Managing risk

In today’s business world, organisations rarely go it alone.

Joint development and strategic alliances are buzzwords often used to describe the formation of relationships amongst organisations.

In addition, corporate growth and business success are increasingly supported by outsourcing and licensing.

Although these extended business relationships lead to significant success and growth for thousands of organisations, they also carry significant risks.

The complex financial and legal agreements implemented to govern these transactions and to mitigate such risks are often contracts that are poorly monitored or enforced.

Frequently, little more than faith and trust form the foundation of these crucial contracts and business relationships. By neglecting to identify and manage risks associated with outsourced activities, or extended relationships, organisations may fail to capitalise on opportunities to create value whilst they jeopardise the viability of the enterprise as a whole.

Fortunately, programmes specifically designed to monitor and evaluate contract risk and compliance present a practical solution to this conundrum.

For a contract risk and compliance programme to be effective, it must incorporate a blend of preventive and detective activities to monitor and test controls over outsourced processes and relationships. Accordingly, the following four key elements must be investigated to determine the effectiveness of controls over outsourced processes.

First, the organisation must consider whether it has effectively maintained a complete inventory of all of its outsourced relationships. By maintaining a complete inventory of service contracts and providers, an organisation can more confidently evaluate the risks involved with various outsourced relationships.

Next, the organisation must consider whether the business units and departments enter into outsourced activities independently of central management. By using a common framework of corporate standards for entering into, managing and reporting on outsourced relationships, an organisation can better control basic elements of risk that are inherent to many business contracts.

The third key element that must be addressed regarding extended business relationships and outsourcing contracts is the right to perform an internal control audit or request a SAS 70 or equivalent report. Businesses today are recognising the need to include a ‘right to audit’ clause, and are making this a requirement for all outsourcing contracts. Alternatively, businesses can gain further comfort over the controls in place at their outsource provider by requesting a SAS 70 Report.

Finally, a company must implement procedures to monitor the level of service that it receives. Such procedures are designed to monitor changes to the outsourced provider’s environment as well as monitor vendor compliance with service level agreements.

These monitoring procedures should include reviews of the vendor’s internal control processes and the associated costs. These procedures are critical to the organisation’s ability to detect any deterioration in service or controls over the course of the contract.

An effective contract risk and compliance programme is good business. Not only can this type of programme demonstrate to both current and potential business partners that an organisation is exercising proper diligence to remain competitive in today’s ever-changing business world, but it can also foster trust amongst business partners as it monitors all partners to varying degrees. More importantly, an intelligently run contract risk and compliance programme can send a valuable message to both the marketplace and investors about the organisation’s commitment to good corporate governance and strong internal control.

It is also imperative that partner relationships are preserved whilst these programmes are in progress.

Engaging an outside party to help establish and conduct the programme and clearly communicating the programme objectives are two proven methods to execute the reviews efficiently and effectively. Additionally, establishing and maintaining a comfortable distance between partner companies in the extended business relationship is an added benefit of employing an objective party to collect information and/or perform the inspections.

A well-tailored programme to monitor contract risk and compliance can help organisations to proactively manage the unique risks of the extended enterprise in order to create opportunities which optimise their contractual and business partner relationships.

The resulting benefits of revenue expansion, cost reduction, controls enhancement, compliance and relationship enhancements may lead to new and innovative ways to view compliance efforts.

Next week’s article will focus on some of the available options for third party reporting from suppliers to customers/clients.

Janelle Mills is a manager in Internal Audit as part of Deloitte (Cayman) Enterprise Risk Services, where she leads and participates in Internal Audit engagements across the Caribbean. She is a Certified Public Accountant and a Certified Internal Auditor with over nine years’ experience in both private and public practice, including a Fortune 500 Company and in a consulting environment providing services including accounting, financial analysis, and internal control assurance. Her background includes internal control reviews, Sarbanes-Oxley 404 reviews, financial reporting, financial planning, and business modelling. Ms Mills is a member of the American Institute of Certified Public Accountants, the Illinois CPA Society, the Institute of Internal Auditors and the Cayman Islands Society of Professional Accountants.
