The growth of economics and business has made many companies focusing their business process enhancement through information technology (IT). This condition drives the fast growing of IT inventions and stimulates the growth of IT companies to provide various services such as business application system development, IT planning, IT blue print design, to the IT outsourcing services.
Especially in banking and telecommunication industry, either to improve their services to its customer or compliance with regulations, the need of IT services has become a very serious consideration. In regards to fulfill the needs, many companies enhanced their IT division with certified professionals or decide to outsource.
In Indonesia, the idea for outsourcing IT related operations has raised in recent years especially in banking due to the newly implemented regulations from Bank Indonesia (PBI 9/15/PBI/2007) that enforced Banks to report their IT Governance implementation activities. Although in securities industry, outsourcing the remote trading system to the Application System Provider (ASP) has drop due to the growth of the industries that stimulates each broker to have their own manageable front office and back office systems.
The main drivers for companies which prefer outsourcing are to save costs, improve service levels, business strategic matter, standardize the desktop and end user computing, enhances IT asset management, manage technical change, or the lack of technical expertise to in-house develop the solutions or to perform the operations.
In order to put the selection, companies must established the formalized methodologies including the policies and procedures so that the top management can implement their designated controls to ensure the alignment of “the business needs” to the providers offering. Many cases we are facing is that the providers offer “cool stuffs” that makes the company “thinks” that they need them to improve their business while not considering that selection into the business needs.
The request for proposal (RFP) plays a critical role. The RFP must define the functions to be outsourced, detail business requirement, the current technical environment, and the possible future changes. Besides that, the required service level is also important to set the minimum standards that the vendor must meet.
The contributors of the RFP (user department, IT department, and top management) should take a final look at its contents before it can be send to the vendors. Is it complete? Is it easily understood? And finally, will it help eliminate from bidding those service providers that are inappropriate for the deal?
Once the selection is made, anotheanother “big” issue is that the Service Level Agreements (SLAs) are either poorly defined or nonexistent. The vendors should be given a basic list of service-level metrics against which their performance can be evaluated. As a response requirement, vendors may be asked to delineate what service levels they would commit to once the environment has been transferred to the vendor.
Based on Information System Auditor and Control Association (ISACA) guidelines, the agreement with vendors should consider the following controls:
- Formal agreements between the service provider and the service user
- Inclusion of a clause in the outsourcing agreement which explicitly states that the service provider is obligated to meet all legal requirements applying to its activities and comply with acts and regulations pertaining to the functions it should undertake on behalf of the service user
- Stipulation in the outsourcing agreement that activities performed by the service provider are subject to controls and audits as if they were performed by the service user itself
- Inclusion of audit access rights in the agreement with the service provider
- Service Level Agreements (SLAs) with performance monitoring procedures.
- Adherence to the service user’s security policies
- Adequacy of the service provider’s fidelity insurance arrangements
- Adequacy of the service provider’s personnel policies and procedures
Subsequent to the agreement, the companies should managed the outsourced services. Also from the ISACA guidelines, companies must managed the outsourced services by considering the following matters;
- Business processes to produce the information used to monitor compliance with the SLAs are appropriately controlled
- Where SLAs are not being met, the service user has sought remedy and corrective actions have been considered to achieve the agreed service level
- The service user has the capacity and competence to follow up and review the services provided
The vendor management best practice were also stated in Control Objective for Information and Related Technology (COBIT) that published by the Information Technology Governance Institute (ITGI) in the Delivery & Support (DS) domain.
End users will always need IT support, whether it is outsourced or not. IS managers must retain internal expertise to manage the vendor. Adequate number of staff (in proportion to the business size), is needed to monitor and evaluate the performance measurements and ensure the outsourcer is always maintain proper service levels.
Only if all these conditions are satisfied will IT outsourcing succeed.
This article has been published in RSM AAJ Newsletter, check out the link here: http://rsm.aajassociates.com/publications.php?menu=7&id=1&id0=1
Syahraki Syahrir (Raki) 