Managing the risks within the supplier domain: black-box versus white-box

Not all risks related to outsourcing can be mitigated in the same manner. Some risks and their mitigation are fully retained within the client company, while others can only be mitigated with the cooperation of the external vendor. SAS70, due diligence and audit rights are the most commonly used assurance mechanisms, but they are:

  • limited in their use (e.g. SAS70 focuses on controls for IT systems whose function can have a material effect on financial statements and is thus of limited use for mitigating other types of risk).
  • expensive (e.g. both auditing by the company's own auditors and SAS70 statements require the vendor (and the third-party auditor) to invest many hours in collecting and presenting evidence; the bill for a SAS70 type II can easily end up in the area of $100-200k).
  • a snapshot of the situation (e.g. due diligence is typically a one-off exercise performed as part of the selection or contracting phase; the same applies to a SAS70 type I report).
In order to have a more efficient and effective control framework, the company should use a combination of expensive assurance mechanisms, such as third-party statements like SAS70, ISA 402 and ISAE 3402, for the areas of high risk and cheaper alternatives for areas of medium and low risk. See also this post in which I describe at a high level how the costs related to managing regulatory risk in outsource engagements can be reduced. As part of creating a holistic control framework to manage risk, it is important to constantly balance cost and effectiveness.
Describing in contract schedules exactly how the vendor has to execute certain activities prevents the vendor from using its own best practices and is thus expensive. Describing what the output ('evidence') for a certain control objective should look like and letting the vendor decide how to arrive at that result is consequently cheaper than the first option. In other words:

Telling the cook how long and in which pan to boil the egg versus ordering a half-boiled egg.

Mitigation of some risks can be done using a 'black box' approach while others cannot. Looking at risks from a 'black box' perspective means the client organisation defines requirements or controls that the vendor must adhere to and report on, but without needing to know the vendor's internal means of operation.

However, not all risks can be managed this way. Certain risks require in-depth knowledge of the internal structure and workings of the vendor (medium/high risk) to ensure an acceptable risk level for the client organisation. This is known as a 'white box' or 'glass box' approach. The two examples below make it more tangible:

  • A technology risk is the quality of the data that is sent from the vendor to the client organisation. The client organisation cannot treat data quality purely as the vendor's problem, as that would lead to a 'garbage-in/garbage-out' scenario. The client organisation should instead look at data quality in functional terms (e.g. accuracy, integrity, availability, completeness and timeliness) and define thresholds or service levels for them. It should be left up to the vendor to operationalise these requirements. In this case, the risk is managed as a black box.
  • A vendor-related risk is the turnover of its key employees. Key employees possess skills, knowledge or expertise that are so valuable to the client organisation that the client should be able to influence the vendor's decision-making process when it comes to replacing them. Influencing the internal decision-making process of the vendor on this point means managing the risk as a white box.

Managing a risk as a black or white box needs to be reflected in a) the way it is translated into contract clauses and b) the way the vendor is controlled by the retained organisation of the client. The benefits of this differentiation are more focused management attention, less 'control waste' and thus ultimately lower cost—lower cost due to a smaller retained organisation and lower charges from the vendor for risk management related services.