Full Disclosure

Eric Krell GOVERNANCE, RISK & COMPLIANCE: GRC expert Eric Krell supplies the Business Finance community...

RiskChat: IT Outsourcing

When it comes to outsourcing a company’s IT operations to an offshore provider, risks abound. Global economic volatility, geopolitical issues, and at least one major scandal in India have some corporate finance executives asking their CIOs and sourcing teams to strengthen risk management around overseas IT outsourcing (ITO) efforts.


Here, David Shpilberg, vice chairman of CPM Braxis, the largest Brazil-based IT Services company, explains what risk means in terms of IT outsourcing and shares a checklist that companies considering a multicountry ITO approach can use to help manage risk.


Eric Krell: How do you define risk mitigation as it applies to global IT outsourcing?


David Shpilberg: The key to risk mitigation as it applies to global IT outsourcing is to decentralize and diversify to reduce the overall risk or, to put it another way, to spread the risk around.


This means using different outsourcing providers in different geographies and with different skills and strengths and different approaches. Essentially, you want to avoid getting into the all-your-eggs-in-one-basket trap. In that case, no matter how low a rate you may get from that single vendor, you have increased your risk substantially.


In fact, a single outsourcing vendor may not even be acceptable at the corporate governance level, where the trend is toward multiple providers, whether it is hardware, software, networks, or services, to avoid vendor lock-in and spread the risk.

New Risk Management Survey

To what extent does risk management need to be better aligned with internal control?


That’s the essential question within a new survey you can complete in 15 to 20 minutes.


The survey represents a joint effort among The Professional Accountants in Business (PAIB) Committee of the International Federation of Accountants (IFAC) and the Committee of Sponsoring Organizations (COSO).


The objectives of the research are threefold:

• Investigate how risk management and internal control frameworks, standards, and/or guidance are being used around the globe;

• Identify the strengths and weaknesses of existing risk management and internal control systems; and

• Determine the need for international alignment among the various national frameworks, standards, and guidance that already exist in this area.

Sarbanes-Oxley Compliance Update

I saw a new survey on the evolution of Sarbanes-Oxley compliance and my first reaction was: How quaint – do people really still do that?


First, I apologize for my removed insensitivity. I am removed for a couple of reasons, including the fact that I’ve invested the vast majority of my research time in the past 18 months on risk management: enterprise risk management (ERM), risk culture, risk committee, human risk, model risk, scenario planning, etc.


Also, the term “SOX” sparked a little nostalgia for someone who started writing about SOX compliance the day the act appeared … well before everyone and their mom started writing (or, in many cases, “typing”) about GRC.


Despite the onslaught of GRC content and my own personal focus on risk management lately, SOX compliance continues to evolve, particularly for folks in the trenches who are too busy adding value (the survey suggests) to blog about their process, technology, and relationship work.

RiskChat: What Is Risk Intelligence?

Here’s how Deloitte & Touche LLP principal Rick Funston defines the concept of “risk intelligence” in five words: “Managing risk before it manages you.”


Not bad for someone who recently invested tens of thousands of words on the same topic in his and co-author Stephen Wagner’s new book, “Surviving and Thriving in Uncertainty: Creating the Risk Intelligent Enterprise” (Wiley, 2010).


I asked Funston about various elements of risk intelligence in this Q&A chat that I conducted for Business Finance.

Fraudsters Gone Wild

Fraud lurks everywhere these days, especially in my inbox.


This spring, accounting firms, consultancies, and professional forensic associations are harvesting seasonal fraud surveys packed with criminal amounts of eye-opening information.


Whether or not North American risk management efforts – and the rise (or rebirth) of formal enterprise risk management programs – are putting a crimp on the corporate fraud crop remains to be seen (and will be something I blog on soon).


In the meantime, the results from Ernst & Young’s “11th Global Fraud Survey” and The Association of Certified Fraud Examiners (ACFE) “2010 Report to the Nations on Occupational Fraud & Abuse” are available to prying eyes.
