1. Insights on IT risk
through IT outsourcing
2. Opportunities for
L`] [mjj]fl ][gfgea[ ]fnajgfe]fl ak [Yddaf_ aflg
im]klagf Zmkaf]kk eg]d ^mfYe]flYdk& ;gehYfa]k
are revisiting questions such as: can I restructure my
Zmkaf]kk lg af[j]Yk] eq d]n]d g^ daimaalq7 O`]j] [Yf
A [ml [gklk7 @go [Yf A af[gjhgjYl] af[j]Yk] Ö]paZadalq
aflg eq Zmkaf]kk eg]d7
In order to investigate this process further and put it in the
context of current events, Ernst & Young interviewed over 300
business leaders across the globe in January 2009. The results
were surprising and indicated a considerable level of planned
reorganization in the year ahead. A full 82% of respondents
expected business restructuring to play an increased role in
their company’s activities over the upcoming year and for many
organizations, the IT function was clearly targeted as a priority.
There are several options available to companies for reshaping and
restructuring their IT function, including: centralizing functions
in a shared service center, relocating for better access to cheaper
labor or specialized skills, or outsourcing IT functions to a service
provider. In this article, we take a closer look at the potential
Z]f]Õlk Yf jakck Ykkg[aYl] oal` l`] gmlkgmj[af_ ghlagf&
Insights on IT risk — May 2009 1
3. Investigating the outsourcing option
Hgl]flaYd Z]f]Õlk Questions to ask
Pressures to reduce costs are driving more organizations to The following questions are critical for business and IT leaders
consider or re-consider the outsourcing option. In Ernst & Young’s to consider before evaluating outsourcing alternatives:
2008 European outsourcing survey, 23% of organizations indicated 1. What services should be outsourced? Will we pay
an intention to outsource, or enlarge the scale of their outsourcing, a premium for the types of services selected for
over the next two years. For IT-related activities, the percentage outsourcing?
was even greater, with 37% of the survey respondents planning to
2. Where should the service provider be located?
outsource within the next two years.
3. How will we maintain control over the processes that have
Cost reduction is certainly a primary driver, but outsourcing can been outsourced?
also support non-traditional business models where specialists are
4. How will we ensure shared data is protected and securely
engaged at every level of the value chain. In addition, outsourcing
handled by the outsource provider?
[Yf Õdd j]kgmj _Yhk ^gj kcaddk l`Yl Yf gj_YfarYlagf eYq Z]
unable to develop in-house or has recently lost due to workforce 5. How will we manage data quality?
reductions. By focusing on core business activities and outsourcing 6. Will there be cultural differences and communications
the routine or low value-added processes, many believe they issues that could impact the outsourcing relationship?
can provide better service to their customers and achieve their 7. What should be included in the outsourcing contract? How
objectives at a lower cost. oadd h]j^gjeYf Z] e]Ykmj]7 @go oadd [gfÖa[lk Yf
The outsourcing experience is generally felt to be positive, with disputes be settled?
94% of respondents identifying at least one advantage. In addition
to cost savings (49% response rate), companies increasingly
Z]f]Õl ^jge ^mjl`]j YnYflY_]k km[` Yk l`] ghhgjlmfalq lg jan]
standardization and improve compliance across the organization.
Improved strategic organization and better quality services were
a]flaÕ] Zq *0 Yf ++ g^ j]khgf]flk j]kh][lan]dq
Outsourcing advantages (%) response rate
O`Yl Yj] l`] YnYflY_]k g^ gmlkgmj[af_ ^gj qgmj [gehYfq7 :Ykak2 [gehYfa]k gmlkgmj[af_ Yl d]Ykl gf] ^mf[lagf
At least one advantage 94%
Cost savings (and increase 49%
Better quality 33%
af[dmaf_ kh][aÕ[ kcaddk!
Egj] Ö]paZd] 25%
Multiple responses permitted.
Source: Ernst Young’s 2008 European outsourcing survey
2 Insights on IT risk — May 2009
4. Hgl]flaYd [`Ydd]f_]k Some of the challenges that companies relying on outsourced
services now face due to today’s economic environment include:
]khal] l`] hgl]flaYd Z]f]Õlk$ l`] gmlkgmj[af_ ][akagf ak fgl
jYm$ [gfÕ]flaYdalq$ afl]dd][lmYd hjgh]jlq Yf hjanY[q jakck
always an easy one to make. There are many unique risks that
due to increases in motivational pressures and opportunities by
must be addressed. Staff issues featured at the top of the list of
service provider distress
a^Õ[mdla]k a]flaÕ] Zq gmj gmlkgmj[af_ kmjn]q$ [al] Zq )* g^
respondents. Such staff problems may be at the buyer or provider Loss of reputation and customer goodwill
end of the equation. For the buyer, there may be problems of Lack of regulatory/government oversight in foreign
an employee backlash, with fears of job losses and internal jurisdictions
reorganizations. On the provider side, staff problems may arise DY[c g^ kmhhdq ZYk] an]jkaÕ[Ylagf
due to the physical distance, which may make staff relationships ;`Yf_]k lg ÕfYf[aYd naYZadalq Yf Zmkaf]kk gh]jYlagf eg]dk
more challenging. Different corporate cultures may also result in
communication issues. Successful implementation may require Some potential solutions to these challenges include establishing
more of a partnership type of relationship, rather than a complete a steering committee or vendor and outsourcing oversight board.
delegation of responsibilities. Organizations should explore multi-sourcing and/or maintaining
9fgl`]j [`Ydd]f_] a]flaÕ] af gmj gmlkgmj[af_ kmjn]q j]dYl]k some redundant expertise in-house. Companies should also take a
lg Õfaf_ l`] hjgh]j gmlkgmj[af_ hYjlf]j L`] Zmkaf]kk jakck ^j]k` dggc Yl m] ada_]f Yf l`] n]fgj imYdaÕ[Ylagf hjgmj]k
associated with choosing the right partner are more important than for new providers as well as contract renewals.
ever in today’s economic climate. In the last year alone, we have
oalf]kk] k]n]jYd `a_`%hjgÕd] ^Yadmj]k g^ kgd]%k]jna hjgna]jk Yf
dYj_] gmlkgmj[af_ Õjek L`]k] ^Yadmj]k Yf l`] j]kmdlaf_ ]e]j_]f
of new risks has a direct and far-reaching impact on the process
for choosing a provider. Organizations must consider possible
service and operational disruptions, occurring from a transition of
customers to remaining service providers if a change in provider is
required. A reduction in quality from distressed service providers
with overburdened employees may also be experienced; or the
organization may need to absorb the impact of increased service
costs resulting from less competition and fewer service providers.
Gmlkgmj[af_ k]l%mh a^Ô[mdla]k ! j]khgfk] jYl]
O`Yl Yj] l`] a^Õ[mdla]k Yf'gj gZklY[d]k qgm ]f[gmfl]j] Yl l`] lae] g^ k]llaf_ mh l`] gmlkgmj[af_ hjgkk7
:Ykak2 [gehYfa]k gmlkgmj[af_ Yl d]Ykl gf] ^mf[lagf
Staff related problems 12%
Finding the proper 9%
Change management 8%
IT and technical 6%
Legal problems 5%
Source: Ernst Young’s 2008 European outsourcing survey
Insights on IT risk — May 2009 3
5. Gmlkgmj[af_ [Yf Zjaf_ Zgl` Z]f]Õlk Yf jakck
Hgl]flaYd Z]f]Ôlk Hgl]flaYd jakck
;gkl j]m[lagf Yf af[j]Yk] ]^Õ[a]f[q2 gmlkgmj[af_ [Yf Cost reductions cannot always be realized in full: this is often
reduce costs by eliminating institutional impediments to the case where only a high level business case is prepared,
]^Õ[a]fl gh]jYlagfk KYnaf_k k`gmd Z] j]Ydar] Zq l`] the actual cost structure (internal baseline) and target costs
outsourcer through: restructuring the services, achieving are not correctly calculated, or the business case was based
greater economies of scale, shifting to business partners on wrong assumptions.
(with other fee structures), shifting to countries with lower
J]kaklYf$ af]jlaY$ Yf [gfÖa[lk oal` j]khgfkaZadala]k2
labor costs (Eastern Europe, India, China, Vietnam, etc.)
in practice, there needs to be strong alignment with
Service delivery improvements: outsourcing in many cases the outsourcer on the management of the transition.
permits the use of state-of-the-art technologies without Poor training of employees, language problems, lack of
having to invest directly. consideration of cultural differences between outsourcer
employees and remaining staff, plus fears, and loss of power
Concentration on core competencies: outsourcing helps
and responsibilities of people are some of the reasons for
enable corporate resources to be focused on core business.
j]kaklYf Yf afl]jh]jkgfYd [gfÖa[lk
Increased solvency: demand for capital and investment for
Dependence on one outsourcer with no possibilities for
the IT function is easier to predict and plan.
switch: contracts are generally signed for 5-10 years (3
Realization of economies of scale: the outsourcing providers years minimum). The wrong choice of outsourcer, combined
Yj] kh][aYdar] af l`]aj hYjla[mdYj Õ]dk ap] [gklk Yj] dgo]j oal` afkm^Õ[a]fl [gfljgd g^ l`]aj k]jnak ak dac]dq lg j]kmdl af
and the contract can be negotiated to share some of these project failure.
savings between outsourcer and client.
Dgo ][gfgea]k g^ k[Yd]2 Yf afkm^Õ[a]fl klYfYjarYlagf
Avoiding “over-servicing”: internal employees often perform especially for “special services” or an above-average level of
more services than needed. This can be managed by service variable costs can lead to low economies of scale. The range
level agreements with the provider. of different systems and processes across many entities
needs to be evaluated.
Increased agility: it is easier to switch between service
providers than to change a complete IT function if the ImYdalq hjgZd]ek Yf af[j]Yk] af [gehd]palq2 afkm^Õ[a]fl
[gfljY[l g]k fgl ]dan]j hjgeak] Z]f]Õlk 9dkg$ k`gjl%l]je k]jna d]n]d Y_j]]e]flk$ afkm^Õ[a]fl ^g[mk gf l`] j]Yd
[YhY[alq hjgZd]ek [Yf Z] [gn]j] Zq mkaf_ l`] Ö]paZadalq g^ customer needs, or lack of hands-on approach lead to quality
outsourcers’ global resources. problems. Also, designing a “to-be” concept based on a
misunderstood “as-is” situation or very complex interfaces
:]ll]j [gfljgd2 m] lg ]Õf] k]jna d]n]d Y_j]]e]flk$
between processes, organizational entities and applications
transparency of costs, prevention of insider relationships, and
can result in quality issues.
the force to have open and comparable standards, the level
of control can be increased. Dgkk g^ [gfljgd Yf cfgo%`go2 afkm^Õ[a]fl k]jna d]n]d
Y_j]]e]flk gj afkm^Õ[a]fl afl]jfYd [gfljgd g^ l`] k]jnak
can result in loss of control. The relocation of knowledge
champions to another site can lead to a loss of internal
business knowledge. An in-house service management
organization should be created to control the service delivery
Yf ]fkmj] l`] imYdalq g^ l`] ]Õf] k]jna
4 Insights on IT risk — May 2009
6. K]d][laf_ l`] ja_`l k]jnak
Like other functional areas of the business, certain components To address this issue, organizations should evaluate the outsourcing
of IT services are rarely or never outsourced. Organizations g^ ]Y[` AL k]jna gj Y[lanalq oal` Y k]hYjYl] [gkl%Z]f]Õl YfYdqkak
typically outsource repeatable or routine IT services, such as the There may be little or no incentive to outsourcing some specialized
management of a help desk, on-site technical support and security activities and could actually lead to a more costly outcome than the
testing. Most organizations are unwilling to outsource the activities current situation. In addition, prior to entering into an outsourcing
that require more unique or specialized skills. In the Ernst Young arrangement, they should closely examine the contract to identify
2008 Global Information Security Survey, less than 30% of the and understand the “premium” pricing scenarios and the potential
respondents indicated they would outsource disaster recovery, impact on the organization. The business relationship will be much
incident response or IT forensics. more successful if all “surprises” or unexpected fees are avoided.
The reluctance to outsource certain IT activities is decreasing as the
pressures to reduce costs increase and a broader array of IT processes
are now being outsourced. However, outsourcing these specialized
services is not always a low-cost alternative. Many service providers
now offer a standard portfolio of services and deviating from the
klYfYj hgjl^gdag [Yf d]Y lg Y ka_faÕ[Yfl af[j]Yk] af hja$ Yk l`]k]
services cannot be easily provided by the outsourcing “factory”
without additional specialists. The increased cost of the specialists
is simply passed on to the service provider’s customers.
KljYl]_a[ kgmj[af_ da^][q[d] È [jala[Yd km[kk ^Y[lgjk
=Y[` klY_] g^ l`] kgmj[af_ da^][q[d] hgk]k mfaim] jakck$ Yf l`] km[kk g^ l`] gn]jYdd kgmj[af_ hjg_jYe ak
]h]f]fl gf [jala[Yd km[kk ^Y[lgjk Yf ]^^][lan] eYfY_]e]fl g^ l`]k] jakck
Sourcing and business Structured governance Timely transition Compliance management
Effective contract Policy enforcement Service-level management
Senior management buy-in
Effective service level key Process discipline and maturity Quality assurance and change
Right selection criteria for performance indicators management
Effective program execution
vendor/partner selection and metrics
Effective operating model Dependency and impact analysis with vendors
Risk-adjusted business case Prudent program planning
;gfhl HdYf Transition Monitor
Mf[d]Yj Zmkaf]kk gZb][lan]k ;gfljY[lmYd jakck Gh]jYlagfYd jakck :YdYf g^ hgo]j egnaf_
and priorities lgoYjk n]fgj
:mkaf]kk [gflafmalq jakck @meYf [YhalYd jakck
K`gjl%l]je ZaYk] kljYl]_q ;jala[Yd af^gjeYlagf eakmk]
;gjj][l gh]jYlaf_ eg]d Afl]dd][lmYd hjgh]jlq jakck
Gj_YfarYlagfYd mfhj]hYj]f]kk Customer dissatisfaction
J]_mdYlgjq Yf hgdala[Yd jakck
Sub-optimal sourcing strategy Stuck with a bad contract ]dYq] Z]f]Õlk Vendor holding the balance
Ineffective operating model Fgf%j]YdarYlagf g^ Z]f]Õlk Business case doesn’t hold true
anymore Litigation and regulatory issues
Credibility loss at executive Bad experience with outsourcing
management level Relationship goes sour between Brand dilution
Degraded quality of services
Insights on IT risk — May 2009 5
7. ;`ggkaf_ l`] Z]kl dg[Ylagf
In 2009, companies have become more convinced of the merits of
developing markets. India, China and Eastern Europe all rate highly C]q g^^%k`gjaf_ Yf dg[Ylagf lj]fk2
Yk g^^%k`gjaf_ dg[Ylagfk AfaY ak a]flaÕ] Yk l`] hj]^]jj] g^^% Collaborative strategies are increasingly valued. More
shoring destination by all respondents (45%) regardless of where Ö]paZd] gh]jYlaf_ eg]dk$ emdla%[mdlmjYd YhhjgY[`]k$
their headquarters’ operations are situated. China ranks second collaborative partnerships and new forms of out- and
and Eastern Europe third (26% and 23% of votes respectively). co-sourcing of production and service delivery bring new
Surprisingly, the strong image of Eastern Europe as an off-shoring opportunities.
destination extends not only to European companies, but also those Talents are essential. The race for skills, talent and
in North America. [j]Ylanalq ak gf af dg[Ylagfk o`]j] [geh]lalagf ^gj kh][aÕ[
Motivations for off-shoring certain activities to developing countries [geh]l]f[a]k ak Õ]jj Zq l`] o]]c Kge] [gehYfa]k
have changed as these markets evolved. Initial decisions were develop protectionist strategies and, in turn, slow down a
generally taken purely on a cost basis. This was largely behind the region’s ability to grow through new inward investment.
phenomenal growth seen in recent years in markets such as India. Emerging markets … have emerged. By 2050, the
However, in recent years, the cost advantage of off-shoring to many Emerging-7 (Brazil, Russia, India and China, together
developing markets has dramatically reduced. At the same time, with Indonesia, Mexico and Turkey) are likely to overtake
these countries have moved up the value chain as their operations the economies of the G-7 countries in terms of gross
`Yn] eYlmj] Af [gfljYkl lg Õn] q]Yjk Y_g$ l`] k[Yd] Yf lqh]k domestic product (GDP). Will they be able to develop their
of services they are delivering are much more sophisticated. IT af^jYkljm[lmj] Yl Y km^Õ[a]fl jYl] lg c]]h mh oal` l`] hY
services such as remote infrastructure management and industry- g^ _dgZYd afn]kle]fl7 Oadd l`]q Z] YZd] lg hjgÕl ^mddq ^jge
kh][aÕ[ Yhhda[Ylagf ]n]dghe]fl `Yn] fgo ]n]dgh] aflg `a_`% l`] Z]f]Õlk g^ nYdm]%Y] afoYj afn]kle]fl Yf oadd l`]q
growth outsourced services. undertake changes in transparency, fairness and openness?
In our experience, destination preferences also vary according to Risk management is now at the heart of a company’s
the particular function to be off-shored: Eastern Europe is preferred location decisions, prompted by the prevailing climate
for industry and production processes, while a mix of local, near- of uncertainty. The current priority is for transparency,
shoring and, to a lesser extent, off-shoring is preferred for process stability and clarity in the countries chosen for investment
gja]fl] ^mf[lagfk [Ydd fl]jk! 9 kh][aÕ[ eap g^ dg[Yd Yf g^^% projects. Companies put a sharpening focus on the balance
shore sourcing is generally adopted for IT operations. of risks and rewards in economies everywhere. Investors
look at a complex variety of costs, quality and risks factors
before selecting their business locations.
O`a[` g^ l`] _]g_jYh`a[ eYjc]lk g qgm ]ph][l Based on Ernst Young’s research on location trends in
“Attractiveness Survey — 2005/2008”
lg g^^]j l`] Z]kl g^^%k`gjaf_ hgkkaZadala]k ^gj
Eastern Europe 23%
Southeast Asia 16%
Latin America 14%
Middle East 5%
North America 5%
Western Europe 4%
New Zealand 3%
(up to three responses possible)
Source: Ernst Young, Opportunity in adversity, January 2009
6 Insights on IT risk — May 2009
8. EYaflYafaf_ [gfljgd ^jge Y aklYf
IT outsourcing creates a new challenge for organizations to
maintain control of services being supplied by personnel that are
not your employees, and often out of your physical control. A While implementing governance and service-level reporting
starting point of control is a detailed contract which contains explicit processes are important, they do not relieve an organization
requirements with respect to the quality of the provided services of responsibility for evaluating the quality of services received.
and the controls that must be in place to protect information. This can be performed by either the organization sending its
:ml Y [gfljY[l Ydgf] ak fgl km^Õ[a]fl3 l`] gj_YfarYlagf emkl `Yn] own personnel to the supplier location to perform evaluations of
a way to determine if the contractual obligations are being met. the services or obtaining a report on the services prepared by a
There are two dependable ways in which this can be done, supplier independent auditor. While sending its own personnel provides an
management and third-party reporting. organization with the maximum control over the process, a report
from an independent auditor is usually more cost effective and the
cost can be shared by several of the supplier’s customers.
Kmhhda]j eYfY_]e]fl One type of independent auditor report is a SAS 70 report. While
According to the Ernst Young ICT Barometer report for October the purpose of this report is to provide information regarding
2008 (an outsourcing study of 600 Dutch companies), the [gfljgdk j]d]nYfl lg ÕfYf[aYd Ymalk lg [mklge]jk g^ Y kmhhda]j$ l`ak
responsibility for managing service providers generally rests with an type of report may also be useful in understanding the supplier’s
existing line of business function or an organizational function (e.g., processes and controls as it relates to operations and compliance.
procurement); although a small number of organizations (15%) However, many aspects of a supplier’s processes will not be covered
have established a special department to oversee these activities. by a SAS 70 report. Other types of independent auditor reports,
Whether it becomes the responsibility of an existing department or such as SysTrust®, have been developed to address security,
a newly created department, managing service providers is usually YnYadYZadalq$ [gfÕ]flaYdalq$ hjgkkaf_ afl]_jalq Yf hjanY[q l`Yl
done through the following mechanisms: may not be included in a SAS 70 report. In addition, an organization
Contract: the contract between the user organization and the may work with its supplier to have an independent audit performed
service provider is used as a control mechanism by the use of on those aspects of the services received that are of particular
special clauses related to bonuses and penalties. interest to the organization.
Governance structure: procedures and structures agreed upon
in advance to resolve any issues that may arise.
Service level agreement: this instrument provides a way in
which the quality of the services delivered can be evaluated
and measured in pre-determined units.
Service level reporting: this method utilizes periodically
prepared reports on the realized service levels for which the
service provider can be held responsible.
Despite occasional disputes, maintaining a good relationship
with the service provider is often the most important objective
for an organization when it comes to supplier management. The
ICT Barometer study found that 33% of organizations have had
a dispute with their service provider, but only 20% have ever
exercised a clause in a contract to resolve the dispute.
Insights on IT risk — May 2009 7
9. Securing shared data
The increase in IT outsourcing also means more data and sensitive Information security must go beyond physical borders. The
information is being shared with external service providers. Sharing organization’s data needs to be protected whether the information
data does not mean that the risk or responsibility for protecting is stored within its own building or at the service provider’s location.
l`] af^gjeYlagf ak Ydkg ljYfk^]jj] Gj_YfarYlagfk emkl Õf Y For this reason, it becomes important that an organization can
way to protect their information even when it has left their own obtain assurance that their service providers are providing a level of
information systems. security to match or exceed their own.
Ernst Young’s 2008 Global Information Security Survey (GISS)
provided evidence that many organizations are struggling
to address third-party risk. The survey found that 29% of all
respondents indicated that they do not perform any type of
audit or assessment of the third parties with whom they
@go g qgm ]fkmj] l`Yl qgmj ]pl]jfYd hYjlf]jk$ n]fgjk Yf [gfljY[lgjk Yj] hjgl][laf_ qgmj
Assessments performed by your
organization’s internal audit function
Reviews of internal
self-assessments performed by 36%
partners, vendors or contractors
Reviews of independent external
assessments of partners, vendors 32%
No reviews or
assessments performed 29%
Multiple responses permitted
Source: Ernst Young’s 2008 Global Information Security Survey
8 Insights on IT risk — May 2009
10. Why do organizations overlook the security aspects of an ;gflafmgmkdq eYfY_] Yf egfalgj l`] jakck a]flaÕ] af l`]
outsourcing initiative? Among other things, they are often unaware risk analyses.
of the risks or they may assume that data protection will be well Periodically assess the service provider using an international
organized by their service provider. In addition, rarely are the right standard such as ISO/IEC27001 or by means of a third-party
h]ghd] afngdn] af ]Õfaf_ l`] k][mjalq j]imaj]e]flk o`]f l`] report (i.e., SAS 70, ISAE 3402).
service contracts are being constructed.
Make security a part of the governance structure between the
To effectively address information security in an outsourcing organization and that of the service provider at a strategic,
situation, organizations should focus on the following: tactical and operational level.
Utilize the service contract as a control mechanism by use of Considering security early in the outsourcing process — before
special clauses related to bonuses and penalties. contracts and agreements are made with service providers — can
Perform a risk analysis to determine the associated risks and prevent many problems from developing in the future.
how the potential service provider is planning to address them.
Involve the security resources within your organization to
assess potential service providers.
EYc] kh][aÕ[ [gfljY[lmYd Y_j]]e]flk [gfjfaf_ l`] oYq
in which the service provider will implement and adhere to
EYfq gj_YfarYlagfk fgo cfgo l`Yl k`Yjaf_ YlY jYj]dq e]Yfk l`] jakc gj
j]khgfkaZadalq ^gj hjgl][laf_ l`] af^gjeYlagf ak Ydkg ljYfk^]jj]
Insights on IT risk — May 2009 9
11. EYfY_af_ YlY imYdalq
Data quality is the reliability and integrity of the data used in The key to data quality is sound data management and can be
electronic processing. It can be measured by the degree in which ]Õf] Yk l`] ^gddgoaf_2
[gjjmhlagf gj afY[[mjY[q ]paklk oal`af l`] YlY Õd]k =pYehd]k Organization: it is imperative to have clear roles and
of poor data quality are duplicate entries, incomplete data responsibilities, training and education, planning and change
and incorrect data. Poor data quality can lead to an unreliable management processes.
af^gjeYlagf kqkl]e l`Yl oadd `Yn] Y ka_faÕ[Yfl aehY[l gf l`]
Hgda[q2 km[kk^md YlY eYfY_]e]fl hjg_jYek `Yn] ]Õf]
gj_YfarYlagf 9 YlY hjgZd]e [Yf aehY[l ÕfYf[aYd j]hgjlaf_ Yf
Yf g[me]fl] aj][lan]k [gfjfaf_ YlY ]Õfalagfk$
internal control processes. It can also restrict the organization’s
monitoring and measuring, data access, data availability and
ability to recognize fraud and result in poor management decisions
based on incorrect information.
Standards: it is important to incorporate taxonomies, reference
An outsourcing initiative can be a compelling reason to increase dates, an enterprise data model and use of proven tools.
efforts related to improving the quality of data. However, for
organizations which strive to optimize the use of their information The impact of poor data quality is often underestimated and
systems, it is critical to incorporate data quality activities within proper attention is often only given after an outsourcing initiative
their current IT processes and not wait for an external spark such as has begun. Organizations that currently take steps to safeguard
outsourcing to drive improvements. data quality are much better prepared to work with external
service providers and will have fewer issues to address during the
Depicted below is the impact of a shortcoming in data quality. outsourcing process.
Lqha[Yd YlY management
Poor data capture business processes Financial restatements
Duplicate master data Poor business insights Loss of market share/
Incomplete data hjgÕlYZadalq
Poor data Data inconsistencies reporting Financial instability/
liquidity and/or solvency
imYdalq Yf Inaccurate source data Inability to identify
YnYadYZadalq Inappropriate data Loss of stakeholder
usage Sub-optimal business
L`] aehda[Ylagfk g^ hggj YlY eYfY_]e]fl [Yf d]Y lg Zmkaf]kk akkm]k
10 Insights on IT risk — May 2009
12. Gn]j[geaf_ [mdlmjYd a^^]j]fk
Gmlkgmj[af_ AL k]jnak lg gl`]j [gmflja]k [Yf hj]k]fl Y ka_faÕ[Yfl L`] kmjn]q j]kmdlk j]Ö][l l`] a^Õ[mdlq af gn]j[geaf_ [mdlmjYd
challenge in terms of cultural differences and communications. and communications problems. Technical problems can usually
Results from the Ernst Young ICT Barometer study show that be solved with more resources and budget. This approach does
++ g^ l`] [gehYfa]k Yj] akkYlakÕ] oal` l`] AL k]jnak o`a[` not work for cultural differences. To close the gap and develop a
are outsourced to other countries. In regard to a reason for this successful business relationship with an organization that is abroad
dissatisfaction, 67% of the respondents viewed cultural differences requires an acceptance that there will be differences and there
as the primary reason and 46% cited problems with communications must be an investment in knowledge of each other’s culture. Open
as the main issue. Surprisingly, cultural differences are more than and honest communication is of vital importance, making clear
twice as likely to be a problem as the actual application not meeting agreements concerning common targets, milestones and sanctions
expectations. at the onset can help prevent communication mistakes and lead to
mutually realistic expectations.
O`q ak qgmj gmlkgmj[af_ hjgb][l fgl ]flaj]dq Y km[kk7
Cultural differences 67%
Problems with 46%
Application does not (fully) 30%
meet the expectations
Project has run out of time 18%
leader unavailable 17%
Application does not work due to
gj_YfarYlagfYd a^Õ[mdla]k 17%
Application does not work due to 15%
Project budget was exceeded 14%
Problems with supplier 13%
Source: Ernst Young’s ICT Barometer
Gmlkgmj[af_ AL k]jnak lg gl`]j [gmflja]k [Yf hj]k]fl Y ka_faÕ[Yfl
[`Ydd]f_] af l]jek g^ [mdlmjYd a^^]j]fk Yf [geemfa[Ylagfk
Insights on IT risk — May 2009 11
13. Structuring the agreement
Outsourcing arrangements should be recorded in a formal document J]kgdnaf_ [gfÖa[lk
l`Yl j]Ö][lk l`] ]ph][lYlagfk g^ Ydd hYjla]k afngdn] @go]n]j$ l`]
pressures and time constraints on legal staff, process managers, Outsourcing arrangements are usually expected to be a long-
human resources, IT staff and the organization’s executives term relationship. But it does not always work out this way and
^j]im]fldq d]Y lg Yf afkm^Õ[a]fl j]na]o hjgkk Yf Y g[me]fl an organization may want to or need to take back control of the
that does not meet the needs of the organization. It is important to outsourced activities or migrate to another outsourcing provider.
recognize that this scenario will result in a business relationship that gj km[` Y [gfÖa[l$ l`]j] Yj] l`j]] km__]kl] ghlagfk lg k]lld]
will suffer due to the lack of a common understanding. the dispute:
1. End the relationship in a structured manner by making use of
l`] ]pal kljYl]_q l`Yl oYk ]Õf] af l`] [gfljY[l
]Õfaf_ Yf egfalgjaf_ l`] [gfljY[l 2. Both parties submit to binding arbitration by an independent
A good contract, like a good business relationship, should be third party. The expertise of the independent third party
regularly reviewed and revised if necessary. Besides comparing can help settle the dispute in such a manner that both
achieved performance with the fees charged, it is important that organizations are treated fairly. This helps to prevent high
performance levels be objectively measured on a timely basis. ÕfYf[aYd [gklk Yf Zmkaf]kk jakc
H]j^gjeYf e]Ykmj]k l`Yl Yj] a^Õ[mdl lg imYfla^q oadd mfYngaYZdq 3. Gf] gj Zgl` hYjla]k Õd] Y dYokmal L`ak ak Y dgf_ Yf ]ph]fkan]
d]Y lg [gfÖa[lk Kh][aÕ[ h]j^gjeYf j]hgjlk gj e]Ykmj]e]fl route for all involved.
techniques must also have been fully disclosed in the contract.
Because the dispute resolution process forces both parties to walk
It is also important that the outsourcing contract include any through the process together once again, a better arrangement can
agreements related to sanctions, guarantees, exit strategies and sometimes be reached and the parties often end up cooperating
akhml] k]lld]e]fl hjgmj]k L`]k] Yj] fgl l`] Õjkl eYll]jk gf] and completing or modifying the contract.
thinks of when entering a new business relationship, but they are
Outsourcing is not without risks or possible consequences, but
vital provisions if something does go wrong.
many of these factors can be mitigated by having a solid contract
in place with agreed-upon measures to help prevent a dispute
situation from escalating.
Gmlkgmj[af_ YjjYf_]e]flk k`gmd Z] j][gj] af Y ^gjeYd g[me]fl
l`Yl j]Ö][lk l`] ]ph][lYlagfk g^ Ydd hYjla]k afngdn]
12 Insights on IT risk — May 2009
14. 9Zgml =jfkl Qgmf_
9l =jfkl Qgmf_$ gmj k]jnak ^g[mk gf gmj afanamYd [da]flkÌ kh][aÕ[ Zmkaf]kk f]]k Yf akkm]k Z][Ymk] o]
j][g_far] l`Yl ]n]jq f]] Yf akkm] ak mfaim] lg l`Yl Zmkaf]kk
Information technology is one of the key enablers for modern organizations to compete. It gives the opportunity to get closer, more
^g[mk] Yf ^Ykl]j af j]khgfaf_ lg [mklge]jk$ Yf [Yf j]]Õf] Zgl` l`] ]^^][lan]f]kk Yf ]^Õ[a]f[q g^ gh]jYlagfk :ml Yk ghhgjlmfalq
grows, so does risk. Effective information technology risk management helps you to improve the competitive advantage of your
af^gjeYlagf l][`fgdg_q gh]jYlagfk$ lg eYc] l`]k] gh]jYlagfk egj] [gkl ]^Õ[a]fl Yf lg eYfY_] gof l`] jakck j]dYl] lg jmffaf_ qgmj
systems. Our 6,000 information technology risk professionals draw on extensive personal experience to give you fresh perspectives and
open, objective advice — wherever you are in the world. We work with you to develop an integrated, holistic approach to your information
l][`fgdg_q jakc gj lg ]Yd oal` Y kh][aÕ[ jakc Yf af^gjeYlagf k][mjalq akkm] O] mf]jklYf l`Yl lg Y[`a]n] qgmj hgl]flaYd qgm f]] Y
lYadgj] k]jna Yk em[` Yk [gfkakl]fl e]l`ggdg_a]k O] ogjc lg _an] qgm l`] Z]f]Õl g^ gmj ZjgY k][lgj ]ph]ja]f$ gmj ]]h kmZb][l
matter knowledge and the latest insights from our work worldwide. It’s how Ernst Young makes a difference.
For more information on how we can make a difference in your organization, contact your local Ernst Young professional or any of the
people listed in the table below.
Norman Lonergan +44 (0) 20 7980 0596 firstname.lastname@example.org
(Advisory Services Leader, London)
HYmd nYf C]kk]d +31 88 40 71271 email@example.com
(IT Risk and Assurance Services Leader, Amsterdam)
Robert Patton +1 404 817 5579 firstname.lastname@example.org
(Americas Leader, Atlanta)
Norman Lonergan +44 (0) 20 7980 0596 email@example.com
(Europe, Middle East, India and Africa Leader, London)
Fa_]d Cfa_`l +86 21 2228 8888 firstname.lastname@example.org
(Far East Leader, Shanghai)
Isao Onda +81 4 3238 7011 email@example.com
(Japan Leader, Chiba-shi)
gm_ Kaehkgf +61 2 9248 4923 firstname.lastname@example.org
(Oceania Leader, Sydney)
IT Risk and Assurance Services
:]jfa] O]_] +1 404 817 5120 email@example.com
(Americas Leader, Atlanta)
HYmd nYf C]kk]d +31 88 40 71271 firstname.lastname@example.org
(Europe, Middle East, India and Africa Leader, Amsterdam)
Ljgq C]ddq +81 2 2629 3238 email@example.com
(Far East Leader, Hong Kong)
Giovanni Stagno +81 3 3503 1100 firstname.lastname@example.org
(Japan Leader, Chiyoda-ku)
AYaf :mjf]l +61 8 9429 2486 email@example.com
(Oceania Leader, Perth)
Insights on IT risk — May 2009 13