Ensuring Information Security when Outsourcing

Properly assessing service providers’ safeguards affords outsourcing buyers degrees of protection against data loss.

by Karen Ikeda

In today’s challenging business climate, every organization needs to get more out of the resources at its disposal. And nowhere is this more true than in the CFO’s office and the F&A organization. In fact, IDC projects FAO to grow at a 9.6 percent compound annual rate and top $27.6 billion by 2008, with the fastest growth in transaction management, followed by other components including general accounting, treasury and risk management, tax management, and finance.

With FAO, the service provider often handles highly sensitive information such as social security numbers and credit information. So how risky is FAO? Does an off-shore solution mean greater risk? What security issues and risk mitigation strategies should be considered?

The following details a process to increase value in your sourcing relationship and mitigate the security risks associated with FAO:

Define and secure the scope of services. The success of a sourcing relationship hinges on a clear understanding of what services are to be outsourced and what security risks might exist. Many security risks are a result of inappropriate access to confidential information, improper disclosure of confidential or sensitive information, or inappropriate use of confidential information; so it should be determined and spelled out exactly who will have access to the organization’s information and systems and for what purpose.

For example, some BPO contracts may exclude all IT elements; thus, much of the IT security responsibilities have not been transferred to the service provider and still reside within the organization. It is also important to know what risk tolerance will be acceptable—keeping in mind there will be several ways to mitigate risks, both operational and legal. Additionally, it’s imperative to have key security, audit, and legal staff participate in business and legal meetings and to have all security issues “front and center” throughout the process, including solutioning, evaluation, due diligence, and negotiations.

Understand a service provider’s business solutions and practices. In many cases, companies have the ability to influence and jointly develop the solution that can meet their business requirements and to mitigate risk, either real or perceived. Companies interested in outsourcing F&A should also inquire about what risk mitigation features automatically come with the service provider’s solution and centers. Some service providers operate highly data-sensitive processes in paperless environments (e.g., healthcare claims processing, personal tax information) with dumb terminals. This prevents sensitive information from being printed, written down, or copied onto desktop hard drives or removable drives. Also, many providers may have much more stringent policies and procedures associated with personal bags, desk phones, and cell phones with digital cameras in the work areas. Many companies find they are stepping into a more controlled physical and processing environment using a service provider than with their own captive centers or offices.

Service provider evaluation and selection. Many companies get emotional when they think about their data being somewhere else, yet service providers often have more robust data security, disaster recovery, confidentiality controls, and influence over who can access information than most companies can achieve in-house. Performance, reputation, and integrity are essential to the service provider community. The key is to choose the correct partner.

On the IT side, most providers follow industry standards and have achieved higher certification levels such as BS7799 and COBIT. They bring a strong technology backbone, capable of optimizing and integrating the discrete applications running within your enterprise across various platforms and versions.

In addition to ensuring that the service provider has the required IT capabilities, executives must understand that standard, out-of-the-box security solutions will not be optimal when regulations and legislation vary greatly between industries and locales. Service providers should have the infrastructure and scalability to customize security solutions that can accommodate and grow with your organization. Several pressing privacy and security issues common in the global outsourcing arena should also be addressed, including the Gramm-Leach-Bliley Act, the European Union Data Protection Directive, and the Health Insurance Portability and Accountability Act, which impose strict privacy requirements and liability for breaches when transmitting personal data. Additionally, the provider’s capabilities with respect to the Patriot Act, which requires that certain disclosures and representations be made with respect to certain types of cross-border financial transactions, should be thoroughly evaluated.

Negotiating contract terms. Once it has been determined to move forward with a sourcing partnership, a contract should clarify the outsourcing provider’s responsibilities, and all key legal terms should be drafted. The organization must know what legal and regulatory obligations it is under and then contractually ensure these obligations are met by the service provider. The contract should address the appropriate safeguards over the company’s information and confidentiality, as well as audit rights and regulatory compliance. Companies can also specify code-of-conduct procedures that must be followed with formal sign-off by the service provider.

Outsourcing F&A is not always an unqualified success, but there is a reason why so many companies are making the transition. If done properly, FAO works: it offers substantial cost savings, enables CFOs and F&A staff to focus on core competencies, and provides access to best-of-breed talent and technology. By taking some time to understand what risks you may have, researching the capabilities of service providers, working together to develop a solution that meets your needs, and building in the right legal protection, organizations can mitigate their security risks associated with their sourcing initiatives and enjoy a successful relationship.
