How to Offload Your Risk to a Third Party

Risk transference is one of the four main strategies organizations can use to mitigate risk. It’s a powerful tool, but one that must be used with care to avoid unpleasant surprises.

Related on MHA Consulting: Global Turmoil Making You Ill? Try a Dose of Risk Management

Wise organizations determine how much risk they will accept then make conscious efforts to bring their risk down below that threshold.

There are four main strategies for mitigating risk:

· Risk acceptance: Making a conscious decision to remain vulnerable to a potential harm, usually based on a cost-benefit analysis.

· Risk avoidance: Altering organizational behavior to eliminate a given risk.

· Risk limitation: Taking measures to reduce risk, short of completely eliminating it. Incorporates a combination of the strategies of risk avoidance and risk acceptance.

· Risk transfer: Passing risk on to another organization, such as by hiring a third-party vendor to perform the associated function.

(These definitions are taken from our recent free ebook, Strong Language: The MHA Guide to Essential Business Continuity Terminology. If you don’t have a copy, you should grab one.)

In this post, we’re going to look more closely at the strategy of risk transfer, a potent and popular tool but one that has hidden risks of its own.

Here are the things you need to know to be successful in offloading your risk to a third party.

There are two main types of risk transference: 1) buying insurance and 2) hiring a third-party vendor to perform an activity and passing on to them the risks associated with that activity. Both can bring benefits but both have potential pitfalls.

The Promise and Pitfalls of Insurance

Insurance is the most frequently used and easiest method of risk transference. It is certainly convenient to pay a relatively modest, known sum in order to receive potentially substantial financial compensation in the event of an unexpected major loss. However, as many claimants have discovered to their pain, the insurance market is a place where the advice “buyer beware” goes double.

Here’s a run-through of some common insurance pitfalls:

• Many organizations think that if they have business-interruption insurance, they don’t have to worry about business continuity. The fact is, this type of insurance will do nothing toward helping you get your business back up and running. You still need to have a program to ensure the continuity of your business.
• Insurance will not protect you against damage to your brand or image if something goes wrong and the public loses confidence in you.
• Insurance policies come wrapped in caveats and conditions. You will need to demonstrate you meet them before any payout will occur.
• Many carriers are now requiring business customers to demonstrate that they have sound business continuity programs in place.
• Insurance carriers are extremely reluctant to take on cyber risk. If you buy this type of insurance, expect high rates, stringent conditions, limited payouts, and frequent claim denials.
• If something happens and you make a significant claim, expect to be subject to a proctology-level investigation into why the problem happened, whether you were negligent, and so on.

The bottom line is, don’t make the mistake of looking at the insurance company as your helpful friend—and make sure you have all your ducks in a row.

(While we’re on the subject, here’s something about business insurance that I think is overdue for a change: With other types of insurance you get rewarded in the form of a discount if aspects of your situation correlate with making fewer and smaller claims (like the safe driver discount for good students). A good BC program has the same protective effect, and it should receive the same type of reward.)

Offloading Risk to Third-Party Vendors

The next type of risk transference is when an organization hires a third-party vendor to take on an activity and its associated risks. The benefits can be substantial but it’s critical that you do your due diligence. The key questions to ask here are: 1) Is the vendor competent? 2) Is the vendor resilient?

There’s been a tremendous increase in outsourcing over the past several years. Companies often hire third parties to take on activities that are outside their core competencies, freeing them to do what they do best. This option can also promote cost containment since the third party specializing in the activity might be able to do it more cheaply.

The desire to transfer risk can also factor into the decision to outsource, especially for business functions that can easily be performed by third parties, such as customer service, call centers, payroll services, and logistics.

One function that is frequently performed by third parties is physical security. Economies of scale often make this a better choice than using an internal solution. Just make sure the company you hire is worthy of your confidence. (There are some physical security outfits I wouldn’t trust to look after my dog, much less my company.)

Certain technical functions are also candidates for outsourcing. These include network and data security monitoring, first level technical support, application development and maintenance, and server administration and monitoring. As the risk associated with these functions grows, and the integration of technologies becomes more complex, the use of experts who can focus on those specific items often makes the most sense technically and financially.

The use of Software as a Service (SaaS) is analogous to using third-party providers. The technical risk and recovery risk is moved to the SaaS provider, along with any associated business risk.

With all third-party providers, the key to successfully offloading your risk to them is due diligence on your part. Make sure they are capable of performing the service you require and that they will be able to continue to do so in the face of disruptions. For all third-party vendor engagements, you must understand the services, service-level agreements, and their recovery commitment to ensure that your risk is mitigated appropriately.

The Secret to Success Is Diligence

Risk transference is one of the four main risk mitigation strategies. It involves passing risk along to a third party, either by buying insurance or hiring a third-party vendor to perform an activity.

Provided that due diligence is exercised in using it, risk transference can bring significant benefits to almost every organization looking to intelligently manage its risk and bolster its resilience.

Further Reading

For more information on risk mitigation and other hot topics in BCM and IT/disaster recovery, check out these recent posts from MHA Consulting:

• Don’t Just Hope: Choosing Strategies to Mitigate Risk 
• Everything You Always Wanted to Know About Managing Risk but Were Afraid to Ask 
• Risk Mitigation: The Four Types 
• The Risk Management Process: Manage Uncertainty, Then Repeat 
• Enter the Matrix: Why You Should Employ a Risk Management Matrix   
• Global Turmoil Making You Ill? Try a Dose of Risk Management