Outsourcing IT: The Governance Challenge

March 28, 2010

The drive towards outsourcing the IT function is a response to the emergence of a ‘new’ business environment arising from the globalisation of world commerce and the need for organisations to compete in a worldwide market.

Many organisations have found in-house IT strategies to be resource-intensive, in terms of both finance and personnel, and unable to respond to the needs of an ever-changing market. Legal and regulatory compliance issues are global. Non-compliance has global consequences involving criminal and civil sanctions as well as the risk of damage to reputation in a global market.

Outsourcing the IT function is often perceived as an effective strategy for achieving the business benefits that an in-house IT function should provide, but does not. A decision to outsource the IT function is central to any organisation’s business strategy. Entrusting a business tool so critical to the survival and success of an organisation to a supplier about whom the organisation may know little or nothing carries significant risk. Many IT outsourcing projects fail, and a principal reason for the high incidence of failure is the organisation’s neglect of the principles of governance.

Traditional IT Outsourcing

The traditional IT outsourcing model involves a process of identifying how and why an outsourcing strategy should be adopted within the context of the organisation achieving its objectives and business goals, and calls for systematic and focussed strategic, managerial and operational skills to ensure that:

· the most suitable supplier is selected;

· the contract supports the organisation’s business goals;

· the service level agreement (SLA) provides levels of service that will satisfy the needs of the organisation’s end-users; and

· the project is implemented efficiently and effectively.

As outsourcing projects typically continue for several years and can involve many millions of pounds, the need for the organisation to ensure the project success becomes critical:

· the project must have top-level support, or sponsorship;

· the interests of the stakeholders must be accommodated;

· the relationship with the supplier must be managed; and

· strategic, IT, legal and compliance, operational and financial risks must be identified and managed.

IT outsourcing is a process of considerable complexity and significant risk that has the potential to destroy an organisation, either as a commercially viable entity or simply in terms of its reputation. It requires principles of governance not only to be understood, but to be adopted and then rigorously applied.


Governance is about control and regulation implemented so as to reflect good order. Three areas of governance apply to IT outsourcing: corporate governance, IT governance and project governance.

Corporate Governance

Corporate governance is interpreted at board or partnership level as being conduct that includes: transparent decision-making; clearly defined responsibilities and line-management accountabilities; taking account of the interests of shareholders and stakeholders; and addressing risk issues that include compliance and information security.

Statutory and non-statutory frameworks prescribe the duties of directors in making strategic decisions, including duties to exercise reasonable care, due diligence and judgement, to avoid conflicts of interest and to declare interests.

The culture of corporate governance is set by the board or partnership and its principles should be promulgated to all levels of management.

IT Governance

IT governance is a subset of corporate governance. IT governance introduces a framework of leadership, structure, business processes, standards and compliance requirements designed to ensure that IT supports the achievement of the organisation’s objectives.

Supporting this framework are various tools in the form of methodologies, standards and compliance legislation. This framework is represented by the management infrastructure, the lines of responsibility, accountability and transparency and the decision-making processes. All should operate to achieve business objectives.

Examples of the tools that may be used within the framework are certification under relevant British, European or international standards addressing such issues as risk management, information security and data protection. COBIT is an example of a methodology that is adopted within an IT governance framework.

One governance tool is BS ISO/IEC 38500:2008, a standard developed to provide directors and senior management of organisations with a set of key principles to be observed in achieving effective use of IT.

Project Governance

Project governance is another subset of corporate governance. Project governance addresses the development, implementation and conclusion of projects, of which an outsourcing project is a typical example.

The defining principles of good project governance are: top-level leadership and oversight; a clear project plan with milestones; identification of resources; clear lines of responsibility and accountability reporting and communications; adoption of a recognised methodology for implementing the project; and a risk management strategy.

This framework may involve several teams.  For instance, in an outsourcing project, input may be necessary from teams concerned with transition, risk management, change control and management and a team to represent the retained IT function after completion of the project.

A framework of project governance may also be supported by various governance tools. Methodologies such as PRINCE2, and tools such as British, European or international standards, are designed to assist in the management of projects within a governance framework.

Invariably, the IT department of an organisation will operate various different projects. This portfolio of projects also requires management within project governance principles. For example, an organisation may decide to outsource the provision of a small number of specialist IT applications, while leaving more general applications to be retained by the in-house IT department. This involves project portfolio management (PPM). A clear risk of inadequately managed project portfolios is that the organisation’s project strategy becomes aimless and confused, ultimately leading to project failure.

Governance Structures

It is difficult to be definitive over the composition of a governance framework. Every organisation is different and, in the case of outsourcing, every project is different. An organisation’s governance structure is likely to include various management functions.

Senior management

This involves:

i) the board of directors or partnership, which sets the strategy and provides sponsorship of the project;

ii) a strategic steering committee, comprising a number of directors and key senior executives, to oversee all the organisation’s projects, including any outsourcing project;

iii) an executive committee, which assumes responsibility for the project, driving it forward, establishing lines of responsibility and accountability and delegating according to skills and capabilities.

Project management

At the core of the procurement process is the project management team.

With involvement of the board, or partnership and senior management committees as appropriate, the project management team might address, for instance: supplier tendering and selection; negotiations; the contract and SLA – in fact, all steps up to and including the signature of the contract.

Central to the project management team may be, for instance, one member concerned with contract issues; a second member concerned with commercial issues; and a third member concerned with operational issues.

Specialist teams

Some functions may require specialist members on the project management team or, subject to their complexity, separate teams of specialists, for example:

i) IT, where the complexity and sophistication of IT to be outsourced requires specialist knowledge;

ii) asset management, where significant assets are to be transferred;

iii) human resources, where significant numbers of personnel are to be transferred;

iv) transition, where significant operational disruption is likely.

Teams operating within this general structure are subordinate and accountable to the project management team which defines their brief.

Risk and compliance

Depending on the size of the organisation and the complexity of the project, it may be necessary to constitute dedicated teams for the purposes of compliance or risk management. The important point is that the organisation recognises that compliance and risk management issues thread throughout and well beyond the management of the contracting process; and there must be prompt and reliable expertise available at short notice.

Exit committee

If the organisation decides to bring the outsourced functions back in-house, it will need to re-constitute the IT function. An exit committee should manage contract termination procedures. The exit strategy will be the board’s or partnership’s responsibility, because the strategy must be aligned with the organisation’s goals and objectives. The strategy will be driven by a board steering committee, to which the exit committee, responsible for implementing it, will report.

Retained IT department

Once the outsourcing contract is operative, the retained IT department assumes responsibility for a number of functions and is an important factor in determining the success of the project. The retained IT department has three roles.

First, it must protect the organisation’s interests under the contract and SLA. Examples include contract management, finance management, performance management (including audits) and relationship management.

Secondly, it must maintain an interface with the supplier, ensuring that the supplier is aware of the organisation’s needs and that issues and disputes are managed promptly and efficiently.

Thirdly, it must manage the organisation’s end-users, opening channels of communication so that the organisation is aware of their changing needs and can proactively identify opportunities for innovation and competitive performance in the marketplace.

From a governance perspective, effective performance of these roles is critical to the project’s success. Within an IT-governance framework, the retained IT department will be supervised, monitored and resourced, so that the supply chains from end-user to organisation to supplier, and from supplier to organisation to end-user, remain robust yet sufficiently flexible to meet changes in the business environment.

Supplier relationships

Successful management of the supplier relationship can be a challenge over a period of several years. Organisations and suppliers change; personnel change; business environments change. Relationships tend to be most successful when they are open and transparent, with adequate lines of communication – three important corporate governance principles. They facilitate a mutual understanding and appreciation of the parties’ objectives.

It is preferable that there should be corresponding executive, management and operational functions in each organisation, able to communicate with each other on the same level. Those involved in the project, both within the organisation and the supplier, should, as far as possible, have respective counterparts with whom they can discuss problems and develop new ideas. Examples of where this is beneficial are management of the contract and SLA, dispute escalation and potential innovation.

The organisation should establish the standards against which the supplier is certified, and any methodologies the supplier adopts. Data protection issues abound throughout any outsourcing project. An organisation might check, for instance, for certification under BS 10012:2009, the British standard for personal information management systems. A checklist of potential methodologies and standards should form part of the tendering and due diligence.

Cloud Computing

Cloud computing has emerged as a radically different outsourcing model: a web-based hosting service, of which ‘software-as-a-service’ (SaaS) is the most familiar form. Its key features are that it is subscription-based, accessible from anywhere over the internet, and scalable for either a single organisation (dedicated – private cloud) or many organisations sharing the same infrastructure (multi-tenant – public cloud).

The model is that of an ‘on-demand’ service. Cloud services are frequently provided from farms of virtualised servers, each capable of holding vast amounts of data and serving multiple tenants.


The difference between this and the traditional model lies in the relationship between the parties. The traditional model is based on a carefully negotiated and settled contract and SLA (usually drafted by the organisation), underpinned by extensive due diligence processes and implemented by various layers of board, executive and operational management.

In the cloud model, the contract and SLA are most commonly issued as standard by the supplier, almost on a ‘take-it-or-leave-it’, non-negotiable approach – just as in the case of a domestic utility service.

This changes the dynamics of the relationship. In the traditional model, the service is tailored to the requirements of the organisation. While this remains the case to a greater extent in dedicated cloud computing projects, in the multi-tenant model the emphasis shifts to availability of the service. It is the service that is being sold, not the IT.

Cloud computing is widely regarded as disruptive technology because of its ability to transform the IT services market. It can be available on an infrastructure, platform and application basis to mass markets. One issue that is emerging is the potential complexity of the model. The variety, type and number of services capable of delivery in the cloud model pose a significant management problem. They promise to proliferate faster than the ability of cloud consumers to manage them. An organisation might adopt the single-tenant model for one set of services and a multi-tenant model for several other services. How is that to be co-ordinated in an organised way?

For all the excitement surrounding the cloud model, a recent survey by Gartner has revealed that many organisations are ‘underwhelmed’ by their experiences and believe that SaaS is not the anticipated panacea.  

Risk and compliance

Some key risks arise from cloud computing. Principally, they revolve around the management, confidentiality and security of data. The storage of vast amounts of data in server farms presents the potential for data leakage, contamination and interference. The Data Protection Act 1998 contains strict provisions governing the storage of personal data and its transfer outside the European Economic Area. With globally located server farms, how can an organisation be sure about:

· location;

· competence of management;

· protection from interference;

· confidentiality;

· security;

· ability to secure access;

· safe return; and

· the competence of the supplier in the whole operation?

Another concern is performance reliability and standards: unscheduled downtime or unexpected faults in the supplier’s systems might result in significant loss to the organisation and have the potential to put the reputation of the supplier at risk.

Governance principles

The obligation of the board or partnership to apply governance principles in the adoption of cloud services as a strategy remains equally valid in the cloud context as for the traditional model. The principles of transparent decision-making, clear lines of responsibility and accountability, risk and compliance management and realising stakeholder value, all apply to any cloud project.

Similarly, IT governance principles – ensuring IT operates to support and achieve the organisation’s objectives – are equally applicable.

Project governance principles also continue to apply. The organisation must also ensure that adoption of cloud services is part of a balanced portfolio of in-house and outsourced services and will supply an adequate return on investment. Although a simple concept, the cloud model has the potential to develop into a complex range of services. Some organisations may decide to ‘mix and match’ their portfolio of services, outsourcing more complex, tailored services through a traditional supplier, while entrusting more commoditised services, such as e-mail, to a cloud provider. Others may opt for a combination of dedicated single-tenant services and multi-tenant services – and even combine them with traditional services.


The adoption of an outsourcing strategy, whether traditional or ‘cloud’, rests with the board or partnership. It should be made with governance principles uppermost in mind and applied to decision-making at every stage of the process.

Boards of directors or partnerships embarking on outsourcing projects without applying governance principles from the outset face risks and vulnerabilities that all too often are inadequately managed and can lead to project failure.

Rupert Kendrick is an IT journalist and author. This article is drawn from his recently published book Outsourcing IT: A Governance Guide, available from IT Governance Publishing: ISBN 978-1-84928-025-9