The report addresses many of the concerns that currently deter organisations from outsourcing and provides a practical step-by-step guide to overcoming them.
The report shows that the complexity of managing information risk is increased significantly when the responsibility for specifying controls is separated from the responsibility for implementing and monitoring them.
Furthermore, simply assessing outsourcing risk is made more difficult because there are three types of information risk to assess: that associated with the business function, the outsourcing provider and the outsourcing process itself.
"Outsourcing is here to stay and despite increased risks, the majority of our members are already outsourcing or planning to outsource business critical functions," says Colin Dixon, senior project manager at the ISF and author of the report. "However, with corporate governance initiatives such as Sarbanes-Oxley and increasing concern about data security and privacy, there is a real need to understand, assess and reduce outsourcing risks. It is critical that risk management teams get involved at a very early stage in the process and are active in defining the outsourcing contract, which is the primary method to manage risk."
The relationship between the organisation and the outsourcing provider will determine the success of the contract, and it is important to have a dynamic arrangement. "Most outsourcing relationships that fail do so because of a lack of planning and clear communications," says Dixon.