How to Limit Your Outsourcing Risk

Experts offer advice as companies around the world reel from the scandal at India-based Satyam. High on the list for CFOs: paying careful attention...
Sarah JohnsonJanuary 15, 2009

U.S. and global companies had a serious wake-up call last week when Satyam Computer Services’ founder confessed to accounting abuses that included making at least one false $1-billion cash entry on his company’s books.

Among the concerned corporations were customers directly affected by the scandal — which also brought the resignation and arrest of Satyam ex-CEO B. Ramalinga Raju and CFO Srinivas Vadlamani, and led to the naming of two auditing firms, KPMG and Deloitte, to help with restatements. (Price Waterhouse India, a separately owned affiliate of PricewaterhouseCoopers, was said to be retained by Satyam as auditor.) Satyam claims to have 185 Fortune 500 clients, including Cisco Systems, Caterpillar, Ford Motor, and General Electric.

Those companies that didn’t retain Satyam, however, also have deep concerns about the use of outsourcers, and the outsourcing industry as a whole.

Drive Business Strategy and Growth

Drive Business Strategy and Growth

Learn how NetSuite Financial Management allows you to quickly and easily model what-if scenarios and generate reports.

Satyam’s competitors and advisory consultancies have been fielding calls since the news broke last week about Raju’s four-page confession to his board. Their clients had been asking for reassurance about their vendors’ corporate governance, and were rethinking the assessments they made before moving technology and back-office work overseas. “It’s causing a lot of people to pause for a second, and say, Oh my God, there are more unknowns and risk than I thought,” says Robert E. Kennedy, executive director at the University of Michigan’s William Davidson Institute, and author of an upcoming book about offshoring called The Services Shift.

When customers sign up for a three-, five-, or even 10-year contract, they want to know that “their service provider will continue to provide such services over a long period of time,” says Rohit Kapoor, chief executive at EXL Service, a New York company that provides business process outsourcing in India and the Philippines.

To be sure, the Satyam scandal creates concerns that go beyond the potential low-wage outsourcing partners in India or other developing countries. It affects all types of service providers. “We don’t want to paint one brush on the industry … it was one incident, and a completely isolated case,” says Surjeet Singh, CFO of outsourcer Patni Computer Systems.

In response to the worried calls, outsourcing experts are reminding clients to conduct strong due diligence, and to balance cost savings against the serious risks presented by moving work beyond internal corporate walls. “You have to treat third parties as if they were part of your institution,” says Nick Benvenuto, a managing director at risk advisory firm Protiviti.

Indeed, companies should consider the possibility that a vendor will have a rogue employee — or even a renegade CEO — just as they would factor in that risk for internal workers. Other what-if questions should be contemplated as well. At the top of list: What if the vendor goes out of business? What if the service provider slacks? What if you decide to change your business strategy half-way through the contract? What if confidential information is stolen?

Business as Usual?

Satyam’s clients are considering whether to pull out of their existing contracts — some of which have a few years left — as the shaky future of India’s fourth largest software-services provider has put some of their current projects at risk.

For example, even though Satyam has guaranteed that Nestle’s three-year contract for software development and maintenance won’t be disrupted, the Switzerland-based food company is considering “alternative solutions,” says Ferhat Soygenis, a spokesman. “No disruption of Nestle’s IT operations is expected.”

Other big-name Satyam clients are acknowledging the fraud but deflecting any notion that it will create a blip on their daily operations. A Cisco Systems spokesman tells the scandal will not have “any material impact” on the company. And Nissan North America and Ford Motor are closely monitoring the matter but declined to comment further.

Smart companies have contingency plans to prepare for problems at service providers, including performance problems, power outages, terrorism, and fraud, say outsourcing advisers. Qantas has five years remaining on a seven-year, multimillion-dollar contract under which Satyam provides IT application maintenance and support. A spokesman for the airline tells that Qantas believes any risks to its business are “manageable,” and a team has been monitoring the situation daily. “In the event that Satyam is unable to continue services, Qantas has the ability to activate alternative internal and external arrangements to enable the continuation of seamless services,” he says.

Depending on the wording of their contracts, existing customers of Satyam may be able to legally backtrack on the agreements, say outsourcing experts. But the practicality of doing so is another story.

Services limited to off-the-shelf software projects may be annoying to move. More painful to uproot are more-customized jobs that involve less tangible skills, such as knowledge about the company’s general ledger and accounts receivable and payable.

To mitigate the risk of business disruption, David Rutchik, a partner at outsourcing advisory firm Pace Harmon, cautions that companies should always closely watch their vendors and keep updated documentation about their work. Still, he acknowledges, knowing everything another company is up to — and assessing its financial stability — is difficult: “If you look at WorldCom, Enron, and the Madoff scandals, there is no way to completely protect oneself against individual fraud.”

Broken Trust

The enormously inflated cash balances at Satyam have popped a hole in the reputation of the outsourcing market, which has grown from business offering solely tech business, to back-office work such as finance and accounting. “This has really shaken up the outsourcing industry,” says Peter Allen, a partner and managing director for outsourcing advisory firm TPI. “The industry is built on relationships that imply some level of trust and confidence and integrity.”

Allen says there’s now “nervousness” about the industry that will prompt companies to relook at their deals with outsourcers. Some of these agreements have ballooned over time without reassessments of their inherent risk, from, say 10 people working on one project to 1,000 contracts working on many services.

Of course, advisers say companies are better off assessing the risks involved with a particular vendor before signing a contract. But they also say that assessments should continue throughout the outsourcing agreement. During the hiring process, companies should conduct due diligence on at least one other vendor, suggests Benvenuto, so the client has a provider to fall back on if something goes wrong.

The vetting process can take companies from three months, to more than a year, before a good decision is possible on whether to hire a service provider. During that time, say outsourcing experts, the companies should check customer references, make onsite visits, and get to know the vendor’s leaders and its employees to be assigned to the specific client work. “It’s surprising how many companies will sign on to an offshoring agreement without a company visit or more than just a perfunctory, one-day visit,” Kennedy says.

In addition, companies should use their internal experts to assess the vendor’s resources. Have your IT staff look at the contractor’s infrastructure. Ask internal auditors look at the vendors’ financial records. And CFOs, too, should meet with their counterparts to confirm that finance executives of the potential contractor have principles that mesh with their own, suggests Singh, who as Patni’s CFO regularly meets with prospective clients. Singh further recommends that companies get to know the vendor’s board members, and review their independence and governance policies.

Outsourcers are also promoting their competition, to some degree. They recommend that their clients spread their risk among geographies and vendors. Singh notes that this option may not be available for smaller companies that need to consolidate their services with one vendor to get the best prices.

Experts also advise sticking with well-known brands that trade on the U.S. exchanges, and are subject to the U.S. securities laws. That could help, as far as it goes. However, Satyam is registered with the U.S. Securities Exchange Commission, because its American depository shares trade on the New York Stock Exchange, and it files financial statements with the regulator in U.S. GAAP. Both Raju and Vadlamani certified the company’s most recent annual report, as required under the Sarbanes-Oxley Act.

Another data point to consider when hiring an outsourcer is a SAS 70 audit. One type among these reports provides insight into a service provider’s controls; however, reports often are limited in scope, and driven by the vendor itself rather than its audit firm, notes Benvenuto. “SAS 70s are a good starting point, but they’re only one of the tools of good practice,” adds Robert Stroud, international vice president of ISACA, a trade organization for IT governance professionals.

To manage the many aspects of assessing vendor credibility, and whether there is a good fit, Kennedy recommends that companies hire advisory firms, such as Equaterra or TPI. These consider themselves unbiased mediators that record vendors’ hang-up rates, likelihood of meeting service-level-agreement terms, and the number of renegotiated contracts, among other measurements.

They also act both as matchmaker and marriage counselor, before and after an outsourcing contract is signed. They’re not auditors, however, and they don’t audit the financial statements of the service providers — in fact, such a request that would probably be denied by a vendor, says Rutchik. “Nobody expects a cooking-the-books problem,” he tells “It would have been impossible to detect unless you were one of the people involved in the fraud.”

Understanding Which ERP Modules Your Business Needs – And When