Are you Prepared for an Outsourcing Code Red?

By Steve Martin

(Back to article)

The Satyam scandal earlier this year put a spotlight on the outsourcing marketplace and gave many CIOs pause with regard to their own outsourced operations. At the time, Satyam, an Indian-based outsourcing provider of application development and maintenance (ADM), infrastructure management, and business process outsourcing (BPO), was serving corporate customers in more than 60 countries and over a third of the Fortune 500. The event had all the trappings and urgency of a major catastrophe for Satyam’s customers.

Even though it was an isolated incident, it illustrated the vital importance of preparing for potential crises―whether it be a financial fallout or a natural disaster. When it comes to outsourcing, there are a number of lessons learned for CIOs as a result of the Satyam incident. CIOs can and should protect their organizations from future outsourcing calamities by implementing various contingency plans, contractual protections and other overall operational best practices.

So, just what was the reaction of Satyam’s customers? It ranged from the systematic triggering and execution of well-planned disaster and recovery processes to sheer panic. What did those companies that had a handle on the situation possess that the other companies did not? Simply put, the IT organizations that weathered the scandal without a hiccup had a number of practices in common. In general, they implemented some or all of the following “Five Basic Rules of Engagement” for outsourcer disaster preparedness:

Rule # 1 – Know your supplier inside and out through due diligence and research.

Become familiar with the supplier’s owners, investors and its leadership team before executing an agreement with them. Learn as much as possible about situations that raise a red flag, ranging from questionable or unusual business transactions to past fraudulent or criminal behavior. Understand the supplier’s “deals gone bad” and go beyond the references offered by the supplier. Talk with other customers (both satisfied and dissatisfied).

As a further step, kick the tires by making site visits to the outsourcer’s facilities, talking with the management team who will be directly leading your outsourced services, checking for standards compliance, and validating the use of other best practices relating to software development and disaster preparedness.

Rule # 2 – Document everything!

Whether outsourcing infrastructure or ADM, whether in a staff augmentation or managed services environment, or whether on-shore or offshore, documentation is an essential pillar of IT operations. In fact, documentation should be given the same high level of priority for both outsourcing and insourcing. While the cost of creating, maintaining version control, and managing documentation is not trivial, the consequences of foregoing these practices can be financially catastrophic.

Documentation includes cataloging hardware and software agreements, requirements, application and infrastructure designs, implementation (plans and outcomes), test scripts and results, and change control logs. Moreover, in an outsourcing agreement, your supplier should be held to the highest standard with respect to the completeness and integrity of their documentation on your systems and operations from the day they commence providing your services. Best practices in this area include SLAs to measure document currency and accuracy, implementation of formal document management systems (with clear and traceable history and application-to-application as well as application-to-infrastructure relationship management maps), and dedicated program management.

Rule # 3 - Design your supplier agreements with a clear exit strategy from the start.

A solid exit strategy needs to contemplate a wide range of triggers, ranging from termination of the agreement under the normal course, to natural disasters, to terrorism, to fraud. This practice is imperative for outsourcing in India as well as other countries. By being prepared at all times to quickly transition to another provider (which can include transitioning services back in house), companies have a naturally higher degree of leverage over the incumbent providers and are prepared for a wide range of scenarios that could necessitate an unexpected and immediate transition.

The exit strategy starts in the procurement and contracting process, where key terms must be negotiated with your supplier. These include the ability to terminate without penalty under a broad range of conditions, the right to retain key and specified non-key personnel that are serving your account (either through direct hire or the ability to have transferred to another outsourcer), and an obligation for the supplier to provide transition assistance, secured through fees held in escrow.

Rule # 4 – Develop a sound play book for contingency planning and disaster recovery.

There are two approaches for the “post-exit” game-plan in the ADM outsourcing world:

The former leverages other outsourcers’ ability to quickly scale up to absorb additional work and is considered the safer bet, particularly if the assuming outsourcer is already providing other ADM services. The latter would require a combination of retaining key and non-key personnel from the exited outsourcer (again, assuming the ability to do so was negotiated in the agreement) and hiring new staff to perform the work (again, typically a riskier bet and certainly more costly, particularly if the ADM services were originally leveraging offshore resources).

In the infrastructure world, both a back-up resource plan and a back-up technology plan (e.g., data center, help desk facility, telecommunications network) need to be in place. As in the ADM case, decisions need to be made up-front on whether the work would be shifted to another outsourcer (generally one that is already engaged to provide other towers) or brought back in house.

Rule # 5 – Governance and supplier management should underpin the plan.

Tight governance and supplier management must be at the center of disaster preparedness. Governance folks should report directly to the CIO and be accorded the same level of visibility and attention as overall application management or infrastructure services. Recognizing that an outsourcer meltdown may not always be the result of a classic force majeure event, the governance organization should routinely monitor SLAs, other KPIs, and supplier related press coverage in order to anticipate events that could lead to a disaster, (e.g., mass exodus of outsourcer employees to higher paying competitors, scandalous or suspicious press concerning your supplier). And in the case of the unanticipated disaster, the governance organization should be at the controls, ready to assist in all aspects of the recovery operations.

As no CIO would be caught without a back-up data center plan or without back-up versions of their applications and data, nor should they be without a readily executable disaster recovery plan in the event the company’s IT outsourcer is unable to continue providing service. In outsourcing IT services, an organization’s vulnerability to disasters is profoundly more serious as it affects not only the infrastructure, but the entire human resource dimension of the operations.

Steve Martin is a partner with Pace Harmon, an outsourcing advisory firm providing guidance to Fortune 500 and other large organizations on complex outsourcing and strategic sourcing transactions, process optimization, and vendor program management. With more than 25 years of industry and consulting experience, Martin specializes in outsourcing and strategic sourcing and is a recognized authority in the areas of contract negotiations and structuring transactions for technology related products and services. He has provided advisory services to more than one-third of the Fortune 100.