19 ICT Outsourcing recommendations from Brandon Global for 2019

1.    Increase the board of directors' and senior management's awareness in the key areas of security, governance, risk and compliance (SGRC)

2.    Develop an outsourcing strategy and policy to ensure best practices and correct processes are used and followed

3.    Develop a procurement strategy and policy to ensure best practices and correct processes are used and followed

4.    For the sourcing stage, ensure the most suitable procurement process is used and that people with sufficient skills and experience are involved, especially during the evaluation and contractual phases

5.    Ensure contractual arrangements are in place for all outsourced services and are understood by key personnel, including the board of directors, especially areas such as escalation and complaints processes, service levels and penalties for non-performance, terminating or exiting the contract, privacy and data confidentiality, and adherence to data protection and GDPR requirements

6.    Know and understand the key elements of the service outsourced and any legal or regulatory requirements you and the supplier need to meet

7.    Know the risks from exiting an outsourcing arrangement, such as the supplier ceasing to operate or any event that prevents the supplier from delivering the service, poor performance or a failure to deliver the service as agreed, and going to tender and selecting an alternate supplier, among others

8.    Ensure your Business Continuity Plan (BCP) and the BCP of the supplier cater for any event likely to place the service at risk of either a failure to deliver or the delivery of a reduced service that impacts your business

9.    Develop and understand an exit strategy from outsourced agreements that clearly documents how the organisation would address the handover or return of a service, or an option to continue running the service using another supplier. Pay particular attention to critical services such as a business application or any system or service that supports the critical business application. Carry out a regular business impact analysis (BIA) to identify these critical services

10.  Understand and know the process of exiting an existing outsourced agreement, especially where the reasons may be the result of a non-performance issue. Maintain a risk register and/or logging system to track activities

11.  Develop an ICT Strategy aligned to the Business Strategy, using roadmaps to highlight timeframes. This strategy should be supported by individual operational plans that initially set out the sourcing stage where it applies

12.  Continually monitor and review outsourced arrangements, including monthly reports from suppliers on key deliverables and performance indicators (KPIs). Agree and hold regular review meetings to discuss ongoing and future services with the supplier.

13.  During the sourcing stage, ensure good practices around due diligence are followed, including obtaining and validating the financial status of the supplier, staffing levels in key areas, staff experience, training and certifications relevant to the service, the organisation's certification and adherence to standards relative to the service offering, and the supplier's prior and existing clients

14.  Develop a working relationship with the supplier. An outsourced supplier should be viewed as a business partner committed to ensuring the service they are providing contributes to the overall success of your business

15.  Where cloud or hosted services are planned, consider a number of key areas such as the location of data (Ireland/EU/Outside EU), Brexit, chain sourcing (subcontracting or underpinning contracts used by the primary supplier), security and security standards, contingencies, the type of cloud service offered, years in operation, and current customer base

16.  Use people with the required skills to monitor and control the outsourced arrangement

17.  Provide key reports on a regular basis to senior management and the board of directors for discussion, including KPIs, service deliverable failures and non-performance issues, especially those that present a risk to the business. Allow time at senior management and board meetings to review these reports

18.  Continually monitor the overall performance of the supplier for any indicator that might place the service or your business at risk. Examples include major changes in financial status, customer losses, an increase in service delivery issues, and cancellation of regularly agreed meetings. Use the grapevine and other contacts

19.  Share your Information Security Policy with outsourced partners to ensure all parties are working to the same standards, and establish clear expectations on the ongoing security of data exchange and storage.

Elaine English