A Clear Understanding of Outcome-Based Contracts?

It’s easy to hear a buzzword in the industry and make assumptions. However, what happens when those assumptions prove incorrect? And what happens when those assumptions are the bedrock on which a sourcing contract is being shaped and priced, and on which a customer/service provider relationship is developed?

I’ve heard it many times: “I don’t care how you do it – but we need the job done.” This can be a dangerous mindset if seeking to embark on an outcome-based project. If the customer is stating this, they have missed the point of an outcome-based agreement and should re-think their approach. If a service provider is on the other side of the table hearing that statement, they should challenge the customer’s approach and determine whether the customer has fully comprehended the level of work and commitment associated with the outcome-based approach.

Outcome-based contracting is not a tool by which customers can shift responsibility to their service providers and seek to avoid the effort and time associated with good governance and performance delivery. It is an operational model that requires a strong customer and service provider relationship, trust and a genuine sharing of risk and reward. If a customer misunderstands what outcome-based contracting is (and perhaps confuses it with output-based contracting as this statement suggests), the customer’s expectations are already misaligned with the service provider’s and what each party should be committing to.

Outcome-based models are by no means new to the sourcing world but now with a greater understanding and implementation of Artificial Intelligence (AI) at the customer side, they have grown again in popularity as we see a resurgence in customers demanding greater innovation and more cost-effective service, particularly in process-driven services such as finance and accounting.

But with potential for misunderstanding and customers confusing output for outcome, will we start to see an increase in issues arising from outcome-based contracts?

A true outcome-based model requires a considerable amount of strategic planning from the customer before engaging with service providers. A customer needs to be capable of introspective analysis to understand, develop and communicate its business values and strategic agenda. However, this flow of information will need to go both ways as the parties will need to determine whether they share the same business values and approach on which to base the relationship. While trust will be of utmost importance, this flow of communication should be subject to early contractual commitments of confidentiality. Both parties may want to share, at a high level, their business strategies and potentially confidential information about business projections and future aspirations. This should be done in a controlled and respectful manner, sharing only the information that will benefit the relationship, with the requisite protections in place.

Ultimately both parties need “buy in” from senior stakeholders and will need commitment from every level of the organisation before a strong working relationship can be established. All levels of the customer organisation have to want to work with a service provider as a strategic partner and see the benefit in the service provider helping them achieve their organisational goals. This is more than just the parties outlining and agreeing to certain contract outcomes. A strong and well developed business case should be circulated to ensure that internal alignment. In turn, the service provider has to want to align its business with the customer and trust that the customer will commit to a true risk and reward model.

Each party will need to invest in the process at an early stage. The customer will need to have the right resources available for its internal analysis and baseline of existing services. Both parties will need their project teams to invest time and effort in deal structuring and seeking to exclude external factors that may impact the measurable outcomes that the service provider is remunerated upon. Early investment of this type (on both sides) will be key to demonstrating commitment to the process and a successful, working contract. The time spent in the early stages of development of core principles, agreed measures and conducting due diligence means that there is a significant level of work done before the parties reach contractual negotiation. If customers are not capable or cannot spare the resource to take on these tasks, they would do well to consider using a consultant who understands the complexities of an outcome-based approach and who can assist with baselining the relevant existing services and create a true risk and reward program.

Although not yet at contracting phase, the work effort involved in this early stage of development should be documented and agreed to by the parties. In addition, the baselines from which the outcomes can be measured, the outcomes themselves and any risk factors that may adversely impact the service provider’s efforts should also be agreed on and clearly documented. Outcome measurements will involve negotiation and discussion between the parties. Each measurement should be capable of being objectively monitored rather than an internal metric understood by only one of the parties.

Strong governance is key in most (if not all) sourcing relationships, but it is even more important when working on an outcome-based model. Governance structures should be developed early in the relationship and be robust, with the ability to flex over time in line with the needs of the relationship and of both the customer’s and the service provider’s businesses. It is of paramount importance that the parties – at all levels of the relationship – adhere to the agreed structure. As with all sourcing models, if one party deviates from the model, the relationship is strained and trust is lost.

The parties will need to trust each other sufficiently to afford a greater level of transparency than is customary with other contractual models. If a party experiences changes in its interests, business strategies or demands, it is important that this information be shared in sufficient detail to allow the parties to address what changes may need to be made, whether that should cause a re-baselining or a change in measurable business outcome. These will be difficult to legislate for at the outset but the contract should afford the parties sufficient flexibility to ensure the ongoing success of the contract for both parties.

Some may feel an outcome-based contract implies a greater level of understanding and more sophisticated level of contracting between customer and service provider. However, more simplistically it involves good planning, a clear demand from the customer for increased innovation and cost savings and a genuine alignment of the service provider’s and customer’s interests. Outcome-based contracting is not suitable for all services but for business processes the model is a joint endeavour that rests on the strength of the relationship and an honest and open sharing of information and risk and reward.

Source: futureofsourcing.com-A Clear Understanding of Outcome-Based Contracts?

How to integrate disruptive technologies into IT outsourcing contracts

An incumbent IT service provider may be a good option for implementing new technology solutions, but you should take these four steps to most effectively integrate disruptive technologies into your existing outsourcing deals.

In the era of digital disruption, the ability to successfully implement new technologies such as mobility, big data and analytics systems, cloud computing options, or robotics for competitive advantage is critical. In some cases, going to an existing IT service provider may not be the best way to do so. However, in many cases, there are advantages to working with an incumbent supplier. Doing so may enable IT outsourcing customers to leverage existing contractual commitments and terms to accelerate the contracting process.

Business and IT leaders may want a trusted partner to manage their entire technology environment. By expanding the scope of an existing deal, the customer can retain integrated performance standards and service levels for the entire environment and maintain streamlined governance processes. It also may be a way to minimize any transition or termination costs.

The challenges of integrating disruptive tech into an existing contract

However, the integration of disruptive technologies into an existing sourcing arrangement can present a number of new challenges, says Linda Rhodes, partner in the Washington, D.C. office of law firm Mayer Brown. “The contractual rights and protections available to the client in important areas — such as control rights, approval rights, audit rights, intellectual property ownership rights and post-termination rights—are likely to be different in many respects,” Rhodes says.

“The pricing models used for disruptive technologies, such as cloud, everything-as-a-service and autonomics or robotics, are also likely to be very different.” What’s more, the existing IT service provider may have to rely on a subcontractor to deliver some of these capabilities.

In addition, there are potential issues common to expanding the scope of any IT outsourcing contract. There may be transition charges to consider. “Moving to a new technology solution will require transition work, including designing the new solution, developing a detailed transition plan, determining the road map for the migration, and migrating to the new technology,” Rhodes says. “Implementing new tools, including reporting tools and processes, may also be necessary.” Customers must build such additional costs into their business cases.

Moving to a new technology solution could result in the termination of all or part of the existing agreement for convenience or trigger minimum commitments, resulting in continued payment of minimum charges or termination charges. “Working in the context of your existing contract, you may have leverage to negotiate around certain termination charges,” says Daniel Masur, Partner-in-Charge of Mayer Brown’s Washington, D.C. office and a leader of its business and technology sourcing practice. “But certain termination charges, such as stranded costs, may not be negotiable.”

Stranded costs can include equipment that becomes irrelevant. “If the client owns or leases the equipment, it is likely to have equipment that is not at end-of-term or end-of-life at the time of migration to the new solution,” Masur says. “If the provider owns the equipment, then the provider will have stranded costs and want to pass those costs onto the client through termination charges.”

Similarly, there may be third-party maintenance contracts that will have to be ended with their own associated termination fees. In addition, the outsourcing client may have leased space that is no longer needed with the new technology solution. That, too, must be factored into business cases and planning.

Steps IT outsourcing customers can take to integrate disruptive tech

First and foremost, clients should define the optimum process from the beginning. “Do not feel constrained to link the negotiations with contract renewal,” Masur says. “Instead, be driven by the objectives and requirements of the business.” Companies should also define the role of the incumbent outsourcing provider in this process.

Secondly, companies should perform a detailed cost-benefit analysis. This evaluation “may be more complicated than the cost-benefit analysis associated with traditional transactions,” says Masur. “Often, the impetus for the new technology solution is more than just cost savings. The anticipated benefits may include improvement in time to deploy, end-user productivity, speed to market, cost of inventory, marketing effectiveness, customer renewal rates, and so on.”

Third, outsourcing customers should not underestimate the change management challenges and considerations. The company’s employees must be willing and able to adopt these new technologies and processes in order to extract their intended value. “Be honest regarding your organization’s willingness to embrace change, relinquish control, accept a vanilla one-to-many solution and forego customization,” Masur advises.

Finally, clients should create and maintain negotiating leverage throughout the process. To that end, “it is important to create deadlines and a sense of urgency and to maintain the specter of competition,” Masur says. “Be sure you understand what the supplier wants out of the process and build that into your strategy.”

Source: Cio.com-How to integrate disruptive technologies into IT outsourcing contracts

How to build cybersecurity into outsourcing contracts

IT outsourcing customers must take greater care in building cyber-risk protection into their IT services and cloud computing deals.

Any time a company shares data or provides access to third parties, it increases its vulnerability to unauthorized access or breach. So in today’s IT environment, in which enterprises partner with multiple IT service providers, who in turn may have multiple subcontractors, cyber risks increase exponentially.

“Customer data and systems are only as secure as the weakest link in the vendor ecosystem,” says Paul Roy, a partner in the business and technology sourcing practice of Mayer Brown. “The risks for customers are twofold: not only does the customer increase its risk of a data breach, it also increases the risk that it will be in breach of its regulatory or contractual obligations if its vendors fail to comply with such obligations.”


CIO.com talked to Roy and Lei Shen, senior associate in the cybersecurity and data privacy practice at Mayer Brown, about the potential impact of security incidents arising from IT outsourcing or cloud computing engagements, the shortcomings of cloud computing contracts with regard to customer cyber risk protection, the key contractual provisions for mitigating these risks in an evolving regulatory landscape, and the importance of ongoing review in this rapidly changing area.

CIO.com: What are the potential consequences of cyber security failures with third parties, like IT service providers and cloud computing vendors?

Paul Roy, partner, Mayer Brown: The consequences of a cybersecurity failure can be substantial. They include the expense of remediation and notification, damage to the brand, loss of sales, management disruption, regulatory sanctions, shareholder derivative suits and other lawsuits, and other collateral damages. The customer remains ultimately responsible for these risks, even if its vendor was the source of the security failure.

CIO.com: Is cyber risk adequately covered in standard outsourcing or cloud contracts?

Lei Shen, senior associate, Mayer Brown: To adequately cover cybersecurity risks, the standard outsourcing contract has to include clear technical and legal compliance requirements and the right for the customer to monitor and otherwise verify the vendor’s compliance with such requirements.

To align incentives, the contract should make the vendor liable for the costs of breaches that it or its subcontractors cause, including the costs of notification, remediation, fines and similar costs. Well-crafted standard outsourcing agreements should contain these types of protections. However, the contractual protections are only adequate when combined with effective oversight and enforcement by the customer.

The adequacy of cloud contracts to protect against cyber risk is more complicated. On the one hand, a cloud service can inspire customer confidence in a cloud vendor’s well-established and hardened security. On the other hand, cloud contracts often fall short of a customer’s compliance requirements for sensitive data, particularly if the customer is in a regulated industry.

Customers must perform a gap analysis between the vendor’s offering and the customer’s requirements to identify gaps and determine whether they can be covered by either party. In addition, narrow limitations of liability—frequent in cloud contracts—can warp the incentives for protection against cyber risk. While there has been a significant growth among sophisticated cloud vendors who are able to address their customers’ data protection and compliance requirements, there is still substantial variation among cloud vendors’ ability to adequately address such requirements.

CIO.com: What are the key contractual provisions for mitigating these risks?

Roy: The key contractual provisions to mitigate cyber risk are: (1) the security standards required of the vendor; (2) restrictions on subcontracting; (3) employee related protections, such as background checks and training; (4) security testing; (5) security audits; (6) security incident reporting and investigation; (7) data retention and use restrictions; (8) customer data access rights; and (9) vendor liability for cyber incidents.

Many of these contractual protections come with limitations. Since vendors must maintain consistent internal security standards, especially in a cloud setting, they may have limited ability to customize such standards to meet a customer’s unique requirements. However, the key for customers should be the adequacy of the protection, not the specific means for achieving that protection.

Cloud contracts typically include additional limitations on these types of provisions. For example, in a standard outsourcing agreement, the customer typically has the right to approve subcontractors, whereas cloud vendors have pre-existing subcontractors that are subject to change without customer approval. The key protections for customers in that circumstance are the assurances that security provisions are flowed down to subcontractors and that the customer has the right to periodically obtain a list of those subcontractors, especially if such a list is required by applicable privacy laws. Similarly, a standard outsourcing agreement often contains the right for the customer to conduct security audits, but cloud vendors typically do not permit physical audits of their facilities. The absence of this right can typically be satisfied by third party compliance audit and certifications.

One aspect of cloud contracts that is sometimes overlooked is the restriction on secondary uses of the data by the vendor, including aggregated or anonymized data. From a purely commercial standpoint, this secondary use right can mean substantial value to the vendor and corresponding loss of value to the customer. From a cybersecurity standpoint, any retention of data by the vendor risks re-identification of the data, thereby increasing the risk of security failures. In addition, a vendor’s retention of inadequately de-identified data may also run the risk of violating certain privacy laws.

CIO.com: What existing regulations around third-party cybersecurity risk should IT outsourcing customers understand?

Shen: There is a patchwork of regulations in the U.S. across industries and states. At the federal level, they include Gramm-Leach-Bliley, HIPAA, SEC requirements for public companies, and FTC requirements. In addition, some states, such as Massachusetts, have their own data protection requirements. The common thread of all of these laws is the requirement that companies take “reasonable and appropriate measures” to protect their data, including care in the selection and oversight of third party vendors.

The European Union has more consolidated and stricter privacy legislation that generally imposes higher standards of data protection than in the U.S. In addition, the new EU privacy regulations that were recently introduced impose additional limitations and much higher penalties for companies that fail to comply. Companies would be well advised to become informed of the upcoming changes in the EU data protection regulations. Many other countries outside of the EU, such as South Korea, also have strict requirements for data protections.

CIO.com: How can customers build flexibility into their contracts so that they remain protected in an evolving regulatory and cyber risk landscape?

Shen: The regulatory landscape has evolved and will continue to evolve for the foreseeable future. Outsourcing agreements should include a requirement that the vendor implement changes as needed to adapt to regulatory changes. Where these regulatory changes are specific to the customer, it is reasonable for the customer to be responsible for the incremental costs incurred by the vendor to adapt to those changes. If a cloud vendor refuses to commit to adapt to changes in a customer’s regulations, the customer should at least retain the option of exiting the arrangement.

Source: CIO-How to build cybersecurity into outsourcing contracts

What to consider when IT outsourcing contracts come up for renewal

Outsourcing contracts worth billions of pounds come up for renewal over the next few years – but unprecedented industry change complicates the CIO’s decision.

According to figures from ISG, if you just take into account IT outsourcing contracts worth over $5m a year, globally there are nearly 3,000, worth over $270bn (£175bn), coming up for renewal around the world in the next three years.

ISG figures show there are 1,400 deals in the Europe, Middle East and Africa (Emea) region, worth over $14bn, coming to an end before 2019.

In 2016 alone there are over 1,100 contracts – worth about $20bn – coming up for renewal around the world.

According to ISG, the likes of Accenture, Atos, BT, Capgemini, HP, IBM and TCS all have significant numbers of contracts coming to the end of term.

But what should a CIO or business leader be thinking about as a contract nears its conclusion? It is a great opportunity to shake things up and learn from past mistakes – but there is a lot of choice out there, which can make decisions more difficult.

A recent example of an organisation that shook up its IT outsourcing strategy when its contract came to an end is the Driver & Vehicle Licensing Agency (DVLA).

When its major “Partners Achieving Change Together” (Pact) IT outsourcing contract with IBM, Fujitsu and Concentrix – which had been running for 13 years – came up for renewal, the DVLA weighed up its options after outsourcing IT for about 30 years.

Newly appointed CEO Oliver Morley and his team looked at the fashionable tower and service integration and management (Siam) models, both increasingly common in the public sector. But in a matter of weeks he had decided to bring IT in house. The two-year move to in-house completed on 12 September 2015.

There are a lot more options available today than when many of the contracts coming up for renewal were signed, and a lot to consider. The DVLA case shows that nothing – including bringing IT back in-house – should be ruled out.

Technologies, models and consultants

As well as different models and contracts to consider, technology has shaken things up. Today increasing numbers of IT services are based in the cloud, which changes the nature of contracts and delivery. Then there is the automation software and artificial intelligence (AI) shaking up the IT outsourcing sector.

The increased pace of technology change and the speed at which consumers are changing their habits could also be a call for business consultancy. Businesses today are re-inventing themselves to fit the habits of the digital age. Choosing the right technology and services contracts to fit with a transforming business might be something CIOs will need support with: business and IT consultancies might have to enter the renewal equation.

Then there is globalisation to consider. Today CIOs have a number of choices in where to have services delivered from. It is no longer the case that India is the first choice, as there are locations throughout the world offering their own advantages.

When renewal time arrives

“When a contract comes to an end, the client firm gets an opportunity to do things differently,” said Ilan Oshri at the Centre for Global Sourcing and Services at Loughborough University’s School of Business and Economics.

Oshri said there are two questions organisations should ask themselves: “Are we going to renew and, if so, what will change in the new arrangement? And are we going to bring work back in house – and, if so, how are we going to do that?”

For the first question, he said the opportunity is to examine the latest models and technologies in the market.

“For the second question, bringing work back has become a real option for many firms, but there are still obstacles,” said Oshri.

“Firms should regularly assess their ability to re-integrate the service, be in a sound financial position to bear additional costs involved in bringing back the operations and an exit plan that ensures the transfer of knowledge from the supplier.”

Unprecedented change

Outsourcing consultant Jean-Louis Bravard – who was a CIO at JP Morgan and headed global financial services at IT services giant EDS in the past – said CIOs should think about outsourcing agreements all the time, and not just when they are coming to an end.

He said planning for change now might be more complicated than last time around, due to the level of change in the last five or 10 years. “The world has changed dramatically. So any contract signed even five years ago is fundamentally obsolete. And, to make matters worse, I think the rate of change is not about to drop in the next five years.”

Bravard said CIOs should organise their thoughts around certain themes.

He said the big US suppliers such as Hewlett-Packard (HP) and IBM are all trying to protect their business from in-sourcing and Indian players in IT, as well as more international suppliers in business process outsourcing (BPO).

Meanwhile, the advent of software robots will force major changes to IT and business process outsourcing. “The human consequence on employment is obvious but increasingly the CIO will have to become responsible for all production and interactions. Glitches will no longer be tolerated and fault tolerance and redundancy will be absolutely critical for all,” he said.

Bravard added that another major change in the last few years is how pay-as-you-go services have transformed. CIOs as well as suppliers must understand what this means to their businesses, he said. “Even internal solutions must be priced ‘by the drink’ and most often with a downward slope. This presents a huge challenge on pricing and funding for both users and suppliers.”

Mark Lewis, head of outsourcing at law firm Berwin Leighton Paisner, said that, as renewals approach, CIOs should be thinking strategically rather than tactically.

“First, strategically, how they can benefit from either renewing the current contract or going to the market potentially for a new provider or providers. The stress here is on strategic, rather than tactical, decision making,” he said. “It has been tempting for many CIOs to consider at a tactical level the disruption and cost of retendering, as well as taking the approach of ‘better the devil you know’.”

He said logic and market forces dictate a retendering exercise, and there is no reason not to include the incumbent. “There is the task of persuading the rest of the market that this is genuinely an open process and that the outcome isn’t a foregone conclusion.” Otherwise, he said, the most promising potential providers will be deterred from bidding.

Support your decision with action

He urges CIOs to ensure they have the right exit plans in place. “When outsourcing contracts near the end of term or are coming up to termination for whatever reason, one of the big – and more often than not – painful and too-late lessons learned by CIOs and their operational and contractual colleagues is that their exit plans and processes are not fit for purpose,” said Lewis.

If existing plans are not sufficient, the CIO will be forced into a corner, he said. “If plans are not fit for purpose, there is an understandable desire by CIOs and their other colleagues not to endure the pain of separation from the incumbent provider – unless the pain of separation is going to hurt less than staying with the incumbent.”

He said a robust exit plan should address the hardware and software assets used to provide the services at the time of transfer, and similarly third-party assets and contracts, people, operations libraries and manuals: “In other words, all the people, tangible and intangible assets and know-how necessary for an incoming provider to make sense of the services before or at transition.”

Then, he said, the exit plan needs to contain the necessary processes and actions for a smooth handover to an incoming provider.

Source: computerweekly-What to consider when IT outsourcing contracts come up for renewal