How to manage outsourcing risks
If you think managing the risk of IT projects is all about throwing everything over the fence to an external supplier, think again.
Contents  High-risk areas Mitigate don't hesitate Written in ink? IDC: Loss of control the biggest risk Gartner's Oz VP sourcing | ||||
Iain Blacklaw, vice president of service delivery at EDS Asia Pacific, says if you look at the "catastrophic" outsourcing contract failures to date in Australia in which projects were way over time and budget, and he says there has probably been one in every major bank, insurance company, and manufacturing company, the reasons were the same.
"Lack of scope, lack of good people, and lack of process and checks and balances to see what's going on. There are very few people who understand how to manage projects well, to successfully complement business processes, and allow business processes to be derived," says Blacklaw.
With outsourced deals generally becoming more fragmented, the effect of getting things wrong is increasing. James Longwood, research vice president, sourcing, at Gartner Asia Pacific says any cross-ESP issues are becoming more difficult to manage as companies move towards more selective sourcing contracts. "For example there might be boundary problems -- is it the database, the central application, the network or the desktop the real problem and what happens when each ESP points the finger at the other ESPs in the service delivery change?" he asks.
On the flip side, from a contractual perspective, flexibility when things go wrong is a possible upside of selective sourcing, says James Hunter, head of outsourcing at Cap Gemini Australia.
"The very fixed, very robust contracts offered very little in the way of flexibility and there were all these issues about what the contract said and what was actually happening. The dilemma was between staying with a contract or not complying with it and trying to deliver something that makes sense," he adds.
Blacklaw says the positive slant of outsourcing is that an ESP "might have the testosterone or the commercial backing to just say no to a suggestion, and give reasons." But that's the positive slant, he says. "The negative slant is that by having an outsourced contract in place there may be an expectation that the corporation has transferred accountability which clearly lies within their responsibility. The provider might say 'you outsource to me, I do all this stuff, and then let's test it,' but if the client has put together a poor test case they might not find any errors in the solution," says Blacklaw. And whose fault is that?
Contents Outsourcing risk High-risk areas Mitigate don't hesitate Written in ink? IDC: Loss of control the biggest risk Gartner's Oz VP sourcing | ||||
Gartner's Longwood agrees that business process outsourcing (BPO) offers more risks than other kinds of IT outsourcing. "If an organisation outsources its IT infrastructure management and operations function, then typically the IT staff, usually five to 10 percent of the organisation, are directly impacted by staff transfer to the external service provider, whereas for BPO, 30 to 60 percent of staff could be affected by the staff transfer. So its easier to manage downsizing 200 IT staff to 20 or so internally to downsizing say 2000 business staff say to 600," he says.
Longwood says when it comes to BPO, often the service providers understand delivering business services but not the IT sides of things. "They often have poor SLAs and don't have good interface specifications between their systems and clients. For example, they might do accounts payable and receivable well for you but are slow or inaccurate at transferring the general ledger transactions to your internal ERP system negatively impacting the accuracy and timeliness of an enterprises profit and loss statement," he says.
Geography also plays a role, particularly on offshore outsourcing. "We see lovely figures of 40 or 50 percent cost reduction when it comes to offshoring, but unless you fully understand the risk of offshore locations, and that each one has different risk dynamics, the cost differential won't be realised," says Capgemini's Hunter.
Offshoring throws up significant extra project management overheads, with risks coming from all directions -- political unrest, socio-economic factors, terrorism, relationships with other countries, border tensions, Government policies with regards to taxes, duties and other regulations. In addition you might have to deal with cultural, language and communication issues, security and privacy, knowledge transfer, business continuity and change management, as well as the financial viability of the supplier and price inflations.
Contents Outsourcing risk High-risk areas Mitigate don't hesitate Written in ink? IDC: Loss of control the biggest risk Gartner's Oz VP sourcing | ||||
Jon Marks, deputy director, sales and marketing at Getronics says his company uses methodologies such as ITIL (The IT Infrastructure Library) to ensure Getronics has been able to clearly articulate what the company can offer and how an outsourced relationship is going to be managed.
The biggest risk associated with outsourcing is not achieving the desired business benefits and SLAs. However, a less obvious, and potentially more severe, risk is when an outsourcing decision damages your business, so that, in extreme cases, you are no longer able to respond to changing market needs.
KAZ's Richardson strongly recommends that if you haven't done any formal business risk audits of your outsourced project, you should invest the time and money to do so, to give you a characterisation of risk in terms of severity. "Do it before the contract if possible to provide ammunition," he says. If you have done an audit and have a trusted partner, as business changes happen you can move much faster. This is especially true as companies move towards selective sourcing contracts.
Blacklaw believes there are two major risk mitigation strategies. "Firstly, for large projects spanning years, you need to have an independent quality assurance assessment (QA) done. If I'm building a $25 million system, I would need, every six to 12 months, to have independent QA done of my program, and I would want to know what the program director was doing every six to eight weeks to check whether he or she is pulling anything over my eyes," says Blacklaw. "It's important for the project manager to get into the discipline of reporting to stakeholders, and the CFO, who can sit there and ask the dumb ass question of why certain things are being done a certain way," he adds.
Finally, there is often a mistaken view that a fixed price contract manages risk, says Blacklaw. "You get a fixed price but not a fixed quality. It's impossible to fix the price from inception, because things change every single day, and if variations and changes are required, it forces the organisation to make guesses and the project may end up costing more," he says. "Seven years ago companies like IBM and EDS were moving into fixed cost deals, but there are have been some infamous examples of major losses incurred over fixed price contracts because the scope is never clearly defined, there is scope creep, and the customer thinks he or she has paid for X plus two and the vendor thinks its X minus one," he adds.
Contents Outsourcing risk High-risk areas Mitigate don't hesitate Written in ink? IDC: Loss of control the biggest risk Gartner's Oz VP sourcing | ||||
Marks says some organisations spend a lot of time understanding what could go wrong but it's only once you start to deliver a service that you are able to measure what it is you are doing and how you are providing that service.
"We use a scorecard system, where we look at how we are doing in terms of SLAs, if we are losing money, whether the customer is trying to include more services than first scoped, and we do this on a regular basis during monthly meetings, with "red" cards being dealt with as early as possible rather than being allowed to accumulate and blow up," he says.
Dimension Data's general manager of service delivery Karen James says if you spend a lot of time mitigating risk, it doesn't need to be written into a contract.
"We involve ourselves in a lot of risk mitigation, rather than putting it into the costing, which we believe is not an effective approach," she says. James says some penalties are just there to crawl back money but are not in the supplier's control. She uses the example of outages per month at a site or a device. "There are a lot of possible reasons for this, but do you write this all up or do you ask if this is a realistic measure of performance," she says. "If a vendor has a problem, is that the service provider's fault?"
James says that in some cases, even if an SLA is in place and is met, the client might still penalise the supplier. "If you go into those sort of agreements, the risks aren't in your control, so you could fix the problem but there might be an overriding clause that says the client can penalise the supplier. It sounds crazy, but there are service contracts out there that do that," she adds.
Marks says people have become better at accepting or mitigating risk and that has made it more comfortable to manage the process before signing the contract and during delivery. There has also been a greater focus on delivering best practice and on using methodologies such as ITIL.
"There is a greater understanding that the supplier's business might change during a contract and adjustments need to be made," he says. "We capture details in one engagement and constantly learn from it. With the ongoing threat of new types of security attacks, we've got to be clear that when we identify one risk, the lessons can be applied across all our other engagements," he adds.
So important is the increase of risk, it's something that should be considered at the top level of the business, says KAZ's Richardson. "Information and communication technology is becoming ever more pervasive and more mission critical, and as this happens, dependence on effective risk management increases," he says. "This is a boardroom issue, fair and square."
Contents Outsourcing risk High-risk areas Mitigate don't hesitate Written in ink? IDC: Loss of control the biggest risk Gartner's Oz VP sourcing | ||||
End users felt that over a period of time the service levels degrade. The reason for this again could again be a lack of clarity in agreements at the outset of the contract and with the demanding end users expecting more for less over the period of the contract, the vendors are sometimes forced to protect their bottom line margins and this could lead to a reduction in service levels.
In contrast, a look at the 2003 survey showed that potential loss or reduction in service levels was the second major risk of outsourcing followed by unrealised cost savings. The 2004 survey places unrealised cost savings at the second place and potential loss of service levels has been pushed further down. There is a positive indication in this, which shows that vendors have definitely focused on improving their service deliverables to their customers and defining strategies for reducing risk before the outsourcing contracts are signed off.
Some of the other risks associated with outsourcing were:
- Maintenance of third-party relationships
- Security issues with revealing internal processes
- Lack of staff continuity resulting in disruption of service
- Response times not as per expectations
- Financial viability of the service providers
When compared to the 2003 survey, other pitfalls such as the outsourcer not saving an understanding of the customer's business, needs or the culture, or hidden surprises in the contract, are missing from the 2004 survey.
This might indicate that the outsourcing vendors are focusing on equipping themselves with vertical domain skills to understand the business requirements of the customers and the deliverables of the contract in terms of business value. Both the vendor and the customer are undertaking due diligence to define better processes and measure performance with tools like balanced scorecard metrics.
IDC suggests the following strategies for reducing risks:
- Decide on a nearshore, offshore, or onshore strategy after a due diligence specific to a company's individual situation.
- Both vendor and the end user should formulate a business continuity plan at the very outset of the contract in case of a disaster.
- Analyse risks objectively and do an impact analysis of the various kinds and levels of risks from a country, vendor, and delivery model perspective.
- Have a good market intelligence of the country you are planning to offshore.
- Education to understand cultural differences and developing team building exercises to encourage intercultural liaisons and personal relationships.
- Choose vendors with lower employee turnover and with PCMM (People capability maturity model) certifications.
- To avoid disruption it is extremely important to understand the communication , redundancy and, infrastructure setup in the country you are planning to offshore to. So devising an effective disaster recovery plan integrated with that of the vendor is critical.
- Transitioning process has to be monitored very closely with a good mix of the onshore and offshore delivery model. This should include processes for knowledge transfer and incorporating an effective knowledge management system.
- Devise a change management strategy and communicate the changes, benefits, and staff redeployment plans openly to all employees.
- Develop a proper reporting structure with program managers and project managers from both the vendor and the end user side to have a clear responsibility matrix.
- Research the vendor's financial viability through offshore third parties and secondary research through case studies.
- Handle unexpected inflation in prices by specifying the uppermost limits during contract negotiations keeping in consideration the local inflation rates.
- Understand the total cost of ownership of the entire project at the very outset.
Gartner's Oz VP sourcing: mitigating the major risks
Contents Outsourcing risk High-risk areas Mitigate don't hesitate Written in ink? IDC: Loss of control the biggest risk Gartner's Oz VP sourcing | ||||
James Longwood, vice president, sourcing, Gartner Asia Pacific outlines a few below:
| Typical Risk / CSF | Approach to Mitigation |
| Project doesn't meet business goals. | Develop a sound business case, including risk and cost benefit assessment. Include costs for go to market, transition and on-going sourcing management. |
| Wrong services are outsourced or wrong ESP is selected. | Develop a sourcing strategy analysing internal versus market capability. Properly assess sourcing models available. |
| Services are not clearly defined resulting in poor service deliveries. | Develop a comprehensive statement of service / project requirements, into a formal Statement of Work with appropriate service levels. |
| Internal staff may be un-co-operative in efforts to outsource. | Establish an organisational change management strategy early in the piece with a very good and open communication approach. |
| Deal becomes quite inflexible over time. | Ensure appropriate mechanisms to change base line of services and to introduce new innovative technologies or services. |
| Early cost savings followed by unexpected cost blow outs. | Ensure appropriate mechanisms for changes to base line services, that pricing is visible and fair for changes in scope of services. |
| ESPs buy the business and then can't deliver and ask for an increase in fees. | Enterprises must learn to evaluate costs last and not first when evaluating and selecting ESPs. Evaluate their service delivery capability and track record and service delivery / SLA management capability first and eliminate ESPs who can't meet your requirements before comparing prices. Understand that ESPs must make a profit in order to continue to deliver a high quality of service and invest in process improvement programs. |
This article was first published in Technology & Business magazine.
Click here for subscription information.