Senior executives say, “There is no need to worry about that risk – I have transferred that to the contractor.” This is not possible.
The notion that by outsourcing or contracting you have transferred your risk to another party is a myth. Senior executives, both in government and private enterprise, say, “There is no need to worry about that risk – I have transferred that to the contractor.” This is simply untrue.
If you own the consequences (or at least part of them), then you own the risk.
In the TV series "Air Crash Investigation," there is an episode titled “Dead Weight
.” In this episode, maintenance staff working for a company that is sub-contracted to conduct maintenance on behalf of Air Midwest’s primary maintenance contractor skip nine of 25 steps detailed in the maintenance manual when adjusting the tension on the elevator control cable. As a result, the cable is unable to traverse through its full range of motion.
When Air Midwest flight 5481 took off overweight, the center of gravity shifted rearward when the landing gear was raised, which pitched the nose higher. Because of the issues with the elevator control cable, the pilots were unable to bring the nose down. The aircraft stalled and crashed into a hangar on the ground, killing all passengers and crew on board.
The issue arose because there was no contract oversight/assurance by either Air Midwest or the primary contractor.
A contract is a control -- but a control is only as good as the measurement of its effectiveness. Organizations that outsource simply cannot afford to assume that, because there is a contract in place:
- They have outsourced the risk to the contractor
- The contractor’s performance will be as contracted and as reported.
This last point may seem a cynical one, but you need to accept that the primary driver for a contractor is to maximize profit. If shortcuts can be taken, they are likely to be pursued.
What is even more important for organizations to understand is that, if the function that is contracted is a compliance requirement, and if there is a compliance breach, it is the organization -- not the contractor -- that will be held to account.
So, what are the keys to reducing the outsourcing risks?
Firstly, the organization needs to ensure that, before developing the solicitation documentation for an outsourced function, the risks during the contracted period are identified and assessed and treatments (such as oversight and performance measurement) are fully built into the contract. It is absolutely critical that compliance risks with the highest-level consequences are included in this list.
Secondly, the organization needs to ensure that contract performance is actively monitored and measured (i.e. do not simply accept contractor’s performance reports as fact).
In essence, organizations need to remember that, although you can outsource responsibility for the management of functions, you cannot outsource accountability for the consequences of not managing risk. In simple terms, if the contractor fails, the organization fails. If an organization owns the consequence, it owns the risk.
If your organization is one where contact management and contract assurance are not front of mind, or yours is one where the assumption is that the risk has been transferred to the contractor, you are in a dangerous position.