The Risks of Outsourcing IT

Magazine: Spring 1996Research Feature April 15, 1996 Reading Time: 24 min

While outsourcing IT has been a trend in the 1990s, it is not a new phenomenon. For example, systems development has been sourced from outside through application packages or software houses for many years. Large facilities management contracts in the late 1980s signaled a timely convergence of supply and demand factors. On the one hand, major vendors offered facilities management and other outsourcing services. On the other hand, managers who were tired of IS budget growth year after year and sometimes elusive business benefits saw an opportunity to cut IT costs, downsize the IS function, and do to IT what they were doing in other parts of the business subcontract. The announcement of two seemingly revolutionary outsourcing contracts at Eastman Kodak and at General Dynamics may have given business the confidence to take on IT outsourcing on an ever-widening scale, and the issue was established on corporate agendas.1 The objectives of outsourcing are cost cutting; a desire to focus on the business, not on IT (or on core systems, not on the total application portfolio); or subcontracting responsibilities for operating and maintaining legacy systems. Whatever the objective, the possibility of outsourcing tends to generate strong emotions among both IS professionals and general managers. Thus research on the myths and realities of outsourcing has been followed by how to do it literature that aims to help companies implement outsourcing, not only in managing contracts and relationships sensibly but also in how to select sourcing options.2 These prescriptions help both the companies that are bold protagonists of IT outsourcing and those that think they have to do some outsourcing and would appreciate guidelines on being selective. There is currently a trend toward selective or smart sourcing and a recognition of alternative sourcing strategies, whatever the objective. Figure 1 offers a typical analytical framework to aid in these decisions, in which the guiding parameters are the business value of a technology or application and the operational performance of the associated service. The framework suggests, for example, that outsourcing of information systems central to business strategy may be a dangerous diversion, especially if IT operations are already efficient. Insourcing in this situation is preferred. If business value is high but operational performance is weak, then market testing (or benchmarking) might make sense, at least so a company can see what performance improvement might be possible by either internal or external sourcing. However, if operational performance is weak and the business value of the particular technology or application is low, then outsourcing is a more obvious route to improvement. Finally, smart sourcing might be a way to simplify the IT domain when elements of it are satisfactory for operational performance but not central to business capability or strategy. Such arguments are intuitively appealing at an analytical and general level. The trouble is that they can be simplistic in practice. They do not account for the complexities that permeate the management of information resources. Several years ago, I suggested that

managers should ask themselves whether they should outsource IT services, just because it was a good question to ask, even if the answer was no.3 The question provided an acid test of the importance of a firms information systems and the performance of the IS function, the criteria underpinning Figure 1. While I am not retracting my conclusions, on the basis of experience (namely, discussions with both vendors and customers in Europe and North America), I now suggest that managers ask why does outsourcing make sense and why does it work. There are many risks that, in practice, indicate limits to outsourcing. Those who have outsourced have more regrets than they acknowledge and more anxieties about vendors than they care to confront. CIOs in firms that are currently on the cusp of deciding to outsource have confided apparently sound cautionary instincts, but momentum can be difficult to stop. Furthermore, frameworks for analysis like that in Figure 1, while highlighting different sourcing options, also give momentum to outsourcing because they imply that the marketplace has significant potential in the supply of IT services, albeit in different ways, whatever the difficulties involved. So I offer, unapologetically, a plea that CIOs and CEOs proceed with caution when they consider IT outsourcing. Indeed, I recommend that the IT sourcing question be rephrased to, Why should we not insource IT services?

Eleven Risks of Outsourcing

1. Possibility of Weak Management
If an IT service scores low on the operational performance dimension, a company will clearly be tempted to outsource it to a third party. This is true whether poor performance is real or imagined, or whether top managements views are rational or emotional. Yet let us consider the likely causes or context of poor performance. If cost or quality problems are due to inadequate economies of scale, outsourcing can make sense, although there may be internal solutions available through centralized rationalization. Collaborative joint information processing ventures with other similar companies are another option. However, whatever option a company adopts, there is still a need for capable IS executives who know how to manage IT operations so that they can be informed buyers and demanding customers. If the company selects outsourcing, the executives also have to know how to manage contracts and relationships with third parties. If the IT activity has been badly managed in the first place, will the IT managers be any better at managing an external provider? Indeed, does executive management want to give the benefits of improving an inefficient operation to the marketplace? In this situation, there are at least two possible responses. A company can (1) hire better IT managers or (2) turn around internal performance before subcontracting to the marketplace. These are sensible precautions and probably should precede any outsourcing based on dissatisfaction with operations.

However, once outsourcing has been initiated, managing IT operations on the outside is still far from easy. As a manager at one company well known for its IT outsourcing put it, There is always another hill to climb. If the third party is not necessarily better, a company has to enhance its management of vendor skills and placate users. If the third party chooses to change the way it provides the service with a different platform, location, or modus operandi the company has to learn about the new mechanisms in a domain that it thought it could ignore. If there are changes in the vendors personnel or organization, the company has to invest in building new partnerships and understanding how things are done in the new regime. In other words, to reduce initial risks in outsourcing, a company must be capable of managing the IT service first. Vendors may pull out at the first stage when they learn how weak the customers IT management is; they recognize that weak management is not an opportunity for profit taking but a recipe for conflict and dissatisfaction. If firms do outsource, they are likely to need to enhance their commercial and legal competences in the IT domain. In the long run, management tasks neither disappear nor remain static. Customers may eventually withdraw because managing outsourcing can be as difficult as, but more remote than, internal management.

2. Inexperienced Staff
One argument for outsourcing is that specialist IT companies are likely to have better IT specialists. While this might be true, relatively new IT services businesses do not necessarily have either the best expertise or solid experience. What is worse is that in facilities management contracts with even the most established IT service businesses, the customers staff may go work with the vendor. As one manager put it, All we did was transfer our weaker staff, and then we had to deal with them all over again. In retrospect, the company would have tried to avoid such an occurrence. Since some of the largest outsourcing contracts were initiated to transform a resistant and slack IS function, this risk becomes even starker. Even the boldest company would try to transfer some of its IT staff to the vendor to ensure some continuity of service and knowledge in the short run. But, again, would this appeal to its more able IT staff who more likely would prefer to find new, more reliable employees altogether? The biggest risk occurs, however, when a large out-sourcing contract is awarded to a major vendor. Head-hunters call their network of contacts with a frantic request for someone who can manage a large facility that has just been outsourced or anyone who has experience in managing contracts and can head up a rapidly growing outsourcing division. If the candidate is someone working for the company that has just decided to out-source which has occurred the chances are that he or she will be retained by the original company anyway, or will prefer to work for another user company where his or her experience is better suited. Shrewd personnel policies can help mitigate some of the risks at the time an outsourcing contract is signed. However, capable IT staff people are rare, and there is a chance that the customer company will want to keep them or that they will decide to go elsewhere.

3. Business Uncertainty
If a firm decides to outsource IT services because of costs or focus, it is assuming that its future direction and needs are clear. For example, the parent of a financing company that had suffered losses for the first time asked it to cut costs. The CEO saw IT as the businesss highest single cost center, and he outsourced as many IT services as possible to save costs. Once the business was profitable again, the CEO began to craft strategies for growth. He commented, Everything we planned to do depended on IT, and I realized that we had sold our most creative, relevant people and devalued the platform of our future electronic distribution channels. He had not just signed a long-term contract in an uncertain world, but had signed away a resource that would take a long time to replace. This CEO could be written off as dumb. Or perhaps such short-term actions were justified by the need to survive. However, when cost is the driver of outsourcing, or converting fixed costs to variable costs is the declared aim, it is likely that the company will sacrifice crucial competences or capabilities. One multinational corporation that has grown through acquisitions and successfully assimilated acquired IT operations not only achieved economies of scale by centralizing IT operations in-house but also improved the acquired companies IT management capabilities. The corporation is now under some pressure to outsource its IT, largely because it has become the trend. But because the acquisitions (or disposals) have continued and the business demands on IT will vary, the parent probably will decide on short-term outsourcing agreements or possible future amendments to the contract. The vendors will demand premium prices or penalty clauses for these privileges. Will IT outsourcing prejudice future returns from mergers and acquisitions by either delaying the delivery of synergy or handing some of the returns from IT rationalization to the marketplace? The IT marketplace, of course, may offer more variety in services and suppliers than any one corporation can. Thus, unknown future business needs may, in principle, be satisfied when they arise. However, the above examples suggest that there may be longterm opportunity costs, which can increase with business uncertainty.

4. Outdated Technology Skills

When a company outsources an IT service to a third party, how can the company be sure that the vendors skills stay current? As one vendor put it, We have won some good business by taking over legacy systems. The trouble is we now have legacy IT skills, and our customers are sometimes technologically ahead of us. If cost reduction is the objective in an outsourcing deal, the hope is that the current cost base is reduced and that, over time, there are further cost reductions due to learning and technological change. Indeed, a company can build these improvements into the contract at the outset or negotiate them at annual reviews. However, if the vendors skills do not advance, the cost-reduction potential is lessened, and unless further market testing is done, target setting is suboptimal. The option then is to find another vendor. However, as one company recently discovered, alternative suppliers are rare, especially

for a large-scale contract. The market is immature, and the more that legacy systems are outsourced, the more the market will be frozen in old technology. If better focus is the objective, the customer may be willing to pay for future inefficiency. However, as several vendors have pointed out, customers often require cost reductions along with any other objective they first had in mind. The same can be true of companies whose original objective was to get rid of the legacy systems. A counterargument, of course, is that the market will correct itself; vendors will respond to market pressure or customers will invent alternative solutions. Unfortunately, the transitional phase will be uncomfortable.

5. Endemic Uncertainty
IT operations and development have always been inherently uncertain. Users are not sure of their needs, new technology is risky, business requirements change, and implementation is full of surprises. A systems project management regime that demands no changes to specifications and rigid time and budget controls can produce applications that do not achieve their full potential or can create user-specialist conflicts. Companies should avoid outsourcing contracts that are set in concrete. As a result, there is plenty of advice in the outsourcing literature to build in contract variation clauses, agree on annual reviews, sign short-term contracts, and so on if the vendors will agree. In reality, one-year reviews can involve costly annual contract amendments. Short-term contracts may attract cost premiums, and contract variation clauses may not foresee all the uncertainties. An executive at an airline that both supplies and buys services reflected on this dilemma: You can buy flexibility, but you have to pay for it. A U.S. food company discovered that the development of new systems was going to take longer than it expected, as business requirements were changing. It had outsourced the running of the legacy applications that the new systems were replacing. The food company approached the vendor to seek a nonpunitive revision of the contract. The vendors reply was the equivalent of caveat emptor, or we knew what we were signing, even if you didnt. Being willing to pay for flexibility may be better than specifying tight performance contracts with penalty clauses, followed by litigation. A lawyer in this field remarked that he was happy to take legal fees from clients who believed that IT was a game of certainty and discovered that it was not, but he would prefer to earn money by educating them. His first principle was that when they met contractual problems in IT, companies really should want to solve them, not sue the third party. Thus IT contracts of any sort should first agree on a process of conflict resolution and problem solution for the inevitable uncertainties. However, the more likely it is that uncertainties will materialize, the more a company might wish to control its own destiny.

6. Hidden Costs

When cost reduction is the objective of outsourcing, there is typically a promise of early cash flow benefits and long-term cost savings. Certainly, a company can compare vendor costs with current costs and build technology and learning curves into future cost schedules. Conversely, it may not know about future possible cost savings or foresee technological discontinuities. These issues are probably matters of judgment. There are two tendencies, however, that are of concern. First, companies underestimate the setup costs, including redeployment costs, relocation costs, and longer-thanexpected handoff or parallel running costs. One U.S. corporation recently asked its European division to provide for $700,000 of these costs in the first year. The local managers were not amused! Second, companies may underestimate management costs. A manager at one U.K. company that considers its outsourcing a success reports, We never anticipated the management resources and time and thus cost that we have had to put in. Perhaps fortunately, companies rarely record the costs of management.

7. Lack of Organizational Learning

Much learning about the capability of IT is experiential. Organizations tend to learn to manage IT by doing; they do not appreciate the challenges until they have experienced them. Since informed buyers of IT services have been providers of the particular service before, where will the informed buyers of tomorrows technologies come from, unless firms first insource future new technologies before they decide to source them from the marketplace? The organizational learning phenomenon, however, becomes more important in the applications domain. Management tends to learn the value of IT applications (or of an infrastructure) by using them and seeing further opportunities for development. Many so-called strategic information systems were discovered in an evolutionary fashion. For example, several airline reservation systems began as automation initiatives to save clerical costs before they were seen as stock optimization systems and electronic distribution channels.4 Thus the strategic scope of systems often emerges as users learn what is possible and as the business context and needs change. If a firm pursues the logic illustrated in Figure 1, it can write off the value of an application, classifying it as tactical, commodity, or low value today, only to discover that it becomes strategic, core, or high value tomorrow. This situation has occurred with the sales transaction systems in food and drink companies that were seen as essential but not special. These companies now tend to see the systems differently as they seek to outwit retailers with better and more current information and practice micromarketing techniques with deeply segmented data. Likewise, an airline reported that more of the information linkages it needed to build as it competes on knowledge were in segments of its infrastructure that it had previously classified as commodity, over which it had relaxed its control. Of course, there is no reason that a third party cannot operate, enhance, or rebuild an application that has been reclassified as strategic. However, in other areas of business,

responsibility for strategic assets is not so easily delegated to the marketplace. A company may seek to recover from such errors of judgment by shifting the contractual relationship with a vendor from a transactional contract to a more strategic partnership. Unfortunately, there is no guarantee that either party knows how to create or sustain such a relationship. Vendors in particular have suggested that strategic is customer shorthand for please share our uncertainties, but dont expect to be more involved in our plans or win better prices.

8. Loss of Innovative Capacity

In the long run, a company wants to maintain innovative capacity in IT because there will be new ways of providing IT services and of exploiting IT for the business. If the company has outsourced IT services and down-sized as well, its ability to innovate may be impaired. Innovation needs slack resources, organic and fluid organizational processes, and experimental and intrapreneurial competences all attributes that external sourcing does not guarantee. The following situation results: The CIO comments, We want innovation from our vendors and partners. The marketplace should be better at innovation and technology development than we are. We have been disappointed so far. The chief executive of one vendor responds quite openly, We didnt know that we had to innovate. We thought the deal was all about cost. We will have to think about how to rise to the challenge. While this situation does not prove that innovation cannot be bought, it suggests that partners have their limitations and that expectations must be properly managed. However, if others in the marketplace generate some innovative ideas, the vendors who could not innovate in the first place but who now have operational control of the IT resources may then have to implement the ideas. The web of relationships becomes complex. While such complications are not impossible to cope with, they raise management costs again, in particular, the search costs of innovation. (Search involves identifying people in the market with ideas and locating people who have the technological capability to translate an idea into an application and implement it.) The complex web of likely relationships within the marketplace also limits the opportunities for users who understand the business to interact with specialists who understand the technology on a continuing informal and formal basis. Outsourcing does not seem a good fit with some of the established processes of innovation.

9. Dangers of an Eternal Triangle

Some years ago when IT specialists and users could not understand each other, a few companies created a new role for intermediaries or interpreters between the two parties. Often called business analysts, client managers, or systems liaison officers, they sought in theory to understand user needs and convey them to the specialists, while representing the specialists concerns to the users. In practice, the liaison roles succeeded only in keeping the two communities apart and in creating more confusion.

In a major outsourcing program at one company, the remaining IT people act as conduits or consultants between the line managers and the vendors. The line managers say they cant speak directly to the vendors. The vendors say they cant get near the business people who matter. The solution to take out the middlemen may seem simple. Curiously, company managers often claim they want to work with people who belong to and understand their culture. The vendors say they must undertake another reskilling exercise, namely to teach their specialists more about business and building organizational relationships. At the same time, vendor personnel may be located in the clients organization for long periods in order to become accepted as members. Meanwhile, the remaining IT personnel are likely to rethink how they can add value and probably will hone up their skills in project management, teamwork, negotiation, and conflict resolution. Some organizations stand still in their IT evolution as this learning takes place. Outsourcing can recreate the eternal triangle for some time.

10. Technological Indivisibility

Outsourcing may be attractive and workable when it involves management of mature, legacy, or separate activities such as running data centers and corporate wide-area networks or commissioning separable application developments. Benchmarking, service-level agreements, efficiency incentives, annual reviews, and so on can help mitigate risks in these domains.5However, much of IT is not divisible or capable of ring-fencing. Current information systems, for example, are increasingly integrated or interconnected, and problems can occur at the interface of responsibility between different vendors or between the vendors domains and the customers domain. A contemporary and common outsourcing issue is the desktop, comprising personal computer service, software maintenance, local area networks, and user support. Corporations want to outsource this headache activity but are nervous not least because of obvious uncertainties about the direction and pace of change in hardware, operating systems, and applications. The desktop in a typical knowledge-based organization has a PC hardware platform (which may have PCs and Macintoshes). There are also the operating system platform (DOS, Windows, Windows 95, Mac OS, and so on) and common, shared, or local packages (word processing, spreadsheets, database, graphics, and so on). Behind these are probably a local area network and perhaps a corporate (and beyond) wide-area network. In front are personal knowledge-working tools and applications, perhaps interfacing with enterprise-level groupware. Previously, in data centers, arguments with vendors about responsibility when something went wrong were commonplace. Was the mainframe supplier, the disk supplier, the communications vendor, or the customer at fault? Translate this into the desktop environment and imagine the fault-blaming routines. More important, think about solving a user-support query. Where in the various components of desktop architecture does the problem lie? In the interface between the users highly knowledgespecific local application and the technology architecture, or in incompatible software

releases? Is it a local area network fault or a server problem? More particularly, does the new support person from the outsourcing supplier understand the problem well enough to sort it out quickly? It can be difficult to delineate the desktop and create sufficiently generic support skills and specific user-oriented capabilities, because there are too many interdependencies. One general manager observed that on a scale of one to ten, the IT utilities in his company rated at least nine in performance. On desktop service, the rating was three or four. Does his rating comment on the companys IS function, on the inherent complexity and indivisibility of the desktop, or on the very visible nature of distributed and enduser computing environments? If a third party who was brought in to take over desktop service could not cope, the levels of satisfaction would only decline further. Given the inevitable company-specific nature of the desktop domain, it is advisable to think twice about outsourcing in this and other such indivisible areas of IT. One knowledge-based organization learned this lesson from the marketplace. No vendor would bid for a contract to manage the desktop.

11. Fuzzy Focus

Outsourcing is essentially concerned with the supply side of IT. The marketplace in principle can provide IT operations, development, service, and training. It is not so able to provide acceptable, innovative application ideas, the challenging effort and commitment required in systems implementation, and the harvesting and delivery of IT benefits. Recently, I asked the managers of a large multinational corporation what their IT achievements had been in the past five years. They replied that they had downsized and outsourced. Certainly, there had been a clear need for cost cutting and IS performance improvement. Perhaps the corporation did not countenance investment in any visionary, transformational application of IT until the credibility of IS delivery was restored. However, when I asked what they had done that they were proud of in terms of achieving some degree of IT-enabled business change, they responded that they had built a new architecture in the process of outsourcing and downsizing. This might pay off, but after five years, it is neither evidence of, nor a recipe for, achieving sustainable business-added value or competitive advantage. A real problem, then, with outsourcing is that it concentrates on the how of IT, not on the what. It focuses on the supply side, not the demand side. And because it occupies substantial management resources and executive time, it can unwittingly become another form of denominator management rather than revenue creation not a prescription for long-term success.

Conclusion
These eleven risks of outsourcing do not occur in every sourcing decision. Conversely, they are not unusual or esoteric risks. Some can be avoided or reduced by implementing

my suggestions, by using the advice of recent managerial articles, or by carefully selecting sourcing. As corporate knowledge about IT outsourcing continues to advance, the strategy of selective or smart sourcing may become the norm. The common reasons for outsourcing IT services cost reduction, business focus, and subcontracting legacy systems remain sensible goals. However, if these eleven risks are real, even if not universal, then outsourcing looks very complex and uncertain. Are the benefits of outsourcing so great that the risks are worth managing? Or are the risks so manageable that the benefits are worth having a sort of risk/return trade-off? This logic could lead companies toward out-sourcing only the most commodity like, utility IT services, and toward adopting some mix of selective or smart sourcing. Risk-averse executives, however, might ask why they should not insource IT. Hard-won experience may suggest that risk aversion is attractive in the complex, uncertain world of IT services. This may especially be the case if effectiveness, business value, and the demand side are of equal or more interest than efficiency, cost cutting, and the supply side. Managing IT to achieve sustainable competitive advantage requires continuous energy in identifying and implementing innovative uses of IT without dissipating and diverting it on supply-side issues. A senior executive in a vendor company that had provided IT services to a major multinational for some years commented, They [the client] have become very good at managing the supply side but thats what were good at and its our business. The question is, has their effort been balanced in terms of creating shareholder value? The same logic perhaps underpinned the disappointment and dismay of a newly installed CEO when he asked his CIO, What is the IS function doing for the business right now? The CIO responded, We are very busy out-sourcing and trying to make it work. Drucker has observed that the important business results are on the outside, in the domains of markets and customers.6 The same applies to IT results. There are limits to the returns from investing in the domains of sourcing and vendors. A companys big gains are likely to come from concentrating on IT-enabled business transformation and, particularly, on focusing its IS executives attention on deploying IT to improve the businesss revenue.