Managing the risks of offshore IT outsourcing

While cutting costs by outsourcing internal IT processes to contractors as far away as India or Eastern Europe may offer significant cost advantages, the savings can prove illusory if the company doesn't recognize and actively manage the risks involved. Beyond cost, companies need to consider operational risks such as service quality and data security, as well as potential legal liabilities and insurance coverage.

As with other IT-related products or services, the business risks inherent in IT outsourcing arrangements are managed primarily by written contracts between the contractor and end user. Outsourcing contracts need to be comprehensive in scope and detail exactly what work is going to be done, how it will be done, who will do it, who is responsible for supervising the work, and what milestones and performance criteria must be met. If there is a transfer of equipment or employees to the contractor, those details need to be spelled out. To the extent possible, a company should transfer liability to the outside contractor but recognize that the principal difference between these contracts and more standardized IT contracts is the laws and regulations guiding how and where disputes are resolved.

Management and counsel must be prepared to spend the time necessary to review the contract before negotiations are complete. Prior to finalizing an agreement, managers should do the following:

• Examine their businesses carefully to identify which processes are good candidates for outsourcing.
• Determine how an IT outsourcing deal will enhance value and offer quality improvements, such as higher speed or greater accuracy.
• Consider the direct and indirect effects on human resources and morale.
• Perform due diligence on potential contractors.
• Be prepared to dedicate sufficient time and resources to create a transition team and manage the relationship on an ongoing basis.
• Seek guarantees for dedicated hardware and software resources to better protect business continuity.
• Ensure that each generation of data is being saved in a remote and secure environment.
• Review the contractor's disaster recovery plan to ensure business continuity.

Service quality. Handing over IT functions, let alone an entire IT operation, to an offshore contractor thousands of kilometres away poses a significant operational risk. A three-day delay in securing manufacturing parts may not be critical, but failure to perform real-time data processing can cripple a business and compromise the company's reputation for service. To maintain business continuity and quality of service, companies should select reputable, experienced contractors with a view toward establishing long-term relationships.

Data security and intellectual property. Companies considering outsourcing need to protect themselves against potential lawsuits directed at them because of their contractors' actions. For example, if an employee of the contracting firm steals or misuses confidential or personal information that causes a violation of privacy regulations, the client might be the target of any lawsuits. Outsourcing contractors must meet mandates relating to privacy legislation and public disclosure laws.

Companies also need to protect their intellectual property from misuse by the offshore contractor. An example might be when an organization provides the contractor with proprietary technology or know-how that is later disclosed to others. Although security and intellectual property details will be outlined in the contract, companies should provide the contractor with the minimum amount of proprietary technology or information needed to perform the work. This will minimize the exposure, while maximizing the inherent benefit of the reduced cost structure offered by such arrangements.