Tuesday, July 17, 2018
banner 650w

Bits & Bytes e-zine, Vol3 #2 - IT GOVERNANCE 202: Outsourcing and Managed Service

The question of whether to outsource IT has become part of the strategic thinking process for many organizations. These organizations are increasingly evaluating what is core to their mission and weighing the benefits of turning non-core, but often critical functions such as IT, over to outside partners.

The benefits are compelling. Through a managed services model, the process by which day-to-day business processes or functions are outsourced to a third-party that is expert in that particular area, organizations can benefit from greater expertise, lower costs and higher quality, as well as free up management to focus on more strategic endeavours.

While the case can be made that outsourcing, at least in the area of IT, is potentially a higher value alternative to internal delivery, its success rate, viewed from the perspective of broad customer satisfaction, has not been equally overwhelming. The absence of good IT governance leading up to the decision to outsource and perpetuating thereafter is often cited as a key reason for failure of the relationship.


IT governance exists within the context of corporate governance, and the principles are essentially the same. IT governance is an accountability framework and management process that helps to define and communicate what must be done in alignment with the annual IT plan agreed to by the stakeholders and provides the rigorous oversight to ensure that it is well executed. It drives collaborative interactions and provides feedback mechanisms that encourage communication and desirable behaviours within a defined and agreed upon organization model.

The accountability framework is typically made up of well-defined roles and responsibilities reflecting decision rights among the participants in the IT management process and is reinforced by effective factual reporting shared to all stakeholders via the organizational committees.

Making sure decision rights are clearly defined is critical to resolving a myriad of issues related to strategy, standards, monitoring and change introduction. Some of these key issues include the following:

  • Who are the stakeholders? (Are all concerned groups well represented in the relationship?)
  • Who approves the IT strategy? (Is it aligned with the company’s business priorities?)
  • Who approves the IT standards? (Are they unnecessarily diverse?)
  • Who is responsible for monitoring project delivery?
  • Who decides upon a change?
  • Who is ultimately accountable for the results?
  • What will the retained organization look like to ensure that the proper roles are covered?
  • How are decision rights and the decisions themselves periodically revisited to ensure continual alignment?

Addressing these questions is critical to a well-managed IT function. Too often, a lack of clarity on who owns the decision rights and lack of visibility to support those decisions in these areas leads to value destruction in the delivery of IT services.

In an outsourced environment, clarity and communication of decision rights of all stakeholders of a service is fundamental. Left unaddressed, both parties’ participants are likely to make assumptions that can lead to conflict and unmet expectations


Because good IT governance is so essential to establishing an effective IT environment and even more essential to a successful sole or multi-sourcing relationship, it should receive priority attention in the early stages of the negotiation and contracting phase of such a deal.

By focusing on governance in the negotiation stage of the relationship, parties can clarify their respective roles and responsibilities to ensure the relationship’s success. Incorporating an IT governance structure, role and responsibility accountability matrix, and reporting mechanisms into the contract increases the likelihood that the IT governance model will be implemented with the required discipline and rigor.

Rather than be a victim of poor IT governance, the outsourcer is in a position to establish through contracting a rigorous governance model that will lead to improved IT effectiveness and continual IT/business alignment. From the client’s point of view, taking advantage of this opportunity is critical to ensuring a successful outcome for both parties.

Indeed, good IT governance can be seen as a principle value of outsourcing. Contracted IT governance should cover four areas in particular:

1. Roles and responsibilities

2. Defined processes

3. Management structure

4. Reporting


At a high level, four stakeholders are involved in a good IT governance model and their decision rights should be clarified in the contract:

1. Business unit or functional leadership – typically defines what IT deliverables (projects, services and service levels) are essential to meeting the organization’s business and functional requirements.

2. Business executive leadership - sanctions and funds the level of IT activity.

Within the contract it must be clear what activity can and cannot happen without executive approval. Typical items contracted as requiring executive approval include:

  • All major projects
  • Partnership changes
  • Changes to critical service levels
  • Major pricing changes or changes to contracted terms and conditions
  • Major IT directional changes

By contracting the requirement for executive ownership of key decisions, the outsourcer ensures that it is brought to the table in critical areas of IT management.

3. Senior IT leadership - clearly defined to prevent conflict between the outsourcer and the “stay-back” team. This definition should be included in the Statement of Work, which should look very much like a RACI (Responsible, Accountable, Consulted and Informed) chart for outsourced processes.

4. IT delivery leadership – an outsourcing contract is generally the most clear as deliverables are articulated in terms of service levels around key processes. What should also be contracted, however, are the management responsibilities of IT delivery leadership, such as their responsibility to provide guidance on evolving technologies, to monitor performance, and to perform capacity planning, etc. The more specificity defined the better.


The responsibilities and decision rights of each of these stakeholders should be negotiated and defined within the contract.

The outsourcer will typically not want to undertake initiatives without clear business ownership and clarity around requirements. The contract should go so far as to state that all projects will require a business owner and that the tracking and realization of business benefits from each project is the business owner’s responsibility. Otherwise, the outsourcer often ends up being held accountable for non-realized project value and is required to defend the client’s expected business benefit results, which can translate in lack of trust when its responsibility was only the technology component.


In support of roles and responsibilities, the moments and sequence in which these roles and responsibilities come into play need to be defined. A process will include elements such as:

a. Each role required to have a process started, executed and completed

b. The time, delay and sequence an activity will occur

c. Identification of each control and decision making steps

d. The prerequisites, dependencies and out-bounds for each activity

e. The completion criteria

f. Support information that is relevant to the effectiveness of such process

The approach taken usually translates into a project that includes the creation, education, communication and write-up of a first version of a tailored set of processes. Unfortunately, it is common after a short period of time to find outdated or missing sets of processes upon notification of a regulatory requirement or a compliancy target date that is close to being reached. Also, it is common for the formal processes to be “misplaced,” resulting in having these processes found and known by only a few. This situation increases the risk of introducing an organization into a storming phase and increases confusion or the possibility of creating “flavour of the day” controls upon a “silo” decision due to a possible change or occurrence.

Today’s market set of defined management processes are available and can easily coexist by selecting the best of each. For example, CobIT and ITIL® are not mutually exclusive and can be combined to provide a powerful IT governance, control and best-practice framework in IT service management. Organizations that want to put their ITIL program into the context of a wider control and governance framework can use CobIT.

Relying on an experienced outsourcer that demonstrates a breath of experience and is knowledgeable in market best practices, such as CobIT, ITIL or CMMI, allows clients to accelerate integration and to reuse the best practice processes that already existed within the organization. Leveraging what is currently in place and enhancing it to achieve value-driven IT governance allows the client to benefit from operational excellence and the reduction of overall operating IT costs.


Equally important to defining roles and responsibilities with their respective processes is establishing within the contract a management structure to support the execution of those roles and responsibilities. A forum must exist to review and approve requirements and to monitor execution. Ideally, this type of structure would already exist within an organization. Too often, however, this is not the case and the contract is an ideal opportunity to create the necessary structure.

A four-level structure made up of the following committees can be built into the contract, ensuring that stakeholders execute their roles and responsibilities:

1. User / project committee - formed around business units, technology groupings or business processes, are ideal forums in which to review emerging business needs and service delivery with the capability to report back on the progression of in-flight requirements

2. Operation committee - generally composed of senior IT leadership and IT delivery leadership

3. Executive committee - the forum for approval of IT directions and initiatives for the agreed upon scope of services, and the contract should specify the composition, agenda, frequency of meetings, and deliverables of this committee as well

4. Management committee - includes both organization executives, who share the strategic orientation of the business relationship strategy and the evolution of such relationship


While outsourcing contracts typically require service level reporting to some extent, outsourcers are in an ideal position to introduce a broader scope of IT reporting and support the roles and responsibilities articulated in the contract. User committees would generally require progress reporting on approved projects, enhancement backlog reporting to monitor request status and, of course, service level reports on critical processes. The operating committee would require similar reporting and, based on its responsibility for the execution of all IT services, supplemental financial information.

The executive committee reporting requirement would be highly summarized and may take the form of a balanced score card report, touching on four or five critical dimensions, such as business contribution, service quality, budget, user/client satisfaction and strategic direction

The outsourcing contract should specify the reporting required to manage the relationship and services and, indeed, examples of required reporting should be included within the contract.


While companies are now treating IT as a key element of their business, they often fall short in the area of IT governance, especially when outsourcing their IT functions. By making good governance an essential part of the contract, outsourcers and clients can do a better job of setting expectations and significantly increase their chances of creating a win-win situation for all.

Category: Bits & Bytes