Outsourcing – A modern risk dilemma

When BSkyB sign­ed a contract with EDS to deliver a system for managing custo­m­er relationships, the information technology provider promised the package would be operational within nine months.

This was in 2000 and, more than a decade later, after increasingly acrimonious litigation, EDS had to settle for £318m (€397m), including costs, after the media giant successfully sued, essentially on the grounds that the IT group had not delivered what it had promised.

As an example of some of the problems that can arise in an outsourcing contract, BSkyB’s experience is merely one of the most visible of a growing number of disputes between client and provider. Most disagreements do not reach the courts, but they are multiplying because such contracts have increased significantly as companies seek out the expertise they lack in-house.

Outsourcing problems are likely to get worse before they get better. The nature of outsourcing is changing, as companies look for a competitive edge, rather than mere cost savings, as they tended to do in the past. Many cost-cutting outsourcing contracts turned sour as client companies lost control over vital functions.

New generation of outsourcing
However, there is a new wave of outsourcing. In the past few years, so-called business process providers and information technology service companies have “grown on a phenomenal global scale”, according to Emily Freeman, London-based executive director in the Lockton technology and intangible risks practice.

Business process providers are delivering everything from data entry to medical services such as imaging and diagnosis, as well as legal services, financial processing and backroom administration. Information technology providers are helping businesses improve in application development, data storage, help desks and, particularly in the past three years, in cloud computing.

“The latest trends in outsourcing indicate that businesses are looking beyond the cost advantage,” says Freeman. “They want innovative solutions that will help them competitively.”

This new generation of outsourcing cuts across almost every business sector: healthcare, retail, financial services, transport, telecommunications and many others.

An authority on outsourcing and its hazards, Freeman has co-written a white paper with AIG head of financial lines in specialty claims division Robert Ballerini on the mutual risks of outsourcing. Moreover, as she told StrategicRISK, most companies have no option but to hire outside help in this kind of expertise. In contrast, the biggest organisations are in a position to pick and choose which services they want to retain in-house.

“For others, though, it’s a reality of modern business life,”

Freeman explains. “Most businesses will have to outsource functions offshore. For instance, the cost of an SME building a data management centre is prohibitive.”

Risky business
The contracting of outside expertise brings its own problems. The main ones are performance failure and data protection.

The former is relatively straightforward. As with BSkyB, when the provider failed to fulfil its contractual obligations, the media group was unable to connect with clients.

In an era of unforgiving regulators and angry litigants, the latter - data protection - exposes companies to the most danger. Failure to protect data has become the nightmare scenario. “This is an entirely different issue,” explains Freeman, pointing out that regulators, clients and aggrieved parties are not limited by a contract. In short, they can impose heavy fines or other penalties or, in the case of individuals, take legal action. In this case, the damage to a company’s reputation and coffers may be considerable.

‘The big three concerns for clients are due diligence, contracts and insurance’

Emily Freeman Lockton

Many high-compliance industries are in the firing line of regulators for data breaches, even if these were committed under third-party contracts. These include public utilities, aviation, shipping and other branches of the transport industry, healthcare, telecommunications and financial services. Under EU law, the client is the data owner, and it is thus liable for breaches.

Hiding breaches will soon be impossible. Mandatory notification will be obligatory under EU law by 2014 - it is the case already in Germany - and the fines are intimidatingly high. Under draft legislation, as Lockton’s white paper points out, the proposed fine is a maximum of 2% of the parent company’s global revenues.
The contracting company is therefore vulnerable to the provider. Because of the often sensitive nature of the work in question, the provider becomes almost embedded in the buying company and its client may find it difficult and expensive to repudiate the contract if it becomes dissatisfied with the provider.

To mitigate these risks, companies have become more professional in how they select their providers. However, many have approached outsourcing in the wrong way.

“The big three [concerns] are due diligence, contracts and insurance,” says Freeman. “My clients are not just signing a contract and hoping for the best.”

Kick the tyres
One element for clients undertaking due diligence is to check for high staff turnover. Many service errors result from the departure of key personnel who are replaced by others who lack experience of the contract.

On-site audits should pick up examples of inadequate data protection of customer information; for instance, if there are insufficient layers of defence against hackers or internal blunders. Particularly in the case of IT providers, research should be undertaken on their own suppliers of, for instance, software and hardware, because they may prove to be the source of future legal, operational, security or other problems.

Further, most importantly, clients should look for any examples of breaches of the provider’s security. At the very least, a potential client would want to be assured that, for example, a provider’s staff were not taking home clients’ details on laptops and similar devices except those thoroughly protected by encryption and other methods.

After “kicking the tyres”, as Freeman puts it, through on-site due diligence preferably with a formal scorecard in hand, the next step is the contract.

Contracts are getting tougher. Companies are insisting on higher penalties that implicitly recognise the risks they are running. Caps for limitation of liability have risen lately to at least double the agreed fees or, in some cases, a single specific (and large) sum. Increasingly common are uncapped indemnities for glaring failures such as infringement of intellectual property, data breaches and gross negligence.

Some companies try to pull the wool over the eyes of providers. In an attempt to push the burden onto them, they can sometimes argue in negotiations that other providers bidding for the work have agreed to uncapped liabilities for breach of contract, even when this is not the case.

Most complaints against providers are based on failures to meet the sometimes exaggerated claims of their expertise. Moreover, every now and again, as with BSkyB, some cases are based on what was deemed to be fraudulent misrepresentation.

At the same time, the client company may be well advised to conduct a kind of due diligence on itself. Underestimating the challenges of outsourcing activities that they have long kept in-house, some organisations plunge into the process without understanding what is involved.

They routinely allocate too few internal staff to manage the process and/or give the provider too much rope. Further, some organisations simply lack the technical expertise to understand what is involved.

Risk awareness
Clients also often expect the impossible, especially in terms of savings. As it happens, fixed-price contracts are rarely just that, explains the paper that studied outsourcing on both sides of the Atlantic. The cost of most projects will rise by about 10%, sometimes because the client makes changes during the process. Legally, it is notoriously difficult for clients to win these battles under professional liability policies.

In general, summarises Freeman, every company should make risk management part of its DNA. As she points out in just one example, procurement departments routinely focus on quality and price and neglect any element of risk that may be involved in dealing with a certain provider. That’s not good enough, she warns: “In any kind of dealing with a provider the issue of risk should be baked into the process.”