The Institute of Enterprise Risk Practitioners (IERP®) is the world’s first and leading certification institute for Enterprise Risk Management (ERM).


IERP® International Institute of Enterprise Risk Practitioners


Pros and Cons of Outsourced vs In-house Risk Management Function

Risk management is best done in-house. Why?

Because regardless of whether administrative risk management activities are contracted out to a third party or not, the practical management of risk will ultimately still have to be conducted by the organisation. However, this does not mean that companies should start from scratch where risk management is concerned, particularly if they have no experience of it. They may want to consider availing themselves of risk management consultants’ expertise if they want to establish risk management systems in their organisations. This inevitably begins with collecting information about the organisation, an activity which underpins risk management training and execution.

In order to understand the organisation’s risk management requirements, a clear picture of the organisation needs to be drawn up, indicating its aims, objectives, resources, challenges, strengths and inadequacies. This necessitates a great deal of information, from as many areas as possible within the company, from Board level to pantry personnel, across departments and business units, from subsidiaries, contractors and suppliers up and down the chain. Feedback from stakeholder groups cannot be discounted, and the company also needs to be sensitive to what is trending in the general business environment.

Consultants can tell you what to look for, and maybe even where to find it, but how exactly to access it is another matter. Data gathering is crucial to the success of risk management, but gathering it requires a certain level of human interaction that a consultant, with limited engagement with the organisation’s staff, may not have. Even with the best intentions, consultants may find themselves being thwarted at every turn. Data-gathering efforts may be further complicated by the silos which exist within the organisation. Staff who have been operating within silos may not even know how to operate outside them.

A major part of risk management also involves modifying organisational behaviour so that a risk management culture can develop in the long term. A consultant is inevitably viewed as operating outside this organisational culture. Because of the nature of risk management and the processes which it involves, a company has to “own” it for it to be effective. Risk management is not a one-off exercise; it is an ongoing one that necessitates long-term commitment. For this reason, it is aligned with strategy, and has to provide the necessary support for the Board and management’s decision-making activities.

Some companies do outsource certain areas of risk management, such as staff training in risk management frameworks and processes, or initial awareness-raising of the need for risk management, but the company has to undertake its implementation and subsequent updating and improvement itself. This is particularly useful because it allows the organisation to learn about itself in an organic way. The information which emerges comes from the parties directly concerned; it is not second-hand information – this is complete, concise data with integrity. It shows the organisation’s unvarnished realities, the challenges which confront it, and where its shortfalls lie.

Even in the best, most supportive environments, effective risk management takes time to develop. It isn’t something that happens overnight. The people who make it happen have to feel invested in what they do. They need to feel that they are making a difference, and that what they are doing has value. They cannot do this if risk management is outsourced. The organisation may experience another disadvantage eventually: no internal risk management talent will be successfully developed because the organisation’s people will not feel invested enough in it. Considering that risk management is a long-term proposition, the organisation may well be short-changing itself if it decides to outsource instead of doing things in-house.
