Outsourcingany part of your business
is a risky step, as it means handing over control to another
company. The outsourcing supplier may do a better job of the
outsourced process than you could, and for a lower cost, but there
is also a chance it will get things wrong. And if something goes
wrong, it is your company's name that will feature in the
headlines.
So, anyone looking at
outsourcing needs to think carefully. It is essential to
understand the risks, and to take all reasonable steps to keep them
to a minimum.
It is also worth keeping the risks in perspective. Since the
days of the computer bureaux in the 1970s, companies have given
payroll processing to outside suppliers to handle, and for the most
part those specialist companies carried out their task without a
problem.
But IT is now much more than payroll and accounts. It is
intrinsic to the running of the business. Everyone has a screen on
their desk, and IT supports virtually all business activities and
provides vital links to customers and suppliers. Handing all that
over to an outsourcing supplier needs careful thought and
planning.
The lure of outsourcing
The attraction of outsourcing, whether locally or overseas, is
that it can help cut costs and make them easier to manage and
predict. In some cases, outsourcing may also be seen as a last
resort to solve an intractable problem - in other words, leaving
someone else to sort out the mess.
Outsourcing can be effective, but the people who do it
successfully all agree that thorough preparation is essential.
Rushing into an outsourcing deal to solve a problem is likely to
lead to more trouble.
Paul Simmonds, global information security director at
chemical supplier ICI, says outsourcing should not be an excuse
to walk away from a task. "The biggest mistake people make is not
managing the outsourcing supplier properly," he says.
When Simmonds joined ICI, it had outsourced most of its IT to a
range of suppliers around the world, with the majority going to IBM
Global Services and Atos Origin.
Simmonds has continued the trend by outsourcing the majority of
ICI's security processes. For example, he uses IT security supplier
Qualys to check that ICI's desktop systems are being properly
patched, thereby getting one outsourcing supplier to monitor what
another is doing.
He also outsources e-mail management to
MessageLabs, and is on the verge of going to another supplier
for web filtering.
Outsourcing security might seem a bridge too far, but he says
the move raised no eyebrows among senior management. "The corporate
culture is to outsource key non-essential services. It is all a
question of assessing the risk, and asking if an outsider can do it
better than we can," he says.
He says outsourcing works best when you can ring-fence the task
and have a clear interface with the outsourcing supplier.
"You have to know the boundaries. It fails if the company does
not define its interface. If they do not understand the problem,
then they will not be able to manage the process. If you have an
understanding of the problem and plan the outsourcing properly,
then your chances of success are greatly increased," says
Simmonds.
The planning process should involve spending time to get to know
the outsourcing supplier and making sure you are compatible, says
Donal Casey, a principal consultant with IT consultancy the Morse
Group.
"It is almost like a marriage," he says , adding that it is
essential to get an understanding of how the supplier works, rather
than accepting its marketing messages at face value.
Recognised working standards, such as ISO 27001 for information
security, are a good indicator that the outsourcing supplier takes
security seriously, but they are not a guarantee.
Marcus Alldrick, a principal advisor with consultancy KPMG, says
some certifications are less reliable than others. "There are some
fast-track certifications, so it is worth checking who did the
accreditation," he says.
It is also crucial to check what part of the business the
certification covers. If it covers HR and you are looking to
outsource firewall monitoring, it is not much use, he says.
Conduct a risk assessment
So begin with a risk assessment, look at the potential business
impact if the process in question goes wrong, and assess whether
outsourcing would make you more vulnerable.
The higher the risk, the more checking you will need to do with
the prospective supplier. In all circumstances you need to get to
know them and how they work.
It is essential to carry out due diligence on site, says
Alldrick. Work with the outsourcing supplier's people to gain an
understanding of their processes, and check the company's controls
are embedded in its processes, whether procedural or technical.
For example, check to see if staff try to bypass controls, such
as by sharing passwords. Also, check how the company manages
starters and leavers, and how quickly the process happens.
"When someone leaves, is their user ID reallocated, and what
controls lie behind it? Can you gain accountability for any user ID
for any given time, because that is what it is there for," says
Alldrick.
Get to know your supplier
Depending on the level of risk, this process of getting to know
the supplier may take weeks or months. "You are relying on the
outsourcing provider to manage aspects of risk on your behalf. You
need to recognise that, and so does the outsourcing supplier. You
need to engage with them and take time to perform due
diligence.
"You need to make sure they practise what they preach. Just
because you outsource, it does not mean the problem has gone away.
So you must build a proper relationship," he says.
Alldrick suggests assigning people in your company to work with
their counterparts in the outsourcing supplier, so that a proper
relationship can be built and maintained over time.
"Relationships are important, because if and when things go
wrong, you need to work together. A close working relationship is
essential when it comes to incident management," says Alldrick.
The dangers of poorly managed risk are particularly evident in
the energy industry. Ian Campbell, chief information officer for
British Energy and chairman of the Corporate IT Forum, lives with
the risks all the time, and so any outsourcing has to be done with
caution.
"We have to go through all the checks. We vet the outsiders in
the same way as we vet ourselves, and that includes penetration
testing," he says.
As with many industries, most of these measures are prescribed
by industry regulators, which will view the outsourcing supplier as
part of the wider virtual organisation and subject to the same
standards.
"We ask suppliers to sign up to certain standards, levels of
vetting for staff, guarantees about how they run their operations,
and whether they have the right physical security, even down to
password protection.
"If I get it wrong I go to jail, so it is a strong incentive to
make sure I know for sure, rather than just assuming they have it
right," Campbell says.
Offshoring risks
However, the need for a strong working relationship may close
off one popular route for those looking to cut their costs to the
bone - offshoring.
Moving to a low-wage economy such as India may make financial
sense, but companies need to factor in the different working
culture, and also realise other new risks.
"If you move to another country because costs are lower there,
the value of your information will be lower because people earn
less," says Bill Rann, global head of BT's governance practice.
In other words, it will cost less to bribe staff at an Indian
call centre or business process outsourcing operation than it would
in more prosperous countries.
"You open up a new set of opportunities for the criminal
fraternity. You have devalued the information in the context of the
local economic situation. A few hundred dollars will buy a lot of
information in India, while it would cost more in the UK or US,"
says Rann.
Some companies try to mitigate the risk - and comply with the
Data Protection Act - by adopting a thin-client approach, keeping
files stored back in Europe. But as Alldrick says, if the terminals
in India are connected to a local printer, there is still potential
for data loss.
Beyond security
Although customer details being stolen from an Indian call
centre may grab the headlines, there is another more basic risk
inherent in outsourcing, and that is the loss of competitive
edge.
Rann cites the example of investment broker Charles Schwab,
which started out offering cheap services to traditional brokers,
and eventually entered their market as a direct competitor. Many
outsourcing suppliers, especially those in emerging economies, have
ambitions to move up the value chain as they learn more about how
developed companies operate.
For organisations that outsource parts of their business, there
is a risk of losing their core skills as they become more reliant
on the outsourcing supplier.
Rann says it can easily happen. "Companies need to know where
their sources of competitive advantage lie, and should deepen their
skills in those areas. Third-parties can then build up their own
core competencies. If you get it wrong, then you can be caught by
surprise by someone who builds a good relationship with your
customers, delivers strong value, and moves into your space from a
different direction," he says.
Campbell says, "It is worth bearing in mind that many companies
use outsourcing as a way of learning in order to compete at a later
stage. You could be arming another company or country to compete
with you."
His advice is to identify and retain your own special core
skills and keep control of technical roadmaps and design. In that
way, you can keep control and retain influence over what you want
to achieve.