In previous blogs in September/October 2011 (Supplier Selection; Contract Negotiations; Relationship Management) I offered practical tips on how to manage and mitigate some of the risks that arise throughout the life cycle of a typical outsourcing. These risks may arise during the supplier selection process, in the course of contract negotiations or during the implementation and day to day operation of the outsourced services. In this final chapter on managing risks in outsourcing I will focus on exiting from an outsourcing contract.
The exit from an outsourcing deal gives rise to a variety of different risks for a customer, particularly an exit following termination due to the supplier's default or termination for convenience by the customer.
Common risks which you may face as a customer upon exiting an outsourcing contract include:
disruptions or discontinuity in the supply of the services to your organization,
significant and unplanned costs,
loss of critical assets, software, know-how or other intellectual property,
delays in the exit process,
damage to your reputation,
unauthorized disclosures of your organization's confidential or commercially sensitive information or data,
being locked into specific but inflexible exit arrangements,
loss of critical staff, and
poor or insufficient termination assistance being provided by the exiting supplier.
To the extent feasible, you should address these risks at the outset of the outsourcing. Exit planning should not be left until a termination is imminent, as suppliers will have little motivation or desire to be cooperative and agree to customer-favorable terms at that point, particularly if the relationship has deteriorated.
An effective pricing model is a foundational component for long-term success in an outsourcing relationship. Success or failure in a relationship can often be traced in part to the wisdom, or lack thereof, of the pricing model. A good pricing model will create predictability while serving to align interests, allocate risk, and manage expectations on both sides. A misguided one can foster mutual mistrust and lead to mismatched incentives, inefficiency, and unpredictable expenditures.
Given their importance to a successful outsourcing arrangement, it's no surprise that industry pricing models continue to evolve. Stephanie Overby recently wrote on CIO.com about 4 new IT outsourcing pricing models; these include gain-sharing, incentive-based, consumption-based, and shared risk-reward pricing. While the nomenclature for pricing models may have taken a while to catch up, these "new models" have been in practice in some form for a number of years and may be more aptly construed as evolutions of existing models.
Here's a quick run-through of a few of the traditional pricing models:
Fixed Price - In this model, the parties agree on a set of "base" services for which the customer pays a fixed amount, typically in monthly installments. The fee may be all-encompassing with respect to a particular function (e.g. application development), or it may correspond to a "baseline" figure for specific services (e.g. number of help-desk calls). The biggest challenge for this model is determining what is "in" and "out" of scope.
Rate-Based - In this model, the parties negotiate a per-unit rate for particular resources (e.g. maintenance hours). A rate-based contract usually includes a minimum usage requirement so that the vendor is guaranteed a certain level of income. Even with a minimum usage requirement, this model allows the customer to efficiently deal with fluctuating demand while still obtaining a volume discount.
Cost-Based - In this model, the customer pays the actual expenses incurred by the provider in supplying the services plus a negotiated profit percentage based on the total cost. The parties must agree beforehand which costs should or should not be passed on (e.g. expenses for maintenance are allowed, but expenses for training are not allowed). In addition, the customer will want to have some auditing rights to verify the accuracy of invoices.
These traditional models are often hybridized and now enhanced with new pricing mechanisms, such as those described by Ms. Overby. The driving force behind these evolutions is the desire of customers to maximize their leverage and assure that the vendor's interests are aligned as much as possible with their own. Whether implemented as an independent model or more likely in conjunction with one of the traditional models described above, gain-sharing, incentive-based, and shared risk-reward pricing all serve to promote the customer's interests by getting the vendor to play with more of its own skin in the game.
Back in 1999 Kevin Ashton, the British technology pioneer and cofounder of the Auto-ID Center at MIT (creators of the global standard system for radio-frequency identification (RFID)), coined the term "the Internet of Things" to describe "uniquely identifiable objects (things) and their virtual representations in an internet-like structure." Put simply, the Internet of Things refers to networks of everyday objects such as phones, cars and household appliances which are wirelessly connected to the internet through smart chips, and can collect and share data.
Now, well over a decade later, the European Commission has issued an online questionnaire which seeks views on the future regulation of the Internet of Things. The Commission sees both opportunity and threat from the exponential growth of interconnected networks, with 50 billion wirelessly connected devices predicted by 2020: "The Internet of Things holds the promise of significant progress in addressing global and societal challenges and to improve daily life. It is also a highly promising economic sector for sustainability, growth, innovation and employment. But it is likely to have a profound impact on society, in areas like privacy, security, ethics, and liability."
Predicting a future where everyday objects are linked, the Commission has started to gather views on how best to design and shape a regulatory framework which operates in an open manner, enabling a level playing field, whilst ensuring an adequate level of control over the connected devices gathering, processing and storing information. Views on privacy, safety and security, security of infrastructure, ethics, interoperability, governance and standards are sought. Responses to the questionnaire are requested by 12 July 2012. The Commission's recommendation on the Internet of Things is expected to be published by summer 2013.
India's recent demand for European Union designation as a data secure country (see our blog) has brought the issue into the spotlight. Here we take a closer look at those nations which have achieved EU recognition and the benefits of doing so.
Article 25.1 of the Data Protection Directive (in the UK enacted through the eighth principle of the Data Protection Act 1998) prohibits the transfer of personal data to a third country (i.e. a country or territory outside the EEA) unless that third country provides an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data. Several exceptions to this rule are available including, in particular, the use of the approved EC model clauses.
Data transfers to third countries can take place in many circumstances, such as where an EU-based business relocates functions to subsidiaries outside the EEA, establishes an offshore shared service centre which processes, for example, HR or payroll data, or where data is transferred for offshore processing as part of an outsourcing agreement with a third party supplier or as part of a hosting or cloud computing deal. The onus is on the data controller to ensure that it complies with the eighth data protection principle in relation to any cross-border transfer of personal data.
The European Commission has designated a small number of third countries as providing adequate protection. The European Commission publishes a list of its decisions on the adequacy of the protection of personal data in third countries, together with copies of the Commission Decision and the Article 29 Working Party Opinion on which each decision is based.
ZDNet blogger, Michael Krigsman, reported recently that nearly 70% of IT projects fail in some important way: An eye-popping number!
There can be endless debate on the actual failure rate of IT projects - the answer most likely depends on the criteria used to define "failure" - but a couple of points are clear:
An unacceptably large percentage of IT projects are not delivered on time or on budget or fail to produce the desired outcomes.
This is a chronic problem in the industry that has not materially abated over time despite extensive commentary describing "best practices" for reducing the incidence of failure.
Engaging an external supplier to perform an IT project, whether as part of a larger outsourcing or as a standalone initiative, adds a further layer of complexity. Not only does the customer need to focus on the internal challenges to achieving success (e.g., clear articulation of objectives / requirements, strong executive / project leadership, setting realistic expectations with users), it must integrate a third party - whose interests are not fully aligned with those of the customer - into the project.
Given the high failure rate of IT projects, customers are advised to spend the time required to negotiate contracts that provide appropriate protections against financial and contractual risks. While there are many elements that should be addressed, the following deserve special attention:
The topic of the day appears to be "big data," meaning the aggregation, mining, and analysis of data. Such data analytics helps determine customer profiles so that companies can tune their offerings and sell more of the right things to the right customers. As recently reported in the New York Times Magazine, Target, through the use of such analytics, was able to determine from her purchases that a teen was pregnant before her father knew she was pregnant. This allowed Target to adjust its coupon offers based on Target's knowledge of the buying practices of mothers-to-be. But at what cost do these analytics come?
Caribou Honig, writing on Forbes.com, makes a case "In Defense of Small Data" that collecting, storing, and processing mounds of data is costly and provides no more--and perhaps less--useful data than analyzing only the limited data set that really matters. In addition, storing this volume of data has its own direct costs.
And this is only half of the story . . . There are also legal costs and risks to big data.
With every item of data collected and retained, comes increased data privacy risk. Nearly every state and the District of Columbia has a data breach law that requires companies to take affirmative actions in conjunction with any release of personally identifiable information. The net result is that if information is improperly disclosed, a company can face huge financial and reputational risk. Any time a company collects more data, a company increases its risk of disclosure of personally identifiable information. This means that added security is required, additional insurance may be required, and there is still the risk of a disclosure. These problems are compounded in the international space where different countries have laws that are even more stringent than those in the US about how personally identifiable information can be used--particularly without the consent of the relevant individual.
According to a report in the Economic Times of India, the Indian government has demanded that the European Union designate it as a data secure country. The request came in the context of current bilateral free trade agreement negotiations. An Indian government official is reported as saying "Recognition as a data secure country is vital for India to ensure meaningful access in cross border supply." The official goes on to state that "we have made adequate changes in our domestic data protection laws to ensure high security of data that flows in."
Seasoned India-watchers may disagree. Traditionally India has had no dedicated privacy or data protection laws, with various statutory aspects scattered across a number of enactments, such as India's cyber law, the Information Technology Act 2000. In 2011, India finally enacted the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011 to implement parts of the Information Technology (Amendment) Act 2008. The 2011 Rules cover a subset of personal data (referred to as sensitive personal data, but unhelpfully the meaning of this term differs from that used in the Data Protection Directive) and lay down security practices and procedures that must be followed by organisations dealing with such sensitive personal data.
Transition Services Agreements (TSAs) have become common (and more complex) in corporate divestitures, mergers, and spin-offs due to the increasing operational complexity of the environments impacted by these transactions. And if M&A activity increases as expected, despite a slow start in 2012, these agreements will continue to play an important (but often undervalued) role in the success of the transaction (especially after the closing dust settles).
Transition services typically are provided by the seller to the buyer (or by the former parent to the spun-off enterprise) to ensure business continuity and interim operational support for the impacted business during a "transitional" period after closing. Transition services may also be required from the buyer or divested enterprise where, for example, commingled tools, operations, software products, and know-how need to be leveraged by the seller or former parent for some period of time. These "reverse" transition services are often overlooked.
In effect, transition services are a form of outsourcing where the processes that were previously handled internally are performed by the formerly affiliated enterprise during the transition period. Sounds simple, right? Isn't it just maintaining the status quo for a short time?
Not too long ago a major supplier asked us what we are seeing in the cloud space. We thought the interchange might be of interest to readers of the blog -- so here are some selected questions and our responses.
Since the start of the 112th Congress, there has been a heightened focus on cybersecurity. Congress has not passed new cybersecurity-related legislation since 2002, when the Federal Information Security Management Act was enacted. In 2011, the Obama Administration announced its cybersecurity proposal, and a number of bills are currently active in both the House and Senate that focus on different aspects of cybersecurity and the mechanisms to protect private infrastructure and networks against cyber threats. One of the major philosophical differences between the various bills is which government entity should be responsible for cybersecurity - the Department of Homeland Security (DHS) or the National Security Agency (NSA). The Administration's proposal favors DHS over NSA.
The most widely supported proposal is the bipartisan Cybersecurity Act of 2012 sponsored by Sens. Joe Lieberman (I-Conn) and Susan Collins (R-Maine). The hallmark of this Bill is the requirement that companies notify DHS of intrusions into their networks and the creation of mandatory compliance with industry specific cybersecurity standards. Senator John McCain (R-AZ) has a competing bill in the Senate, the Secure IT Act (S.2151), that focuses on self-regulation by the private sector rather than imposing government standards.
Ultimately, it seems unlikely that any major cybersecurity legislation will pass during this session of Congress given the current election cycle. However, the recent activity on the Hill highlights to private industry areas where significant cyber improvements are warranted. Information sharing between government and the private sector, as well as compliance with certain baseline security standards for privately held infrastructure, are perhaps the most prominent topics. The potential for legislation, on top of existing requirements like the SEC's cybersecurity disclosure guidance, demonstrates that for private industry, focusing on only the technical aspects of cybersecurity is likely to be insufficient. Companies will need to understand the evolving legislative and regulatory requirements with which they must comply and build compliance into their operations.
In 2009, the EU issued Directive 2009/136/EC of the European Parliament. The Directive concerns the 'regulatory framework for electronic communications networks' and includes what has come to be known as the "EU Cookie Rule"; the part concerning the use of cookies is just a small part of the whole Directive. Other articles of the Directive cover accessibility for disabled users, provision of public telephones, and the universality of affordable internet connections at a reasonable connection speed.
All EU Member States were to have implemented new laws to comply with the Cookie Rule by May 26, 2011, but not all have. In the case of the UK, the Directive was implemented and the government immediately suspended enforcement for 12 months to provide organizations with time to comply. We're now about 10 weeks from May 26, 2012, when websites selling goods or services to individuals in the UK must comply with the UK implementation of the Cookie Rule or face investigation by the Information Commissioner's Office with the potential for fines of up to £500,000.
After deciding recently that peeking cautiously at quarterly brokerage statements might not be the best investment strategy, I can now say that while I've been sleeping at the investing switch for the last couple of years, innovation has been working overtime.
Having scoffed for a while at what "good paying green jobs" might have meant, it didn't take a lot of poking around in the battery, fuel cell, natural gas and chemical industries, to paint a more vivid and alluring picture. As an investor waking up from a long hibernation, I only wish this was a party where I had shown up unfashionably early.
Despite most of us having spent the last few years of the economic meltdown hunkered down, reducing our expenses and keeping a low profile, there have been some brave souls that have been hard at work reinventing how the world might work in this century.
Take for instance a company that calls itself a mobile application studio - Chaotic Moon. It takes guts (and success) for them to promote their services by saying they're smarter than you, they're more creative than you and they can make you more money. While I'm not personally interested in brainwave controlled skateboards, I was very interested to read what Wired, PCWorld and GeekWire (hey, an investor has to seek high and low for good opportunities) had to say about them helping Whole Foods develop the shopping cart of the future.
Do I really need a shopping cart that follows me down the aisles? I wouldn't have thought so, but given the skinny aisles in my local grocery store and the added benefit of not having to worry about circumnavigating stock boys, small children and those whose only job appears to be getting in everyone else's way, maybe my visceral reaction was all wrong. Add in the bonus of not having to correct for wheels that inevitably pull to the side or having to apologize for smacking my cart directly into someone while I'm busy scanning the shelves for some product that I'm too embarrassed to ask where it's located, and grocery shopping begins to look more like toy shopping from a kid's perspective.
Think about it. Self navigating, self powered, shopping carts that know where to find the items on your list, know what you've added, tell you if you've added the wrong item (say, frozen rather than fresh broccoli - without having to wait for your spouse to tell you after you've gotten home) and can perform the checkout without having to take everything out of the cart. That smells like the future is about to arrive.
So what's involved? I guess we'll all have to wait until MJ from iFixit gracefully performs the official teardown, but in the meantime, it appears the Smarter Cart consists of a basic shopping cart that's been modded to include a Windows 8 tablet, Kinect sensor, barcode scanner, battery, motor, a whole lot of software (locally and in a cloud or two) and a speech-based interface like Apple's Siri, that hopefully won't make too many smart remarks about my food choices or mock me with synthesized tsk-tsk noises.
Will it work? Maybe. Others have tried aspects of this before. Like IBM's Shopping Buddy.
What I like about it as a consumer is the chance to improve the grocery shopping experience. What I like about it as an investor is the knowledge that innovation is still alive and kicking all over, not just at 1 Infinite Loop. What I like about it as an outsourcing advisor is that it seems like things are about to get really interesting.
Given how busy the privacy world has been recently, we thought we'd take this "extra day" to catch up on some of the bigger recent developments:
The White House unveiled its Framework for Protecting Privacy and Promoting Innovation in the Global Digital Economy (see the White House "Fact Sheet" on the proposal here). The Framework contains five key elements: a "Consumer Privacy Bill of Rights" (CPBoR); a "stakeholder-driven" process to specify how the principles in the CPBoR apply in particular business contexts; stronger enforcement by the FTC and state Attorneys General; a commitment to increase interoperability between the US privacy framework and those of the international partners of the United States; and various proposals and recommendations for data privacy legislation, including a call for a national standard for security breach notification.
Google was accused of circumventing privacy protections in the Safari and Internet Explorer browsers, and the fallout continued from Google's announcement of its new harmonized privacy policy in advance of its March 1 implementation.
The California Attorney General announced its agreement with the largest mobile app providers (Google, Facebook, Hewlett Packard, Research in Motion/Blackberry) under which these companies have committed to provide mobile app purchasers with access to a clear, conspicuous, privacy policy before they download an app from the relevant provider's site. At the same time, the mobile provider trade association GSMA announced a set of Privacy Design Guidelines for Mobile Application Development.
The 11th Circuit held that being forced to reveal the password for an encrypted drive would violate the 5th Amendment. This is the first time this issue has been considered at the Circuit Court level.
The last outstanding requirement of the 2010 Massachusetts Data Protection Law relates to third-party service provider compliance and will take effect on March 1, 2012.
Section 17.03(2)(f)(2) of the Law mandates that entities holding Massachusetts residents' personal information require their third-party service providers to contractually commit to implementing and maintaining security measures for personal information. The Law defines a service provider as
"any person that receives, stores, maintains, processes, or otherwise is permitted access to personal information through its provision of services directly to a person that is subject to [the Massachusetts] regulation."
Companies subject to the Law should validate that any agreements with service providers that fall within this definition address the Massachusetts requirements, and any gaps in contract language should be immediately corrected.
As a matter of good information security practice, contracts with service providers should also include: (i) security audit rights, (ii) terms requiring that the service provider immediately notify the contracting partner of any data breach, and (iii) language requiring that all personal information be returned or destroyed upon the termination of the contract.
For additional background on the Massachusetts Data Protection Law see here.
Enterprises that undertake serial M&A or outsourcing activity can find themselves with a diverse workforce with differences in pay and other terms and conditions of employment applying to different categories of employees across the business. This can lead to inefficiencies such as the cost of administering different benefit plans as well as dissatisfaction amongst groups of employees who consider themselves to be, rightly or wrongly, worse off than their colleagues. For this reason, we are often asked to help with developing and implementing plans designed to harmonise terms and conditions of employment across a client's business.
Each harmonisation plan must be carefully considered. In the UK it has always been challenging for an employer to make changes to an employee's terms and conditions of employment, particularly where an employee transfers pursuant to the Transfer of Undertakings (Protection of Employment) Regulations ("TUPE Regulations"). (Similar laws apply across the European Community, although there can be marked differences.) This can be frustrating for an employer trying to integrate newly transferred employees into its existing workforce - because managing employees on different terms can often lead to issues in the workplace - and employers also need to provide a pay and benefits system which is not unlawfully discriminatory.
May 16, 2012: Managing Risks in Outsourcing during Exit