Although reconciliation of the key terms has been a best practice for over-the-counter derivative trades for some time (particularly with collateralised trades), the scale of the reconciliation exercise imposed by forthcoming regulations in the EU and U.S. has caused many market participants to undertake a fundamental review of the systems and processes in place. For many, compliance can only be achieved by utilising a third party for provision of an appropriate technology platform or an end-to-end service. With imminent compliance deadlines and the late development of the requirements themselves, functionality has understandably been the focus of any sourcing process. However, from a supply chain and outsourcing perspective, a key challenge remains the manner in which the financial services-specific regulations are applied to this type of third-party arrangement.
a fixed monthly charge for applications maintenance and support;
a fixed monthly charge for a baseline number of application enhancements hours (typically included as part of the fixed fee for applications support) with authorized incremental hours charged on a time and materials basis; and
a framework for pricing significant development work on a project-by-project basis on a fixed fee, capped time and materials, or straight time and materials basis.
This is the third of three blog postings that describes the basic features of each of these pricing components, and discusses some of the key considerations in structuring and negotiating them. The first and second postings discussed pricing for applications support and applications enhancements. This posting focuses on the framework for pricing applications development projects.
You're a CIO, and a major software publisher proposes an "enterprise" or "unlimited" license arrangement. The proposal has made its way up the chain to your desk, and you are told the deal looks promising. There can be pitfalls in any software deal; in "enterprise" or "unlimited" license arrangements, the pitfalls can be devastating.
Asking yourself (and your staff) four basic questions may help you ferret out the risks and reduce your exposure to many of the big problems.
This is the first of four installments identifying and explaining each of these four questions. The first question is:
What does "enterprise" or "unlimited" really mean?
"The details are not the details. They make the design." - Charles Eames
Indiana vs. IBM
In 2006 Indiana awarded IBM a contract worth more than $1 billion to modernize Indiana's welfare case management system and to manage and process the State of Indiana's applications for food stamps, Medicaid and other welfare benefits for its residents. The program sought to increase efficiency and reduce fraud by moving to an automated case management process. Only 19 months into the relationship, while still in the transition period, it became clear to Indiana that the relationship was not going as planned. The expected levels of automation were not being realized. Instead, the program reverted to a caseworker process, and performance was consistently slower than the agreed levels.
In October 2009, Indiana terminated the contract, claiming that IBM had committed a material breach. The claim relied primarily on a showing that the coalition of vendors led by IBM consistently missed the key performance indicators (KPIs) for call center abandonment rate and for timely processing of applications and redeterminations, and the service level metrics (SLMs) for adherence to proper processing procedures. IBM countered that only a limited number of KPIs applied during the relevant period, and that it had already fulfilled its performance obligations by paying liquidated damages for those KPI failures.
This case is interesting because it is rare for material breach claims such as this to be decided by a court. Typically, these cases involve messy arguments about cause and effect, so most are settled by negotiation. Outsourcing practitioners should take this opportunity to learn from a judge's perspective on materiality and on the meaning of these complicated contractual arrangements.
The court found that Indiana failed to prove that IBM materially breached its contract with the State. In July 2012 the Marion Superior Court held that widespread performance failures by IBM did not constitute a material breach when certain program objectives (e.g., increased efficiency, reduced fraud) were being realized by the State. Judge Dreyer also held that IBM's ongoing improvement precluded a finding of material breach within the short nineteen-month period between service commencement and termination, and that payment of liquidated damages fulfilled IBM's performance obligations. In summary, the court found that IBM "substantially performed" its contractual obligations to the State, precluding a material breach award. IBM received a damages award of $52 million for subcontractor fees and for equipment being used by the State. The State of Indiana is appealing the decision in the Indiana Court of Appeals, where the various briefs by IBM and the State are due between now and the end of July 2013.
In Part 3 of "It's 2013. Do You Know Where Your BYOD Policies Are?" we address developing BYOD trends and best practices. Please see Parts 1 and 2 of this three-part series, which address employee and employer concerns, respectively.
Given that BYOD has become the norm even across sensitive industries, it is troubling to learn from the Cisco study that 40% of workers do not use even basic password protection, and 50% report accessing unsecured Wi-Fi networks. These loose security practices may be the result of lax management: a recent report commissioned by the Logicalis Group showed that only approximately 30% of BYOD users in the U.S., and 20.1% worldwide, have signed a mobile device policy. Unconstrained digital activity poses a real threat to an organization for all of the reasons described in Part 2 of this series. A properly enforceable and enforced corporate BYOD policy may be the best strategy for balancing corporate security interests with the privacy interests of employees and third parties.
Overriding Theme: Security-Privacy Balance
Appropriate BYOD policies must strike a balance between security and privacy interests. This balance can be achieved, for example, by requiring segregation of personal data from work data on the device, by selective wiping (removing only the corporate data or container rather than the whole device), and by requiring employees to back up device content frequently. Security measures should be proportional to the security risk and should target corporate, not private, content whenever possible. Finally, the privacy provisions of a BYOD policy must be clearly communicated to employees, and their consent obtained. An employee's reasonable expectation of privacy can only be overcome with clear notice, and clear notice is more important than ever when BYOD blurs the line between personal and work spaces.
What exactly is the "best" solution for an international business that needs to handle and transfer personal data across borders?
This has become an increasingly important and common question as business becomes more global and companies grow, reorganise or merge.
There has been a lot of discussion, not least in the context of the European Commission's proposal for a new EU Regulation to replace the EU Data Protection Directive and the Article 29 Data Protection Working Party's push towards "privacy by design", about the best way for companies to adequately safeguard personal data that is transferred out of the European Economic Area (EEA), and so ensure that those transfers comply with EU data protection laws on extra-EEA transfers.
Many commentators, including some of the key EU regulators, have noted that there remains a lot of confusion, and a fair amount of misinformation, about the pros and cons of the various routes used to ensure that extra-EEA transfers are compliant. It is certainly true in the authors' experience that even quite sophisticated companies and knowledgeable data protection officers often hold an out-of-date view, and that better solutions are available.
This article looks at some of the common misconceptions and takes a fresh look at the key routes to compliance. As will be seen, for various reasons, Binding Corporate Rules 2.0, as we might call them, are worthy of fresh consideration, even by those who overlooked or discounted them as a route to compliance only very recently.
Why BYOD Keeps CIOs Awake at Night
Security management becomes much more difficult the less control an IT department has over the relevant data and hardware, and BYOD by its very nature makes control a challenge. Security breaches may result from inadvertent action: sensitive information could be viewed by an unauthorized individual who borrows an employee's iPad, or sensitive data may be placed in a shared cloud folder by mistake. The proliferation of cloud-based services such as Dropbox and Siri makes this accidental leakage all the more concerning. A security breach can also result from active external penetration, through theft, hacking, malware or espionage. Finally, intentional leakage of information by authorized employees poses a third category of information security risk.
Information Security Strategies
To prevent the various types of breaches described above, IT departments generally employ a range of tools and practices. Security tools include mandatory passcodes, forced disabling of certain applications, and remote wipe controls. A growing number of vendors provide mobile device management (MDM) solutions to help manage BYOD programs. These solutions typically enforce security policies, manage passcode requirements, control which applications may be installed, and remotely wipe a device. In addition to these technology-based controls, policies and practices may prohibit or require certain activity from employees.
Security Strategy Example: Cloud-Application Risks
As an example of a BYOD security strategy, IBM prevents its employees from using many cloud-based applications, including Apple's Siri. In response to concern raised by IBM and others, Apple revealed this spring that user data generated through the use of Siri is retained in cloud storage for two years. Dropbox and similar cloud-based storage services are frequently used by employees even though the risks have been widely reported. If employees will be handling sensitive information regularly, then tools and policies must be in place to ensure that this information is not sitting unprotected in a cloud environment.
Imagine you grab your phone only to find it locked, with all of your applications, pictures, and contacts permanently deleted. Imagine your employer's IT department remote-wiped your phone because they mistakenly believed it was stolen. Better yet, imagine your Angry-Birds-obsessed child triggered an auto-wipe with too many failed password attempts (don't laugh - it's based on a true story!). Can your employer really do this to your phone?
Imagine instead that you are the CIO responsible for protecting sensitive corporate and third party information. How can you ensure information security when your employees carry sensitive data in their pocket everywhere they go, and let their friends and family play with these devices?
The use of user-selected personal mobile devices for work (often called "Bring Your Own Device" or "BYOD") is undoubtedly delivering benefits for employers and employees alike. Yet, competing employee-employer interests and related risks must not be ignored. Remarkably, only 20.1% of companies surveyed globally have implemented signed BYOD policies according to a recent study (Ovum Research Shows U.S. Ahead of Other Countries in Asking Employees to Sign BYOD Agreements). This three-part series will outline competing interests and risks, and will suggest that the best way to manage these risks is through the drafting and enforcement of proper BYOD policies.
Many years ago, I walked through a client's IT development organization where all the "Onshore" resources from the client's ADM provider sat in a sea of cubicles. I was there to identify the causes of some issues that had been troubling the relationship and recommend solutions. Having reviewed the contract before the walkthrough, I wasn't surprised to see a large supplier team present at the client. What did surprise me was how all of the "Onshore" resources appeared to be from the same offshore location where the supplier was based.
Prior to this encounter, my experience had been that "Onshore" rates typically applied to the client's former U.S.-based, rebadged resources or to other U.S.-based employees assigned to the client's account by the supplier. But something was different this time. It turned out to be my first introduction to "Landed" resources: foreign workers performing onsite work under short-term visas.
Given the cost of transportation, visas and temporary living arrangements, I assumed that in order to compete with U.S.-based resources, the supplier must be paying a lot less for these resources; otherwise, why would 100% of the resources be from offshore? When I asked about the salary differential, the supplier said that there wasn't one and that "by law" it had to pay a comparable prevailing salary.
Fast forward many years and the idea of Landed resources is well recognized (though probably no less controversial). Outsourcing suppliers do it all the time. "Onshore" and "Landed" have become interchangeable terms for many suppliers.
Some suppliers have implicitly acknowledged that the cost of their Landed resources really is lower than that of U.S.-based resources, as they offer their clients a three-tiered rate structure: U.S.-based, Landed and Offshore. The rate differential between the U.S.-based and Landed resources can be significant. For example, it is not unusual to see hourly rates for U.S.-based developers offered at $80 to $90 or even over $100, while the same supplier provides Landed developers in the $60 to $70 range.
Now, according to an article by Peter Wallesten in The Washington Post, a bipartisan group of eight senators working on the immigration bill have "tentatively agreed to impose stiff fees on some outsourcing companies that hire H-1B workers." Further, the article goes on to say that while there was a push "to increase the lowest wage levels permitted by the visa program, it's likely that only certain firms would be required to pay more."
Perhaps that means the rate differential between U.S.-based and Landed resources is about to come to an end, and outsourcing customers that have benefited from the three-tier rate structure could see their costs move up as the rate gap closes.
Some outsourcing firms could benefit from changes that put Landed and U.S.-based resources on the same footing. Those firms that really do pay their Landed offshore resources compensation equal to that of their U.S.-based peers could face less rate pressure than suppliers who today offer the lower Landed rate structure.
One can debate the real merits of using offshore resources to do work in the U.S., but outsourcing customers that currently benefit from Landed resource pricing should be aware of the potential changes coming.
In a previous post, TUPE: Service Provision Change, we discussed that the UK Government had issued a Call for Evidence to review the current Transfer of Undertakings (Protection of Employment) Regulations 2006 ("TUPE 2006") as part of its wider review of reforms to UK employment laws. The Call for Evidence concluded in 2012 and the UK Government has now launched a consultation on its proposal to amend TUPE 2006, which it believes will improve and simplify the regulations for all parties involved.
The Proposed Changes
The Government's proposed changes to TUPE 2006 include:
1. Removal of the Service Provision Change ("SPC") provisions. As a result, outsourcing, in-sourcing and re-tendering would not be brought expressly within the scope of TUPE.
2. Removal of the requirement to provide Employee Liability Information at least 14 days before a transfer, replacing it with an obligation on the parties to disclose the information necessary for them to comply with their duties under TUPE.
3. Enabling pre-transfer consultation under TUPE to count towards collective consultation on redundancies and to allow smaller businesses to inform and consult with employees directly where there are no recognised trade union or existing employee representatives.
4. Allowing greater flexibility for employers to make changes to terms and conditions of employment post transfer. However, the Government will not introduce an express provision allowing parties to agree changes in order to harmonise terms and conditions of employment.
5. Changing the wording of the provisions giving protection against dismissal so that dismissals will only be automatically unfair where they are by reason of the transfer itself. As a result, dismissals for a reason connected with the transfer (which are currently automatically unfair) may potentially be fair, subject to the employer satisfying the normal test for a fair dismissal.
6. Limiting an employee's right to resign in response to a material detriment to their working conditions, or to claim unfair dismissal as a result.
7. Expanding the definition of Economic, Technical and Organisational (ETO) reasons to include changes in the location of the workforce. This would benefit employers who, depending on the facts, might be able to argue a broader range of ETO reasons for making a fair dismissal. The Government is also seeking views on whether a transferor can rely on the transferee's ETO reason to legitimise pre-transfer dismissals.
The effect of the proposed changes
Some of the proposed changes will be welcomed and will ease the burden on business, such as greater flexibility in making changes to terms and conditions of employment post transfer, or being able to make employees redundant where there is a change in the location of the workforce. On the other hand, there is likely to be a wave of new legal challenges if the proposals are implemented. The repeal of the SPC provisions is a likely hot button. The UK Government's view is that the SPC provisions impose unnecessary burdens on businesses and go beyond the requirements of the EU Acquired Rights Directive (ARD). Supporters of the SPC provisions argue that they give needed clarity that TUPE applies to outsourcing, insourcing and re-tendering, and thereby provide a level playing field. Businesses have also embraced the general assumption that TUPE will apply to service provision changes and factor the costs into their pricing models. The proposed elimination of the SPC provisions would once again bring unwanted uncertainty, much like the uncertainty that surrounded the application of TUPE 1981, with multiple criteria being applied inconsistently in European case law.
The consultation will end on 11 April 2013 and any reforms (with the exception of the repeal of SPC provisions) are expected to come into force in October 2013. Although the Government has indicated that there will be a significant transitional period before the SPC provisions are repealed, when negotiating contracts going forward, it will be prudent for businesses to bear in mind that TUPE may not automatically apply on exit.
Why do you need to act urgently even if you feel your data handling is compliant?
If you are a US headquartered company do you need to bother with these new EU laws and significant changes proposed?
2013 has already seen last year's frenetic pace of change continue in new data laws and fines that will affect how all companies, regardless of business sector, use employee or customer data. As confirmed in the January 2013 Albrecht report, the European Union is indeed planning to replace its Data Protection Directive with a new Regulation.
The new Regulation will tackle recent developments in social media, mobile apps and cloud computing, as well as a perceived serious lack of compliance so far, particularly over use of customer data, lack of proper consents, and more invasive marketing and advertising.
Some had hoped that after much discussion and lobbying some of the more serious proposals might be watered down or deleted, such as the "nuclear" fine of 2% of global turnover/revenue for serious breaches of EU data law. However, the recent report from the EU Parliament's rapporteur, Jan Philipp Albrecht, confirms the perceived need for even tougher fine levels and more aggressive enforcement. This is on top of recent changes that saw fines dramatically increased in a number of EU countries, for example in the UK, with new powers to issue fines of up to £500,000 (approximately $800,000) per breach, and increased fine levels being pursued in France, Spain and elsewhere. These major fines are not theoretical proposals: they are already in force and are being used. The "nuclear" option will be in addition.
Other hopes from some in industry that new proposed rights, such as the "right to be forgotten", might fade away were also dashed. Businesses will have to consider seriously what the impact of such changes will be, and also note that the proposals have highlighted existing requirements, such as not holding data for longer than necessary, which are already law and which enforcers are scrutinising more closely. This, along with the new Binding Corporate Rules (BCRs) for data processors that took effect on 1 January 2013, is just one of the recent changes to EU privacy law that need immediate attention, even if the business is not EU based.
This week many stakeholders are meeting in Washington DC to take part in a major conference (as is your author) on such issues and it will be interesting to see if the feedback from industry sessions makes its way into deliberations and further fine tuning of the proposed new Regulation. Some further twists and turns are likely but the core new elements will almost certainly not be going away. What is certain is that companies cannot assume they are fully on top of what is arguably the fastest moving area of the law currently. A review of where the business is now and identification of what needs addressing is without doubt a current business imperative.
2013 began with a flurry of articles about companies insourcing work or rethinking their sourcing strategies. The reasons vary by company, but often include a perception that outsourcing has not delivered the cost savings, innovation or other value the companies had hoped to realize, particularly in information technology outsourcing (ITO). In contrast, we continue to see high levels of satisfaction among companies that have outsourced facilities management and other real estate functions. This makes us think the ITO industry might benefit from some of the best practices used in facilities management outsourcing (FMO) deals.
It has become more and more important for the ultimate customer to know that the relationships and interactions among these multiple parties are well-known, documented in clear and precise language, and reflected in binding agreements that can be enforced-if necessary-by the customer.
Bob Zahler suggests that customers should address OLAs before the RFP:
"Customers often fall into the process by first executing multiple outsourcing contracts, and only then recognizing that they need to coordinate and integrate activities across these various outsourcing contracts," says Zahler. "OLAs should not be used after-the-fact to document relationships that have just developed over time. Rather, OLAs should provide the roadmap for how those relationships should be established in the first instance."
When customers decide to outsource part of their operations there are many factors to be considered and decisions to be made over the course of the initiative. Getting to the "right price" is obviously one of the key objectives in any outsourcing transaction. Nobody wants to pay too much for a particular service and, while it might seem nice at first blush, nobody really wants to pay substantially below market price for a service because of the problems that will ensue later in the relationship. However, once the right price has been determined, then a decision must be made as to how to structure the payment of this right price.
A recent special report in The Economist focused on the general state of the offshore outsourcing industry, with a particular focus on the emerging trend of companies relocating the performance of IT services from offshore locations to locations closer to home in the United States (known as "re-sourcing"). The report cites a number of reasons for this trend, such as rising wages in offshore locations, performance issues with offshore service providers, and the inherent challenges posed by the distance between a U.S.-based customer and the offshore service provider. The Economist isn't the only one to take notice; a recent article on CIO.com cited a number of similar factors contributing to the new attraction of keeping outsourced resources stateside.
The Economist notes that 67% of American and European outsourcing contracts have some element of offshore outsourcing, so most customers with any sort of outsourcing agreement are affected by the changing landscape of the offshore outsourcing industry. However, deciding to move services back from an offshore location isn't as simple as flipping a switch (or sending a notice of termination). There are major risks in terminating and transitioning IT services, and a service provider that has been notified that its services are no longer required is hardly in a motivated position to help mitigate those risks.
Pillsbury Global Sourcing advises buyers on all aspects of outsourcing and complex technology acquisitions. We have architected and negotiated deals worth over a half a trillion dollars on behalf of Fortune 500 clients. Blog content taps the insight of our people based in London, New York, San Francisco, and Washington, DC.