In simplified terms, the term “IT outsourcing” refers to the procurement of services (sourcing) from outside a company (out). The term thus encompasses the outsourcing of service components in the area of information technology. The motivational reasons for deciding to outsource are often as follows:
Costs & balance sheet:
Concentrating service components with a provider that specializes in this area, and the efficiency benefits that follow, brings overall cost savings compared to providing the services oneself with one’s own hardware and personnel. IT outsourcing also affects how costs are reported. For example, services that are procured rather than built through the company’s own capital expenditures should not be included in fixed assets (CAPEX) but should be reflected directly in operating costs (OPEX).
Skills & Capacity needs:
Competition for IT professionals has already led to a bottleneck in the skills and capacity required to maintain IT services. To counter this increasing risk, outsourcing those service elements for which available human resource capacity (FTE) is insufficient and/or the required competence profile is lacking is often one of the bases for deciding on an IT outsourcing initiative.
Flexibility & Liability:
Other motivations for IT outsourcing can arise from a technological, legal, or structural basis. For example, the outsourcing of business processes also represents a transfer of responsibility. This can make it possible to pass on liability for IT damage caused by malware, ransomware, or Trojans, for example, to the IT outsourcing contractor. The flexibility associated with outsourcing relates to the service components. Due to their specialization in service provision, managed service providers are able to make short-term adjustments to IT services. This flexibility extends to pay-per-use models, in which only the resources actually required at a given time are provided and charged for (e.g., storage).
In the context of outsourcing IT services, active IT risk management and thus also the review of contracts is essential. We are happy to support you in this. Essential questions in this context are, among others:
- To what extent are contractually extended liabilities defined and effective as a safeguard?
- Are the conditions for claiming damages clear?
- Are sufficient levels and response times defined for an emergency?
IT outsourcing types
Just as important as the motivation and goals of IT outsourcing is the decision on the type of IT outsourcing and, in particular, the so-called service cut within the overall IT process environment. The following diagram shows the questions and some of the characteristics that are to be evaluated as a result of the requirements analysis:
Determination of the service cut
In order to determine the service cut and to develop the outsourcing model, the following characteristics must be evaluated in terms of their relevance:
Selective vs. Total:
How extensive are the service components to be provided externally? Selective IT outsourcing includes highly specialized tasks (e.g., software development) but also basic services (e.g., housing and hosting) as a potential scope. On the other hand, there is complete IT outsourcing. In this case, an external provider makes the entire IT service scope available and the internal company (client) responsibility is reduced to coordination and control of the provider.
Onshore vs. Nearshore vs. Offshore:
How important is geographic proximity to the contractor? The more standardized a service component is and the less it depends on personal interaction, the more cost-optimized (offshore) its award can usually be. If interaction is necessary (e.g., on-site operations), an onshore approach is almost mandatory.
Multi-Vendor vs. Single Vendor:
How are services managed and provided? Depending on the service cut, a supplementary provider for additional service components often has to be taken into account in the IT outsourcing project and integrated into the process world. For example, license management or the area of IT security lend themselves to a separation of execution and control.
On-Premise, IaaS, PaaS and SaaS:
How extensive is the service cut in the context of selective outsourcing? The classic breakdown looks something like the following:
- Level 1: Infrastructure
- Level 2: Virtual environment
- Level 3: Operating systems
- Level 4: Middleware
- Level 5: Application operation
In addition to the classic subdivision, new service cuts have now been established in IT in the form of service products based on technological developments. These are:
- IaaS (Infrastructure as a Service): The provider makes resources, such as virtual machines, network connections and storage space, available in a data center.
- PaaS (Platform as a Service): At this advanced level, the provider also takes over responsibility for the operating system from the customer and thus the administration of the IT environment.
- SaaS (Software as a Service): The last level no longer includes only IT resources, but also processes and applications. A well-known example is O365, but CRM, communication, or ERP systems can also be provided in this way.
Defining a cloud strategy involves a number of pitfalls, particularly in the area of IT security, but also many opportunities. Below, we have outlined the essential points to consider:
- As soon as an Internet connection is no longer available, services are unavailable. In the case of basic IT services, this can have far-reaching consequences for operational processes.
- A password controls access to the entire data inventory and, if it is lost, enables external access.
- Access and legal concepts in cloud transformation must be further developed in order to continue to provide relevant protection.
- The decision-making basis for data storage in the cloud also includes a risk assessment based on the respective data content.
- Established redundant concepts for data protection are easy to adapt for your own company.
- Resources can be adjusted flexibly, which increases the protection of availability.
- Security measures can also be purchased as a service and can therefore be upgraded more quickly and cost-effectively than by purchasing additional hardware or a license.
IT outsourcing risks
However, IT outsourcing brings not only advantages but also risks. IT is no longer in the company’s own hands, and a certain loss of control goes hand in hand with a certain dependency on the IT provider.
This is particularly evident in cases where the expectations of both sides (contractor and client) are not met. For this reason, early and comprehensive documentation of requirements is just as essential as an effective and contractually clearly defined set of rules in the form of SLAs at the respective service levels. In addition, accompanying measures must be integrated to ensure compliance with the control obligation, given the strong dependency on the provider.
These include, for example, audits of the processes and systems, the performance of penetration tests, or the direct integration of experts into the IT outsourcing project as an independent quality assessment authority for the transition and for establishing the rules and processes for future cooperation in day-to-day line operations.
If an IT outsourcing project is pending, whether as a plan or as a concrete project in the implementation phase, we recommend including an outside view as a quality-assurance measure. Based on our experience in the contractual design and technical implementation of such projects, we support the securing of IT outsourcing potentials without compromising IT security.