Principles for outsourcing mission-critical business processes.

• Author: Gable, Julie
• Position: THE PRINCIPLES

Organizations that outsource mission-critical business processes have a distinct challenge ensuring their information is properly managed, as service providers are not just storing the organization's information, they are using highly automated processes to create, process, and use it. This article discusses how it must also be governed.

Cloud-based services such as storage, software-as-a-service, and infrastructure-as-a-service have made it possible to outsource almost anything. Although it has been common to outsource paper and electronic records storage, as well as back-office business processes such as HR benefits administration or payroll processing, organizations now are also outsourcing mission-critical functions and services.

For example, a county government might decide to outsource turnkey social welfare, human services, and correctional functions, while a pharmaceutical company might decide to outsource a regulatory function such as adverse event reporting.

This so-called "second tier" outsourcing is in response to the more recent availability of large service providers offering sophisticated technology and tools, such as big data, business analytics, and industry-specific processing services.

While the traditional rationale for outsourcing has been cost savings, operational flexibility, off-loading non-core competencies, and the short term tax advantages of outsourcing versus making capital investments in specialized systems, the rationale for outsourcing mission-critical functions is more about gaining access to providers' technology and expertise.

In outsourced customer-related processes, for example, organizations may glean competitive insights through using the service provider's data manipulation capabilities.

Shared IG Responsibility

What happens to information governance (IG) when mainstream business processes are transferred to a service provider (SP)? Because IG is about how an organization handles information that arises from its business processes, regardless of where or how those processes are completed, IG principles must apply to how the organization's SPs handle its information, as well.

For this reason, mission-critical outsourcing is becoming a topic for discussion at the enterprise level by the legal, records, and IT members of the IG council or among senior management in consultation with an IG officer.

As the trend to outsource business operations continues--a trend IDC predicted in its "Worldwide and U.S. IS Outsourcing Services 2013-2017 Forecast" would grow 6% per year worldwide, reaching $209.4 billion organizations need to be aware of how these third parties accomplish their tasks and how they treat the records that are created as part of outsourced business processes.

Tools for Evaluating Providers

The bottom line in this age of compliance, litigation, and operations concerns is that it is reasonable to expect that when SPs create and manage an organization's information, they will do so to the contracting organization's standards.

The Generally Accepted...