Outsourcing: Effective Management or Business Risk?

In an effort to standardise and centralise processes, as well as minimise costs, many companies turn to outsourcing some or all of their IT processes. However, this introduces new and challenging risks to the business environment that, if not planned for and managed correctly, can end up costing the enterprise more money than it saves.

Getting the most from an outsourcing agreement means determining up-front the objectives of outsourcing as well as which activities can be outsourced without significantly increasing operational and reputational risk to the business. Companies often outsource ‘non-value-add’ or high-volume transactional processing but do not consider the consequences of some of the decisions that get outsourced along with this. As a result, more and more organisations are looking at bringing elements of their outsourced activities back in-house. Having a robust internal governance model in mind when drawing up the contract with the outsourcing provider is critical to ensuring that key decision-making is retained in-house. Even moving to a managed services model does not transfer all risk and risk ownership to the outsource provider.

Can you really afford to outsource?

Take for example the case whereby user provisioning in core systems is managed by a third party. The user fills out a form requesting access, which is approved and the third-party provider performs the provisioning activities in the system to present the user with access to the information they required. Whilst the form and the actual provisioning activity are the responsibility of the service provider, the customer is still accountable for approving the access request as the customer owns the data. Whether this is pre-approved or point-in-time approval, the customer is ultimately responsible for protecting the data contained in their systems.

This is particularly true where confidential information is available, which may be covered by the Data Protection Act, or business sensitive information that would have a reputational impact if it were released (financials leaked to the market ahead of formal release, for example).

Understanding the business process to be outsourced and mapping out the key decision and control points will help to ensure that the organisation retains ownership of these steps. Business gatekeepers should be established with sufficient knowledge to act as approver for key points in outsourced processes (e.g. revisions to the change management process, new or changed system access, business process controls). This may change the view of what processes are core to the business and therefore retained in-house or, it may just highlight activities that have integration points and consequences that had previously been hidden and that need to be better managed in future.

Outsourcing IT – particularly when this is to cloud suppliers – creates additional compliance challenges. Often the outsource provider is located in other country to reduce costs, and cloud computing can introduce further cost savings. However, this approach may increase the compliance risks because of complex data privacy requirements and legislation that exist around the world. If the outsourcer’s data is held in another jurisdiction it may be subject to regulatory requirements that the organisation is not aware of and may also mean laws are breached in the organisation’s home locations.

Legal advice regarding local employment laws, IT regulation and data privacy is essential during the due diligence phase, to reduce the risk of issues occurring once a contract has been signed.

Including a regular compliance audit of the outsource provider in the contract, either by the organisation itself but more likely through a third party, also provides some comfort that compliance requirements are being met. Ensuring penalties are incorporated for failure to meet requirements is advisable, but the organisation should also take some responsibility for notifying the provider of regulatory changes that may have an impact.

Creating and maintaining quality requires ongoing effort from both parties

Levels of service quality often initially drop when switching from one provider to another, or from in-house to third party, but then pick up again as the transition period comes to an end. However, sometimes the service never seems to improve or it drops off again over time, as the organisations involved become more complacent.

Organisations typically outsource to reduce costs and because other companies have a particular expertise that the customer does not want to develop in-house. This positions the outsource provider as the ‘expert’ in IT support for example. In practice, many outsource staff are junior resources who are trained in a very narrow field and who are expected to follow scripts to perform activities. This means that anything that falls outside what has been defined as ‘the norm’ can take a long time to resolve and eventually ends up costing more, because of the number of phone calls and tickets raised to fix the problem. Most people have encountered something similar in either a business or personal context when calling a helpdesk.

Outsourced staff capability and capacity is usually outside of the control of the customer organisation. Many providers utilise large teams to service multiple clients, in order to maximise their skills and experience, however this is not always a positive experience for the customer, especially when there is no clear accountability for the account, or clarity over who is supporting it and what qualifies them to do so. It is possible to enforce training for support staff before they can access systems and service the account: the costs of this should form part of the contract negotiation, but it is recommended that third-party staff become familiar with the organisation, its systems and processes as part of that training.

Another option is to introduce periodic reviews of service provider personnel: this may be more appropriate where staff turnover is high.

Defining specific quality and performance related service level agreements (SLAs) will help to ensure that quality levels are maintained. However, SLAs must be carefully considered to avoid driving the wrong behaviours. Setting an SLA that requires a helpdesk ticket to be closed within four working days may result in the ticket being closed without the issue actually being resolved, culminating in yet another ticket being raised. This problem is exacerbated when the provider is paid on a ‘per ticket’ basis.

Performance measures should contain an element of quality in them to encourage the behaviours that the organisation wants to see – e.g. the number of events that have occurred without appropriate business approval. Performance reviews should take place regularly with representatives from both parties: in the previous example it may be that the customer can implement improvements to avoid a breach, such as providing the third party with the most up-to-date list of approvers.

TAGS:
CATEGORY: Useful Articles
 
 

Popular posts

Related posts