IT Managing and Outsourcing Risks
Information Technology (IT) outsourcing carries a number of risks; careful risk management is therefore essential before appointing a service provider and throughout the duration of the contract. Effective outsourcing management aims to ensure that the outsourcing contract meets its cost and performance objectives with minimal risk to an organization's data security, compliance and business continuity.
Other People Are Reading
-
Decisions
-
Identify the services to outsource. Organizations decide to outsource infrastructure or IT-related services primarily to reduce costs or utilize skills and resources that they do not have in-house. According to "CIO" magazine, the most popular choices for outsourcing are network services, internal help desk, servers and maintenance. Research firm Protiviti recommends allocating a risk ranking to outsourcing plans. The more strategic the service, the higher the risk to the organization.
Service Provider
-
Check suppliers' credentials carefully before selecting a service provider. Suppliers should be financially viable with the resources to handle current outsourcing tasks and the capacity to meet any increased requirements in the future. Review suppliers' security policies and their service level agreements. Organizations considering outsourcing offshore also should assess any local risk factors, such as reliability of communications, together with any economic or political concerns.
-
Security
-
Identify any security and compliance risks in the outsourced service. An organization is responsible for data compliance, wherever the data is located. Outsourcing does not remove that responsibility. To maintain compliance with any relevant legislation, ensure that the service provider's security policies and procedures provide the right level of protection. It's also essential to protect data in transit between the organization and the service provider by applying appropriate network security.
Performance
-
Negotiate stringent service-level agreements (SLAs) to ensure that the outsourced service meets its performance objectives. As with security, SLAs should be tighter for mission-critical services. Establish key metrics and a process for measuring and reporting performance. Hold regular reviews to monitor progress and consider penalty clauses for underperformance. A research study by ESI International found that 75 percent of respondents do not always clearly define requirements of outsourced projects, while only a third claimed to clearly articulate and define financial goals to service providers.
Risk Management
-
Appoint a team to manage outsourcing. The team should include a member responsible for risk management, as well as technical and operational specialists. Ask the service provider to nominate a team and set up communications channels and procedures to ensure smooth operation of the contract. The ESI International study found that almost 95 percent of respondents purchased or provided outsourced services that featured risks created by new and unforeseen challenges. However, 45 percent of respondents felt that they lacked a strong risk management culture. Improving risk management is key to effective outsourcing.
-
References
- "CIO"; Outsourcing: The Pros and Cons of Offshore Remote Infrastructure Management; Stephanie Overby; March 2008
- Protiviti: Managing the Risks of Outsourcing: A Survey of Current Practices and Their Effectiveness; 2004
- ESI International; Risky Business: Organisational Effectiveness at Managing Risk of Outsourced Projects; 2010
