Depending on your organization’s resources and size, using risk transference to mitigate your risk may be a good option.
In a recent blog we discussed the acceptance of risk. When accepting risk is not appropriate, the strategies for risk mitigation include: developing and implementing strategies in house; using third parties to develop and implement the solutions, with in-house maintenance; or turning the entire solution over to a third party. For most organizations, some use of risk transference is appropriate.
Risk Transference: Risk transference is handing risk off to a willing third party.
The most frequently used and easiest method of risk transference is insurance. Insurance is the financial transfer of risk. When using insurance for risk mitigation, it is important to remember:
- Insurance does not address brand/image impact. While the insurance may pay for financial losses, the loss of customer or public confidence may severely impact the organization. Think about organizations that lose customer data or restaurants where customers get sick.
- Insurance has conditions that must be met before the payout occurs. Ensure that you understand any conditions, notifications, documentation, etc.
- Not all situations may be covered, depending on the cause of the loss. Additional riders on the policy or other mitigation solutions may be needed.
Physical security is another risk transference function that can be performed by third-party companies. Economies of scale often make external security a better choice than an internal solution.
Third parties are often used for cost containment or to allow for more focus on core competencies. These same justifications can be used in the risk transference mitigation strategy. Rather than implementing risk mitigation solutions for business functions or processes, organizations may consider using third parties to accept the risk. For example, certain business functions with operational risk – such as customer service, call center, or payroll services – can easily be performed by third parties.
Technical functions such as network and data security monitoring, first-level technical support, and server administration and monitoring are also candidates for third-party use. As these functions become more impactful to overall risk, and as the integration of technology becomes more complex, using experts who can focus on those specific items often makes the most technical and financial sense.
The use of Software as a Service (SaaS) is analogous to using third-party providers. Technical risk and recovery risk are moved to the SaaS provider, along with whatever business risk the service mitigates.
For all third-party vendor engagements, understanding the services, recovery commitment, service level agreements, change procedures, and risk mitigation strategies is critical to ensuring that your risk is mitigated appropriately.
Consider your current service providers and how they might fit into your risk mitigation strategy. They may offer services to which your organization can, or should, move work, allowing more focus on the strategic competencies that grow the business.
By Richard Long, Senior Advisory Consultant, MHA Consulting