Governance Frameworks in IT Outsourcing

Focus Areas In IT Governance
Strategic alignment and strategic governance are keys to ensuring the enterprise is fully exploiting opportunities and managing risks in an evolving market. According to the IT Governance Institute, there are five areas of focus:

Strategic Alignment
Linking business and IT so they work well together. Typically, the lightning rod is the planning process, and true alignment occurs only when the corporate side of business communicates effectively with line of business (LOB) leaders and IT leaders about costs, and benefits.

Value Delivery
Ensuring that IT department does what is necessary to deliver the benefits from an IT investment. The best practice is to develop processes for ensuring that target values grow, and those that reduce value are eliminated.

Resource management
One way to manage resources more effectively is efficient staff organization, for example, by skills instead of by line of business. This allows better personnel deployment and demand management.

Risk Management
Instituting a formal risk framework puts rigor around how IT measures, accepts and manages risk, as well as reports on what risks are managed.

Performance Measures
Putting structure around measuring business performance. A popular method is instituting an IT Balanced Scorecard (BSC), which examines where IT makes a contribution in terms of achieving business goals. It uses qualitative and quantitative measures for measurement.

Governance Challenges In Outsourcing
In 2004, a survey conducted by the IT Governance Institute (ITGI revealed that the required levels of governance are not reliably extended into relationships when service provisioning is outsourced. It is no longer an organization’s ownership of capabilities that matters, but rather its ability to leverage and scale its outsourcing capabilities. The findings show that outsourcing benefits are not just about price, but rather about service quality, risk management and freeing up of key personnel to focus on core value-adding activities.

Chief Information Officers (CIOs) looking to outsource parts of the IT operation to 3rd party agents overseas should carefully look at their own processes for maturity and organizational readiness. The need to demonstrate IT’s contributions to a company’s bottom-line. Furthermore, increased financial regulations, such as Sarbanes Oxley Act (SOX) & Basel II are forcing CIOs to look closely at the IT landscape. Consequently, agents are also looking for 3rd party assurance to provide their principals with comfort about their internal control environment.

Many Indian service providers have implemented recommendations from NASSCOM, the premier organization that represents and sets the tone for public policy for the Indian software industry. Most organizations are conscious of potential problems that can emerge from information security abuses. Strict measures have been adopted by many Indian businesses to prevent information misuse. NASSCOM has been encouraging Indian legislature to pass amendments to the Information Technology laws to expand focus areas of data protection. “The customer has to do certain things and is responsible for certain things, and so are we,” said Ed Nalbandian, Vice President for Avaya Operations Services, a global provider of Business communications solutions.

We shall begin our discussion on frameworks with the Statement on Auditing Standards (SAS) No. 70, the most widely employed auditing standard.

SAS 70
SAS No. 70 (SAS 70 in short), an auditing standard developed by American Institute of Certified Public Accountants (AICPA), recognizes that an audit by an “independent” auditor had been performed and that a service organization has been through an in-depth evaluation of its control objectives. This is critical because service organizations or providers must demonstrate adequate controls and safeguard mechanisms in place, especially when they host or process client data.

Control Objectives for Information Technology (COBIT) is another popular process framework created by Information Systems Audit and Control Association (ISACA). COBIT is both, an IT governance framework and supporting toolset that allows managers to bridge governance gaps across the organization. This framework encompasses core business and support processes. COBIT is a framework to be applied by both the IT department and the business as a whole.

Val IT
Complementing COBIT is ISACA’s Val IT governance framework that demonstrates business value derived from IT investments. It is a set of guiding principles, processes, best practices and management practices to help executive management demonstrate value from IT at the enterprise level. This framework goes further beyond financials to include Portfolio Management.

IT Infrastructure Library (ITIL)
Information Technology Infrastructure Library (ITIL) is a set of practices developed by the United Kingdom’s Office of Government Commerce (OGC) for IT service management (ITSM). ITIL version 3 (latest) aligns IT services with business strategy and provides a holistic perspective, covering the entire IT and supporting organizations.

Calder-Moir IT Governance Framework
The Calder-Moir IT Governance Framework is designed to help exact maximum benefit from overlapping frameworks and standards. This framework is not another solution, but a way of organizing IT governance issues. It proffers tools the board could apply to evaluate, direct and monitor processes through a PDCA (Plan, Do, Check, Act) cycle.

This model for evaluating internal controls is from the Committee of Sponsoring Organizations of the Treadway Commission. It includes guidelines on many functions, including human resource management, inbound and outbound logistics, external resources, information technology, risk, legal affairs, the enterprise, marketing and sales, operations, all financial functions, procurement and reporting. This is a more business-general framework that is less IT-specific than the others.

The Capability Maturity Model Integration method, created by a group from government, industry and Carnegie-Mellon’s Software Engineering Institute, is a process improvement approach that contains 22 process areas. It is divided into appraisal, evaluation and structure. CMMI is particularly well suited to organizations that need help with application development, lifecycle issues and improving the delivery of products throughout the lifecycle.

Framework Selection
Choosing the best corporate governance framework for a business is a subject of finding the right balance of serving all stakeholders in which the business operates. A good governance framework should be managed and supervised an independent board of directors that oversees the implementation of a corporate vision. Directors are guided by a set of policies that govern the business practices in all areas of operation.

Nowadays, most companies choose COBIT or ITIL, but others frameworks are suitable as well. ITIL is especially a good framework or operations, while CMMi is suitable for application development and lifecycle issues. COBIT is a great umbrella framework for risk management.

Though each framework has a unique value proposition, combining frameworks to design a customized framework to suit an organization’s objectives. A company may use COBIT as an overall framework and ITIL for specific operations, CMMI for development and ISO frameworks for security. In fact, combining frameworks is fairly common. A study by PricewaterhouseCoopers found that in 65 percent of cases, companies used COBIT and ITIL together or with lesser-known frameworks.

Specifically, outsourcing governance is a sub-set of IT governance and its primary focus is regulating the interface between the organization and its outsourced service provider. One crucial consideration when considering outsourcing governance is the close interrelationship between the in-house and outsourced IT environment, focusing on IT outsourcing governance invariably proves inadequate. It must be considered within the context of IT governance as a whole.

Most importantly, a framework that fits the corporate culture and that most stakeholders are familiar with should be used.

Bringing Them Together
To transform great ideas into great project outcomes, strategic IT Governance is mandatory. “If the IT governance framework isn’t implemented properly, it can directly affect how IT is perceived at a high level. The last thing you want is for IT to be perceived as a cost center that doesn’t produce real value“, says Marios Damianides, former International President of ISACA and the IT Governance Institute, and currently a partner for Ernst & Young.

Solid governance goes côte à côte with good execution. This means establishing a Project Management Office (PMO) and a Governance Board. For larger projects, a Program Manager should be chartered and made accountable for all issues and escalations. The PMO should report the progress on a regular basis to the Governance board.

Furthermore, the chosen Governance framework should not be too complicated or difficult to manage. The structure should be simple and easy to understand; the objectives should be clear and understood by all stakeholders. In short, outsourcing Governance frameworks need to be effective, productive, and align to the strategic business needs and requirement. Importantly, the Governance framework should be periodically re-energized to stay relevant on business objectives.

Further Readings

  1. When to divest support services by Petter Østbø, Tor Jakob Ramsøy, and Anders Rasmussen, Corporate Finance Practice, McKinsey Quarterly, July 2009
  2. The value in outsourcing legacy insurance products by Matthias Daub and Ferruccio Lagutaine, Business Technology Office, McKinsey Quarterly, December 2010
  3. The Black Book of Outsourcing: How to Manage the Changes, Challenges, and Opportunities (Wiley Desktop Editions) by Douglas Brown and Scott Wilson (May 2, 2005)
  4. Operational Excellence: The New Force Driving High Performance Through Outsourcing by Jeff Osborne, Managing Director, BPO Global Delivery, Accenture, 2010
  5. The Outsourcing Enterprise – From Cost Management to Collaborative Innovation by Leslie P. Willcocks, Sara Cullen and Andrew Craig. ISBN: 9780230231917, published 14.Oct.2010
  6. Information Technology Strategy and Management: Best Practices (Premier Reference Source) by Eng K. Chew and Petter Gottschalk (Nov 26, 2008)
  7. Creating Better Governance of Offshore Services, Judith C. Simona, Robin S. Postona & Bill Kettingera, Information Systems Management, Volume 26, Issue 2, 2009; DOI:10.1080/10580530902794778
  8. Information Systems Audit & Control Association frameworks
  9. Fortress India? by Pete Engardio, Majeet Kripalani and Josey Puliyenthurrthel,, Business Week, Aug. 16, 2004