Most UK companies not prepared for service provider failures

UK businesses are ill-prepared for the impact on their business resulting from the failure of an IT of business process supplier

Most UK businesses are not prepared if the actions of one of their third party service providers causes serious problems in their business, according to global research from Deloitte.

IT and business processes are outsourced on a large scale by companies in the UK, with 80% very dependent on services from outsourcing providers, according to the research.

Deloitte questioned 107 UK businesses about their third party governance and risk management (TPGRM) as part of its global research. It found that a third of UK companies have experienced  major disruption or complete failure due to the actions of an outsourced service provider in the last three years, but that only 11% were prepared for this.

Kristian Park, global extended enterprise risk management partner at Deloitte, said that the reliance on third party service providers is likely to increase, and management of these relationships is falling behind. “Management processes and technology that support the oversight of these relationships are not keeping up, creating an execution gap. While there is clear organisational commitment to address this, it is not being matched by the right skills, processes and technology to achieve intended results.”

Deloitte said most large organisations take between two to three years to develop an integrated TPGRM framework. “We predict 2017 and 2018 as the years when people will make significant strides in addressing this issue. However, it will be mostly dependent on the priorities set by individual companies,” said Park.

Brexit has added to the complexity for UK businesses. “In the current climate, some will be focusing on issues such as where they will continue to be located, or assessing talent models – particularly during the two-year timeframe in which the UK intends to depart from the European Union.”

Bob Fawthrop, an IT outsourcing consultant, said risk management should be an integral part of the supplier management function in all organisations, and not just an afterthought. He is surprised that a third of companies have experienced “major disruption or complete failure”.

“I wonder how they are measuring ‘major’. The measure should be business critical and not just inconvenience.”

Read more about IT outsourcing

Fawthrop said there were two main reasons for the inability to deal with the problems. “First not recognising or measuring the risks and where they lay, which is a fundamental flaw of a number of organisations, and then the mitigating factors if the risks are realised. But this is compounded in many organisations by the lack of effective ongoing governance of suppliers.”

The increased use of cloud-based IT services also adds to the workload of teams that manage third parties. According to recent figures from Information Services Group (ISG), cloud-based IT outsourcing contracts now make up a third of total IT contracts in Europe. As a result, more resources have to be committed to understanding the contracts associated with cloud-based outsourcing. Fawthrop said only about 25% of cloud contracts protect the customer business.

Part of the problem is that businesses feel pressure to move into the cloud, according to independent consultant Vincent Cohan, who has headed IT infrastructure and operations at a number of large global companies, including Time Warner, AXA and Thomson Reuters. He said there is increasing pressure on large and small businesses to “cloud up”, and many rush into agreements.

“I could easily imagine an organisation without tight contracting controls or cloud deal experience jumping into these agreements in the interest of saving time.”

Mark Lewis, outsourcing lawyer at Berwin Leighton Paisner, said most of the outsourcing disputes arise because of customer failings.

“You can have as much provider management infrastructure, management and governance as you like in outsourcing contracts,” he said. “But in my experience, even with these often carefully crafted elements, customers create risk for themselves by either failing to manage their providers, doing so inadequately or getting in the way of contract delivery by not meeting dependencies.”

Read more on CW500 and IT leadership skills