How to manage outsourcing risks

If you think managing the risk of IT projects is all about throwing everything over the fence to an external supplier, think again.ContentsHigh-risk areasMitigate don't hesitateWritten in ink?



If you think managing the risk of IT projects is all about throwing everything over the fence to an external supplier, think again.


Contents
High-risk areas
Mitigate don't hesitate
Written in ink?
IDC: Loss of control the biggest risk
Gartner's Oz VP sourcing

It is no longer the norm to enter into a single, gigantic, all-encompassing outsourcing deal, and as selective sourcing takes on a greater popularity, you might find your company has dealings with a myriad of external service providers (ESPs) and consequently more complex internal relationships -- a recipe for more headaches if ever there was one.

Iain Blacklaw, vice president of service delivery at EDS Asia Pacific, says if you look at the "catastrophic" outsourcing contract failures to date in Australia in which projects were way over time and budget, and he says there has probably been one in every major bank, insurance company, and manufacturing company, the reasons were the same.

"Lack of scope, lack of good people, and lack of process and checks and balances to see what's going on. There are very few people who understand how to manage projects well, to successfully complement business processes, and allow business processes to be derived," says Blacklaw.

With outsourced deals generally becoming more fragmented, the effect of getting things wrong is increasing. James Longwood, research vice president, sourcing, at Gartner Asia Pacific says any cross-ESP issues are becoming more difficult to manage as companies move towards more selective sourcing contracts. "For example there might be boundary problems -- is it the database, the central application, the network or the desktop the real problem and what happens when each ESP points the finger at the other ESPs in the service delivery change?" he asks.

On the flip side, from a contractual perspective, flexibility when things go wrong is a possible upside of selective sourcing, says James Hunter, head of outsourcing at Cap Gemini Australia.

"The very fixed, very robust contracts offered very little in the way of flexibility and there were all these issues about what the contract said and what was actually happening. The dilemma was between staying with a contract or not complying with it and trying to deliver something that makes sense," he adds.

Blacklaw says the positive slant of outsourcing is that an ESP "might have the testosterone or the commercial backing to just say no to a suggestion, and give reasons." But that's the positive slant, he says. "The negative slant is that by having an outsourced contract in place there may be an expectation that the corporation has transferred accountability which clearly lies within their responsibility. The provider might say 'you outsource to me, I do all this stuff, and then let's test it,' but if the client has put together a poor test case they might not find any errors in the solution," says Blacklaw. And whose fault is that?

High-risk areas


Contents
Outsourcing risk
High-risk areas
Mitigate don't hesitate
Written in ink?
IDC: Loss of control the biggest risk
Gartner's Oz VP sourcing

Risk is most common when you outsource a major business process or combine offshore and local service providers, says Andrew Richardson, managing director of KAZ Technology Services. "By doing this you introduce more potential points of failure and increase the impact of downtime. The more critical a process is, the more careful you have to be about choosing your partner," he says.

Gartner's Longwood agrees that business process outsourcing (BPO) offers more risks than other kinds of IT outsourcing. "If an organisation outsources its IT infrastructure management and operations function, then typically the IT staff, usually five to 10 percent of the organisation, are directly impacted by staff transfer to the external service provider, whereas for BPO, 30 to 60 percent of staff could be affected by the staff transfer. So its easier to manage downsizing 200 IT staff to 20 or so internally to downsizing say 2000 business staff say to 600," he says.

Longwood says when it comes to BPO, often the service providers understand delivering business services but not the IT sides of things. "They often have poor SLAs and don't have good interface specifications between their systems and clients. For example, they might do accounts payable and receivable well for you but are slow or inaccurate at transferring the general ledger transactions to your internal ERP system negatively impacting the accuracy and timeliness of an enterprises profit and loss statement," he says.

Geography also plays a role, particularly on offshore outsourcing. "We see lovely figures of 40 or 50 percent cost reduction when it comes to offshoring, but unless you fully understand the risk of offshore locations, and that each one has different risk dynamics, the cost differential won't be realised," says Capgemini's Hunter.

Offshoring throws up significant extra project management overheads, with risks coming from all directions -- political unrest, socio-economic factors, terrorism, relationships with other countries, border tensions, Government policies with regards to taxes, duties and other regulations. In addition you might have to deal with cultural, language and communication issues, security and privacy, knowledge transfer, business continuity and change management, as well as the financial viability of the supplier and price inflations.

Mitigate don't hesitate


Contents
Outsourcing risk
High-risk areas
Mitigate don't hesitate
Written in ink?
IDC: Loss of control the biggest risk
Gartner's Oz VP sourcing

Longwood says that typically risks are classified into likelihood of occurring (high, medium, or low), degree of impact (critical, high, medium, or low) if it occurs, and likely scale of cost of rectifying (high, medium, or low) to enable an assessment of likely mitigation tactics. He says that typically measurements involved are often "judgemental" and "experiential" based.

Jon Marks, deputy director, sales and marketing at Getronics says his company uses methodologies such as ITIL (The IT Infrastructure Library) to ensure Getronics has been able to clearly articulate what the company can offer and how an outsourced relationship is going to be managed.

"Also key are relationship management programs and we've run some relationship management training internally to make sure we and the client are both speaking a common language," he says. "Other than this, flexibility is key and enabling the customer to say 'I have this issue, I know it's not part of the agreed service but I need assistance'. By the same token from our side we need to be available when help is needed if it's something we can help on, and not take advantage of a situation," he adds.

The biggest risk associated with outsourcing is not achieving the desired business benefits and SLAs. However, a less obvious, and potentially more severe, risk is when an outsourcing decision damages your business, so that, in extreme cases, you are no longer able to respond to changing market needs.

KAZ's Richardson strongly recommends that if you haven't done any formal business risk audits of your outsourced project, you should invest the time and money to do so, to give you a characterisation of risk in terms of severity. "Do it before the contract if possible to provide ammunition," he says. If you have done an audit and have a trusted partner, as business changes happen you can move much faster. This is especially true as companies move towards selective sourcing contracts.

Blacklaw believes there are two major risk mitigation strategies. "Firstly, for large projects spanning years, you need to have an independent quality assurance assessment (QA) done. If I'm building a $25 million system, I would need, every six to 12 months, to have independent QA done of my program, and I would want to know what the program director was doing every six to eight weeks to check whether he or she is pulling anything over my eyes," says Blacklaw. "It's important for the project manager to get into the discipline of reporting to stakeholders, and the CFO, who can sit there and ask the dumb ass question of why certain things are being done a certain way," he adds.

Finally, there is often a mistaken view that a fixed price contract manages risk, says Blacklaw. "You get a fixed price but not a fixed quality. It's impossible to fix the price from inception, because things change every single day, and if variations and changes are required, it forces the organisation to make guesses and the project may end up costing more," he says. "Seven years ago companies like IBM and EDS were moving into fixed cost deals, but there are have been some infamous examples of major losses incurred over fixed price contracts because the scope is never clearly defined, there is scope creep, and the customer thinks he or she has paid for X plus two and the vendor thinks its X minus one," he adds.

Written in ink?


Contents
Outsourcing risk
High-risk areas
Mitigate don't hesitate
Written in ink?
IDC: Loss of control the biggest risk
Gartner's Oz VP sourcing

Getronics's Marks says that although risk management is not often written into contracts, there is some evidence that this is about to change. "Some Government organisations, for instance, are starting to identify the requirement to put it into the contract. This means valuing the risk to the customer, passing that onto the supplier, and where there is an attempt to make that a mutual issue, identifying how we jointly go about ensuring that these risks don't happen and who will take responsibility if they do," he says.

Marks says some organisations spend a lot of time understanding what could go wrong but it's only once you start to deliver a service that you are able to measure what it is you are doing and how you are providing that service.

"We use a scorecard system, where we look at how we are doing in terms of SLAs, if we are losing money, whether the customer is trying to include more services than first scoped, and we do this on a regular basis during monthly meetings, with "red" cards being dealt with as early as possible rather than being allowed to accumulate and blow up," he says.

Dimension Data's general manager of service delivery Karen James says if you spend a lot of time mitigating risk, it doesn't need to be written into a contract.

"We involve ourselves in a lot of risk mitigation, rather than putting it into the costing, which we believe is not an effective approach," she says. James says some penalties are just there to crawl back money but are not in the supplier's control. She uses the example of outages per month at a site or a device. "There are a lot of possible reasons for this, but do you write this all up or do you ask if this is a realistic measure of performance," she says. "If a vendor has a problem, is that the service provider's fault?"

James says that in some cases, even if an SLA is in place and is met, the client might still penalise the supplier. "If you go into those sort of agreements, the risks aren't in your control, so you could fix the problem but there might be an overriding clause that says the client can penalise the supplier. It sounds crazy, but there are service contracts out there that do that," she adds.

Marks says people have become better at accepting or mitigating risk and that has made it more comfortable to manage the process before signing the contract and during delivery. There has also been a greater focus on delivering best practice and on using methodologies such as ITIL.

"There is a greater understanding that the supplier's business might change during a contract and adjustments need to be made," he says. "We capture details in one engagement and constantly learn from it. With the ongoing threat of new types of security attacks, we've got to be clear that when we identify one risk, the lessons can be applied across all our other engagements," he adds.

So important is the increase of risk, it's something that should be considered at the top level of the business, says KAZ's Richardson. "Information and communication technology is becoming ever more pervasive and more mission critical, and as this happens, dependence on effective risk management increases," he says. "This is a boardroom issue, fair and square."

IDC: Loss of control the biggest risk


Contents
Outsourcing risk
High-risk areas
Mitigate don't hesitate
Written in ink?
IDC: Loss of control the biggest risk
Gartner's Oz VP sourcing

In early 2004, IDC conducted a demand-side survey of 204 organisations to analyse their perceptions and concerns of the IT outsourcing market. IDC interviewed IT decision maker professionals (CIOs, MIS Directors and business executives) in Australia. The research showed that loss of control still posed the biggest risk to most organisations. Unrealised cost savings was perceived as the second major risk and this could be attributed to poor cost estimates at the outset of the contract along with unclear customer and vendor expectations.

End users felt that over a period of time the service levels degrade. The reason for this again could again be a lack of clarity in agreements at the outset of the contract and with the demanding end users expecting more for less over the period of the contract, the vendors are sometimes forced to protect their bottom line margins and this could lead to a reduction in service levels.

In contrast, a look at the 2003 survey showed that potential loss or reduction in service levels was the second major risk of outsourcing followed by unrealised cost savings. The 2004 survey places unrealised cost savings at the second place and potential loss of service levels has been pushed further down. There is a positive indication in this, which shows that vendors have definitely focused on improving their service deliverables to their customers and defining strategies for reducing risk before the outsourcing contracts are signed off.

Some of the other risks associated with outsourcing were:

  • Maintenance of third-party relationships

  • Security issues with revealing internal processes

  • Lack of staff continuity resulting in disruption of service

  • Response times not as per expectations

  • Financial viability of the service providers

When compared to the 2003 survey, other pitfalls such as the outsourcer not saving an understanding of the customer's business, needs or the culture, or hidden surprises in the contract, are missing from the 2004 survey.

This might indicate that the outsourcing vendors are focusing on equipping themselves with vertical domain skills to understand the business requirements of the customers and the deliverables of the contract in terms of business value. Both the vendor and the customer are undertaking due diligence to define better processes and measure performance with tools like balanced scorecard metrics.

IDC suggests the following strategies for reducing risks:
  • Decide on a nearshore, offshore, or onshore strategy after a due diligence specific to a company's individual situation.

  • Both vendor and the end user should formulate a business continuity plan at the very outset of the contract in case of a disaster.

  • Analyse risks objectively and do an impact analysis of the various kinds and levels of risks from a country, vendor, and delivery model perspective.

  • Have a good market intelligence of the country you are planning to offshore.

  • Education to understand cultural differences and developing team building exercises to encourage intercultural liaisons and personal relationships.

  • Choose vendors with lower employee turnover and with PCMM (People capability maturity model) certifications.

  • To avoid disruption it is extremely important to understand the communication , redundancy and, infrastructure setup in the country you are planning to offshore to. So devising an effective disaster recovery plan integrated with that of the vendor is critical.

  • Transitioning process has to be monitored very closely with a good mix of the onshore and offshore delivery model. This should include processes for knowledge transfer and incorporating an effective knowledge management system.

  • Devise a change management strategy and communicate the changes, benefits, and staff redeployment plans openly to all employees.

  • Develop a proper reporting structure with program managers and project managers from both the vendor and the end user side to have a clear responsibility matrix.

  • Research the vendor's financial viability through offshore third parties and secondary research through case studies.

  • Handle unexpected inflation in prices by specifying the uppermost limits during contract negotiations keeping in consideration the local inflation rates.

  • Understand the total cost of ownership of the entire project at the very outset.


Gartner's Oz VP sourcing: mitigating the major risks


Contents
Outsourcing risk
High-risk areas
Mitigate don't hesitate
Written in ink?
IDC: Loss of control the biggest risk
Gartner's Oz VP sourcing

Risks vary according to type of outsourcing deal.

James Longwood, vice president, sourcing, Gartner Asia Pacific outlines a few below:




Typical Risk / CSF Approach to Mitigation
Project doesn't meet business goals. Develop a sound business case, including risk and cost benefit assessment. Include costs for go to market, transition and on-going sourcing management.
Wrong services are outsourced or wrong ESP is selected. Develop a sourcing strategy analysing internal versus market capability. Properly assess sourcing models available.
Services are not clearly defined resulting in poor service deliveries. Develop a comprehensive statement of service / project requirements, into a formal Statement of Work with appropriate service levels.
Internal staff may be un-co-operative in efforts to outsource. Establish an organisational change management strategy early in the piece with a very good and open communication approach.
Deal becomes quite inflexible over time. Ensure appropriate mechanisms to change base line of services and to introduce new innovative technologies or services.
Early cost savings followed by unexpected cost blow outs. Ensure appropriate mechanisms for changes to base line services, that pricing is visible and fair for changes in scope of services.
ESPs buy the business and then can't deliver and ask for an increase in fees. Enterprises must learn to evaluate costs last and not first when evaluating and selecting ESPs. Evaluate their service delivery capability and track record and service delivery / SLA management capability first and eliminate ESPs who can't meet your requirements before comparing prices. Understand that ESPs must make a profit in order to continue to deliver a high quality of service and invest in process improvement programs.

This article was first published in Technology & Business magazine.
Click here for subscription information.