-
The categorisation of risks below is a starting point for preparing the detailed risk analysis of an offshore contract. They should not be considered as either a complete or accurate reflection of all of the risks and mitigations that might exist in the unique circumstances relating to an agency's decision about an offshore contract. Instead, agencies should build on and amend the identified risks through internal and external consultation to capture all relevant risks and mitigations. The risks discussed on the following pages are:
-
Agencies are required to take a risk management approach when considering any outsourcing, including sending government ICT services or data outside New Zealand. The New Zealand Government's standard for risk management is AS/NZS 4360 supplemented by HB231 (Handbook 231) which is a guide to applying this standard. Both of these documents may be purchased through Standards New Zealand. ISO/IEC 27005 is expected to supplement these documents at some point.
-
The same risks to personnel security, physical security and ICT security exist in foreign jurisdictions as in New Zealand. However, the likelihood of those risks occurring in some places can be significantly higher because of economic, social and legal differences. Furthermore, the ability of a New Zealand government agency to manage those risks or an actual security breach can be frustrated by distance, language, contractual provisions and the absence of legal authority.
-
Training and Resources in Risk Management
Government Technology Services (GTS) provides risk assessment, risk management and security expertise.
-
How government is seen to treat personal information contributes significantly to government's reputation as fair, transparent and trustworthy. In New Zealand the protection of personal information is provided for by the Privacy Act 1993. The international context of that legislation is generally irrelevant to its domestic operation. However, that context becomes important when offshore ICT services are considered. It is not as simple as saying that any transfer or collection by offshore agencies is bad or inherently risky to the privacy of New Zealanders.
-
It is legally and practically more difficult for a New Zealand government agency or the New Zealand courts to enforce a contract with an offshore service provider, compared to a contract with a local provider. This is to some extent due to the potential difficulty in enforcement of the contract or some intervention by authorities in the offshore provider's home jurisdiction. Furthermore, it may require the government agency to obtain specialist legal advice in that foreign jurisdiction with consequent substantial costs and timeframes.
-
Offshore outsourcing can present unique financial risks. Contracts that include future payments in a foreign currency can be subject to exchange rate fluctuations. Financial hedging or limiting contracts to New Zealand dollar terms can help mitigate this risk. Offshoring contracts might also incur unexpected liabilities in the foreign jurisdiction (e.g. taxes).
-
This section details specific key risks and provides example mitigations. The following areas of risk are described:
-
When contemplating contracting for services with an offshore supplier, agencies may wish to discuss the following issues with their legal advisors. The list below is not intended to be exhaustive and the importance and negotiability of such issues is likely to depend on the magnitude of risk and value of the contract.
-
Q: So what is this new policy about using offshore ICT service providers?
A: It's not new policy. It's not formal enough even to be guidelines. Our only strong recommendation is to take a risk management approach. But you can learn from the Advice about the risks around offshore contracting and how to manage them.
Q: What is in the Advice?
A: There is:
-
Some risks are sufficiently serious to warrant being described as "show stoppers". These would typically relate to the integrity and reliability of the legal system in the target jurisdiction. One guide to the relative risk of countries' integrity can be found in the annual Global Corruption Report at Transparency International's website. A second would be any formal advice from the Government Communications Security Bureau (GCSB) or the New Zealand Secu
-
"Trusted State Services" is one of the Development Goals for the New Zealand State Services. This goal is: "New Zealanders have confidence in the people, systems and processes of the State Services and the way services are delivered. They trust that agencies will deliver the services they need to go about their lives."
-
Agencies are not released from their obligation to obey New Zealand law and policy because they have outsourced data or operations to contractors in New Zealand or beyond. Digital information created as part of an agency's functions is part of the public record to which the Public Records Act 2005 applies. Agencies are also responsible for their handling of personal information under the Privacy Act 1993.
-
When services are hosted offshore, the government agency's management staff may be geographically remote from at least some of the people who actually deliver the service. Similarly, business owners and governance groups for projects may be distant from the developers.
-
Sending government data and data processing and management overseas could pose risks to New Zealand's economic wellbeing and these may need to be weighed in the cost benefit assessment of the anticipated financial benefits of an initiative.
-
It might be argued that sending some services offshore can offer benefits in terms of capability such as access to offshore expertise. However, this needs to be seen against the risk of failure in a foreign operation causing service delivery failures in New Zealand. The Reserve Bank has considered the risks of offshoring banking services and has established policy aimed at ensuring the continuity of banking services in the event of a service failure in a foreign jurisdiction:
-
The State Services Commission, with the support of the Office of the Privacy Commissioner, Archives New Zealand and other agencies, has developed advice for government agencies on managing the risks around the use of offshore ICT service providers. Stewardship requires an informed balance between sometimes competing drivers.
-
Purpose
The New Zealand government is a steward of information and data on behalf of all New Zealanders. Stewardship requires an informed balance between sometimes competing drivers.
-
Government agencies considering the use of ICT service providers for data processing and management services or government data storage should assess the risks of doing so and compare those risks against any potential benefits. Some risks may be trivial, such as when an agency chooses to make older publications available electronically. Others may be such as to preclude any consideration of permitting the information to be stored offshore, such as national security information or sensitive personal information such as criminal records.
-
Glossary of selected terms from HB 436:2004 and HB 167:2006
Risk: The chance of something happening that will have an impact on objectives.
Risk analysis: A systematic process to understand the nature of and deduce the level of risk.
Risk management framework: The set of elements of an organization's management system concerned with managing risk.