Business Risks

and Mitigation
Strategies
Because it is the catalyst of such significant
changes for the organization, a BPO initiative is
also associated with business risks. The
pioneering firms that led the current wave of
interest in outsourcing were Global 2000–sized
companies with the capacity to absorb
occasional business mistakes, even relatively
large ones.
2
As the size of the outsourcing projects increases
in proportion to the size of the BPO buyer,
business risk also increases proportionately. In
order for BPO to become a source of competitive
advantage for small to medium-sized enterprises
(SMEs),proven techniques for managing and
mitigating risks must be developed.
3
 4
The discussion focuses on seven primary areas, each of
which should be addressed in a thorough risk-
management strategy developed by the Project
Management Team (PMT):
1. Human capital risks
2. Project risks
3. IP risks
4. Legal risks
5. Vendor organizational risks
6. Value risks
7. Force majeure risks
The convergence of the six major BPO drivers
was not anticipated or planned by any
government or international agency. Managers
and executives employed in organizations
seeking to outsource business processes cannot
rely on their business school education or their
experience to help them deal with BPO
opportunities and challenges.
5
Not many have led business transformation
opportunities that comprise the many facets of
BPO—technical and social. BPO managers should
actively seek to engage in continuing education
and learning about BPO even during the
execution of a real-time project. As BPO is
evolving rapidly, the pursuit of new knowledge
beyond this book will be critical to the success of
both ongoing and future BPO initiatives.
6
 1.
Human
Capital
Risks
Change management is an HR issue, involving a
well-understood pattern of overcoming
resistance, instituting changes, and
reestablishing standard operating procedures
(SOPs). Some change management consultants
have expressed this as unfreezing–moving–
refreezing the organization.
8
This section does not address the risks related to
change management; rather, it focuses on the
technical risks involved with the thorny issues of
equal employment opportunity, immigration, and
foreign trade regulations. Each of these topics
touches the BPO project on the margins and
must be understood and managed.
9
The human capital issues most likely to arise in an
onshore outsourcing project are those associated
with equal employment opportunity regulations. For
example, BPO buyers must be especially careful
when outsourcing results in reductions in force
(RIFs).Such reductions must be handled in a manner
that is transparently related to business interests
and has not selectively targeted a protected class of
individuals.
10
Human Capital Risks

Labor-Related
Risks
Other human capital risks associated with
onshore outsourcing concern those that stem
from collective bargaining and labor relations
laws and regulations. Beginning in the early
1980s, the National Labor Relations Board
(NLRB) issued several decisions that created
additional uncertainty when evaluating the
bargaining status of outsourcing or
subcontracting decisions. 12
The NLRB’s lack of clarity on the obligations of
employers in collective bargaining is unlikely to
be resolved anytime soon. To reduce risk,
companies should consult with labor attorneys
as part of the BPO opportunity analysis to
determine the likely disposition of their
preferred strategy and its implications for
possible liability exposure.
13
 Human Capital Risks

Understanding Labor
Laws in Non-U.S.
Countries
BPO buyers that use an offshore outsourcing
vendor can benefit from an absence of many of
the employment liabilities present in the United
States. Many foreign countries do not have laws
governing matters such as workplace
discrimination, sexual harassment, or privacy. At
the same time, companies must understand the
labor laws that govern their outsourcing vendor.
15
India, for example, has a radically different system of
employment law than the United States. "At will”
employment, which allows U.S. employers to easily
terminate or lay off employees, does not exist there.
Under a much more restrictive concept called termination
indemnity,” employers must follow a lengthy notification
process before letting Indian employees go. They must
also indemnify employees for some of the wages they
would have earned if they had remained on the job.
16
The more restrictive labor laws in foreign
countries can limit the flexibility BPO buyers
seek. For example, a BPO Project Management
Team may recognize the need to reorganize a
vendor’s process to improve it. In some
countries, it can be difficult for a company to
restructure or change its operating strategies.
17
Even moving an employee to a new work site
could be a challenge in the foreign vendor’s
regulatory environment. The ability to
restructure the organization—which is taken for
granted in the United States—can be more
difficult and riskier in many foreign countries.

18
 Human Capital Risks

Study Vendor Labor

Practices
The most important risk mitigation strategy
regarding human capital is to vigorously scrutinize
vendor labor practices during the selection phase.
The BPO buyer can avoid future headaches by
seeking vendors whose HR practices and policies
resemble their own. Beyond that, it is also
important to assess the professionalism of the
vendor in its HR procedures and policies
20
Human Capital Risks
Sweetshop
Risks
HR risks associated with offshore outsourcing also
include the potential implications of practices acceptable
in the foreign jurisdiction but unacceptable to consumers
in the United States. The most common example of this is
the so-called sweatshop labor practices that have
damaged the image of firms such as Nike and Wal-Mart.
Working with foreign companies whose HR practices are
patently offensive to U.S. consumer sensitivities poses
the risk of potential backlash if those practices are
exposed.
22
 2.
Project
Risks
Project risks are defined as those that have the
potential to prevent the BPO initiative from not
providing the cost savings, strategic advantages,
or productivity improvements anticipated. The
reasons for these risks are too numerous to list.
Unexpected incompatibilities between software
infrastructures could prove intractable and lead
to delays, cost overruns, and lost business.
24
 Mitigating Project Risks
To mitigate project risks, the BPO buyer should first
assess its readiness to undertake the outsourcing project
before making the leap. This includes an analysis of three
key factors:
1. Organization’s ability to adapt to change. Organizations
with a poor track record in managing large-scale change
are at a higher risk of project failure than those with a
record of successful change management
25
2. Presence of an internal BPO champion. An internal
champion, especially one with broad influence within the
organization, can reduce project risk. This person can be
relied on to work long hours and lay awake nights thinking
about solutions to project problems when other members
of the PMT are sleeping well
3. Time available to make the transition and ramp up to full
operational mode. In general, the less time available for the
transition, the higher the risk .Buyers should increase the
time available to implement a BPO transition, building on
successes along the way. 26
 Project Risks
Risk of Unrealistic
Expectations
 Risk of Unrealistic Expectations
The PMT often ignores the risks associated with
unrealistic expectations on the part of the BPO buyer’s
executive team. Expectations can be managed at four
levels:
1. Upward expectations management. Refers to the
procedures the PMT follows to ensure that the
organization’s executive team (and the BPO project
Steering Team) is informed about project risks,potential
costs,and mitigation strategies. 28
2. Downward expectations management. Refers to the
challenge of managing employee expectations as the
project unfolds.
3. Horizontal expectations management. Refers to
handling expectations of managers in no outsourced
functions.
4. External expectations management. Refers to the
process of dealing with expectations of customers,
suppliers, and other stakeholders outside the organization
who have a need to know. 29
 3.
Intellectual
Property
Risk
Most businesses have a significant amount of sensitive
information, including trade secrets, business plans, and
proprietary business knowledge. Offshore outsourcing
presents different—and in some cases, more potent—
threats than the domestic variety. Legal standards and
business practices governing whether and how sensitive
information should be guarded vary around the world

31
 IP Risks
Industry-Specific
Guidelines
Most businesses have a significant amount of sensitive
information, including trade secrets, business plans, and
proprietary business knowledge. Offshore outsourcing
presents different—and in some cases, more potent—
threats than the domestic variety. Legal standards and
business practices governing whether and how sensitive
information should be guarded vary around the world

33
To address these changes, the Working Group updated
the Framework with further considerations for disaster
recovery, security audits and assessments, vendor
management, and cross-border considerations. The
Framework is intended to be used as part of, and in
supplement to, the financial services company’s due
diligence process associated with defining, assessing,
establishing, supporting, and managing a business
relationship for outsourced IT services.
34
 IP Risks
HIPAA Raises
Concerns in Health
Care
The Health Insurance Portability and Accountability Act
of 1996 (HIPAA) has led to a host of security risk
management concerns for health care institutions that
outsource processes requiring electronic transmission of
patient information. HIPAA is designed to protect
confidential health care information through improved
security standards and federal privacy legislation.

36
 There are 18 information security standards in three areas
that must be met to ensure compliance with the HIPAA
Security Rule. These areas are:
1. Administrative safeguards. Documented policies and
procedures for day-to-day operations; managing the
conduct of employees with electronic protected health
information (EPHI); and managing the selection,
development, and use of security controls
37
2. Physical safeguards. Security measures meant to
protect an organization’s electronic information
systems,as well as related buildings and equipment,from
natural hazards,environmental hazards,and
unauthorized intrusion
3. Technical safeguards. Security measures that specify
how to use technology to protect EPHI,particularly
controlling access to it
38
 IP Risks

Best Practices and

Standards
The most effective information security risk management
strategy is to adopt and comply with best practices and
standards. Tort law in the United States includes four
possible means by which a firm may be found liable for
information security lapses:
(1) duty,
(2) negligence,
(3) damage, and
(4) cause. 40
 4.
Legal
Risks
Legal risks associated with offshore outsourcing are
legion, and their threat is made worse by the relative lack
of legal precedent. For example, there currently are no
clear legal rules governing the extent to which remedies
can be extracted from a BPO vendor in the case of a
security breach or other gross malfeasance. Countries
differ in their laws for foreign firms seeking damages
from private enterprises.
42
One technique that has been effective for avoiding legal
disputes is to split outsourcing contracts depending on
different deliverables and service-level agreements
(SLAs). For example, many firms outsource software
development as well as IT management to third-party
vendors. A BPO buyer would be wise to split the software
development contract from the IT services contract. IT
management services are generally governed by SLAs
that require regular fee payments
43
Firms should also be careful to separate continuous service
or transaction-related terms from those that concern
development of some type of output,such as software or
knowledge that is the property of the BPO buyer.The
transaction-related services are usually covered in the
SLAs and are paid on a regular basis.Development
contracts should be treated separately.

44
 5.
Vendor
Organizational
Risks
The risks associated with the BPO vendor’s
organization are perhaps the most difficult to
accept because they are not easy to control.This
risk is also enhanced when the vendor is
offshore.The risks associated with the vendor
organization can range from business practices
to authenticity of certification and reference
claims.
46
Vendor business practices can vary greatly
around the world. Practices that are clearly
prohibited or considered highly questionable in
the United States can be routine in the vendor’s
home country. The problems of bribes, kickbacks,
or money exchanged under the table have
affected U.S. businesses abroad in a wide range
of industries.
47
Another risk concerns the potential for vendors to
overstate their competencies and to exaggerate the
business and technical certifications they possess and the
clients they serve. This risk can be mitigated through
comprehensive due diligence that insists on objective
proof of certifications and permission to talk to
representatives from the vendor’s client list. Vendors
that refuse to share certification evidence or balk at
client referrals should be treated with caution.
48
Child labor, excessively long hours, and outright sexual
and other forms of harassment or discrimination are not
uncommon in some foreign labor markets. Firms
choosing to outsource business processes should
consider the labor practices of the vendor and determine
whether the risk of participating in domestically reviled
practices abroad can damage domestic reputation and
goodwill.
49
 6.
Value
Risks
Whether the rationale is cost savings or business
transformation,an outsourcing project is undertaken to
create value for the BPO buyer.With the myriad
uncertainties inherent in any complex BPO
deal,extracting anticipated value can be a challenge.This
risk can be mitigated through several techniques, most of
which center on managing the projected outcomes.

51
Working with international vendors presents
higher-value risks than does working with
domestic vendors in that the extent of potential
value is often overstated by the foreign vendor
and can take longer than expected to achieve.
Mitigation of these risks centers on the
effectiveness of SLA negotiation,
implementation, and management.
52
Working with international vendors presents higher-
value risks than does working with domestic vendors in
that the extent of potential value is often overstated by
the foreign vendor and can take longer than expected to
achieve. Mitigation of these risks centers on the
effectiveness of SLA negotiation, implementation, and
management.

53
 7.
Force Majeure
Risks
Force majeure risks are the most difficult to
quantify and specify. What is the likelihood of a
war? A hurricane? An earthquake? No one really
knows. Yet these risks can be estimated with
some measure of objectivity, and an appropriate
mitigation strategy can be developed and
enacted.
55
• Global geopolitical realities have brought the threat of war
to nearly every doorstep.At the same time,reasonable
assessments of the probability of war affecting a BPO
vendor can be made.
• The potential for political unrest exists in many countries
that are desirable outlets for outsourcing,such as India and
the Philippines.Firms outsourcing to foreign countries
should plan for the possibility of war and the impact such a
conflict would have on their business
56
Contingency plans should account for a worst-case
scenario that would address questions such as:
• What would you do if the country were attacked?
• How would you perform the outsourced functions?
• How would you protect your facility and its contents and
your IP?
• Where would you relocate your business?
57
Force Majeure Risks

Planning for
Disaster and
Recovery
If they have not already, companies that
outsource overseas need to develop disaster
recovery and business continuity plans.Such
plans force organizations to examine possible
risks and are crucial if the outsourcing firm wants
to purchase insurance to cover property, liability,
or business interruption exposures.
59
Also, it is a good idea to have a backup in place in
case anything goes wrong with infrastructure,
business partners, or distribution channels. In
addition to a backup, BPO buyers should
consider drawing up a contract with the
company responsible for securing the
outsourcing. The terms of the contract and the
shifting of the risk can be governed by that
document. 60
Force Majeure Risks

Managing
Risks Early
Outsourcing does not mean eliminating business risk; it
simply means that some risk is transferred to the BPO
vendor. BPO buyers should consider whether they could
go back to their old systems if all else failed. To be
effective, an outsourcing deal requires that each partner
has considerable benefits to be gained, and that means
sharing both risks and rewards. To make that work, the
BPO deal must fund the necessary investment and
motivate each partner’s commitment by aligning goals.
62
When thinking about using outsourcing, the
buyer must also consider the risks it brings to a
potential BPO relationship. The BPO provider’s
readiness to undertake a BPO project is a major
determinant of risks to project success. A good
starting point to a risk management strategy is
for the potential buyer to develop a risk profile of
itself.
63