Is Outsourcing Truly Considered Risk Sharing?

Author: Sunil Bakshi, CISA, CRISC, CISM, CGEIT, CDPSE, AMIIB, MCA
Date Published: 12 May 2021

Risk management practices specify that every risk be identified and assessed. Based on the risk assessment, one or more of the following four risk management options can be chosen as the preferred method of addressing the risk:

  1. Risk avoidance
  2. Risk acceptance
  3. Risk mitigation
  4. Risk transfer/risk sharing

Each response has a clear and specific meaning.

Risk transfer, or risk sharing, occurs when organizations shift the risk to a third party. A typical example of this occurs in the domain of financial loss. The vulnerable organization can transfer its risk of financial loss to an insurance company for a small premium. In some cases, the premiums and losses of each member of a group of policyholders are allocated using a predetermined formula within the group, which is considered risk sharing, or risk distribution. Therefore, risk sharing and risk transfer are considered similar responses to risk, if not the same entirely.

Since the introduction of outsourcing practices, risk practitioners have viewed outsourcing as a part of the risk transfer/risk sharing response. This is because organizations transferred risk that was difficult to manage internally—due to factors such as cost, resources and skill requirements—to a third party that could better manage the risk, since doing so was part of its routine business model built on risk management expertise. To an extent, this argument makes sense; however, in the context of the entire supply chain and its business operations, outsourcing should not be considered a viable risk sharing option.

In turn, the outsourcing organization, or the principal organization, must manage the risk associated with the third-party service provider, sometimes referred to as the vendor or supply-chain partner. For this reason, many risk professionals consider outsourcing to be a form of risk sharing. However, there have been many instances where outsourcing organizations suffered interruptions to business operations because the service provider failed to manage its risk effectively.

The COVID-19 pandemic has also highlighted shortcomings in the supply chain, resulting in organizations not receiving services or supplies in time due to pandemic containment efforts by government authorities. In addition, there have been instances where a cyberattack targeted service providers and caused an interruption of services, such as the Bank of Muscat heist in 2013. The December 2020 SolarWinds attack is another example of an attack on a service provider resulting in data breaches at principal/outsourcing organizations. These incidents have highlighted the need to reconsider whether outsourcing is indeed a form of risk sharing.

Outsourcing is a business process that must be accounted for during risk identification, the analysis and assessment of risk, and, ultimately, the determination of the appropriate risk response for each vulnerability. Although it is true that most supply chain and outsourcing risks are managed through contracts and service-level agreements (SLAs), there must also be a rigorous and continuous monitoring process based on key risk indicators (KRIs).

Sunil Bakshi, CISA, CRISC, CISM, CGEIT, ABCI, AMIIB, BS 25999 LI, CEH, CISSP, ISO 27001 LA, MCA, PMP, is a consultant and trainer in IT governance and information security.