Managing the Risks of Offshore IT Outsourcing

May 22, 2006 (Computerworld) Gartner Inc. estimates that global spending on offshore IT services will reach $50 billion by 2007. But caveat emptor! While cutting costs by outsourcing internal IT processes to contractors as far away as India or Eastern Europe may offer significant cost advantages, the savings can prove illusory if the company doesn't recognize and actively manage the risks involved. Beyond cost, companies need to consider operational risks such as service quality and data security, as well as potential legal liabilities and insurance coverage.

As with other IT-related products or services, the business risks inherent in IT outsourcing arrangements are managed primarily by written contracts between the contractor and end user. Outsourcing contracts need to be comprehensive in scope and detail exactly what work is going to be done, how it will be done, who will do it, who is responsible for supervising the work, and what milestones and performance criteria must be met. If there is a transfer of equipment or employees to the contractor, those details need to be spelled out. To the extent possible, a company should transfer liability to the outside contractor but recognize that the principal difference between these contracts and more standardized IT contracts is the laws and regulations guiding how and where disputes are resolved.

Management and counsel must be prepared to spend the time necessary to review the contract before negotiations are complete. Prior to finalizing an agreement, managers should do the following:

• Examine their businesses carefully to identify which processes are good candidates for outsourcing.
• Determine how an IT outsourcing deal will enhance value and offer quality improvements, such as higher speed or greater accuracy.
• Consider the direct and indirect effects on human resources and morale.
• Perform due diligence on potential contractors.
• Be prepared to dedicate sufficient time and resources to create a transition team and manage the relationship on an ongoing basis.
• Seek guarantees for dedicated hardware and software resources to better protect business continuity.
• Ensure that each generation of data is being saved in a remote and secure environment.
• Review the contractor's disaster recovery plan to ensure business continuity.

Service quality

Handing over IT functions, let alone an entire IT operation, to an offshore contractor thousands of miles away poses a significant operational risk. A three-day delay in securing manufacturing parts may not be critical, but failure to perform real-time data processing can cripple a business and compromise the company's reputation for service. To maintain business continuity and quality of service, companies should select reputable, experienced contractors with a view toward establishing long-term relationships.

Data security and intellectual property

Companies considering outsourcing need to protect themselves against potential lawsuits directed at them because of their contractors' actions. For example, if an employee of the contracting firm steals or misuses confidential or personal information that causes a violation of U.S. privacy regulations, the U.S.-based client would be the likely target of any lawsuits. Outsourcing contractors must meet U.S. and foreign mandates relating to privacy legislation and public disclosure laws, such as the Sarbanes-Oxley Act.

Companies also need to protect their intellectual property from misuse by the offshore contractor. An example might be when an organization provides the contractor with proprietary technology or know-how that is later disclosed to others. Although security and intellectual property details will be outlined in the contract, companies should provide the contractor with the minimum amount of proprietary technology or information needed to perform the work. This will minimize the exposure, while maximizing the inherent benefit of the reduced cost structure offered by such arrangements.

Purchasing insurance

It is important to engage the company's risk manager or insurance buyer in the contract process from the beginning. Otherwise, outsourcing contracts are likely to be negotiated by IT people and corporate attorneys with little regard to insurance ramifications. Before signing an offshore outsourcing contract, companies should look at the exposures raised by the agreement, compare them with their insurance protection to find any gaps in coverage and take appropriate steps to address them. Because companies are not likely to recover losses from a faraway contractor's insurance, management should purchase as much insurance as possible for exposures arising from outsourcing. Here are three major areas of exposure companies need to consider.

• Dependent business premises: Property, data or information may be affected by direct loss or damage to a dependent business premise by a host of traditional property perils, such as fire, flood or windstorm, as well as less traditional perils, such as terrorism. The contractor's ability to quickly migrate business operations to another location is critical. Companies should obtain adequate limits of business interruption and extra expense insurance for this exposure from their property insurer.
• Security breach: Theft, disappearance or disclosure of trade secrets, intellectual property, proprietary know-how or nonpublic personal information represents legal and operational exposures for the client organization. Although not all of these exposures are insurable, there are elements that can be insured. Most general liability policies offer a level of protection should the publication or disclosure of nonpublic personal information result in a privacy lawsuit. A few property policies offer protection for risks stemming from computer virus and other acts of malicious programming. Directors and officers policies may respond to shareholder lawsuits involving a security breach, regardless of where the breach occurred. Also, specialized media liability policies provide protection for suits involving intellectual property infringements.
• Negligence or failure to perform: In addition, companies should require foreign contractors to obtain technology errors and omissions insurance. This will provide protection for economic loss caused by the contractor's negligence or failure to perform in accordance with contract terms.

Achieving long-term value

In today's hypercompetitive world, companies want to move quickly to cut costs, and foreign IT contractors can offer significant cost advantages. It takes time, however, to set up an IT outsourcing arrangement that offers true long-term value. Companies need to make sure they enter into a comprehensive outsourcing agreement with a reputable IT firm. Prudent companies will take time to evaluate the exposures created by such arrangements and make sure they are protected with adequate insurance coverage. Organizations that base their decision solely on cost, without carefully weighing the risks and exposures, may find they have been penny wise and pound foolish.

Steven Pozzi is chief underwriting officer at Chubb Commercial Insurance.