectations management focuses on employees, 4. External expectations mgmt Figure 4: Project Risk Mitigation Methods horizontal expectations management handles the expectations of managers in non-outsourced processes and external expectations management deals with customers, suppliers and other stakeholders. Risk mitigation methods for countering IP and legal aspects can be graphically illustrated as shown in figure 5. IP Check Complaince with Industry Specific Guidelines Legal Set service specification & performance standards Establish administrative safeguards (documented policies for daily ops) Document SLAs Establish physical safeguards (protection of data, IS and equipment) Design clear project termination scenarios Establish technical safeguards (how to use technology to control access) Communicate legal obligations and penalties to the provider OR Outsource IP and Legal risk mgmt to a third party provider Figure 5: Methods to Counter IP and Legal Risks Devising provider organizational risk mitigation methods is the responsibility of the service provider, although the outsourcer could exert pressure on the provider to adopt good industry practices. These methods can also be interpreted as operational risk mitigation techniques [2] that deal with people, technology and process of the provider. Some of these risk mitigation methods are given in figure 6. The sixth segment of the BPO risk classification scheme is business value risks. Due to inherent problems of any given BPO venture, achieving the expected business value maybe difficult and hence methods should be formulated to mitigate this risk. One method is to manage projected outcomes of the project which may seem as a hard line cost-cutting approach to many. Another method is to empower the project management team to leverage opportunities that spawn during the BPO lifecycle [5]. This is called the pressing the value model. Sometimes, the project management team should try to outsource further non-core functions to existing providers under this method. Business value risks can arise in the case of 3
providers who overstate potential values and value delivery time frames. In such circumstances, effective SLA negotiation, implementation and SLA management can help. In fact many service providers have Risk Mitigation Method People 1. Constant stream of new recruits 2. Fast track training programs 3. Bonus plans and incentive packages 4. Clear career advancement paths etc Technology 1. Seamless ICT infrastructure 2. Adequate and easy to maintain software applications portfolio etc Process 1. Customer satisfaction surveys 2. Set targets to increase throughput etc Figure 6: Provider Organizational Risk Mitigation already adopted extreme value risk mitigation techniques. Then the seventh segment of the risk classification scheme, external environmental risks are extremely difficult to tackle. For example, political instability could be predicted using the history of events in the BPO service provider s locale. The risk mitigation plan in such cases should address what, how, who, when and where questions pertaining to relocation and continuation of outsourced services. Not only political instability, but also natural disasters, outbreaks of pandemics and global economic fluctuations should also be taken into consideration. The fourth step of the framework in figure 2 addresses the monitoring aspect of risk mitigation exercises. The purpose of introducing a risk mitigation monitoring phase is to measure the effectiveness and applicability of employed strategies and techniques since risk mitigation itself is a useful, yet costly process. The monitoring and benchmarking of many types of risk management strategies are not so difficult thanks to intelligent and automated continuous monitoring systems available today. These systems provide improved consistency, coverage, sophistication, timeliness and additional controls and can monitor risks in real time. In essence, these risk monitoring solutions can be generalized as decision support systems for BPO ventures. The last step of the framework ensures that the risk mitigation processes are evolved over time, learning by previous mistakes and successes. 4. Conclusion and Future Work In this paper, a generic risk mitigation framework for BPO/ITES industries was presented. The target users of the framework are the BPO project team from the outsourcing company s end and the outsourcing account managers and their teams from the service provider s end. The framework which works in five steps as explained in the paper equips the concerned parties with effective risk mitigation strategies to handle scenarios ranging from HCM related issues to external environmental risks. As a next step, the framework is to be presented together with a questionnaire to a selected group of outsourcing companies and their service providers to measure its applicability and effectiveness. References [1] Stone.L, Brown R.H, AT&T's Relationship with Aon Is an Exemplar of Comprehensive Human Resources Business Process Outsourcing, Gartner Research, 2004 [2] Nanayakkara B.S, Hirano.M, Business Process Outsourcing Risk Mitigation, In the proc. of Japan Society for Management Information, 2009 (Autumn) [3] Downey J.M, Risk of outsourcing applying risk management techniques to staffing methods, Facilities Journal, 1995 [4] Offshore outsourcing management - How to manage your business for successful outsourcing, Outsource to India, http://www.outsource2india.com/why_outsource/articles/managing_outsourcing.asp [5] Duening T.N, Click R.L, Essentials of Business Process Outsourcing, John Wiley & Sons, Inc, 2005 4