With every outsourcing opportunity comes a new contract. In drawing up such agreements, it’s essential to include specific procedures, provide detailed plans in the event that things go wrong and make sure your security is up to snuff.

Things get even more complicated when offshoring comes into play. While many of the same contract rules still apply, you’ll also have to take into consideration local customs and legal standards, and treating employees fairly across the board, whether they’re in Baltimore or Bangalore.

After all, consider what’s at stake.

According to Forrester Research, Inc. in Cambridge, Mass., global spending on IT services and outsourcing was estimated at $488 billion in 2007 and is predicted to rise an additional 9% in 2008. At $120 billion, IT outsourcing constitutes roughly 25% of this spending. Forrester estimates companies can expect to save roughly 12%-17% by outsourcing operational activities.

Jeff Gordon, a professional negotiator, said a contract should contain many elements aimed at ensuring that the outsourcing company will put a good face for your organization.

For starters, mandatory provisions for training, process and procedures should be written into the contract. “What a lot of companies fail to do is properly plan,” Gordon said. “They fail to document procedures and policies, and expect the outsourcing company will just know what to do.”

Also important is your ability to manage the contract and ensure that it provides the opportunity “to smoothly transition to another idea or solution if the company isn’t able to do what you want them to do,” Gordon said.

If you are outsourcing your IT functions to India, for example, you want to make sure you’re covered if you start hearing from customers that they aren’t getting the information they need. According to Gordon, there are generally three procedures you should account for in your contract:

• Fixing what’s wrong: Outline how and within what time frame problems will be fixed, and what financial penalties will be leveraged if they’re not.
• Replacement: If the problem can’t be fixed, detail provisions for a seamless transition, carried out by the company to which you are outsourcing, to alleviate the problem without negatively affecting your own company’s operations.
• Pulling the plug: Although an undesirable solution, there should be language in the contract providing for a complete pullout if the outsourcing company is not doing its job properly.

Gordon said it’s also very important to assign accountability in each of these scenarios, so individuals in each company know to whom to turn when problems arise.

Security considerations should also be at or near the top of any outsourcing contract, said Khalid Kark, an analyst at Forrester.

Whereas, a few years ago, security heads in large U.S. companies tended to have trouble handing their technology over to somebody else, now “security people are realizing the value of integrating security capabilities, in addition to other IT outsourcing capabilities,” Kark said.

As outsourcing such functions becomes more common, Forrester is seeing U.S. firms become more knowledgeable in their approach to security in contracts, Kark said.

“Now many outsourcing contracts include very strong security requirements,” he said. “We were surprised at the maturity of companies’ outsourcing, understanding security and risk requirements, and being able to put those thoughts into [contracts].”

Although your firm’s legal counsel will likely play a central role in your contract, “all groups need to work together to manage security and risk in an outsourcing contract,” Kark said. From IT to audit to compliance to security and others, “no single entity is responsible — you need to have these groups work in concert with each other … and that is missing in a lot of the organizations we’ve worked with.”

Companies often struggle with compliance, which varies from place to place, Kark said. “Although vendors claim that they’re covering all of the requirements, it’s important to articulate that in the contract,” he said. “If you don’t, the vendor is going to do the bare minimum.”

There are challenges specifically related to offshoring IT functions that U.S. firms must take into account, Kark said. He noted that he has spoken to several clients who have worked with Indian firms that have moved some of their offshoring capabilities to Mexico “because they wanted people to be present in their time zone to address things right away.” If this interests your company, make sure you seek out a firm with these capabilities or provide for them in the contract.

It’s also important that a contract include the proper language to straddle cultural boundaries. Kark said he spoke to one company that claimed to practice the same policies across the globe. In Singapore, however, 40% of the security policies were misunderstood — even though the staff was bilingual.

In another case, a company that outsourced to India had problems with employees not wearing their security badges during the workday. Posting a security guard to check really didn’t improve the situation because “in India, the security guard can’t really ask a manager of a company [for his or her badge],” Kark said.

Thus, in drawing up contracts, “you need not only to translate policies, but to bring in local contacts” who understand regional customs, Kark said.

He said your contract should also protect you if people in the company conduct themselves inappropriately or participate in illegal activities.

“India is pretty decent, but others might not have as strong a legal jurisdiction for companies to apprehend people who have gone through and done something outrageous,” he said. Some companies would not allow a U.S. lawyer to function in India, for instance, “so your legal team needs to get involved to figure out if something bad happens, what the repercussions will be.”

Gordon also advises making sure the company with which you are contracting has insurance in the jurisdiction in which it is operating. Finding local counsel is extremely important when drawing up this sort of country-specific contract.

“In doing that, what you’re really looking for are answers about all of the things that would go into a standard U.S. contract, and finding out if such sections would even be applicable in a foreign jurisdiction,” Gordon said.

He added that, ideally, your company will plan for risks associated with outsourcing long before the contract stage. “Risk management in outsourcing is planning for things that your contract can’t even come near touching,” he said. “If I’ve done my job correctly, we never pull that contract out again because of the way we’ve written and planned it.”