
IT Service Delivery Risk Analysis - Valutrics

The IT service delivery value chain relies on a wide range of external service providers and vendors. The value chain is as vulnerable as its weakest link. Doing IT all in-house is not an option for any company; however, where the line is drawn in terms of what is in-house vs. outsourced differs substantially. When more dependency on third parties exists there will be a greater need for IT service provider risk management.

The key questions for those managing IT service provider and vendor/product risks revolve around the difficulty of achieving the right level of transparency and rigour across the management boundary.

The dimensions of service provider failure
This list indicates four main sources of failure:
1. Failure to deliver the in-scope / contracted service to defined service levels as part of an operational service;
2. Failure to deliver the implicit, expected or required services around a contract or relationship to make it work;
3. Failure to deliver in-scope / contracted project services in line with an agreed statement of work;
4. Failure of the service provider to stay in business.

Other risks include:
• Low accountability
• Poor value for money
• Inflexibility
• Difficulty integrating services
• Bumpy transitions
• Unfulfilled transformation objectives
• Poor visibility
• Lack of control
• Low contestability
• In-house delivery risks
• External service provider delivery risks
• Shared services delivery risks
• Vendor failure to support the product
• Product functional gaps open up
• Product aggressive upgrade cycles
• Product unfulfilled promises
• Offshore sourcing risks

Failure to meet service levels for an operational service
An IT service provider agreement typically includes stipulated service levels that are required to be met. Failure to meet a particular service level will result in pain being experienced somewhere in your company and potentially further afield.
Service levels for an operational IT service will first and foremost specify the requirements of availability or uptime. Failure to meet this service level equals unacceptable downtime. Various other service levels are typically in place to ensure quality of service in areas such as reliability – correctly processing all requests and user sessions – and response time – performing transactions quickly.
Failures can occur across a range of severities and frequencies. Loss events will be experienced with each although this pain will be only partially reflected through to the service providers by even the best-constructed performance management regime. This is because the service provider incentives and penalties are a percentage of the contracted payments (e.g. 10% of monthly revenue by service line is risked by the service provider each month), typically bearing little relationship to the business value at risk.

Failure to meet other contract or relationship requirements
Beyond the delivery of service levels there is a set of helpful and positive behaviours that are generally expected of service providers. For example, some degree of flexibility to accommodate new and emerging requirements, leadership in the relevant IT field, a solid understanding of and commitment to industry standards, general cultural fit.
Some of these requirements may be written into the contract, although this does not provide protection in its own right. People interpret contracts – generally to suit themselves. It is thus important that key relationships are managed actively particularly in the areas that can’t be nailed with service level agreements. The nature of a technology vendor relationship is normally not specified in a contract. However, most customers have an expectation of continuity of support – within a reasonable time-span – and an upgrade path to new or enhanced products. Failure to deliver to the customer expectations is far less clear to identify and very difficult to mitigate and contain. Today’s Top Five vendor may be next year’s down-and-out, especially as the loss-maker’s cost of capital vulnerability may accelerate its demise.
So what does this risk look like when it bites? Some examples include:
• An IT services contract that has remained fixed while business requirements have changed;
• Delayed technology refresh and retention of aging hardware and software;
• Proliferation of multiple standards and unresolved legacy issues; and
• Lack of interest in adopting service improvements that might appear to be obvious ‘win–win’.

Failure to deliver project services
The unsatisfactory performance of service providers is a major contributing cause of project failure on each of the three key dimensions of time, quality and cost.
• Time – a blowout against the project plan dates for a service provider task slips all dependent tasks.
• Quality – when service providers have responsibility for IT system components (application or infrastructure) both functional and non-functional characteristics of the end product (i.e. systems / solutions) and services (in operation) can be fundamentally impacted by poor service provider delivery quality. A well-managed project will seek out these early so as to reduce the downstream impact.
• Cost – extensions in time and poor quality (requiring rework) cause second-order cost implications. Difficulties in cost estimation and commercial engagement commonly cause great variation in initial expectations / quotes and final total payments to service providers.
Such outright failures to deliver lead to the obvious question: ‘Don’t we pick our service providers carefully and manage their project performance?’
Often IT service provider relationships commence with a relatively narrow definition of the required services. For example: ‘We need someone to run our current IT infrastructure.’ Only later does it become apparent that any ‘build’ project that requires an IT infrastructure change will need to involve the ‘run’ service provider and that their (operational acceptance) blessing or sign-off is necessary for new services being introduced; otherwise they will blame the project team for getting it wrong.
It is common, therefore, for IT service providers other than those contracted directly and specifically to achieve IT project outcomes to become major sources of IT project risk.

Failure to stay in business
The paradox of contracting with a service provider who offers you an unbelievably good deal is that they may be unable to make sufficient profit to remain viable long-term.
If a key service provider goes out of business then a transition project becomes necessary. That is, a transition out of the failing provider either in-house or to another provider. Ultimately the total impact and disruption can far outweigh the gap between the lowest cost provider and the competitor who stayed in business.

Low accountability
When each service provider is responsible for only a part of the end-to-end IT service, an all-too-frequent occurrence is finger-pointing over service failures that cannot be unequivocally traced back to one service provider’s discrete domain.
Unfortunately, problems with multiple contributing factors are common in the world of IT, and all participants must cooperate to both identify and resolve the underlying issues. Occasional forays by lawyers intent on contractually defining responsibilities in this space can further compound the trench warfare approach. Beware if allocating blame and responsibility is the official first step of the contractual problem resolution cycle.
Many IT service providers are organized internally to deliver services by technology silo. One group looks after servers, one local area networks, one desktops, another applications, etc. The silos are only thinly wrapped with a customer-aligned service management layer to (appear to) provide integrated services delivery. Unfortunately contracting with a single provider for an end-to-end service may not completely avoid accountability issues.

Poor value for money
When contestability is lost, the perception of value for money is too. If every initiative or piece of work that needs to be done goes to the incumbent service provider (for better or worse) then there is no point of comparison. In such cases there is a natural tendency for stakeholders to question whether value for money is being achieved.
The notion of benchmarking is an attractive one to some seeking to determine where they currently sit vs. industry norms and top quartile performers. However, service providers have perfected the art of obfuscation of benchmarking results and many will drag the anchor on any improvements that may be indicated.

Inflexibility
Many IT outsourcing contracts are established for a period in excess of three years. Typically the service provider is investing at the front end of the contract period and taking higher profits towards the back end. Generally it will suit the service provider to hold an environment stable and squeeze the delivery cost structures down over time. As a consequence it is common for the service provider to limit flexibility. If flexibility must be accommodated it will be with significant additional cost.

Difficulty integrating services
Most service providers will attempt to operate according to some form of standard or ‘cookie cutter’ operating model. While there are benefits from having the service provider delivering to a tried and true formula, in adapting to fit the service provider there is often the need to disrupt your existing IT service management and delivery processes. When multiple providers are engaged this can be most acute as each (of course!) has their own ‘best’ way of doing things. It is important not to underestimate the effort required to integrate – even only at the interfaces between organizations – the most straightforward of trouble-ticket processes or basic control of asset and configuration data.

Bumpy transitions
Changing from an in-house to an outsourced model is fraught with transition risks, which mostly translate as a risk to IT service continuity over the transition period. Switching or bringing a service back in-house can also be subject to similar risks as outsourcing.
Risks in transitioning to new technologies are not only about the trials and pitfalls that crop up with the component or system, but also in the learning curve in the operations and support teams and in the newly established vendor relationship. For example, how long do known defects remain outstanding? What is the frequency of new releases and how is backwards compatibility assured – that is, how do we know the new version will do at least what the old version did?

Unfulfilled transformation objectives
A contract in which the IT service is to be transitioned and a subsequent (or parallel) transformation is to occur can suffer from either of two common failings:
1. The transformation never completes.
2. The transformation occurs but is significantly biased and skewed in favour of the service provider – e.g. improvements that will benefit the service provider’s cost structure are introduced without consequent reductions in service prices or valued improvements in service quality.
When confronted with this reality, many choose to strip back a core contract to the day-to-day performance of duties and separately contract for the transformation agenda. This can provide incentive in the form of revenue enhancement for the service provider hungry for the transformation pie. Unfortunately for these ‘unbundled’ sourcing contracts, any transformation will most typically be part revenue substitution and part risk for the service provider and may be marginally less attractive than retaining the status quo.

Poor visibility
The real cost and effort of delivering a service is typically not communicated from the service provider to the customer. Open-book accounting remains, in general, nothing more than an interesting concept and is mostly absent, other than in minority ‘cost plus’ deals.
It has commonly been viewed that managing IT service providers should be about managing the ‘what’ rather than the ‘how’ – that is, specifying and managing to outputs and outcomes rather than dictating the means and/or the processes by which work gets done.
This is fine when things are going well. However, when things are going wrong, as evidenced in outputs missing the mark and loss events crystallizing in your business, there is a need to get into the IT service provider’s shop and develop a good understanding of the real contributing factors. This is ‘dirty laundry’ and any incursion will be resisted unless contractual levers and relationship development has paved the way.

Lack of control
At the heart of many IT service provider disputes is a customer’s perceived view that the service in another’s hands is out of control. Perhaps it is clearer to consider this as difficulty managing IT by contract. Certainly for any customer unhappy with an external IT service provider there will be another who is unhappy with their internals!
In terms of IT risk it is important to be absolutely clear what the service provider is now responsible for. Furthermore, within the agreed scope it is necessary to ensure adequate implementation and functioning of risk management controls. Recognizing the shared nature of risk management and the importance of two-way communication, agreeing to and adopting a common IT risk management model between yourself and your major providers may be an excellent start.

Low contestability
All incumbent suppliers know and understand the existing environment. They have relationships with key people on your team and they already have in-scope responsibility to leverage. They can erect barriers to entry for new players that work to your disadvantage with respect to future contestability – and not just for currently in-scope activities.
Other competitor service providers must carefully allocate their scarce sales and business development resources – any dollar spent in sales is an overhead that must be recovered from the profit margin on contracted accounts. An account that is locked up by a competitor can easily fall foul of their bid qualification regime. If a calculated probability and resultant business value of winning is low then either a ‘no bid’ or a notional bid may result.
You are left with an incumbent who may become lazy and unresponsive – knowing that any threat to call in competitors is an empty one. Alternatively the incumbent may take advantage of your captured-customer status by advancing their own technology agenda and increasing prices to premium levels for anything new or different.

In-house delivery model risks
Doing all IT service delivery in-house does not eliminate service provider risks. Lack of clarity typically abounds – it is never quite clear how ‘expected’, ‘targeted’ and ‘absolute minimum’ service level standards differ, partly because there is no formal contract for service. There are typically poor incentives for high-quality service delivery and in many cases an acceptance of under-performance. There may be extreme inflexibility and high-cost structures that cannot be avoided because of internal monopoly rules that are typical around IT service departments in large corporations.
In good times in-house teams can be gutted – all of the good talent fleeing to higher-paying IT service companies and the rest remaining – and in bad times left without any ‘new blood’ injections. Concepts of best practice are generally absent and the importance of demonstrating compliance will be typically given short shrift – surely it is enough that the job is done, isn’t it?
When it comes to IT risk management often there is a limited ability to question the status quo that arises from little exposure to other IT shops with different practices.

External service provider delivery risks
Customers want the best service at the lowest possible price (or something similar!) whereas the service provider has investors demanding a return. This may manifest as the service provider striving to cut delivery costs, which negatively impacts customer service levels. Other threats exist in their potential to leverage an acquired asset as part of an outsourcing deal to provide services to your competitors – let’s hope this wasn’t a source of competitive advantage that you just outsourced!
It is always important to understand what the service provider will gain from a deal with your company. Ideally you can be a valuable reference site. In return for good service and a few extras you will provide some input into a case study and offer the service provider the opportunity to bring new customers through to show how great it really is. With technology vendors a seat at the ‘user group’ table can help you shape the direction of the product – you will of course be expected to buy it in due course, but it might be evolving into a product you want!

Shared services delivery model risks
The shared services model, where a separate entity is created to deliver services to a number of customer groups, contains a mixture of both the in-house and external service provider risk profiles.
There is an implied or explicit benefit through aggregation / scale that created the shared services provider. However, often this can erode customer orientation as a one-size-fits-all approach to service delivery is attempted. An interesting dynamic can occur when one of the key customers pulls out, undermining the economics of the shared services model. This is played out in many firms with autonomous business units that seek to carve out their own IT empires. As core (enterprise) systems managed to a shared services model are deserted, their costs spiral upwards, creating a further incentive for customers to depart.
And if the shared services provider seeks to stretch its wings a further conflict can occur. The customers wanted a tame and predictable factory that is now a profit-seeking growth animal.

Vendor Failure to support the product
Failure of the vendor (i.e. disappearance) is only one risk; failure to support the product adequately is another. Even for a predominantly in-house operation it becomes apparent that most IT systems are extremely vulnerable to technology vendor service failures, particularly in relation to the ‘break–fix’ cycle.
Let’s imagine a critical system goes down unexpectedly. The helpdesk are notified and raise an incident, while others get to work on minimizing fallout, the internal A team is assembled and troubleshooting begins. If the problem can’t be solved at Level 2 support (the common description of the internal support group with particular technical knowledge and skills) then Level 3 support must be relied on.
Obviously the dream scenario for Level 3 support is a 24/7 technology vendor contact centre that mobilizes a rapid and effective response, injecting support specialists with deep technology skills into the virtual problem management team, rapid root-cause analysis – leveraging databases of others’ experiences – and insightful solutions for both interim workarounds and durable fixes. This may include the rapid and controlled assembly of a patch that can be distributed and installed readily by the Level 2 team. Only when the problem is solved and the system restored does the Level 3 support team sign off.
The nightmare scenario arises with the discovery of a technology component that doesn’t appear to be working correctly and the consequent discovery that the component is no longer supported. More typically, degraded levels of support are encountered.
In understanding why degraded support is commonly encountered it is useful to consider the vendor perspective. Yesterday’s technology products (the ones you bought and installed) represent good bread and butter for the vendor as long as a sufficient critical mass of customers remain on support contracts. As components age and other customers move onto newer products it becomes less feasible to assign good quality technical resources who would otherwise be working on developing the next generation of products, which are required to secure next year’s sales.

Product Functional gaps open up
You review a system that meets most of your requirements and rates well against competitors. Should you acquire it?
Most product evaluation methodologies only evaluate the fit of the current product against current business requirements. An underlying risk when acquiring technology products is that the successor product may be less well aligned with emerging business requirements. This has most to do with the vendor’s capability and product development track record but is unfortunately often overlooked when an out-of-the-box solution appears to offer a fast track to the desired (short-term) solution goal.
Over time as functional gaps open up, greater effort needs to be ploughed into modifying or working around the solution. The paradox is that with every modification you further commit to the increasingly ill-fitting system.

Product Aggressive upgrade cycles
When you are changing software because your vendor has released a new version (and withdrawn an old one) and not because you perceive any great advantage from moving, you are in the upgrade cycle. When you are changing hardware because your new software won’t run on the old hardware, you are in the upgrade cycle.
If it sounds like the setting on a washing machine it can feel like one too. The main risk is that this upgrade cycle becomes an end in itself and locks out the pursuit of value-adding opportunities to enhance IT systems.

Proprietary solution lock-in
Most vendors claim their products are ‘open’. Most, however, also deliberately construct their products to be differentiated from others! It is important to look beyond the veneer of openness to the underlying proprietary features and potential risks.
For example: will the data be locked into a vendor-defined world view that no others share – thus limiting opportunities for potential future migration? Are the interfaces restricted or limited so that data will not easily flow to and from other systems? Will any customizations become tightly bound into the product and impede potential upgrades? Are compatibilities assured with only a limited range of (mostly vendor produced) other products?
Committing to a ‘box set’ or ‘stack’ of related IT products is not necessarily a bad thing – particularly if the alternative is a hodge-podge of components wired up together. However, overcommitment to proprietary solutions will make you more vulnerable to an individual service provider failure or inadequacy.

Product Unfulfilled promises
Pre-emptive and premature product announcements are often made to draw the market away from a competitor offer. The latest is always the greatest, particularly in the IT world, but this might not be the best for you. It is important first to ascertain whether you really require the features that may require you to wait, and second to look at the vendor’s track record and discount future promises accordingly.

Offshore sourcing risks
The main risks to avoid that relate to offshore IT sourcing include:
• Political and economic instability may create a relatively less secure and predictable operating environment than exists for an on-shore provider;
• Inability of both service provider and customer teams to bridge social, language and cultural barriers to interface and to work as teams effectively on business initiatives that require IT solutions and services;
• Difficulties achieving redress in the event of a contractual or service delivery dispute;
• Significant ‘hidden costs’ in terms of management time and the two-way ‘exchange’ costs of travel and accommodation;
• Legal and regulatory issues and requirements that you may not be able to satisfy by having your company data stored in another country; and
• Greater potential for your intellectual property tied up in the computer systems you use to be exploited by a third party in another country without an opportunity for redress.

An overriding issue is the danger of thinking that with an outsource arrangement in place you have outsourced the risk. When things go wrong, the problems belong to you. The service provider may well suffer too, but it will be in their cash flow or reputation, rather than their business operation.
The distinctive feature of outsourcing and third party risks is the role of the contract. By their very nature, contracts try to cover all eventualities, especially those where ‘things are going wrong’.