As firms look to save time and reduce costs, they are increasingly outsourcing work to third parties, often overseas. But outsourcing abroad also brings risks – including a loss of oversight, missed deadlines, or mistakes, and could leave firms subject to claims or regulatory punishment. Before taking the decision to outsource, firms should ensure they have a clear strategy to mitigate these risks, and be prepared to demonstrate this to insurers.
The benefits of outsourcing offshore
Outsourcing is a popular choice for businesses across industries. According to Deloitte’s Global Outsourcing Survey 2022 (opens a new window), more than half of surveyed executives indicated that business functions were outsourced to an external provider, and 76% indicated as such for IT functions.
There are various advantages to be had from outsourcing work, particularly to third parties located overseas. According to recruiter Hays (opens a new window), over 90% of employers in the financial services sector are struggling to cope with vacancies and recruitment difficulties. By outsourcing work, these firms can gain access to highly trained external staff, as well as specialised processes to help drive business efficiencies, thereby minimising costs and maximising profits.
Challenges of outsourcing work
Despite its benefits, outsourcing offshore also presents firms with various challenges. Without effective mitigation, these can increase the risk of errors, leading to potential client claims or regulatory punishments.
Challenges of outsourcing offshore include:
Lack of oversight – offshoring work inevitably results in a loss of control, compared to work carried out in-house. Without appropriate sign-off and quality controls in place, this could lead to systemic errors, causing mistakes.
Communication difficulties – outsourced workers will be based in a different country, and potentially different time zones. Communication will likely have to take place virtually, complicating efforts to provide training, assign work, and ensure errors are identified. This has this the potential to lead to errors or delays in meeting critical deadlines.
Security concerns – third parties may have different or outdated security protocols, leaving them vulnerable to cyber-attacks. If an outsourced firm has its systems compromised, this could expose sensitive client data, leading to a regulatory fine or investigation. Alternatively, hackers may be able to penetrate the systems of the outsourcing firm, leading to further disruption. In the case of a significant breach, a firm may also suffer reputational damage and loss of client trust.
Data protection protocols – while the UK has high standards of Data Protection legislation, this is not the case for other parts of the world. Outsourcing work could result in firms breaching rules regarding the transfer of data outside the UK.
Sanctions – outsourced firms may be subject to sanctions, such that outsourcing work results in a violation. Even where sanctions are not currently in force, firms located in volatile jurisdictions could see their status change quickly, resulting in potential disruption to business activities.
Risk mitigation and insurance guidance
Financial Conduct Authority (FCA) guidance (opens a new window) is instructive for any firm considering outsourcing work, either domestically or abroad. As explained within, firms must be “operationally resilient”, with complete knowledge and understanding of the people, technology, processes, information, and facilities involved in the delivery of any services. These factors are expected to be continually assessed, with special attention paid to the risks and controls in place.
Other measures to mitigate against the risks of outsourcing include:
Carry out initial due diligence to confirm third parties have the skills and capabilities required to execute work to the required standard, as well as the necessary data protection and cyber security measures in place
Implement monitoring procedures to check the quality of outsourced work and ensure all work is approved prior to signing off
Ensure expectations for the delivery of work are made clear to third parties, prioritising work as needed to ensure critical deadlines are met
Continually manage the relationship with third parties to avoid organisational leaks, including establishing communication lines for issues to be raised, and training to be provided on in-house processes
Firms should also be mindful that outsourcing work offshore could have implications for firms’ insurance coverage. Issues to consider will vary depending on the type of insurance, such as:
Professional Indemnity insurance – e.g. does the policy contain territorial limits that will extend to the locations your outsourced workers are based in? Firms will need to be clear with insurers as to how they are structuring the outsourced work – for instance, via a wholly owned subsidiary of a UK-domiciled firm, or with a complete third-party business? If the latter, does the firm have its own appropriate professional indemnity cover in place?
Management Liability insurance – e.g. could potential data breaches or lack of adequate planning lead to allegations from stakeholders? Are directors of the firm protected for the decision to outsource work?
Employers’ Liability & Public Liability insurance – depending on the contractual requirements in place with outsourced workers, firms may be required legally to have these in place with local insurance markets.
Cyber insurance – e.g. do outsourced firms have sufficient security protocols in place to prevent a data breach? If a third party suffers a breach, are there protocols to limit the extent of the damage to the outsourcing firm?
Firms have a duty to disclose changes to their business with insurers. Although a given policy may appear to provide appropriate cover, if the details are not declared to and accepted by underwriters, this could result in serious issues in the event of a claim. As such, firms are encouraged to talk to their broker from the outset if considering outsourcing.
For more information, please visit our Professional Indemnity (opens a new window) page, or contact:
Catherine Davis, ACCA Relationship Manager
E: catherine.davis@lockton.com
Steve Holland, Senior Vice President, Global Professional and Financial Risks
E: steve.holland@lockton.com