Risk-mitigation practices for outsourcing for the coming year can be segmented into six categories:
- Objectives: Make sure you get what you pay for
- Service provider selection
- Proactive management of price risks
- Regulatory matters
- Global risks
While these areas may seem to be the same core risks that third-party advisors have focused on for years, there are some new nuances because the industry is changing.
As Chuck Pol, President of BT-Americas points out, "trends indicate that, although cost is still a major driver for outsourcing, companies are more focused now on using outsourcing to create strategic advantage and value creation for their businesses. Also, many companies are looking to go from international to global operations as the means to more effectively compete and grow in their market, and there's a big difference in risk between international and global."
Increased risk accompanies strategic-advantage objectives. Buyers of outsourced services cannot afford to skip over any risk-mitigation efforts in these six areas. Here are some tips.
Objectives: Make Sure You Get What You Pay For
Companies that don't discuss their plans and overall strategies with their service providers, up front as well as on an ongoing basis, cannot reap the full advantages of an outsourcing relationship.
"It is really critical that the outsourcer becomes aware of key business strategies and engages in decision points to assess requirements against the outsourced scope of services in order to ensure support for driving the business forward," warns Pol. "If a provider just does strictly what the customer asks, without fully understanding the overall business requirements, changing business conditions, and strategic direction, the customer will not get what it paid for."
Pol adds that BT (British Telecom) notes a trend of service providers "getting very close to the boardrooms of America to understand a client's ambitions and plans." Many outsourcers have broad experience across multiple companies in multiple industries and have deep insight into creative ways to enable business growth and transformation. Strategic discussions at the outset and on at least a quarterly basis can lead to competitive advantage for a buyer.
Buyers should also establish a roadmap that links business requirements to technology developments and transformational principles at the start of an outsourcing relationship--but not stop there. BT suggests risk mitigation should include buyers reviewing these requirements internally and with their service provider every six months.
Service Provider Selection Criteria
In today's outsourcing deals, where innovation is the name of the game, there are new criteria to consider when evaluating potential service providers. Look at the provider's track record in these characteristics:
- Investments in research and development
- Product development experience
- Reputation for innovation
- Global operations footprint
- The ability to test their ideas against customer requirements rather than just creating a technology and trying to market that into the enterprise space
In addition, Mark Fulgham, Vice President, IT Outsourcing at HP, observes that buyers need to ensure selected providers have "certification and pedigree relative to process compliance." COBIT (Control Objectives for Information and related Technology, a set of best-practices for IT management), he explains, is starting to interact closely with ITIL (IT Infrastructure Library, the most widely accepted approach to IT service management in the world); and the intersection of the two is coming to bear in some of the ISO 20,000 (International Organization for Standardization) capabilities. "It's also bringing in maturity model certification," states Fulgham.
Despite the fact that maintenance usually takes up 90 percent of most IT expenditures today, most organizations still aspire to a 60/40 spend (60 percent on the current installed base and 40 percent on new programs). "Some of the most profound changes begin with re-calibrating an agreed-to set of IT lifecycle processes," says Fulgham.
He continues: "ITIL version 3 (which rationalizes 60 books of processes and procedures down to two books) finally brings forward a lifecycle approach to service management processes and procedures." Of course, outsourcing to a best-in-class provider is a strategy that quickly and cost-effectively brings a client organization's outsourced IT processes to the most recent ITIL level.
HP has shortened ITIL version 3 to 20 best-in-class processes necessary to manage a business and, according to Fulgham, "only six or eight that an outsourcing service provider really needs to manage in a thoughtful way. As you go upstream and do things like IT strategy and planning for the next-generation set of capabilities, this approach allows providers to bring in the next level and next generation of innovation in a thoughtful and manageable way."
Tom Schaefer, Executive Vice President-Marketing at Digital Fuel, a provider of service management solutions and service cost management, says buyers and providers are beginning to see benefits in solutions that help automate adherence to ITIL standards, especially as they pertain to service level agreements.
"A service provider can demonstrate to its clients that not only is the provider certified as to ITIL standards but also that it applies technology that gives visibility to clients as to how it is doing across all the standards and their relevance to obligations in the service level agreement (SLA)," says Schaefer.
In addition to maturity model certification, Fulgham at HP says a provider needs to have "a track record that not only demonstrates the ability to provide quality improvements but also to report how it will improve that on a year-over-year basis."
Proactive Management of Price Risks
Mike Jones, President of ITO at Infocrossing, a provider of selective IT infrastructure, enterprise applications, and business processing services, believes buyers face a new risk that will "cause upward pressure on prices."
"Electrical costs--cooling and power for data centers--are going up," notes Jones. Providers will need to deploy a lot of capital for data-center improvements, and that will cause them to push pricing up a bit."
Jones advises that buyers that sign contracts for new outsourcing relationships, add scope to existing contracts, or renew a deal at contract-renewal time should ensure the contract includes a cap or index on rates. "This is particularly important in deals where there are fewer services in scope, especially the more facilities-based or hosting deals," he says. "To the extent that there are more services in scope in the deal, then decreases in unit cost in the services could offset the increased facilities cost."
Schaefer at Digital Fuel says both buyers and providers need systems that "enable playing 'what-if' scenarios to better manage actual costs versus budgets more proactively." This type of technology solution can be especially helpful in mitigating risks by indicating necessary price adjustments for service dips when providers bring more services online. He says it's also helpful in a buyer's decision-making to "turn down the use of some services while increasing the use of other services to deliver the most value to the business."
In another proactive price management scenario, Schaefer explains that buyers can mitigate risks by using software that allows tracking of service costs by business-unit consumption, providing more visibility and accountability. He says understanding the hidden costs in offshoring is also critical to ensuring return on investment, and software solutions can manage this risk.
Failure to understand and comply with regulations like the Sarbanes-Oxley Act of 2002 will create risk for an enterprise. Pol at BT advises that it's critical for organizations preparing for outsourcing to understand how a potential provider manages and supports regulatory compliance. In addition, he advises that a buyer "needs to be clear as to its responsibility for regulatory compliance processes versus the outsourcer's responsibility."
As outsourcing increasingly becomes key to enabling and supporting globalization initiatives, organizations need to ensure they select a service provider that understands the risks of doing business in emerging markets, such as the BRIC countries (Brazil, Russia, India, China). "Buyers need to select a provider with proven experience in dealing with the rules, regulations, and compliance areas in the market from which services will be delivered," Pol explains.
Sunil Chitale, Senior Vice President of Patni Computer Systems, a global IT consulting and services provider headquartered in India, says buyers' desire for risk-management strategies regarding process knowledge loss is starting to be a big factor. This is especially true in offshore outsourcing, where the knowledge shifts thousands of miles away from the client organization.
The traditional way of managing this risk, he says, has been buyers dictating to providers something like: "We want these 30 employees of ours to shift over and be on your team for the outsourced services, and you can't let them go." Chitale believes this practice should shift to an up-front discussion that includes the following questions of the provider:
- How are you capturing knowledge?
- How are you retaining knowledge?
- How are you passing knowledge from one team to another?
- If we decide to bring the process back in house, will you make that knowledge available to us, and how?
Buyers need to reduce their focus on people-retention as a risk-management strategy for knowledge loss, Chitale advises, because "it takes away a primary objective for outsourcing--to create an efficient organization and efficient resource management."
Instead, he says buyers need to handle their knowledge-loss risks through infrastructure and other IT solutions that providers bring to the table. "Telling a provider to keep certain people on the contract will not preserve knowledge," Chitale warns. "If after a time you decide to move the process to a different service provider, you can't switch those people to the new provider."
Infrastructure outages (even in New York City) and geopolitical risks should also figure into effective risk-management strategies in an outsourcing relationship these days. Chitale advises using an offshore provider that has service-delivery capabilities from more than one city within a country, or from multiple countries, in case something breaks down.
Bret Allinson, Senior Vice President, Global Delivery, HP Services, adds that "security is unquestionably the biggest threat of globalization. Companies must select service providers that can ensure the safety of the client's critical business data and underlying IT, whether the threat appears in the form of a geopolitical or natural disaster."
Another offshore risk is the shrinking talent pool in India. (For background on this issue, see the discussion in "Seven Trends in Offshore Outsourcing for 2007 and Why They Matter" in this issue of Outsourcing Journal) Tony Viola, Vice President, Marketing, at Patni Computer Systems, says buyers need to ensure their providers will continue to have the necessary talent. He suggests buyers' due diligence should include questions about a provider's toolsets and automated delivery capabilities, as well as its position on initiatives such as Software-as-a-Service (SaaS). "Find out what the provider is doing in these areas instead of being completely dependent on manpower," he advises.
Establishing a mutually beneficial and effective relationship-governance structure has always been a critical key to success in outsourcing. Pol at BT advises that buyers can avoid many risks by ensuring the following components are included in their governance agreements:
- How the provider will handle processes and procedures regarding regulatory requirements (such as Sarbanes-Oxley) and ensure auditability of processes
- Review of current assets and how to optimize them for the future
- How the parties will work together to drive for efficiency and improvement in services as they move down the road
In addition, Pol says BT has noticed a trend of client organizations serving as the integrator in a multisourcing environment. It is critical that governance agreements include a focus on operational standards to support a multi-sourced environment. For example:
- What are the lines of distinction between the service providers?
- How do the hand-offs play to each other; how will the providers execute the hand-offs; which provider is responsible for each hand-off?
- What is the client's role in the hand-offs?
Schaefer at Digital Fuel says there is a trend of both buyers and providers wanting more visibility and a common way of managing all the providers in a multisourced environment. Digital Fuel's software is one example of such a solution. "It transforms obligations in the agreement into a digital form so that all parties have a single version of truth," Schaefer explains.
This is especially crucial in offshoring, Schaefer notes. "Buyers are learning that realizing the benefits of offshoring requires more effective management processes. They must ensure that governance includes frameworks and tools that ensure the offshore provider understands the impact of how its service delivery works in concert with other process services delivered by other providers."
Allinson at HP adds that, as companies scale, they have an increasing critical need for real-time data to ensure consistency in services, product development, and effective collaboration across time zones. "To maintain a competitive advantage, a governance framework for how data gets captured and exposed around the world will be needed in order to make the best business decisions and to adjust outcomes daily," says Allinson.
Joe Hogan, Vice President of Strategic Outsourcing Programs, Unisys, comments that buyers need to "hedge their risks with a visibility model. Because outsourcing relationships extend over time, the parties will introduce change into the environment and need to understand what the effect of the change will be."
He compares it to a car manufacturer creating a simulation of its factory floor to see the impact of proposed changes in a model line before it spends the capital. Similarly, outsourcing providers should be able to provide a model that makes visible the impact of change introduced to the client's process, applications, and infrastructure. Some providers, such as Unisys with its 3D Visible Enterprise approach and 3D Blueprinting methodology, have software tools that create such a model, which then helps a buyer and provider understand the governance and SLAs that need to be in place for the impact of change.
"With such a model, the buyer can get more predictable in terms of what it needs to do and whether or not its sourcing strategy coincides with its competitive imperative or business plan," Hogan explains. "Companies that take more time to do this modeling ahead of time will be better off."
And the Bottom Line in Risk Management is...
Ultimately, warns Pol of BT, organizations "run a risk if they are not actively considering or evaluating outsourcing solutions. We've noticed that companies that outsource really do have more competitive advantage within their markets. We believe that companies not currently considering how to act on outsourcing have real potential to negatively impact their businesses in the next three-to-five years as others take advantage of the opportunity."
Furthermore, Fulgham at HP warns against delaying outsourcing decisions. Given that technology and markets can change dramatically in the average 18-36 months it now takes just to negotiate an outsourcing arrangement, delaying the decision to outsource by several months will cause a company "to lose out on a lot of opportunity and could cause a company to be uncompetitive in a new market."
Lessons from Outsourcing Journal:
- Unless a client keeps its service provider abreast of key matters such as strategic direction, changing business requirements, and changing business conditions so that the provider can determine how its expertise and resources can enable the client's objectives, the client will not get the competitive advantage it pays for in an outsourcing strategy.The parties should develop at the start of the outsourcing relationship a roadmap that links business requirements to technology developments and transformational objectives and review it every six months.
- Because of the emphasis on innovation for continuous improvement in service delivery, provider-selection criteria should include a track record in: investments in research and development, product development experience, reputation for innovation, a global operations footprint, and the ability to test their ideas against customer requirements.
- Buyers need to ensure a provider has certification relative to process compliance (COBIT, ITIL, etc.). A provider should also be able to demonstrate the ability to provide quality improvements and how it will improve that on a year-over-year basis.
- Because the cost of cooling and power for data centers is increasing, providers will need to deploy a lot of capital for data-center improvements, and that is likely to cause them to increase their prices. To mitigate this risk, buyers should ask for price protection, such as a cap on rates, at contract-renewal time or when signing a contract for a new relationship.
- It's critical for buyers to clearly understand the differences in their own responsibility for regulatory compliance processes versus the outsourcer's responsibility.
- Buyers need to reduce their focus on people-retention as a risk-management strategy against knowledge loss, instead ensuring the provider has adequate IT and other process knowledge-management solutions in place.
- If offshoring, choose a provider with service-delivery capabilities from multiple cities in a country or from multiple countries in case of power outages, geopolitical issues, etc.
- Buyers can avoid many risks by ensuring the governance agreement includes clauses for how the parties will handle processes and procedures regarding regulatory requirements (such as Sarbanes-Oxley), ensure auditability of processes, review assets and how to optimize them for the future, and how the parties will work together to drive for efficiency and improvement in services over the long term
- In a multi-sourcing environment, risks can be mitigated with a governance structure that includes operational standards such as the lines of distinction between the service providers; how the providers will execute hand-offs, which provider is responsible for each hand-off, and the client's role in the hand-offs.