Q50367 How to mitigate the risk of information technology outsourcing

Answer:

Organizations and business units that have successfully outsourced IT operations adopt a number of “best practices” that balance the complexity and the demands of the life cycle of the decision process. Various outsourcing strategies are possible, and suitable contracts vary accordingly. While management will select the options that serve it best, there are no perfect deals; these decisions therefore involve risk trade-offs. The following paragraphs identify some of the risk mitigation strategies that have proven effective.

Establish an IT Outsourcing Strategy

The first step in IT outsourcing is to understand well, and document, the business’ objectives and how best to meet them with supporting technologies. This lets management form realistic expectations, communicate its needs effectively to service providers, develop sound performance measures with which to benchmark the costs and benefits of outsourcing, and evaluate service proposals objectively, using established criteria.

Without understanding its outsourcing objectives, an organization may use cost reduction as its only yardstick. If so, there is a high likelihood that expectations will not be met, since other important strategic or technological values derived from outsourcing might be overlooked.

Maintain in-house IT Expertise

Among the most important steps taken by successful organizations is to get help. They draw upon the expertise of many contributors to the outsourcing process, including consulting firms specializing in IT outsourcing agreements, legal services, auditors, human resources, finance, IT, and others as needed. They also appoint a senior executive or a senior committee to oversee all the outsourcing activities in the life cycle. This action ensures that the outsourcing decisions remain aligned with the organization’s strategy, goals and objectives and that the organization remains focused on the benefits it seeks from the outsourcing. Sufficient in-house IT expertise is needed to elaborate the IT strategic plan, monitor its progress, and keep abreast of changing business needs and new technology. A negotiating team should also be formed when an organization decides to outsource; it should include a variety of IT specialists who understand the organization’s requirements, and a contract lawyer who can optimize the contract’s legal provisions.

Ascertain that the Service Provider Understands the Needs of the Organization

A common understanding of the organization’s business processes and systems, and of its IT objectives and expectations, constitutes the foundation of a satisfying outsourcing experience. The organization should ensure that service providers understand its business needs well and that the proposals under consideration are based on appropriate assumptions.

Evaluate the Financial and Operational Well-Being of the Service Provider

Selecting the right service provider is crucial, so it is important to develop a thorough understanding of the provider’s financial and operating conditions. It is vital to undertake a due diligence review of the service provider’s processes before entering into a binding agreement. This review should examine the service provider’s operational and financial ability to meet the organization’s needs and objectives, and can include a review of audited financial statements, audit reports on internal control, insurance coverage (fire, liability, data losses, etc.) and meetings with management, as well as an on-site visit.

When the outsourcing arrangement results in services being provided in a foreign jurisdiction, the organization’s due diligence review should be extended to consider the economic and political backdrop, technological sophistication, and the legal and regulatory risk profile of the foreign jurisdiction(s). Regulatory and other issues related to cross-border processing of data must be considered.

Determine the Experience, Expertise and Sufficiency of the Service Provider’s Resources

The organization must be diligent in evaluating the service provider’s experience and ability in the anticipated operating environment and with the types of systems and applications to be used, its familiarity with the industry’s business processes, and its ability to maintain the systems in operation and respond to service disruptions. Meeting with the service provider’s staff and its other clients may aid in evaluating the provider’s qualifications and experience, and an on-site visit can help assess how well the service provider operates and supports its clients.

Evaluate the Adequacy of the Service Provider’s Internal Controls

The responsibility for the protection, integrity and quality of corporate data and IT processes rests with management. It is therefore essential to examine and assess the internal control framework that the service provider will enforce in the outsourced environment, notably its policies and procedures relating to the protection and preservation of systems, data and software, and controls over security, business continuity and IT recovery, systems development and maintenance. The service provider should demonstrate adequate knowledge of laws and regulations relevant to the service, notably those specific to the organization’s industry. If available, the review of an audit report on the service provider’s internal control may help assure the organization of the design, existence and effective operation of internal controls.

Consider the Use of Third Parties

It is not unusual for service providers to engage third parties to help deliver services to their clients. The organization should understand the degree to which such third parties will be engaged to support the delivery of the outsourced services and the impact, if any, that third-party participation may have on service, control or regulatory requirements.

Draft an Adequate Agreement between Parties

A comprehensive contract should be documented. Legal counsel is always advisable. The organization should seek the services of a lawyer who specializes in such contracts. Some of the issues that organizations should consider including in IT outsourcing agreements are examined in the following paragraphs.

Scope of Service:

The scope of the service, its duration, renewal terms, and the rights and responsibilities of both parties to the contract should be clearly described and supported, where appropriate, with addenda or schedules that define all relevant performance metrics, fees and responsibilities for the services to be performed. The agreement should also define the processes by which changes can be made to current services or new services added to the agreement.

Fees:

The contract should address the fees charged for services, including those based on volume or other variables, and fees for additional services, the costs of purchasing and maintaining hardware and software, developing and converting systems, and so on. Duration, renewal terms, the right to raise fees, and limits on fee increases should also be specified. Issues such as invoicing and payment, refunds and credits, disputed charges, sharing of unanticipated gains or shortfalls, and any incentives to reduce costs, should also be addressed.

Performance Measurements:

Setting performance measurements on service levels (for example, metrics for systems security, availability, privacy and confidentiality, as well as processing integrity and time) will ensure that the organization’s requirements are met.

Ownership of Intellectual Capital:

Development ownership and licensing are important issues. Parties should specifically state in the contract the rights and privileges related to the ownership or licensing of intellectual property, as well as acceptance criteria for any work product, such as software development or web site designs.

Controls and Audit:

The contract should specify the responsibility of the service provider to maintain adequate internal controls that comply with applicable operational and regulatory requirements, such as privacy legislation, the Sarbanes-Oxley Act, and securities commissions requirements. In addition, the audit rights of the contract should permit the organization and its management to fulfill their legal obligations; for example, the public company CEO’s and CFO’s certification of internal controls, as required by the Sarbanes-Oxley Act and by the Ontario Securities Commission, and the audit requirements of regulatory third parties.

The contract should define each party’s responsibilities in the implementation and maintenance of internal controls. It should specify what is to be protected, which party has responsibility for protection mechanisms, which party has the power to change control procedures and requirements, which party may be liable for losses that result from a control breach, and what the notification requirements are if there is a breach of control. It should define the records and audit trails to be maintained, the right of the organization to access these records, and the service provider’s responsibility to ensure their availability and preservation through the creation of back-up copies and disaster recovery plans. In sensitive control environments, the contract could even include provisions whereby the organization has the right to specify staffing requirements, or to approve of, or change, staff members delivering the service.

A common requirement in many outsourcing contracts is for the service provider to provide independent audit reports on financial statements or on the existence and the effectiveness of the service provider’s internal controls. In cases when information security is a high-risk issue, such as in e-business operations, the organization may require periodic security testing; for example, penetration testing, intrusion detection testing, network or firewall scanning, or disaster recovery plan testing. The audit scope, timing and frequency, the right to obtain the audit and testing results, the obligation to act upon any deficiencies reported and the bearing of the costs should be included in the contract.

Responsibility of the Primary Service Provider:

The contract should clearly hold the service provider responsible for the agreed service, whether the service is provided directly or through the use of a sub-contracted party. Notification and approval requirements covering the use of subcontractors by the service provider should be specified.

Dispute Resolution Process:

A dispute resolution process should be included in the contract. It should define what constitutes a dispute, and identify remedies, escalation procedures, and means of dispute resolution, as well as the jurisdiction and rules under which the dispute will be settled. This provision will aid in resolving problems in a timely manner and ensure there is no disruption in service during the resolution period.

Insurance Coverage:

The service provider should be required to notify the organization about significant changes in insurance coverage and disclose general terms and conditions of its insurance coverage.

Limitation of Liability:

Liability is an important issue in outsourcing agreements. The respective liability for losses or injury of each party to the contract should be clearly defined.

Termination:

The conditions under which the parties may terminate the contract are a crucial provision. It is essential that both parties define the circumstances that would warrant termination of the contract. Putting termination rights, terms and conditions (for example, notification timeframe, penalty provisions, and transition assistance provided) into the agreement might provide acceptable options in problematic situations.

Expect a Transition Period:

Management should expect a transition period, effectively a learning period for both the organization and the service provider. It will take some time before either organization incorporates the cultural change that results from outsourcing, and before the service provider masters the organization’s systems and business processes and is able to deliver the expected service improvements. Users should be adequately informed of this transition period and of any inconvenience it may entail.

Set and Track Performance Measurements:

It is important to set performance measures to benchmark the service provider’s performance and assess the quality of the service delivered. These measures assure the organization of a minimum service level, and should be agreed on between the parties as part of the contract.

Establish a Contract and Relationship Management Team:

Good communication between the parties, mutual understanding of business needs, and timely resolution of problems are essential to ensuring service quality. To satisfy these requirements, the organization needs a relationship management team of people and processes to manage the outsourcing contract and the overall relationship with its service provider. The size and composition of this team will vary with the type of IT service outsourced and its importance for the organization. The duties of this team should include monitoring service quality and assessing the service provider’s performance, monitoring the adequacy of its internal control and compliance with applicable rules and regulations, and resolving service or performance problems as they arise.

Establish a Business Continuity Plan:

An organization should ensure that its business continuity plan addresses situations (either temporary or permanent) in which the service provider fails to continue providing service. In particular, the plan should ensure that the organization has ready access to all records necessary to allow it to sustain business operations and to meet its legal or regulatory obligations in the event the service provider is unable to provide the service.


DistPub Team

Distance Publisher (DistPub.com) has provided project writing help since 2007 and provides writing and editing help to hundreds of students every year.