Tuesday, February 24, 2004
I've been trying to take a balanced view of outsourcing. On the one hand, I want to acknowledge the market forces that are driving companies to outsource IT services offshore. On the other hand, I want to identify the risks, so that clients may understand what they are signing up for and make rational decisions. I am concerned that the benefits of outsourcing have been overhyped, while the risks generally have been minimized.
Meta Group has made an attempt to itemize the risks of outsourcing. Executives that are planning to outsource significant parts of the IT function or back office processes should pay attention. The following is my paraphrasing and further elaboration on some of the risks that Meta Group points out.
Meta Group has identified four additional risks. Read Meta's whole article on CIO Magazine's web site for more details.
- Risk of unmet cost savings. Too many executives think that if Indian programmers are paid 80% less than U.S. programmers, then they will save 80% of their IT personnel costs. They forget that outsourcing introduces an additional management layer and inefficiencies. Yes, you will save money. But not as much as you might think. Meta Group estimates typical savings of 15-25% in the first year, and 35-40% in year three. Nothing to sneeze at, but keep reading.
- Risk of insecurity and loss of intellectual property. If you are outsourcing software development, and software is important to your business, this is a huge risk. As my friend David Harding points out, some countries that are high on the list of outsourcing destinations are the same countries that have an extremely poor track record in respecting IP rights. Be sure you are not the next Ishoni Networks.
- Insufficient discipline to manage the vendor. Interestingly, many offshore service providers are more disciplined in their business processes than their US customers. They have to be: they depend on standardized, repeatable processes. But if you have been running your IT function in an ad-hoc fashion for years, how are you going to manage the outsourcer? Meta Group points out that in such cases, offshore service providers will need to compensate by putting some of their resources on site at your facilities, adding cost.
- Loss of business knowledge. Having worked in IT for over 25 years, I have observed that a tremendous amount of organizational and business knowledge resides in the application development groups of many companies. If you outsource application development, you are effectively transferring that knowledge to a third party. Is it worth the cost savings? Maybe, but recognize what you are doing.
- Risk of vendor failure. Smart companies do not put all their eggs in one basket, but rather choose to outsource to more than one service provider. If the vendor goes out of business, at least it won't be a complete disaster. Do your outsourcing plans address contingencies in the event that the outsourcer cannot deliver?
- Risk of non-compliance. Government regulations are placing increasing demands on the IT function. This has been true in military contracting and life science industries for years. Now, HIPAA, CA 1386, and other privacy regulations add new demands for compliance on IT systems. Can compliance be ensured if the IT function is largely outsourced to a third party, thousands of miles away? Massachusetts congressman Ed Markey has already sent letters to 16 U.S. regulatory agencies raising privacy concerns over offshore outsourcing. Markey's press release refers to one anecdotal example of such risks to privacy:According to press reports, last year a Pakistani woman who had been hired as a subcontractor to perform medical transcription work for a Texas company engaged as an outsourcing firm for a California hospital threatened to post sensitive patient medical records on the Internet unless she received certain payments she claimed were due to her. Press reports indicated that the Pakistani woman actually posted one confidential medical file onto the Internet, demonstrating her willingness to carry out her threat if her demands were not met.