When and Why to Look Outside

Outsourcing Is a Means, Not an End. Your Business Strategy Must Remain Your Own

The outsourcing market is growing, by some estimates, to $123 billion worldwide in 2002, at a compounded annual growth rate (CAGR) of over 16 percent, with the United States representing around 40 percent of that. Outsourcing is a category of broader IT services that includes standard consulting, system integration, custom application development and maintenance, hardware and software installation and support, network and desktop integration and consulting, and IT education and training.

An outsourcer takes on a function that is usually performed by the organization’s internal personnel. The major types of outsourcing include information technology, business process and application.

Information Technology Outsourcing

In information technology outsourcing, a service provider takes over the day-to-day operation of the organization’s IT operation and systems, either on-site or at the outsourcer’s facility. Determining where the function is performed is driven to some degree by whether the technology is centralized or distributed. Service level agreements (SLAs) detail system availability and performance metrics. Improving service levels is a key market driver for this form of outsourcing.

Varying degrees of outsourcing are possible, and require cooperation between the organization’s and the outsourcer’s personnel. The systems’ operation and their integration with local area networks (LANs) and wide area networks (WANs) are the most typical areas to be outsourced. Other operational areas include disk backup, archiving, recovery, application development, application maintenance, application operation, system maintenance, disaster recovery and help desk operations.

The ability to provide 24x7 support is another driving factor behind information technology outsourcing, as well as in other forms of outsourcing. It can take up to five individuals to provide around-the-clock operation, monitoring and support, when weekends, holidays, vacations and overlap are taken into consideration. In addition, broad geographic coverage spanning multiple time zones is a factor.

Another valuable reason to outsource the information technology function is to allow the organization to focus on its core business competencies, rather than on day-to-day firefighting, thereby enhancing the overall effectiveness of the IT staff. This allows the IT staff to proactively align the IT strategy more closely with business goals. Network and desktop outsourcing is usually included in this category.

Business Process Outsourcing

Business process management and outsourcing is defined as taking over a business or operational function, including the IT operation that supports it. It is growing between 15 and 25 percent annually, depending on the area.

This area has a long list of subjects, including finance, human resources, supply chain, administration, telemarketing, marketing, customer support, manufacturing, logistics and processing services, such as check, claims and payment processing.

A principal interest in these services stems from difficulties associated with the globalization of markets – everything from price pressures to deregulation to competition.

Application Outsourcing

Application outsourcing and management is not application development. Application development is developing, modifying, troubleshooting and delivering a custom application, while application outsourcing is deploying, managing and enhancing custom, off-the-shelf or Web applications. The outsourcer manages the infrastructure, connectivity, changes and operation of the application.

A good example of this is e-mail outsourcing. This example points to the latest trend in application outsourcing: managed application services provided via application service providers (ASPs) across the Internet. Since the Internet is now generally considered secure, reliable and inexpensive (in spite of stories widely publicizing outages and breaches), this application delivery mechanism provides high-end applications in an affordable manner. Areas where this phenomenon is already making inroads is in the publishing, freight management, finance, travel reservations and public sector markets.

The ASP sector is one of the hot Internet markets, growing from around $150 million in 1999 to more than $2 billion in 2003. In fact, Jamcracker, a company launched in February 2000, hopes to bring together multiple ASP offerings into a single integrated service. These aggregated ASP services will be bundled into one bill, so customers do not have to pull together separately hosted applications.

Successful ASPs providing multiple-client access to hosted applications via the Internet will have well-developed and maintained relationships with application developers and network providers, while drawing strength from vertical market expertise.

Network and Desktop Outsourcing

The network and desktop outsourcing market, growing in excess of 16 percent CAGR, will be over $30 billion by 2003, with the United States accounting for half. An organization must decide whether to outsource just one network and desktop segment or the support and management of its entire networking infrastructure. The networking equipment, such as routers, hubs and switches, is monitored and managed, and so are servers, PCs and remote-access technology.

Closely related services are usually also appropriate, including network and security design and management, installation and configuration of upgrades and migrations, project management, asset management, backup, archiving, recovery, capacity and performance planning, and fault isolation, resolution and recovery. Thin-client infrastructure requirements are another area of consideration.

Network security must be considered, especially in an Internet-connected environment. A sampling of these topics are firewalls, intrusion detection and antivirus software.

Also gaining prominence, particularly in an Internet-based paradigm, is remote network management and monitoring. It is growing at a 20 percent CAGR and projected at $4.7 billion in 2002. Network monitoring and management accomplishes three objectives: reactive fault monitoring for when a component fails; proactive monitoring for when components begin to reach maximum utilization; and predictive monitoring for when growth trends require future network enhancements.

Security Outsourcing

Do you know what "FUD" is? It stands for fear, uncertainty and doubt, and it is used by every salesperson in the universe, to their advantage, to sell their product or service. By carefully crafting phrases such as, "Are you sure you have considered this other factor…," and "Is that other solution certified by the international standards body…," a salesperson can usually create enough doubt to derail or delay a deal, and hopefully, turn your attention to his or her product.

These phrases portray FUD as something negative. And sometimes it is, as in, "chasing a red herring." But, in actuality, it is an important part of the sales process. This type of back-and-forth forces purchasers to truly consider factors that they may not have thought of. Without FUD, consumers would not make the most informed decision; however, the incumbent must sort through the red herrings to find the true issues.

Take a guess what class of products is ripe for FUD. You probably did not have to think long to come up with security-related products. Why? Because there are a myriad of security news stories relating to hackers, breaches, losses, denial-of-service attacks, embarrassments, and their associated damages. The most recent ones include the denial-of-service attacks on E*Trade, Yahoo! and others.

Some security-related FUD is not a big concern (such as transmitting your encrypted credit card number across the Internet). On the other hand, some FUD you should be concerned about (such as failing to monitor your firewall and intrusion detection devices 24x7 for alerts).

Security outsourcing is growing at a 34 percent CAGR over the next five years, having started at only $400 million in 1998. The remote network security monitoring outsourcing segment is growing even faster, at almost 50 percent annually.

How should an organization decide whether to outsource portions of security? The two significant factors are whether the function is strategic (e.g., end user authentication for stock trading) and whether it is already a core competency. When the answer to both is yes, then outsourcing is probably not recommended. Additionally, never outsource your security strategy or ownership of your security policy.

A key driving factor in security outsourcing is cost, which is very compelling in this case. Information security experts are in particularly short supply and are consequently difficult and expensive to hire and retain, with their mean salary exceeding six figures. If an organization decides to train internal personnel, it is expensive, and these individuals become immediately marketable. Furthermore, these newly trained individuals are inexperienced, and they will make the mistakes of the inexperienced that might be particularly costly, given the areas they touch.

Related to the difficulty in, and cost of, obtaining experienced security experts, a recent survey points out that around half of all organizations plan to use an outside vendor for the design and implementation of their security system. Additionally, almost two-thirds of all organizations will outsource to a 24x7 network security monitoring service (for the firewall and intrusion detection devices).

Look for a monitoring service that is bundled with some form of value-added security assessment, architecture design, and implementation service. This is because adding a firewall and intrusion detection device requires proper placement in the network, along with network changes and possible redesign. Doing this before implementation makes it much easier than after everything is installed.

Another reason for choosing an architecture and audit service is the security principle that no group should audit itself, and the perception that a third party is impartial. This also adds "political" clout to security-related issues. Unisys itself, for example, is certifying its Security Command Center with the International Computer Security Association (ICSA), even though it has the expertise in-house to perform the same evaluations.

The monitoring service should accomplish four objectives on behalf of the organization: 24x7 monitoring of the firewall and intrusion detection solution for suspicious activity and faults; notifying and taking action (e.g., firewall shutdown) upon detection of hacking; managing operating system, firewall, intrusion detection and utilities patch updates as they are released, thus closing exploitable known holes; and handling configuration activities, such as adding new employee browsing access or a new application (e.g., e-mail).

Although it is a good idea to outsource the monitoring of the firewall and intrusion detection solution, an incident-response program should not be outsourced, due to its critical nature and impact on an organization’s assets and reputation. Unfortunately, many companies lack both a comprehensive response program and the expertise required to respond to critical incidents, according to security experts. An incident response plan is mandatory, however; when an incident does occur, there are very few minutes to react, and it is best to have the steps to be taken already understood and in place.

An incident response plan should focus primarily on quickly restoring operations, then on prosecution issues. Relevant data must be collected and preserved.

Outsourcing companies usually take prospective clients through a cost analysis that shows how much it would cost for the client to do what the outsourcer does, typically as high as five to six times more expensive. These dramatic reductions in transaction and monitoring costs result from economies of scale by, and higher processing volumes of, the outsourcing vendor. If an organization does not already have a fully staffed 24x7 data center, and they wish to establish an e-commerce Web site, the gains can be even higher. Factors include constructing, staffing and operating a 24x7 data center, physical security, power, UPS, fire suppression, firewalls and intrusion detection.

The When and Why

An organization’s business strategy must be owned by the organization, and outsourcing, per se, does not replace it: Outsourcing is complementary. When complementary, there are many good reasons to outsource. The biggest reasons are scarcity of technical skills, Web-enabling everything and increasing costs.

Outsourcing supplies critical skills, when those skills are difficult or expensive to hire or train; this is the number one reason for choosing outsourcing, especially in small- to mid-sized organizations. The skill-scarcity has been exacerbated because virtually every corporate IT resource had been mired in old technology working out Y2K compliance issues. Now that Y2K is successfully behind us, many employees have still not had the time to upgrade their skills.

Outsourcing also bolsters staffing on large individual projects, short-term projects, and geographically dispersed projects. It allows an organization to take advantage of and incorporate leading edge technology, especially when those technology skills are not present in the organization. Moreover, it can be used to establish a new IT paradigm and the processes required to implement it.

As companies are increasingly forced to work in "Web time" – Web-enabling everything in sight as quickly as possible with innovation – many organizations simply do not have the skills or depth of skills necessary. Nor do they have the luxury to take the time to develop the in-house skills. Outsourcing allows the internal IT organization to focus more on the business objectives rather than the implementation details, also leveraging their industry and enterprise (domain) expertise.

Outsourcing is not a panacea. It may or may not reduce costs. In one published report, about one-third of organizations selecting outsourcing were looking for cost reductions. Of those, sadly, only around half actually reported reduced costs.

A normal target cost reduction should be 15 to 20 percent of the original cost. Multiyear contracts are the norm. This is because an outsourcing vendor usually expects payback of the initial investment to occur in 24 to 36 months for large deals.

In large deals, penalties, tied to SLAs, are sometimes included in the contract. When they are, the penalties need to reflect the true business costs to the organization. Also, for fixed or capped penalties, ensure that, for example, a poor first week of a month, that causes the maximum penalty to be reached, does not remove all incentives to perform for the rest of the month.

Even more importantly, make sure you select the right SLAs, tied to business requirements. For example, a 99.9 percent availability SLA can mean something completely different when an outage occurs in the middle of the night with no one online, versus in the middle of the day during the heaviest peak.

To maximize cost reduction, look first for poorly managed or inefficient functions, and recognize that sweeping infrastructure modifications and stabilization can be a sizable investment, regardless of whether they are outsourced or not. However, it can actually reduce infrastructure costs – fixed IT costs – by allowing those fixed capital assets to be sold.

It is very difficult to quantify costs, especially when they are intangibles related to suspected or perceived personnel inefficiencies. Outsourcing provides a more definitive way to determine costs, since there is a specific budget allocation for the project being outsourced, versus depending on the individual to track individual activities and report them in a companywide time-reporting system.

Organizations that consider IT a core business competency should use less outsourcing than ones that focus more on costs. Larger organizations generally have larger IT budgets and can therefore more easily absorb the costs and time required to train individuals. Regardless, however, a sizeable outsourcing deal not directly linked to the enterprise’s business strategy is more likely to fail.

One of the dangers of outsourcing is that it can result in increased IT staff turnover. So, keep the IT organization informed of transition plans. Furthermore, identify indispensable personnel and make the effort to retain them. Particularly difficult issues to resolve during transition include geographic relocation, pensions and union representation.

An advantage of outsourcing is that it can reduce or even eliminate internal political squabbling and serve as a rallying point for activity. This can be very helpful following a merger or acquisition, facilitating the integration and standardization of multiple infrastructures, especially by further avoiding partisanship.

Thumbs Up or Thumbs Down?

Outsourcing is a means, not an end. To decide whether to outsource, consider the following. First, costs. General cost categories include hardware and software, personnel, facilities and outside services. More specific costs that apply across these categories include leases, depreciation, maintenance, expenses, and salaries and related expenses.

Some costs will remain regardless of whether you outsource. For example, IT management and planning functions, inter-business-unit interfacing, security management and quality assurance are all likely to remain.

On the flip side, there will be new costs associated with outsourcing, aside from the immediately quantifiable contractual negotiation and legal costs. These include the often contractually buried vendor and early-termination fees, as well as move/add/change (MAC) implementation functions. There are also personnel costs associated with an outsourcing transition plan.

By one report, up to half of all outsourcing deals are considered not successful by senior management because they have not delivered the expected business value or IT effectiveness. The two most likely reasons for this are initially setting or having unrealistic expectations, and unclear contractual SLAs. However, improperly managing the relationship with the outsourcing vendor can also be a factor; it is crucial to closely manage outsourcing projects.

The outsourcing contract must clearly establish scope, objectives, responsibilities, SLAs, rules for MACs, prices, penalties, escalation, termination, etc. The negotiation of the contract is a most important factor in the overall actual and perceived success of the deal. Just like a software project, where the cost to fix a problem increases exponentially as the discovery point moves through the design, coding, testing and field phases, so, too, do outsourcing success factors, as the outsourcing activities move from contract negotiation and signing to implementation to ongoing management and measurement.

You should plan to take your time during vendor evaluation and negotiations. Remember that lack of clarity in the contract is usually sorted out during execution, affecting everyone associated with the project and potentially impacting the project schedule and cost.

The contract can only be clear if the objectives of the outsourcing are also clear and contingencies accounted for. Therefore, risks that could affect outsourcing must be evaluated. Scenarios should be created. A sampling includes corporate mergers and acquisitions (both external acquisitions and internal reorganizations), changes in government regulations, major changes in market price dynamics, the impact of foreseeable emerging technologies or processes (especially those that are Internet-related), changes in the distribution channel, and changes to the national and international regulatory environment. All of these influence an IT organization’s requirements and impact its outsourcing strategy. A "politically correct" action is to include senior management in developing the risk factors and their scope.

Sufficient technical staff that understands the organization’s business requirements must be retained. Their new role is to map evolving technology to the organization’s architecture based on the business requirements. There is an old software development adage that says adding people to a late project makes it later (impacts of training, etc.). The same applies to outsourcing: Outsourcing can exacerbate existing problems. This makes unambiguous communications extremely important.

The task of monitoring vendor performance is often the IT manager’s responsibility, and the manager ultimately bears the risks. Standard management skills apply, where the situational management style must be appropriate to the circumstances. This progresses from micro-managing the vendor, when the vendor is just getting up to speed, to macro-managing, where the vendor is completely capable of and willing to perform the work.

Even when "delegate mode" is appropriate, and regardless of whether you are outsourcing just a piece or an entire operation, regular performance meetings should be held. All topics, without recriminations, must be fair game for discussion, such as vendor and in-house staff cooperation, vendor understanding of business requirements, and vendor staff loyalty to the organization’s goals and objectives. However, do not miss the forest (e.g., are strategic goals being met through this outsourcing contract?) for the trees (e.g., tactical issues and firefighting).

Use a virtual team approach, if necessary, that includes finance, contracts, business-unit interfaces and operations (facilities, systems, applications, network and desktop). An organization should plan on spending 3 to 7 percent (or more) of the outsourcing contract’s value to perform the monitoring. Effectively staffing this team, especially during any transitional phases, will be an essential success factor for the outsourcing deal.