Know the Risks Before Outsourcing Business to Contractors

If your business is particularly busy, you may temporarily outsource some of its work to third-party contractors. Hiring contractors can be a cost-effective way to manage seasonal — or even ordinary — customer demands without hiring new employees or making other long-term investments. However, third parties can introduce some financial, legal and reputational risks. So it’s important to recognize potential threats and take steps to head them off before engaging contractors.

2 scenarios

Consider the following example: A company employs an overseas trucking company to transport goods from a port to a customer’s warehouse. The driver, unfortunately, isn’t very honest and he pays a kickback to customs personnel to release the shipments quickly. This action subjects the company that hired the contractor to bribery and corruption charges locally — and in the United States.

Here’s another scenario: A remote contract worker hired to perform data-entry tasks lacks a robust cybersecurity program on her home network. Her computer is hacked, cybercriminals find their way into the company’s network and they steal confidential employee and customer information.

Neither of these scenarios is far-fetched — foreign bribes and inadequate cybersecurity put companies at risk every day. Due diligence is a cornerstone of reducing such risk.

Containing threats

Before hiring a third-party contractor, be sure to identify all applicable laws and regulations. Your company’s operating footprint will determine which ones govern third parties. Anti-bribery and corruption laws often cover third parties and hold companies that engage them liable for their actions. It’s especially important to understand the laws in foreign countries where your business has a presence.

Mitigating risk requires a detailed understanding of third-party contractors. So collect all relevant information, such as incorporation and registration documents, explanations of ownership structure, insurance coverage proof and cybersecurity reports. Also classify third parties based on their inherent risk. Risk usually corresponds to the scope of services a third party provides. In general, the more access a third party has to your company’s IT environment, the greater the threat.

Increase due diligence efforts for third parties with higher risk profiles. For example, scrutinize a cloud computing provider or physical security system service more rigorously than a landscaping company. Some companies outsource their due diligence investigations. Such professional services range from researching publicly available information to performing onsite inspections of potential business partners.

But regardless of the risk level third-party vendors represent, you should review them at least once a year. After all, software, processes, personnel and even a company’s ownership can change over time. For the riskiest contractors, an executive in your organization with authority to approve or reject contracts should conduct the review.

Rigorous defense

Contractor risk is only one of many threats companies routinely encounter. Review your internal controls and risk-management efforts to help ensure they’re providing you with a rigorous defense.

(This is Blog Post #1681)