Once upon a simpler time, when bulls roamed on Wall Street and Ken Lay had a job, outsourcing-services vendors worried that customers might run into financial trouble and not pay their bills. In 2003, though, it's the corporate executives who do the outsourcing who need to worry about the risks related to the business, financial, and operational viability of their vendors. In every outsourcing contract today, executives need to identify these risks and deploy mechanisms to minimize, mitigate, and manage them.
Strategically, a main goal of outsourcing has always been to shift risk from the customer to the vendor. But while the risks arising from implementing new technologies and labor markets can be shifted in this way, CIOs know that not all risk can be handed off. A broad spectrum of risks involving finances and goodwill can arise from failures in outsourced functions. Simply put, operational risk always remains with the customer. You're always responsible to the marketplace for your own performance.
The global economic downturn and the turmoil in technology markets in particular have led to an increased focus by executives, as well as regulators, on operational risk associated with outsourcing. The U.K. Financial Services Authority's proposed guidance on operational risk, for example, recognizes that while outsourcing may reduce a company's level of risk, careful management is required to yield benefits. Vendor instability is a harrowing new source of operational risk. Like any company, an outsourcing-services vendor faced with poor performance, an earnings meltdown, or a scandal will suffer an increase in its cost of capital and constraints on its ability to obtain financing. That, in turn, will translate into a smaller pool of resources for providing services and, therefore, diminished performance. The financial stability of highly leveraged outsourcing vendors also is threatened by the instability of their large customers.
Outsourcing is very capital-intensive. When a new outsourcing relationship requires a vendor to spend large amounts of capital at the outset, either to build new infrastructure or to purchase assets from the customer, the deal may not yield a profit for several years. That's the case, for example, with the 10-year, $2.2 billion outsourcing deal EDS signed with Sabre in 2001, in which it paid $670 million for Sabre's IT assets. The failure of a large customer before an outsourcing vendor has had time to recoup such a large capital investment can have dire consequences for the vendor's financial strength and capability, and a cascading effect on other customers.
The growing trend to outsource to offshore locations also increases risks of many types: geopolitical or country risk; infrastructure risk; logistical risk because of the remoteness of the service provider's location; and risk related to the protection of intellectual property, and the privacy and security of sensitive data. The convergence of these issues has led to increasing regulatory oversight of the operational risk associated with outsourcing. The May 2002 Bulletin on "Bank Use of Foreign-Based Third-Party Service Providers" (OCC 2002-16) issued by the U.S. Comptroller of the Currency provides guidance to national banks on managing the risks arising from outsourcing relationships with foreign-based providers; the Basel II Capital Accord will require banks to set aside capital for operational risks, including outsourcing; and the U.K.'s Financial Services Authority has proposed guidance on risk systems and controls.
Customers in outsourcing transactions face both direct and indirect risks. If your outsourcing vendor fails to perform, you may suffer direct damages in the form of out-of-pocket expenses incurred to perform the function yourself or hire another vendor, and lowered profits caused by lost business and harm to your reputation.
The U.K. Financial Services Authority noted that "the increasing automation of systems and our reliance on IT has the potential to transform risks from minor manual processing errors to major systematic failures." That's particularly true in the banking industry, where the outsourcing of check processing is a widespread practice. A major failure in the process would bring a bank to its knees in just a few days.
Modern service agreements, including outsourcing contracts, typically limit vendors' financial responsibility. They commonly limit both the type and the amount of damages you can recover if a vendor fails to perform. It's routine to exclude "consequential damages," such as your lost profits, and to cap other damages at a figure based on the fees you pay the vendor, rather than how badly your business is hurt. Even worse, recovering large sums often requires lengthy and expensive legal proceedings.
A new approach
Forward-thinking CIOs and CEOs recognize that managing operational risk requires that they and their counsel look at commonplace parts of outsourcing transactions in new ways and incorporate new philosophies into their deals. They understand the need to ensure that outsourced functions get performed regardless of unforeseen events. There are four layers to sound operational risk mitigation in the outsourcing context:
* Mitigating risk in day-to-day, "normal" operations.
* A sound structure for addressing serious unexpected operational problems.
* Advance planning for the end of the outsourcing relationship.
* Providing in all cases for the financial protection of the customer.
Mitigating operational risk in the context of normal operations means having robust service levels, efficient governance procedures, and visibility into the vendor's operations. Every outsourcing contract should detail objective service levels that provide a basis for measuring the vendor's performance. Performance credits payable by the vendor for its failure to meet agreed-upon service levels should be structured to protect against both major, single-performance failures and chronic smaller failures--to protect against death by a shark bite as well as death by 1,000 piranha bites.
In an IT context, this means service-level agreements (SLAs) should address not only a system failure that lasts an hour, but also the greater harm of 10-minute outages on four consecutive days. Beware of averages as well; if what you need is a consistent two-second response time, an SLA requiring an average response time of 1.5 seconds isn't helpful if the response time to 30% of your peak-hour transactions is greater than 10 seconds.
Monitoring, measuring, and reporting on service levels directly and in near real time enhances your ability to mitigate operational risk by identifying potential problems before they become catastrophic. Envision the difference real-time access to the performance data of your outsourcing company can make. Even if it's not possible to do this in every instance, CIOs should do their best to track the most timely information on their most critical outsourced functions. Where possible, require that your vendors implement automated tools to provide this visibility.
Because performance credits for SLA failures are unlikely to fully compensate for your losses, they should be structured to get the attention of the vendor by reducing or eliminating its margins.
The outsourcing agreement also should contain rectification obligations and escalating remedies to ensure that the vendor doesn't make the strategic decision to provide poor service and pay the credits as a cost of doing business. In one recent contract, a smart CIO negotiated a larger credit if SLAs were missed by larger amounts, performance credits that escalated for SLA defaults in consecutive months, and the right to terminate without charge if the vendor failed to meet SLAs in three months out of any six.
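The SLA points above (averages that hide slow peak-hour transactions, short outages on consecutive days, and termination after misses in three months out of any six) can be checked mechanically from performance data. The following Python sketch is an added example, not part of the original article; the sample data, the 1% slow-transaction tolerance, and all function names are assumptions made for illustration.

```python
from statistics import mean

# Constructed sample: (is_peak_hour, response_seconds) per transaction.
SAMPLES = [(False, 0.5)] * 900 + [(True, 1.0)] * 70 + [(True, 12.0)] * 30

def average_sla_met(samples, max_avg_s=1.5):
    """Average-based SLA: mean over all transactions is within the limit."""
    return mean(s for _, s in samples) <= max_avg_s

def peak_fraction_over(samples, threshold_s):
    """Fraction of peak-hour transactions slower than threshold_s."""
    peak = [s for is_peak, s in samples if is_peak]
    return sum(s > threshold_s for s in peak) / len(peak) if peak else 0.0

def consistency_sla_met(samples, target_s=2.0, max_slow_fraction=0.01):
    """Tail-based SLA (assumed 1% tolerance): peak traffic stays within target."""
    return peak_fraction_over(samples, target_s) <= max_slow_fraction

def chronic_outage(daily_outage_min, min_minutes=10, run_days=4):
    """True if outages of min_minutes or more occur on run_days consecutive days."""
    run = 0
    for minutes in daily_outage_min:
        run = run + 1 if minutes >= min_minutes else 0
        if run >= run_days:
            return True
    return False

def termination_triggered(monthly_met, misses=3, window=6):
    """True if the SLA was missed in `misses` months out of any `window` months."""
    for end in range(1, len(monthly_met) + 1):
        recent = monthly_met[max(0, end - window):end]
        if recent.count(False) >= misses:
            return True
    return False

if __name__ == "__main__":
    print("average SLA met:      ", average_sla_met(SAMPLES))
    print("peak share over 10 s: ", peak_fraction_over(SAMPLES, 10.0))
    print("consistency SLA met:  ", consistency_sla_met(SAMPLES))
    print("chronic outage:       ", chronic_outage([0, 10, 10, 10, 10, 0, 0]))
    print("termination right:    ",
          termination_triggered([True, False, True, False, True, True, False, True]))
```

On the constructed data the average-based SLA passes even though 30% of peak-hour transactions take longer than 10 seconds, which is the gap a tail-based measure closes.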
A well-thought-out and clearly articulated governance model is also a key building block in managing operational risk. A proper governance model guarantees you access to the right people and information at the right time, so you can be proactive when things start to go wrong. At the same time, the model should be flexible enough to allow for changes in circumstances. One contract we know requires that the vendor CEO pay a personal visit if customer-service responses fall below a certain threshold.
Visibility into the vendor's overall operations and financial condition is also vital to managing operational risk in the day-to-day context, as it lets you anticipate negative impacts from constraints on the vendor's capital or cash flow. Audit rights, with respect to financial matters as well as the data underlying performance reports, are important. Finally, billing for outsourced functions can be complex. Prebilling meetings of members of the two management teams can help avoid disputes and over- or underpayments.
Tackling the unexpected
The second layer of mitigating operational risk pertains to the unexpected. In a crisis, the strategic goal is to have immediate upper-level management review, the right to obtain outside expert assistance, and step-in rights.
When serious performance failures are detected, it's time to bypass the usual governance model and have upper-level management of both parties address the emergency quickly. You'll need access to raw data to speed resolution. It's often advisable for the CIO to engage an outside expert to review and report on significant performance failures. This can help level the playing field by providing both sides with the same relative level of information and expertise. It's also important that the vendor be obliged to implement any recommendations the expert makes and, in certain cases, pay the expense.
Step-in rights let you take over performance of the outsourced function. They're difficult to negotiate and execute, but the importance of having the right to "send in the cavalry" can't be overstated. Even if never exercised, they motivate the vendor and put boundaries on your risk.
The third layer of mitigating risk involves new ways of thinking about termination rights and planning for an orderly end to the relationship. Every customer should retain the right to terminate for chronic performance issues--remember the 1,000 piranha bites--as well as for failure to perform critical services or to implement an expert's recommendations after a major performance failure. You also should have the right to terminate within a reasonable period after exercising step-in rights if the vendor doesn't resume satisfactory performance.
Just as in a marriage, planning for the end of the outsourcing relationship is best done in the early stages, when everyone's mood is cooperative. Though pre-nuptial agreements may seem morbid in both contexts, they're very important in mitigating risk. If things go wrong, such agreements ensure that the outsourced function will be performed, and performed well, during the disengagement. And because the disengagement plan will closely resemble the transition and implementation, only in reverse, it makes sense to create the two plans together, while all the tasks that have to be performed are fresh in everyone's minds.
While the relationship is at its most positive, negotiate the assistance to be provided by the vendor, the penalties for not providing the assistance, and your exit rights. Remember that your goal is to ensure that the outsourced function is performed well, come hell or market turmoil. Consider options and rights to take over the premises the vendor used to perform the outsourced function, to buy its equipment and assume its leases, to hire its employees, and to use its software and methodologies.
The fourth layer of protection involves financial exposure. The potential instability that vendors face from large up-front capital expenditures in the current volatile market is causing them to try to shift the capital burden to the customer. You need to ensure that repayment of any such up-front investments is adequately secured, along with all the other aspects of the vendor's performance. Performance bonds and letters of credit can be used to guarantee technology-refresh obligations, as well as the details of disengagement at the end of the relationship. Also consider protecting your access to the assets that support your operations in case of vendor bankruptcy.
Finding the best-of-breed technology and the smartest partners are important steps to guaranteeing the success of IT outsourcing agreements. But the job isn't finished until you also ensure that the outsourced function is performed, in a good economy or a bad one, in a world at war or at peace. A proactive approach that incorporates these new philosophies into your relationships and real-time information into your processes will narrow the gap between the projected benefits of an outsourcing relationship and the benefits actually realized.
John Funk and David Sloan are partners in the Technology Transactions and Outsourcing Practice of Jones Day, a law firm based in Cleveland, Ohio. Scott Zaret is an associate in the firm.
The complete article, from the April 2003 issue of Optimize magazine, is available at: optimizemag.com/issue/018/law.htm