I’ve been
thinking about something the last several days, you know I sit on the board of
a couple of non-profit organizations, and we’ve been looking at outsourcing
services to other organizations. I also had a discussion about outsourcing with
a lunch partner today, and this thought cropped up again.
As outsourcing
of mission critical services becomes more and more commonplace, especially in
small business where business owners don’t have the means to maintain a
dedicated technology staff, I have a question about how service organizations mitigate financial risk from service failures.
In
businesses that build and sell widgets, you would typically carry a warranty
reserve as a liability on the balance sheet to compensate for the cost of
returns from the field. But that doesn’t work in a services business that hosts
and maintains mission critical applications (and quite often sensitive private information). What happens if there is a failure that causes a service outage
for a length of time (which in many cases isn’t very long) creating a financial
impact on the business that relies on the service?
I mean,
I’m sure the company backs up, and I’m sure they co-locate their sites.
I’m
talking from a financial responsibility perspective, how they carry a loss of
service/information liability on their books.Even a publically held company’s
10Q mentions service disruption risks as part of their operating model, go ask
your CFO if your financial processes account for those service disruption risks
on the balance sheet.
Here’s
the reason why; any business that provides goods or services has some type of
reserve on their balance sheet to cover the liability of a failure in either
goods or services.
As part
of the T&C of the service agreement, they will make some claim regarding
confidentiality, integrity and availability of the information and service. If
they fail to meet those T&Cs they’re going to experience a liability. How
do they carry that liability (and how much) on their balance sheet?
It’s
important to know because we’re entrusting our very private and critical
information to a service outside of our control. I’m sure they do their due
diligence on backups, but it’s easy in a fast growing business to not keep up
with the controls necessary to protect the C/I/A of the information (both from
a process and infrastructure perspective).
The single failure cost of loss to a small business could be
catastrophic (think loss of either information or unintentional divulgence of
information). The company you contract with has some financial responsibility
to make you whole (at least in part) because you have the SAME responsibility
to your community (think about it this way, if your credit card information was
left out on someone’s desk, the cleaning crew came by, took it and ran up
thousands of dollars on www.myporn.com, you’d expect the company to attempt to
fix the problem, wouldn’t you?).
So the
question is how does the company mitigate that risk? In similar cases the way
to transfer the risk is through the purchase of insurance, but you can’t insure
against that. So the company has to self-insure by carrying a liability reserve
account on their balance sheet. Ok, so now, the company has thousands of
clients, right? *IF* there is a failure (in service or process) and *IF* the
company doesn’t carry enough of a reserve on their books to compensate their
clients for a claim, they can’t (or won’t) attempt to make things right without
a fight.
Now, I’m
not so naive to think that we’re going to change anybody’s mind about how any company
does their internal risk mitigation or accounting. But if a company has shown
enough foresight to put internal controls in place to mitigate financial
liability against these types of risks, then there is a good chance that they
have enough foresight to place control in other parts of their corporate
governance. And, if they’re a publically held company, then SOX applies, and
they’re being audited on GCC anyway.
Now
before all y’all think that this makes no difference, and that I’m tilting at
windmills, consider that just in the last couple of weeks, that Home Depot had
a laptop stolen with "the names, home addresses and Social Security
numbers of 10,000 employees," AND Iron Mountain a DATA PROTECTION SERVICES
COMPANY admitted it lost a decade’s worth of bank account data and Social
Security numbers for almost all Louisiana college applicants and their parents
during a move when a driver apparently failed to follow company security
procedures.
All of
these weren’t malicious attempts at terrorism, they were simply part of the
category of sh** happens.
At the
end of the day how a company’s internal processes address these types of risks
is a barometer of where their focus sits.