Long-term outsourcing agreements can be exceedingly complex and are full of pitfalls for the unwary. In part one of this article (CIO Canada, April ’06) we looked at human resources issues, regulatory considerations and vendor oversight on such deals. In this second and final part, we explore data protection concerns, cost issues, dispute resolution and terminating the relationship.
It’s never easy to part with corporate ‘crown jewels’, yet that is a common and significant risk from an outsourcing deal. The user is often in the position of having to transfer its data or other valuable intellectual property to the service provider for safekeeping and processing. This may include sensitive information, such as the user’s own financial data or personal information about the user’s customers.
Some of the risks associated with an outsourcing arrangement are not that different from those that were present while you processed your own data internally. Hackers, for instance, are keen to get into your data whether you process it or have a third party do it for you. Thus, just as you would have a security policy to guard against such third-party intrusions, so too should you ensure, in the services agreement, that the vendor commits to abiding by a security policy that meets your standards. In fact, if they’re a reputable firm, they are likely to have a security policy that is even more robust than your own.
There is, however, an additional risk that arises as a function of the fact that the user is retaining a third party to provide outsourcing services, and that is the risk that the service provider goes bankrupt. If this worst case scenario were to happen, will your data be at risk? Can you get at it? Will you have what you’ll need to work with it? These types of concerns can be mitigated to some extent if you choose a large, solvent company with good prospects as your outsourcer; however, as we have seen over the last several years, even apparently large, strong companies can be struck by insurmountable financial difficulties.
These sorts of data protection concerns are serious enough that in some industries, regulators have established best practices to be followed by industry participants when outsourcing. The Office of Superintendent of Financial Institutions in Ottawa, for example, has a specific outsourcing policy with which the financial services companies under its purview must comply when engaged in any “material outsourcing”. The requirements of the policy are quite extensive, and include requirements relating to data protection and due diligence with respect to the financial viability of the service provider.
In a similar vein, the federal privacy law requires that parties who outsource their information processing use contractual means “to provide a comparable level of protection while the information is being processed by a third party”. Thus, at a minimum the outsourcing agreement should provide that, to the extent that the service provider is collecting, using, disclosing or handling personal information of the user or its customers, this personal information will be owned by the user; will at all times be accessible to the user; that certain security measures will be taken to safeguard the data; and that the user will have the right to audit the vendor’s procedures intended for security and privacy purposes.
As for audits, many vendors have a review of internal controls conducted by their auditors, also known as a section 5970 audit under the Canadian accounting standards handbook (the equivalent in the U.S. is known as a SAS 70 Type II audit). As a user, you should insist that this audit is indeed performed annually, and you should have the right to prescribe the appropriate scope of the audit to meet your requirements, and to review its results once it is complete. This may lead to some lively discussions regarding which party will bear the cost of such an audit, as they can be quite expensive.
What’s all this going to cost?
An important rationale in some (though by no means all) outsourcing deals is cost savings. Particularly if significant components of services are outsourced and then shared by the outsourcer amongst its customers, economies of scale and scope realized by the vendor should result in lower costs to the user.
One way to ensure meaningful cost savings is for the user to organize a competitive bid and negotiation process. By the same token, the user will also want comfort that the price (and pricing of changes) will remain competitive during the term of the agreement. This concern is particularly acute where the agreement has a long, non-cancellable term, and where the user is otherwise captive to the service provider with respect to changes to the scope of the services provided.
In such circumstances users often negotiate “most favoured customer” pricing clauses (though often the “mfc” provision applies to all other aspects of the arrangement beyond merely price). The core idea is simple enough: that the vendor will provide to the user as good a deal as the vendor offers to its most favoured customer. These clauses, however, are highly negotiated; for example, the vendor, not unreasonably, wants to qualify it by referencing only other deals that have the same or similar volume or mix of services.
However qualified the mfc clause becomes, users typically insist on some sort of mechanism to ensure its practical enforcement. This might entail, for example, requiring a senior officer of the vendor to certify to its compliance once a year. Better still for users is the right to have an independent accountant audit compliance.
Another approach to pricing discipline is benchmarking. The exercise here involves giving a third-party IT consultant various data about the services provided by the vendor, and their respective costs, and having the third party compare these to a cross section of other comparable arrangements, in order to see where your costs/performance figures sit relative to the market generally.
Now, what to do with the results of the benchmarking exercise? In some outsourcing agreements it’s a non-binding process, but presumably its results will have some moral suasion on the parties, particularly if their numbers are dramatically different from the norm. In some others, however, the results are binding, and they (either alone or in conjunction with other factors) can cause an amendment to price going forward.
We have a problem
It is not surprising that over time a relationship as complex, important and expensive as an outsourcing will have its challenges, and sometimes out-and-out disputes. A good agreement will anticipate this, and provide several mechanisms for the channelling and resolution of disputes. For example, several levels of committees can be established, together with respective schedules of regular meetings, so that lots of communication flows between the parties. As with most disputes, outsourcing-related or otherwise, a failure to communicate typically exacerbates the problem.
A threshold question is whether the ultimate form of dispute resolution should be a court process or arbitration. One potential benefit with the latter is that someone quite expert in the matters surrounding the actual dispute can be the decision maker. So, for example, you might choose an accountant to mediate/arbitrate a complex billing dispute.
On the other hand, arbitration tends to be a private affair (unlike the regular court proceeding, which is typically open to the press and public). Thus, while in some cases privacy is conducive to creative settlement, in others the potential for publicity causes both sides to be more reasonable in the event of a dispute. There is no right or wrong answer; rather, you have to give some thought to these and other factors as you come to draft the dispute-resolution provisions in your outsourcing agreement.
All good things must end
A well crafted legal agreement invariably contemplates the end of the parties’ relationship and provides for their disentanglement. In an outsourcing relationship, thinking about the end is even more important because a lot of potentially scary risks could come to pass at this critical juncture.
Indeed, most users nowadays negotiate a very useful provision that allows them to terminate the relationship for convenience (i.e., for no specific reason, and not merely default) upon payment of an early termination fee, though sometimes these fees will be waived. In any case, however the end comes, it is worth contemplating it in the agreement.
Take, for example, the software transition issue. Let’s say the services provided by the vendor required an important and expensive third-party software program. Software like this can increasingly be licensed in two ways; either on an annual basis, for a relatively modest amount, or a perpetual license for a large one-time fee.
You can quickly see the dilemma. If the outsourcing deal is for five years, it might make sense for the vendor to license only five yearly increments of the software. On the other hand, if the user wants to use the software even after the outsourcing ends (a provision in the agreement would stipulate that the vendor obtain a license that can be assigned to the user at the end of the outsourcing relationship), then for the user a perpetual license would make sense, even though it was initially more expensive. Thus, it is important that the outsourcing agreement reflect careful consideration of these sorts of post-termination issues.
Space constraints prevent a fuller treatment of these outsourcing issues, while many others have not even been broached in this article. Needless to say, it is important to canvass all of them to assess what your risks and vulnerabilities are, and then to negotiate a fair and even-handed agreement that addresses the needs and desires of both you and the vendor.
–Wendy Gross is a partner in McCarthy T