The cloud, long-term value, an employee-owned devices are challenging HR executives.
By Chris Ford and Alistair Maughan
As with last year, Morrison & Foerster’s global sourcing group lawyers in Asia, Europe, and the United States have been surveyed to create a snapshot of the current state of the global outsourcing market and to identify emerging trends that are likely to shape that market over the next 12 months. In this year’s update, the group of lawyers comment on the challenges of cloud-based outsourcing, driving long-term value in engagements, and vendor profitability, as well as the impact of such factors as cross-border deals, growing regulation, and the proliferation of employee-owned technology in the workplace.
As cloud computing changes the economics of the entire IT industry, it is also becoming more prominent in the outsourcing sector. According to ISG, a leading sourcing advisory firm, some 300 IT outsourcing contracts included cloud platforms in 2012, up from 220 in 2011 and 110 in 2010. In addition, ISG reports that the majority of surveyed vendors expect cloud services to grow faster than traditional IT outsourcing.
The potential benefits of cloud-based outsourcing are clear, but there are a number of issues that complicate this shift. Continued growth is inevitable; the potential scale of that growth will be tempered as vendors and customers work through the issues.
In the past few years, a great deal of attention has been paid
to the growth of public cloud vendors. Public clouds offer economies of scale by providing services to a broad range of customers on the same infrastructure, as opposed to private cloud platforms, where a company has internal or external cloud resources dedicated to its needs. In the last year or so, more organizations have overcome their initial reservations about public cloud services and moved portions of their data and functions to such providers. The reason: public cloud providers offer low costs and relative ease in getting started.
Private or hybrid cloud solutions offer a potential alternative, and for noncommodity solutions, such approaches are being constructed by providers and taken up by customers with some regularity. Often, however, adopting organizations need to team with an experienced partner in order to integrate cloud solutions into their environment.
Many companies struggle with the tactical complexities of moving from their current sourcing arrangements to new cloud- based arrangements. “A big question for many is how to adopt cloud and even Big Data solutions into their existing outsourcing contracts,” says Spencer Izard, a research manager at IDC, a market intelligence and advisory firm. “A company may have its information and communication technologies (ICT) handled by five different outsourcers, with each contract in a different stage and with different nuances regarding services and the ability to move to new technologies.”
Aligning those agreements to enable a coordinated shift to the cloud “is a major challenge for a lot of people,” he adds.
The strategic shift in the outsourcing market, therefore, has been to commingle cloud- and non-cloud-based sourcing options. The challenge has been to create a successful cloud/ non-cloud cocktail while avoiding the inherent pitfalls.
More broadly, companies are starting to run into some fundamental realities that make public cloud services more problematic than traditional arrangements. Public cloud outsourcing works because it is a commodity offering, which allows the provider to offer a very economical service, but typically allows for little or no customization of contract terms. Factors such as security, access to data, availability, business continuity, and so forth are usually not negotiable. Or, if they are, the customizations drive up the price,
which cuts into cost advantages. Companies need to consider the trade-off between costs and the flexibility of the terms that govern the public cloud service.
There are other areas where these types of cloud-based outsourcing arrangements can increase a company’s risk profile. For example, cloud providers might store data in various locations in different countries and, over time, move it to new locations to get the most cost-effective service—without the customer company knowing where its data is kept. This can have significant data privacy implications, and could cause companies to inadvertently run afoul of laws that require them to know where their data is and restrict the movement of personal data across borders.
The issue of data privacy in the cloud is serious enough that
in early 2012 the European Union published an opinion paper noting that “the wide-scale deployment of cloud computing services can trigger a number of data protection risks, mainly
a lack of control over personal data as well as insufficient information with regard to how, where, and by whom the data is being processed/sub-processed.”
Such concerns have been echoed in the U.S. Last year a group
of federal agencies expressed concern over security and data integrity in cloud environments, noting that “a financial institution’s ability to assess compliance may be more complex and difficult in an environment where the cloud computing service provider processes and stores data overseas or commingles the financial institution’s data with data from other customers.”
In general, many cloud agreements provide little in the way of assurances about data privacy. The customer may have almost no control over how its outsourced data is managed, but because it collected the information in the first place it is still legally responsible for that data.
None of this is to say that such issues will stop the move to cloud-based outsourcing or that companies should avoid the practice. But outsourcing customers need to recognize not only what the cloud can do for them, but what it cannot do in terms of reducing risk and addressing compliance issues. Companies can consider strategies such as hybrid clouds, maintaining backups in-house, and encrypting data sent to the cloud. They need to perform thorough due diligence, carefully weigh the legal risks and business benefits involved, and determine how best to take advantage of the cloud.
Those decisions may become easier as the marketplace evolves and adapts. We now see some cloud outsourcing providers recognizing that large corporate customers—and especially companies in regulated sectors with heightened security concerns—will ultimately need more than the basic, one-size- fits-all agreement. These providers are exploring ways to set up their infrastructure and design their services to meet the needs of corporate customers and proactively offer more flexibility while still keeping costs down.
Similarly, we expect to see more vendors working to address data privacy issues in order to appeal to the corporate market. For example, rather than leaving it up to the customer to worry about legal compliance—an approach typical of public cloud providers—a vendor could offer assurances that its operations will keep personal information in certain countries and be in compliance with European Union data protection laws. The upside of cloud-based outsourcing is too powerful to ignore. Fortune 500 companies are interested in these services,
and vendors want to tap into that interest. We believe that marketplace realities will drive vendors to find new flexibility and data protection solutions—and the cloud will be a core ingredient in the outsourcing formula.
Sustaining Value Through Measurement
With two decades of outsourcing experience, vendors and
client companies have become adept at forging agreements that focus on value for money being spent. They have learned
to create contracts that balance cost benefits with broader business benefits such as innovation, transformation, and entry into new markets. But, too often, the focus is on initial value for money. Organizations have been less effective when it comes to establishing the kind of oversight and follow-through needed to ensure that the expected deal value is delivered and sustained over time.
Over the past year, however, we have been seeing more contract discussions where companies and vendors are taking steps
to drive and sustain results over time, throughout the life of
the engagement. The issue of sustained value is not new, of course, but perhaps as a legacy of the wave of outsourcing deal realignments during the recent global recession, organizations appear to be more conscious of looking for ways to continue the value-for-money promise.
In the past, signing a contract was considered an endpoint.
Now there is growing interest in establishing mechanisms
to monitor performance, make mid-course corrections, and continue to drive the delivery of value, even as conditions change. Previously, organizations might have put all their eggs in the benchmarking basket as a way to realign deals. But benchmarking can be costly and cumbersome, and too often requires agreement on results before implementation. Our experience is that “little and often” corrections offer a better approach to securing ongoing value than infrequent “big stick’’- type mechanisms.
Underlying the “little and often” approach is the need to establish governance processes that include regular discussions about performance gaps, changes in the business or technology environment, and improvements and innovations to enable
the continued delivery of business value. This means formally putting the tracking and pursuit of value on the governance agenda, rather than relying on the trajectory of the original agreement to achieve results.
With that in mind, some companies are rethinking the use of benchmarking in assessing results. Traditionally, contracts might call for a benchmarking exercise every two or three years to
see how performance measures against the company’s peers. The problem is that many things can change in a few years, and such assessments may come too late for a meaningful response to new conditions. And benchmarking can lead to lengthy discussions about data validity, rather than taking the actions needed to keep the operation on track to value.
As a result, companies and outsourcers are seeking ways to conduct smaller, more frequent performance measurements that allow them to make incremental adjustments as needs change. Gain-sharing agreements—in which vendors and customers
alike benefit from productivity improvements, cost reductions, increased revenue, etc.—are being used to keep both parties focused on value. Some agreements spell out how technology upgrades or process improvements will be triggered, or establish processes that incentivize the vendor to keep bringing best practices to the company’s operations.
We are seeing this renewed emphasis on sustaining value
across various industries—and in both IT and business process outsourcing deals. It is especially prominent in complex, transformation/innovation-focused engagements where business value extends beyond cost reductions and the ability to adapt and exploit new opportunities is especially key.
The search for sustained value is also prompting companies to look for greater flexibility in contract terms. These might cover how often and quickly personnel adjustments can be made,
the frequency of technology improvements, or even the ability to bring in another provider midway through a contract if performance is falling short. “In many of the deals I’ve worked with in the last year or 18 months, companies are trying to be immensely more flexible in terms of being able to switch on and switch off costs and services, with limited penalties,” says Julian Hamilton, the EMEA sourcing lead, IT & Telecoms, at Procurian.
Companies have long been interested in such flexibility, but that interest is now heightened by economic uncertainty and the need to deal with rapid change, as well as concerns over being locked into a vendor’s processes and technologies and being left behind. There’s a mindset change at work, Hamilton says. As on- demand cloud computing becomes more practical, “that kind of thinking about the cloud is spreading into perceptions of other outsourcing services,” he says.
Of course, not all vendors have come to such conclusions. “I am seeing that clients want flexibility, but suppliers don’t want them to have it,” Hamilton says. “So there are some struggles going on.” But there is a potential carrot for vendors in that picture. Recent years have seen a trend toward smaller, more narrowly focused outsourcing engagements. But if there is more flexibility in contract terms, customer companies might be more willing to sign up for longer-term deals.
The pursuit of value for money is leading some companies to reassess what they need from an outsourcing engagement. In the wake of the economic crash and the scramble to find cost savings, some companies have decided they did not need “gold- plated” service. That perspective seems to be sticking as the economic recovery moves forward, and it may be part of the value-for-money equation for the foreseeable future.
The BYOD Challenge
Companies today are seeing an influx of employee-owned smartphones, tablets, and laptops being used for work, in and out of the office. In response, many are embracing this bring- your-own device (BYOD) trend and encouraging employees to use their devices for company business. Others, however, view the risks as outweighing the benefits. Advocates see BYOD as a positive development that can help reduce technology costs and improve productivity. But the advent of BYOD is creating some significant challenges for IT—and companies and vendors should factor this reality into their IT outsourcing agreements.
In this environment, companies need to develop policies covering areas such as the privacy of employee communications and the ownership of IP developed on employee devices. There is considerable room for improvement here: according to the Ovum analyst firm, only about 20 percent of employees using their own devices at work have signed a company BYOD policy. Once a policy is in place, companies need to make sure that their outsourcing vendor can support it from a process and technology standpoint.
Data security typically requires special attention. Protecting against data breaches in a secure data center is difficult enough, and the challenge is vastly more complex in an environment where mobile, far-flung employees are using and sending company information.
What tools and technologies will the vendor use to ensure security? This is especially important for companies in regulated industries. However, the guidance from regulators on ensuring compliance with BYOD technology has not been clear to date (if, indeed, such guidance exists at all). As a result, companies and vendors need to be prepared to act quickly when firmer rules are eventually put in place.
Contracts also need to spell out how a vendor will address
IT support in a BYOD era, where IT has less control over technology. How will it provide assistance for a variety of different devices, with new ones appearing all the time? How will it handle the various kinds and versions of software on employee devices?
Finally, companies need to determine how a vendor will support the need for discovery in the event of litigation. The BYOD era brings complex challenges to IT. Managing information and technology in this environment will require new tools—and with IT as their core business, outsourcing vendors may be in better position to find the best fit and apply those tools.
Chris Ford is the chair of Morrison & Foerster’s firm global sourcing group and Alistair Maughan is partner in the firm’s London office and co-chair
of the technology transactions group. The preceding was excerpted from the white paper Global Sourcing Trends in 2013 from Morrison & Foerster.