The Importance of Risk Management in Large Scale IT Outsourcing Arrangements
Author: Dean Sleigh
A number of organisations continue to face challenges managing their own IT service delivery. In response, it appears increasingly popular for organisations to consider the outsourcing of large components of their IT environments. This popularity extends not only to application support but also to infrastructure management. The rapidly changing landscape of IT has meant it has become increasingly difficult and complex to exclusively manage IT as a strategic asset in house, and hence the appetite to outsource is born out of three dominant reasons:
Cost Profile
It is presented that many outsource arrangements should reduce or give greater certainty to the cost profile of IT service delivery. It is very common to see resources priced ‘per unit’ and able to be flexed up and down to cater for changing demand from the client. In addition, large IT vendors represent that hardware can be purchased using their volume discounts, resulting in material cost savings. Furthermore, significant economies of scale are also possible as outsource providers have pools of talent and resources available, often on a lower cost basis (particularly when resources are located in low-cost countries).
Access better service
In Australia it can be particularly challenging to have a full complement of experienced resources available in house. Given the peak and flow nature of company investment in IT systems, this tension is complex for an in house environment. The outsource model often provides access to a deep global pool of experienced personnel who are available on demand. Naturally, the provision of these services is the core business of the vendor organisation; hence access to better tools, processes and practices should be easily obtained.
Passing risk but not responsibility
Outsourcing is clearly an attractive tool for many CIOs (perhaps naively for some) to manage down their risk profile. Arrangements can be struck on fixed time and fixed cost profiles, thus passing delivery and operating risk (within ranges) to the outsource provider. A fully in house model does not easily allow such risk mitigation.
Despite the compelling reasons for considering outsourcing IT services, a number of significant challenges emerge. As IT environments become more complex, intricate and important to organisational success, the challenges are substantially greater. Few organisations are well prepared to manage these challenges and even fewer fully appreciate the extent of the challenges until calamity strikes.
Key challenges
Many of the large IT outsourcing arrangements involve contracts that extend to thousands of pages, involve many individuals within the vendor and client organisation and an extensive list of assets. Clearly this cocktail of components increases the inherent complexity of the arrangement.
The key question that many organisations need to address is: do they actually (and with precision) know what is being outsourced and what is being retained? Further, consideration should be given to future state needs and ensuring the vendor organisation can flex with client needs.
Whilst this may seem a straightforward question on first pass, when whole of enterprise arrangements are struck it can be complex to have clarity around what is included and what is not – particularly when clients seek broad ‘catch all’ contractual statements that bring unforeseen items in scope for the vendor. Satellite and joint venture operations often make this understanding even more complex. New ventures being undertaken in a Business As Usual (BAU) environment, are they in or out? Legacy, bespoke or boutique infrastructure, is it in or out? These are typical questions that are often poorly addressed.
Transparency in Billing
With service schedules frequently extending to hundreds of line items it is often difficult to get the vendor organisation to accurately invoice for each service. Additionally, many vendors have substantial time lags before costs are actually invoiced. Vendors often show a scant regard for the problems that arise as a result of this issue. Cash flows and budgets need to be managed within the client organisation and downstream cost centre managers have little regard for the poor billing practices of a distant vendor. The CIO office ends up having to justify why material invoices have taken months to arrive for services people were never sure were actually delivered or for what cost. More broadly, the CIO office needs to change from a technology focus to a service delivery and supplier management focus, with the requisite skill changes to support. The examples are plentiful. Clarity between in scope and out of scope add on services is also an area that can cause confusion. Responsibility for engaging the vendor organisation for new or out of scope services can also be unclear. Clear delegations are critical.
Enterprise Wide Change
It is not uncommon for the large scale outsourcing arrangements to have enterprise wide implications. Desktop support is the classic example of an IT service that is enterprise wide and often included in the bundle of services outsourced. While the business case may make great sense at the CIO level, the users are rarely engaged to get their perspective and endorsement. Any change is difficult; if service standards differ or a new process is required, staff can quickly dismiss the outsourcing as deficient and “nothing to do with me”. This sets up tension from day one and is difficult to correct as it gathers momentum. When suppliers are introduced to strengthen process in a company, further difficulty is typically encountered when more robust processes are implemented and enforced. For this reason, it is critical that processes work seamlessly from day one. Adequate on boarding processes need to be established to ensure the vendor team can be embedded into the client organisation (and vice versa) as soon as practicable, avoiding an uncomfortable honeymoon.
Vendor Delivery
Despite the impressive sales process and an even more impressive pre bid process, this can quickly dissipate if the delivery team are slow on the uptake or simply not able to deliver the required services. Vendors have a very real reputation for the over promise or over sell condition. Due diligence is important; however, even the best due diligence and support from experts cannot eliminate vendor delivery failure. This issue is especially relevant with large multinational contracts involving elements of off shoring. Cultural, geographic and language differences all contribute. Further complexity arises around defining the standard to which services are to be delivered and how this plays into natural process improvement or decay. Is it clear that organic process improvement is expected? How is this to be assessed and measured?
Transition to the to be environment
With the best intent in the world, CIOs (encouraged by vendors) often see transformation of their environments and outsourcing as a task that can be undertaken contemporaneously. When this issue is better explored it is difficult to support. Presumably a few dominant reasons exist to support the outsourcing; very few is even better. Is it not best to focus on these first and transform once steady state has been achieved? The safe and conservative case is to assume it will take time, often considerable time, to get to steady state once the outsourcing has taken place. Depending upon the legacy environment this could extend to years. Wholesale transformation is clearly risky in this situation. Perhaps small piecemeal improvements are a more realistic way to go – although sometimes accelerating periods of change by implementing as rapidly as possible can ensure that change fatigue does not become a problem.
Regulator concerns
Regulators, in most first world environments, have significant and legitimate concerns regarding how organisations are going to manage the risks attaching to outsourcing. Data privacy concerns are growing by the day and in many industries the regulators fully understand the system wide implications should major organisations be unable to operate as a result of the failure of a critical outsourced provider.
In Australia, APRA Prudential Standard CPS 231 Outsourcing provides guidance for Financial Institutions on this issue. The standard aims to ensure that all outsourcing arrangements involving material business activities entered into by regulated institutions are subject to appropriate due diligence, approval and ongoing monitoring.
All risks arising from outsourcing material business activities must be appropriately managed to ensure that the regulated institution is able to meet both its financial and service obligations to its depositors and/or policyholders.
The key requirements of the standard include that a regulated institution must:
- have a policy, approved by the Board, relating to outsourcing of material business activities;
- have sufficient monitoring processes in place to manage the outsourcing of material business activities;
- for all outsourcing of material business activities with third parties, have a legally binding agreement in place, unless otherwise agreed;
- consult with APRA prior to entering into agreements to outsource material business activities to service providers that conduct their activities outside Australia; and
- notify APRA after entering into agreements to outsource material business activities.
Visibility into the vendor control environment
On occasion, outsourcing can be seen as a straightforward way to address long standing control concerns in client environments. Attaching to globally robust process and capabilities has great appeal. Vendors are generally keen to promote the extent of training and assurance they put into ensuring they are consistent globally and these standards are best in breed. The reality, however, can be difficult to evidence as it relates to individual client situations. While right to audit clauses are not uncommon, the precision within which they can be invoked is often not addressed. Plenty of examples exist where, even for the most basic audit test by regulators or external audit, vendors seek to charge a substantial fee for or are unable to meet the required timetable. A trend emerging is for the vendor organisations to first point to their substantial quality assurance process, comfort letters and the like. While these artefacts appeal, it is far from certain how they actually relate to the environment attaching to the client’s IT environment. One notable example I am aware of relates to the vendor seeking to pass reliance on their help desk process to an AGS style comfort letter that was exclusive to another client using a separate stand alone and unique environment…in another location!
Transitioning staff
Transition to any new environment is difficult. This difficulty is only compounded by scale. When hundreds of assets, people and applications are involved, the extent of transition risk is increased. The full spectrum of human emotion is also to be expected. Some team members will be excited, while others will resist. The ability of the vendor organisation to be across these issues can be challenged. What is often forgotten in this space is the impact the transition to the vendor can have on the retained organisation. People are leaving, uncertainty surrounds who is responsible for what, and cut-off challenges emerge. The opportunity to press the reset button is attractive. Transitioning back, or to additional vendors also involves many of these complex issues. It is important to remember that ultimately success or failure of an outsource is dependent on the people involved.
New frameworks required
Despite the long list of challenges associated with large scale IT outsourcing, many opportunities exist to simply and easily manage them better once the contract is in place and the services are being delivered. In its 2007 Better Practice Guide the Australian National Audit Office considers this issue. In summary the key elements include:
Element | Key Considerations |
---|---|
Identify and manage risks | Capture and understand the risks involved in managing the contract including ensuring roles and responsibilities are understood, delegations in place and the importance of the contract is clear. |
Assign responsibilities | Clear responsibility should be allocated and a range of skills drawn from and called upon at different states of the contract life. Document and publish the various roles within both teams. |
Identify and access skills needed | Recognise that not all skills are necessarily available in house or reside in one individual. Typical skills needed would include: interpersonal and relationship; subject matter/industry knowledge; project management; performance management; problem solving; negotiation; accounting/finance. |
Involve stakeholders | A key role for the team is to ensure stakeholders are kept informed about relevant matters and contract developments. Regular meetings/communications should be scheduled. |
Manage start up | The client team must ensure delegations are in place, issues unresolved prior to signing the contract are addressed and the transition plan is in place and working. De-risk the attraction of the all in process by transitioning component by component. Only progress when success has been demonstrated. |
Manage relationships | Relationship management underpins overall success with large contracts. A structured approach needs to consider: Overall responsibility: each entity needs one individual with day to day responsibility. Performance review meetings: formal meetings where performance is discussed, with a standard agenda and structure, papers and appropriate attendees, held at least monthly for big contracts. Stocktake meeting: senior team leads from both organisations meet to discuss overall performance and unresolved issues, suggested each quarter. Senior relationship: six monthly or annual discussions between the most senior leaders in both organisations to discuss relationship status. |
Administer the contract | Contract administration is an important component to success. The cost of which should be factored into the business case. Key responsibilities include retaining relevant documents, ensuring delivery and acceptance criteria are met and ensuring only approved invoices are paid. Do not assume vendor billing processes are always reliable. |
Manage contractor performance | Performance management should be undertaken throughout the life of the contract and include: performance monitoring; performance assessment; and taking action to address under and over performance. |
Negotiate disputes | While always preferable to resolve matters informally at a local level, where this is not possible, rapid acceleration to the formal dispute process should be considered. Disputed items will not get resolved by ignoring them. There is always give and take in dispute management, which is why the maintenance of a ‘goodwill register’ can be an important tool to balance outcomes. |
Negotiate contract variations | With large complex contracts it is possible to inadvertently amend the contract by conduct and agreement. Changes to the arrangements can materially impact the initial scope and viability of the original agreement. This is to be avoided and only variations that do not materially impact the initial contract should be processed. |
Behave ethically | All organisations have standards by which they stand. All dealings including those by the vendor organisation should be within the boundary of such rules, policies and legislative requirements. All parties should recognise this obligation. |
Keep records | All relevant documents should be retained by the contract administrator. They will not only support the ongoing body of knowledge about the contract but help inform future directors/lessons learned. |
Source: Adapted from Developing and Managing Contracts, Getting the Right Outcome, Paying the Right Price, Australian National Audit Office, February 2007
Back Testing Business Case
While the above outlines a framework that should support the ongoing management of the outsourced relationships, it is critical that some type of back testing is undertaken to ensure the expected benefits have been realised.
This review, depending upon the size of the outsourced relationship, should be presented to the governing authority in the client organisation on a periodic basis. Should this control exist it would require:
- A clear articulation of the business benefits expected and realised;
- A clear timeline over which they were to be achieved; and
- The financial outcomes expected and realised.
It’s on this basis that the success or otherwise of the outsourcing relationship should be assessed. The erosion caused by scope changes often clouds the capacity to undertake this type of analysis. Strong control needs to be exercised to ensure scope creep can be adequately carved out of the base case assessment.
Conclusion
As the dominance of technology as the fundamental business tool grows, outsourcing will continue to represent an attractive option for many organisations. Whilst vendors promote the benefits of an outsourced model, organisations need to have in place stronger governance and control mechanisms to ensure value is derived from these relationships. Fundamental to this is tight control over what is outsourced and then how delivery is managed. A considered and transparent framework should go some distance to supporting this objective.