In today’s world, information has become the most important and valuable strategic resource for business development (Whitman & Mattord, 2011). In order to control, operate or collect information, companies use different technologies and hardware solutions (Schermann, et al. 2014). However, with the increased globalization and rapid technological development, it is not always economically beneficial to purchase and regularly update own technological components. The most efficient solution here is an outsourcing or using of third-party technology providers. As in any other type of industry, technological outsourcing assumes cost savings and rapid accessibility of new expensive technologies. However, despite many benefits of using of third-party solutions, outsourcing potentially can lead to a rise of different types of risks. This paper aims to explore the relationship between outsourcing of technologies and its risk portfolio.
In order to find the impact of technological outsourcing on a level of risk, outline a definition of the technological risk. Renn & Benighaus (2013) state that technology has become a vital companion in all aspects of human’s life. According to the authors, there is a common misperception in the society about potentially dangerous attributes of technologies. Thus, even small technological failure usually receives a lot of attention from media and people, and can lead to the rapid denial from technology and further business failure. A good example here is a recent bad start of Google Glasses, sales of which fail after a Reuter’s review that mentions its inability to work with many apps. Every implemented technology in the system creates a level of dependency on it and has some level of vulnerabilities. Accordingly, technological risk implies an ability of technological failure and inability to fulfil assigned tasks. The results can be vital for the business, from damaging of company’s reputation to lawsuits and complete shutdown. The technological risk is something that needs to be regularly audited, monitored and evaluated. Therefore, it is important to implement a system of managing technological risks in the company.
With outsourcing of elements of company’s system to different third-party providers, the level of technological risks always grows. Despite economic benefits, such as reduction of costs and accessibility to technological innovations, outsourcing generates many risks, such as an inability of the supplier to fulfil his tasks or potential breach of company’s data. Thus, third-party providers are also vulnerable to technological risks. The main company at this time cannot manage the risks due to lack of transparency and authority of entering into provider’s system architecture.
However, if the third-party provider’s architecture is hidden for the company, there are still several ways of how these risks can be identified and managed. Warren, Varney & Horwath (2014) emphasize that there are three steps for effective third-party risk management. First is to establish the ownership of a risk management. Relationships between a company and third party provider must be constructed on a clear statement of who is responsible for which type of risks. Secondly, the company must create a portfolio of technological risks that can be expected from the provider. This is a crucial step because it will allow the company to predict potential technological failures of the provider. Thirdly, both the company and its third-party provider should monitor and audit their technological activities. It will allow to control the level of risks and support effective relationships.
When managing the risks of a third-party technological provision, there are several risk treatment options available. It is obvious that option Avoid would imply not to use service of a provider, option Reduce – to implement a mutual risk management strategy to mitigate the risk on provider’s side, option Transfer – to transfer the risk to another provider, and option Accept – to believe that nothing will happen. Thus, in the case of a third-party provider, the best options would Reduce and Transfer. However, the last one allows spreading the risks between different providers but not to decrease it.
Third-party vendors can gain a significant share in company’s operations. However, vendor management also brings different risks. First, the choice of a provider itself includes a certain level of uncertainty and requires a serious evaluation, such as due-diligence. Secondly, there are different types of vendors and different related risks. Hence, it is necessary to evaluate vendors in line with their risk levels and manage them accordingly. Information about vendor management is also very important for corporate governance of organizations. The board of directors should receive reports about the performance of vendors, their status, and inconsistencies.
Overall, both information and technology are deeply integrated in our life. Outsourcing of technological operations brings both benefits and risks for the organization. Among major benefits are cost savings and a rapid availability of expensive technological solutions. Among major risks are inaccessibility of monitoring of provider’s system architecture and possible technological failure of a provider itself. Thus, implementation of any kind of technologies in the system creates dependency on it. However, a developed risk management plan can mitigate these risks and establish strong relationships between the company and its third-party provider.
References
Renn, O., & Benighaus, C. (2013). Perception of technological risk: Insights from research and lessons for risk communication and management. Journal of Risk Research, 16(3-4), 293-313.
Schermann, M., Wiesche, M., Hoermann, S., & Krcmar, H. (2014). Information Technology Risks: An Interdisciplinary Challenge. Risk-A Multidisciplinary Introduction, 8(1), 387-405.
Warren P. D., Varney R. M., & Horwath, C. (2014). Third-Party Risk and What to Do About It. Web.
Whitman, M. & Mattord, H. (2011). Roadmap to Information Security: For IT and Infosec Managers. Independence, KY: Cengage Learning