It’s Not Risk Management If You Just Trade One Risk for Another!

Especially if the second risk is just as risky, or, even worse, more risky than the first.

After reading a number of articles that claim IT Outsourcing reduces cost AND risk, including this recent piece over on Global Services on Operational Risk, IT, and Outsourcing, I am getting nervous about the mad dash to the cloud that these articles are directly or indirectly promoting.

While SaaS is often the best choice for many SMEs and large-scale industries without a lot of technical know-how, it’s not always the best choice, and some systems are a lot safer to outsource than others. It’s one thing to outsource an ERP/MRP, especially if you don’t store your bank account access information in the ERP/MRP, but another thing to outsource user account management if such management contains credit card information and/or detailed financial profiles that are sufficient for an average criminal to commit identity fraud in his sleep. In the first case, just about any SaaS provider will do. In the latter, you need one who not only hosts in a secure data centre, but understands security and built security (and encryption) into the application (and database) from the ground up, especially if they are hosting in a shared data centre that uses a true multi-tenant architecture. Otherwise, if the application wasn’t designed right from the bottom up, a hacker could break in through a weakness in the application layer, dump the database, and get unencrypted credit card numbers, bank account numbers, SINs, etc. This could be financially devastating to you and your customers (who, for starters, would never buy from you again and who would probably take you to court).

The requirements for outsourcing and maintaining financial systems are much greater than for Supply Chain and Inventory Management. So what if they get your inventory database? Unless you’re storing nuclear material, who cares if they know for sure that you have 250 outdated PCs, 100 rolls of steel, and a warehouse full of binders? If they were doing a competitive intelligence project and really wanted to know that much about you, they’d check one of the import/export trade data monitoring services (or just watch what went in and out of your warehouse from across the street) and know it anyway.

Before you outsource financial systems, you have to be sure that the provider and the hosted application are at least as secure as the applications and environment you’d build in house, or the outsourcing effort will come at the expense of increased risk. And if risk increases, the decrease in cost may be inconsequential.

And if you don’t have the technical savvy to make a fully informed decision, bring in a consultant who has that knowledge. Trust me when I say it will be one of the best investments you ever make.

