Protiviti: Companies highly exposed to outsourcing risks

15 July 2014

Organisations are taking large risks in the way they work with external parties. New research from consulting firm Protiviti reveals that risk management practices for external vendors still fall well short of best practice, exposing the business and its outsourced functions to unwanted risks.

Over the past decades, outsourcing has grown to become one of the most important business themes for global businesses. Driven by the ambition to gain a competitive advantage, in particular in the area of costs and service quality, large companies have decided to outsource key business processes, mainly to low-cost labour countries. According to the latest data from analysts, the global BPO and IT Services market is estimated to be worth a massive $952 billion, of which IT Services represents roughly two-thirds of the market*.

Global Size of the BPO and IT Outsourcing Market

In addition to the outsourcing trend, recent years have seen a large increase in cooperation among firms or networks of firms. The number of partnerships with external partners, either per line of business or per functional area (e.g. research & development, innovation, etc.), has grown rapidly.

Vendor Risk Management
Against the backdrop of these two developments, the management of risks associated with external partnerships – known as Vendor Risk Management (VRM) – has become an increasingly important focus area for executives. As the day-to-day operations of companies rely more and more on external partners, a shortfall in the partnership could potentially have a disastrous effect on business. As a result, managing vendor risk has become a key priority for departments that have outsourced services (IT, Finance, etc.) and for departments that are responsible for the performance of the cooperation, such as Legal and Procurement.

Despite this importance, a new report from Protiviti, titled ‘Vendor Risk Management Study 2014’, reveals that companies are not performing well at managing vendor outsourcing risks. Earlier this year the consulting firm asked nearly 450 IT and risk management professionals to rate their organisation against a best practice model, known as the Vendor Risk Management Maturity Model**. For each of the eight categories, the average score did not surpass 3.0 on a scale of 5.0, implying that Vendor Risk Management has been established (maturity of 3.0) but is not yet fully operational (maturity of 4.0), and is nowhere near a state of continuous improvement (maturity of 5.0).

Maturity of Vendor Risk Management

“Many companies aren’t adequately or effectively protecting themselves from exposure to vendor outsourcing risks. This could result in their potential exposure to system compromise, fraudulent abuse of data and, in some cases, regulatory exposures and fines, which could have significant impact on their brands and reputations,” says Rocco Grillo, Protiviti’s global leader for incident response and forensic investigations.

* Analysis from, based on data from HfS Research, 2013.

** The Vendor Risk Management Maturity Model (VRMM) is a maturity model that measures the quality and maturity of risk management activities associated with working together with external vendors. The model consists of five maturity levels: 1. Initial visioning. 2. Determine roadmap to achieve goals. 3. Fully defined and established. 4. Fully implemented and operational. 5. Continuous improvement – benchmarking, and moving to best practices.