Managing Risk in Outsourcing: The Strategy

When evaluating a proposed solution for outsourcing all or part of an organization’s IT functions, it’s important to perform active risk management throughout all stages of the outsourcing lifecycle. This article, the first in a series, will focus on the first stage of the outsourcing lifecycle: strategy development.

Managing project risk is a process of identifying potential failure points in a plan, determining the probability of occurrence, and then estimating the impact of each. With that information in hand, an organization can move to the next step of actively managing risks by deciding which risks are tolerable and which ones need mitigation. IT continuity is a classic example of this balancing act: a company can choose to spend several thousand dollars to have spare servers that can be loaded to replace a failed system within a few days (leaving business processes to be completed manually somehow in the meantime), or the same company can instead choose to mitigate the risk by spending millions to have redundant systems that can come online within moments of a critical failure.

Applying active risk management to an IT outsourcing project starts with the scope and complexity of the solution itself. Typically, an organization will find that outsourcing standard desktop and email support for 5,000 users will be easier and have less risk than outsourcing support and maintenance of a customized ERP solution for 500. Age, uniqueness and stability of systems will all play a role in the risk calculation.

For example, if you're running an enterprise application that is multiple release versions behind what the software vendor is currently offering, it's unlikely that any IT outsource provider will offer a solution with Service Level Agreements (SLAs) when they can't be sure they'll get adequate (or any) support from the software company. As a result, the proposed cost solution you receive will essentially be fixed and won't take advantage of a variable cost structure that an SLA can provide.

Next, are the systems being considered for outsourcing commercial-off-the-shelf or are they heavily customized and known only to a handful of developers who come down from the mountains in Wyoming every spring? Custom tailoring can be wonderful for suits, but will certainly raise risk and cost if a service provider needs to replicate unique talent and knowledge. Custom systems will always cost more to outsource than plain vanilla ones. Here is a great example of where a risk can be mitigated: Outsourcing almost always involves some amount of business process engineering, so an organization may choose to take this opportunity to restructure business processes in line with the best practices already defined and built into most leading enterprise applications.

Moving on to stability, one of the benefits of outsourcing that you are looking forward to is making the vendor take all the midnight calls to reboot the servers, clear out caches, etc. The vendor, however, is not that altruistic and enjoys a good night's sleep as much as the next person. As a result, if the systems being considered for outsourcing take more than a reasonable amount of effort to support and maintain, that cost will either be charged back to you or the vendor will simply choose to place that particular poorly behaving application out of scope for the agreement. Vendors expect to get a certain amount of headaches and are counting on their strength in numbers and a deep technology bench to be able to overcome those headaches, but an unstable system will always cost you more to outsource than a stable one. In keeping with the concept of mitigation, this presents an opportunity for you to evaluate whether to keep that old, expensive architecture or move to a newer paradigm.

In closing, risk costs money. The more risk that can be driven out of an IT outsourcing solution, the less a vendor will charge you and the greater the chance for a successful outsourcing initiative.

Reprinted with permission from Alsbridge.

Useful Links

Read Part 2, selecting service providers to bid

Read Part 3, evaluating service provider proposals

Read Part 4, covering disputes in the contract

Read Part 5, a guide to setting SLAs

Read Part 6, managing outsourcing after the contract is signed