PART 1 – INTRODUCTION

Outsourcing refers to the transfer of a business activity or function from a client/customer to a local or foreign third party service provider. Examples of commonly outsourced activities include: IT services; delivery, logistics and distribution services; human resources services; sales and marketing services; procurement services; customer call centre services; and finance and accounting services. The decision to outsource is typically developed at senior levels of corporate management and is usually contemplated as part of a larger strategic initiative. Well-structured outsourcing arrangements should lead to a more efficient allocation of roles and responsibilities among the parties to the arrangement and, from a customer’s perspective, can bring a range of benefits. The recognized benefits of outsourcing include: increased efficiency (which can translate into an important competitive advantage), reduced risk associated with running effective IT departments, controlled costs (by releasing capital for investment in other areas such as revenue-producing activities), increased reach by providing access to world class capabilities that might otherwise not be affordable, better investments, and an improved focus on core business activities. Ultimately, outsourcing should serve to make companies more flexible and agile, ready to meet the challenges of doing business in an increasingly technological and competitive world, while providing cost savings and service level improvements.

According to a new survey from Duke University's Offshoring Research Network and PricewaterhouseCoopers (PwC), outsourcing providers around the world predict demand for their services will expand rapidly and are adding staff and investing in new services to meet that expected growth. The economic crisis of 2009 re-emphasized the importance of cost savings and efficiency improvements as the top strategic reasons for outsourcing, followed by access to qualified personnel. The survey found that 62% of service providers planned to expand the scale of their existing offerings and 70% of existing outsourcing arrangements were renewed in 2008. Unrealistic client expectations and the lack of a client outsourcing strategy were cited as the top reasons for contract terminations. [1]

Despite the advantages mentioned above, outsourcing does have a number of drawbacks. This includes access by the service provider to the company’s confidential information (including potentially personal information about customers and/or employees) which poses enhanced security risks. Furthermore, it can create difficulties in managing the service provider beyond those present when managing people and processes sited within the company, particularly over time, as re-badged employees move on to staff other service provider accounts.

Risks Specific To Offshore Outsourcing

When services are outsourced to offshore providers, a customer faces increased costs and risks compared to solutions involving on-shore resources. Offshore outsourcing, though potentially more cost-effective, may involve hidden costs including: a more expensive and lengthy step of vendor selection, a longer (3-12 month) timeframe to complete work handover to the offshore partner, severance and costs related to layoffs of local employees who will not be relocated internationally , turnover cost, and costs associated with addressing language and other communications or cultural differences. Lastly, managing the actual offshore relationship is also a major additional and sometimes unforeseen cost. Overall, a company may end up paying up to 50% more in front end costs than initially expected [2] and only achieve a cost savings of up to 15%-25% in the first year; well below the expected 35%-40% in savings, which will only be achieved in the third year of the agreement. [3]

An increase in front-end costs may cause the outsourcing organization to agree to lengthen the initial term of the agreement in order to generate the required financial benefits, which ultimately involves making a larger commitment and therefore increases risk. Aside from costs, other risks which must be considered when outsourcing to offshore companies include:

Data/Security Protection

While most IT organizations find offshore vendor security practices impressive (often exceeding internal practices), the risk of security breaches or compromised intellectual property (IP) rights is inherently raised when working internationally. Privacy concerns are addressable (see Part 3 below). On the IP front, some Indian courts have recently demonstrated a meaningful response to the problem of respect for and enforcement of IP rights in their respective countries by awarding punitive and exemplary damages in infringement cases.[4]

Process discipline

The Capability Maturity Model (CMM) becomes an important measure of a company’s readiness to adopt an offshore model. META Group observes that approximately 70% of client IT organizations are at CMM Level 1, whereas offshore vendors require a CMM Level 5 standardized and repeatable model. This disparity creates a gap that is usually compensated for by additional vendor resources on-site. [5] Companies lacking internal process model maturity will therefore find it challenging to realize upon the cost savings which should arise from the retention of an offshore service provider.

Loss of business knowledge

Companies must carefully assess business knowledge and determine if moving it to an offshore location will compromise the company’s ongoing ability to perform at the required levels.

Vendor failure to deliver

A common oversight for IT organizations lies in not implementing a contingency plan to deal with the risk that a vendor, for whatever reason, fails to deliver as expected. High risk or exposure might force the organization to unexpectedly alter its outsourcing strategy (i.e. from a single offshore vendor to multiple vendors).

Compliance with Government Oversight/Regulation

Utilities, financial services institutions, and healthcare organizations - among others - face various degrees of government oversight. The negotiating team advising this type of regulated entity must ensure that the selected offshore vendor is aware of and will be compliant with industry-specific requirements and that the vendor’s compliance will be demonstrable to, among others, all necessary auditors.

Culture

Cultural differences include religion, mode of dress, social activities and even the way a question is asked or answered. Although most leading vendors have cultural education programs, the challenges and costs associated with cultural alignment may not be insignificant or trivial.

Turnover of key personnel

Rapid growth among outsourcing vendors has created a dynamic labour market. Common turnover rate levels, especially in India, are in the 15-20% range. [6] A high turnover rate has an indirect impact on the client organization because it forces it to increase time spent on knowledge transfer and training new individuals. To address this concern, clients have recently tended to demand that contracts place a “liability” on the vendor for any personnel that must be replaced.

Productivity fluctuations

Most IT organizations experience a 20% decline in productivity during the first year of an agreement, largely due to time spent transferring both technical and business knowledge to the vendor.[7] Furthermore, the cost savings achieved from an offshore arrangement often come at the expense of personnel layoffs by the client organization. Layoffs can cause significant morale problems among the “in house” survivors, which may sometimes lead to dissatisfaction and work slowdowns.[8]

PART 2 – SOME SPECIFIC CONTRACTUAL CONSIDERATIONS

The following six points address common potential pitfalls and outline the main points to be considered.

Competitive Procurement

Potential Pitfall: A customer may enter into an agreement with a service provider that does not generate the expected benefits and/or undermines the bargaining position the customer will have during any renewal negotiations.

It is critical that the customer develop an accurate “baseline” of the process(es) or function(s) to be outsourced prior to entering into negotiations with the service provider. The baseline will establish important negotiation input data, such as the number and type of internal resources currently required to perform the function/process and the service levels then being experienced by the internal service recipients. Once acquired, these data will assist the parties in negotiating the appropriate deal parameters including pricing, service levels and the length of the initial term.

It is now the norm that outsourcing services providers are selected after robust “request for proposal” (RFP) processes have been followed, that RFP process having possibly been preceded by initial “request for information” (RFI) or “request for quotation” (RFQ) phases. For significant outsourcing transactions, it is now quite usual for the customer to enter into substantial negotiations with the top two bidders and to only make the final selection once further discussions have taken place and details uncovered via those negotiations.

Changes

Potential Pitfall: A service provider may become opportunistic in its pricing in the event that material changes to the relationship need to be introduced “mid-stream” during the initial term or any renewal term of the agreement (a likely occurrence given the usual lengthy duration of outsourcing arrangements). This risk is particularly present when, as a result of an over-reliance upon the competitive procurement process just discussed, the customer has aggressively negotiated down the profit margin accruing to the service provider pursuant to the agreement as initially negotiated.

One way for the customer to manage the risk of change-related costs subsequently undercutting the economic viability of the outsourcing arrangement, is to obtain the service provider’s promise to use commercially reasonable efforts to quote a fixed price for implementing any proposed change. In the event a fixed price cannot be quoted, the service provider shall quote the customer a charge for the proposed change which is equal to the service provider’s incremental direct cost of providing the change, plus a profit margin equal to a defined amount less than its annual operating margin as reported in its most recent annual report.

Benchmarking

Potential Pitfall: A service provider may not pass on the appropriate portion(s) of the cost reductions generated during the term of an agreement, such that the customer is subsequently placed at a relative competitive disadvantage.

In order to have a viable means for testing whether any promises made by the service provider have been adhered to and that the expected cost reductions have materialized and have been appropriately shared during the term of the agreement, the customer will often propose that benchmarking provisions also be included in the agreement.

Benchmarking provisions allow a customer to have a knowledgeable third party compare the service provider’s pricing with the pricing being offered to other customers operating under similar arrangements. The negotiation of benchmarking provisions can be challenging, as the service provider can be expected to resist the imposition of terms which are perceived by its negotiating team as materially enhancing the risk of an unfair clawback on the profitability of the arrangement, particularly since customer concerns about minimizing upfront transition costs generally result in outsourcing contracts that are “back-end loaded” (i.e. the service provider’s profits often only arise during the latter portion of the initial term and, of course, during any renewal terms). On the other hand, a customer would be leery to agree to provisions where the output of a time consuming and expensive benchmarking process is merely an opportunity to meet with service provider representatives to discuss the possibilities for reducing costs, and therefore pricing, under the agreement.

Service Levels

Potential Pitfall: A failure to adequately define the nature of the service expectations via the service level agreement (SLA) portion of the overall outsourcing agreement, and the initial monetary consequences in the event of failure(s) on the part of the service provider to meet those expectations, will increase the likelihood of disputes between the parties and leave the customer with inadequate means of incenting the service provider to meet its contractual commitments.

It is difficult to overstate the importance of negotiating a comprehensive and realistic SLA and, generally speaking, this portion of the negotiations tends to be both challenging and time consuming. The SLA negotiations should serve to shed light on many of the existing “grey areas” in the relationship and so it will likely also be time well spent during the formative period of the relationship. As the service provider can be expected to resist the imposition of SLA fee clawback regimes which allow customers to impose a “penalty” in the event of a breach of an SLA metric, in seeking to negotiate the SLA provisions the customer should be guided by the principle that it will pay 100% of the agreed to rate(s) for full service and a reasonable amount less for less than full service up to the defined point(s) where a customer termination right will arise. It is critical that the SLA also define the point at which poor service will give rise to a customer option to terminate the agreement “for cause” (i.e. without an obligation to pay termination fees) and it include a provision stating that termination rights not be subject to an additional cure period. This approach addresses the reality that termination tends not to be an attractive remedy for the customer in the event of poor service and thus should only be considered after less draconian options have been exhausted.

Disputes

Potential Pitfall: Not having an appropriate dispute resolution process.

As is the case with other sophisticated commercial contracts, outsourcing contracts usually include dispute resolution provisions. Such provisions can provide for an initial phase during which a dispute will be escalated up through a series of suitably constituted committees staffed by representatives of the parties. This is followed by a second more formal phase during which any dispute which remains unresolved at the conclusion of the initial phase becomes the subject of: (1) litigation; (2) mediation (a voluntary, non-adjudicative process in which the mediator assists the parties in negotiating a settlement); or (3) arbitration (arbitration can be considered as providing the function of a private judge and accordingly is an adjudicative option conducted before either a panel of one or three arbitrators). Another dispute resolution mechanism sometimes used is “last offer arbitration,” colloquially known as “baseball arbitration.” In this scenario, each party submits their last best offer to the arbitrator in advance of the hearing. This process is intended to promote the submission of reasonable offer proposals by the parties as the arbitrator is limited to awarding one of the offers submitted.

Transition Out

Potential Pitfall: The customer will be in a weak position at the time the outsourcing relationship is being terminated or is expiring to negotiate transition out terms and runs the risk of being exposed to large unexpected costs.

A failure on the part of the customer to be comprehensive in its approach to defining the transition out process(es) will leave it vulnerable at a time when the service provider’s behaviour may not be moderated by the prospect of future revenues. Typically, this portion of an outsourcing agreement will set out the maximum duration of a “termination period” during which the service provider is required to provide defined “termination services” to the customer and/or its new third party provider under a termination services plan. The obligation to provide such termination services should be made contingent upon the payment to the service provider of all prior undisputed service fees and the execution of an appropriate confidentiality agreement by any such third party provider. The service provider will generally be entitled to additional compensation (at defined rates) if, in providing the termination services, it is required to use additional resources or additional resource hours. Transitioning out provisions also usually address: the return of data and records relating to the services, each in a specified format; the return of ownership to the customer of assets previously sold by a customer to a service provider; the reassignment of contracts (including licenses) to the customer that were originally assigned by the customer to the service provider; the provision by the service provider of the necessary staff, services and assistance to effect an orderly transition and migration, which obligations will frequently encompass the hiring of staff, software training, access to personnel, provision of copies of procedures manuals, use of software, sale to the customer or the third party provider of dedicated equipment, and the disclosure of service provider proprietary information. Lastly, it is a good idea to include at least a soft “cap” on transition out fees.

PART 3 - PERSONAL INFORMATION

A key concern with outsourcing arrangements is ensuring the adequate protection and security of personal information (customer, employee, contractor, etc.) being transferred and/or accessed under an outsourcing agreement.

In Canada, the federal Personal Information Protection and Electronic Documents Act [9] (“PIPEDA”) promulgates a comprehensive regime to address the protection of personal information collected, used, maintained and disclosed for commercial purposes and it will be the relevant Canadian statutory constraint in respect of any inter-provincial and international access to personal information.

The transfer of a database comprising personal information will trigger regulatory oversight under PIPEDA as a “disclosure,” in which case the key issue will be to ensure compliance with the appropriate consent standard (ranging from express opt-in consent to implied); however, the Federal Privacy Commissioner has, consistent with the wording of PIPEDA Principle 4.1.3, indicated in a clarifying guideline[10] that PIPEDA exempts, i.e. treats as not a disclosure within the meaning of that act, certain transfers of personal information to outsourced service providers and that a transfer for processing is instead a “use” of the information by the transferring organization. As a result, additional consent for the transfer is not required provided that the information is being used for the purpose it was originally collected. However, in accordance with transparency requirements, companies proposing to transfer data across borders for processing must advise the individuals concerned that their data may be transferred to a foreign service provider and that, when held in the foreign country, the data may be accessible to law enforcement and national security authorities of that country. The Privacy Commissioner has not provided very much guidance as to how information respecting the intended processing of data outside of Canada must be communicated to the individuals concerned. However, in two cases, she has approved of procedures whereby organizations sent a communication to customers notifying them of the intended processing.

The term “processing” is not defined in the Guidelines and the Privacy Commissioner has interpreted the term broadly to include “any use of the information by the third party processor for a purpose for which the transferring organization can use it.” The Privacy Commissioner’s promulgation of a relatively “tough” standard to determining whether an activity is to be considered as “processing” does appear to be in keeping with the general protection of the public aims of the legislation.

Principle 4.1.3 places an obligation on the outsourcing organization to use contractual or other means to provide a comparable level of protection to that provided by the organization while the personal information is being processed by the service provider. In the Guideline, the Privacy Commissioner has indicated that “comparable level of protection” does not mean that the protections must be the same across the board, but it does mean that they should be generally equivalent.

OSFI Guideline B-10

OSFI’s guideline B-10 – Outsourcing of Business Activities, Functions and Processes[11] – sets out expectations for financial services companies that outsource, or contemplate outsourcing, one or more of their business activities to a service provider. Although the guideline sets a high standard for the protection of sensitive financial information by financial institutions, it can serve as a model for other organizations involved in the transfer of sensitive personal information.

According to the guideline, prior to entering into outsourcing arrangements, a company must: evaluate the risks associated with outsourcing arrangements; develop a process to determine the materiality of outsourcing arrangements; implement a program for managing and monitoring risks; ensure that the board of directors or chief agent receives information sufficient to enable it to discharge its duties; and refrain from outsourcing activities to their external auditor that would jeopardize the auditor’s independence of the client company.

In evaluating the risks associated with an outsourcing arrangement, management of the risk may be scaled to take into account the different levels of risk attendant to a particular arrangement. The materiality of an outsourcing arrangement will depend on the extent to which the arrangement can influence a significant line of business of a company. Therefore, companies should consider the following when assessing the materiality of an outsourcing arrangement: the impact of the outsourcing arrangement on the finances, reputation and operations of the company, or a significant line of business, particularly if the service provider or a group of affiliated service providers should fail to perform; the ability of the company to maintain appropriate internal controls and meet regulatory requirements - including those of OSFI - particularly if the outsourced party were to experience problems; the cost of the outsourcing arrangement; the degree of difficulty and time required to find an alternative service provider or to bring the business activity back in-house to the company; and the potential that multiple outsourcing arrangements provided by the same service provider can, in the aggregate, have a significant influence on the company.

Under Guideline B-10, companies are also required to have in place a risk management program that applies to all material outsourcing arrangements. According to OSFI, this risk management program should include: an internal due diligence process to determine the nature and scope of the business activity to be outsourced, its relationship to the rest of the activities of the company and how the business activity is managed; policies and procedures to manage risks associated with material outsourcing arrangements including performance measures, reporting requirements, a dispute resolution mechanism, provisions for termination, ownership of and access to intellectual property and tangible assets, contingency planning, confidentiality, audit requirements, and a business continuity plan of the company; and finally, monitoring and oversight of material outsourcing arrangements commensurate with the size and complexity of the arrangement.

Where a company is considering outsourcing an activity to a jurisdiction outside Canada, OSFI expects that the company will assess the legal requirements of the foreign jurisdiction, including the potential political, economic and social conditions, along with any events that may inhibit the ability of the foreign service provider to provide the service.

In addition to the requirements discussed thus far, the OSFI outsourcing guideline also requires that: companies must ensure that the service provider regularly tests its business recovery system relating to the outsourced activity and any material deficiencies are addressed, as OSFI may ask the company to provide a summary of test results; companies must use the OSFI standardized template to compile a centralized list of material outsourcing arrangements; and lastly, a company’s review of the ability of the service provider to deliver the service in the expected manner should relate to the level of risk involved. This review could include an assessment of the service provider's circumstances such as its reliance on significant subcontractors and the historical performance record of those subcontractors.

Conclusion

Given that the primary means by which an organization may protect personal information which is sent to a third party for processing is through a contract, and furthermore, given the Privacy Commissioner’s reference to the outsourcing guideline promulgated by OSFI in her Guidelines as a suitable reference for organizations transferring sensitive personal information and the general restrictive tenor of the Guidelines, it seems clear that a high standard of contractual data protection is envisaged for the protection of personal information in outsourcing agreements.