Outsourcing In A Complex Regulatory Environment Without Insourcing Additional Risks

In the most recent presidential campaign, outsourcing was a hot-button issue. Accusations were bandied about by both parties about how one group was “outsourcing jobs” and reaping grotesque profits at the expense of the U.S. worker.[1] However, and notwithstanding the political gamesmanship, more and more companies – regardless of size, geographical location or ownership structure – continue to utilize outsourced relationships to improve the bottom line. Regardless of the public perception, outsourcing service providers regularly deliver the promised economic benefits of outsourcing: improved operations, lower costs, enhanced shareholder value. So it's not surprising - particularly in tough economic times – that outsourcing remains not only a viable option, but a frequently used solution for companies looking to reduce overhead and grow profits.

But a stagnant economy isn't the only thing that keeps a company's COO up at night. In today's business environment, where new government regulations seem to pop up every day, a company's compliance and governance policies and structures are subject to frequent and sometimes intense scrutiny. Consequently, management is continuously searching for cost-efficient ways to ensure compliance and reduce the risks inherent in these regulations. Because many of these organizations regularly use outsourcing to improve their bottom line, the capability of the outsourcer to meet a company's compliance requirements (or even, in some cases, to improve an organization's compliance) has become a primary focus (and indeed, is more and more a key differentiator in an organization's decision in selecting an outsourcer). This is particularly important where a company decides to outsource business functions that involve sensitive data.

Cost-cutting while still ensuring compliance in an increasingly complex regulatory environment sounds daunting. Everyone enjoys receiving financial benefits[2] but reducing costs without risking regulatory penalties or – worse yet – lawsuits is a challenge. Now layer into the mix the use of an outsource services provider that in many instances will have control of protected information – including personal information of the company's customers – and one begins to understand why folks in the C-Suite are suffering sleepless nights.

So now that we've painted a bleak picture, the question is how does a company garner the benefits of outsourcing without insourcing more risk? While a comprehensive answer to that question would take more time and space than what's allotted for this discussion, following are a handful of key steps that should be taken and key issues that should be considered. Remember, while a company can outsource some of the responsibilities for ensuring compliance, it can never outsource its accountability.

Choosing The Outsource Services Provider – The RFP

Many of us consider the RFP/RFQ/RFI process to be not only cumbersome but far too frequently a waste of time. On the one hand there is the overly constrictive format utilized by the company issuing the request that prevents even a minimal explanation of a response, while on the other is the “canned” snippets offered by the respondents that seem to condition more detailed information on being down-selected. That being said, when it comes to an outsourcer's compliance/data protection/information security areas, the RFP can prove to be a very useful tool.

One thing to stress here is the need for the company considering outsourcing to carefully examine the business processes, the type of data or information that is involved, and the applicable internal structures in place that have been developed and implemented to address compliance concerns. The company will want to verify that an outsource services provider will at a minimum maintain the same levels of security. After all, a company's base case -- and how the internal costs for that base case measure up against an outsourcer's solution – includes all of the investment and ongoing costs that the company has incurred and will continue to incur to sustain its data security infrastructure. On the other side of the equation, any outsourcer worth engaging will go to great lengths to drill down on the specific requirements being imposed so that it understands its obligations and can adequately bake the costs of those obligations into its pricing models. Using a “cookie-cutter” approach when it comes to the data security/compliance portions of the RFP does a disservice to both sides. A little effort at the front end to classify the data at issue and the company's current data security environment will go a long way to ensure that the RFP responses are useful and targeted to the peculiar issues inherent in outsourcing the particular business process.

Minimizing Risks Via The Contract

While some might say that some of us put far too much stock in the “Ts and Cs” of the outsourced services agreement, the fact remains that defining the party's respective rights and obligations at the outset, particularly in those areas of the relationship that involve data privacy and data protection, will minimize the risk that there are gaps in the processes. Experience tells us that putting effort towards drafting specific provisions in the following areas of the contract will pay dividends throughout the term of the relationship:

• Comprehensive Data Security Audit Rights. It goes without saying that no one – on either side of the table - enjoys audits.[3] Under most contracts, the expense of the audit is generally borne by the company/customer. As for the outsource services provider, an audit can be disruptive and time-consuming. Nonetheless, because outsourcing engagements typically run for a period of years, it's not enough to simply ensure that the company's chosen outsourcer has appropriate data and information security measures in place as of contract signing. Well-crafted agreements incorporate ongoing covenants by the outsourcer to maintain the level of data/information security throughout the term of the engagement. Indeed, many agreements impose obligations on the outsourcer to improve and enhance its processes to keep those processes in line with industry standards. Certifying that those standards are being met – not only at the onset of the engagement but throughout the term – can only be achieved by periodically auditing the outsourcer. And while generally it's a good idea to limit the frequency of the audit (e.g., once annually), be sure to incorporate the right to conduct follow-up audits (at the outsourcer's expense) if material non-compliance issues are uncovered during the scheduled audit, as well as clarify that the audit frequency limitation will not apply to examinations mandated by government or regulatory bodies.
• Robust Governance Provisions. Governance is a topic that justifies an article of its own. Suffice it to say that many companies that utilize outsourcers will tell you that a detailed and disciplined governance process will often be the difference between a successful engagement and one that ends poorly. Because business functions within an organization invariably overlap, and because it's more and more likely that companies utilizing outsourcing will have more than one provider, it's more and more important to ensure cooperation and collaboration between vendors (as well as between vendors and internal personnel) is critical, especially where those vendors have control over or access to sensitive data and information. Contractually mandating cooperation between vendors is essential. But governing a portfolio of vendors isn't the only thing to be addressed in a governance process. Indeed, governance between the company and each individual outsourcer is equally, if not more important. Recognizing at the outset that change is inevitable in today's volatile regulatory environment and crafting a comprehensive but still manageable governance process to address those changes is key. At a minimum, acknowledge that changes in regulations are sure to come and put in place the kind of process that can quickly address and equitably and reasonably allocate responsibility for compliance with those changes.
• Mandatory Technology Refresh. Data and information security is one area that is inextricably tied to technology. While use of clauses that mandate maintenance of security processes to stay apace with “industry standards” are useful (and recommended), it's not unusual for the company and its data security personnel to have a distinctly different perspective from the outsourcer on what is meant by “industry standard” and how one meets that benchmark. To avoid this, the contract should incorporate specific technology refresh protocols that require the outsourcer to maintain its software and systems within certain release/version parameters.

Several other contractual provisions can impact or address compliance concerns and the parties' objectives of protecting sensitive data. Clear language that deals with a data breach and the parties' respective obligations, disaster recovery plans, and meaningful indemnification language and liability limits and exceptions are important. And obviously, requiring an outsourcer to contractually commit to ongoing compliance with law is a must-have. But while this language is essential, establishing a mechanism for verifying that the outsource services provider is actually meeting all of those contractual standards is vital.

The outsourcer's central business proposition is that its expertise and experience allow it to perform critical business functions more efficiently and more economically than the company itself. When using an outsourcer, a company must balance its financial goals with its obligation to comply with an ever-changing regulatory world. Due diligence at the front end and a well-crafted agreement that clearly allocates responsibility, coupled with a disciplined process to verify ongoing compliance, will help to ensure that the outsourcing customer reaps the promised financial benefits without incurring expanded or additional risk.