Increasing flexibility through IT outsourcing, por Ernst & Young
Upcoming SlideShare
Loading in...5
×

Like this? Share it with your network

Share

Increasing flexibility through IT outsourcing, por Ernst & Young

  • 2,163 views
Uploaded on

Presentación Ernst & Young Foro Global Crossing de Tecnología y Negocios, Perú 2010.

Presentación Ernst & Young Foro Global Crossing de Tecnología y Negocios, Perú 2010.

More in: Technology
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Be the first to comment
No Downloads

Views

Total Views
2,163
On Slideshare
2,156
From Embeds
7
Number of Embeds
1

Actions

Shares
Downloads
41
Comments
0
Likes
1

Embeds 7

http://foro.globalcrossing.com 7

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
    No notes for slide

Transcript

  • 1. Insights on IT risk May 2009 Af[j]Ykaf_ Ö]paZadalq through IT outsourcing
  • 2. Opportunities for restructuring L`] [mjj]fl ][gfgea[ ]fnajgfe]fl ak [Yddaf_ aflg im]klagf Zmkaf]kk eg]d ^mfYe]flYdk& ;gehYfa]k are revisiting questions such as: can I restructure my Zmkaf]kk lg af[j]Yk] eq d]n]d g^ daimaalq7 O`]j] [Yf A [ml [gklk7 @go [Yf A af[gjhgjYl] af[j]Yk] Ö]paZadalq aflg eq Zmkaf]kk eg]d7 In order to investigate this process further and put it in the context of current events, Ernst & Young interviewed over 300 business leaders across the globe in January 2009. The results were surprising and indicated a considerable level of planned reorganization in the year ahead. A full 82% of respondents expected business restructuring to play an increased role in their company’s activities over the upcoming year and for many organizations, the IT function was clearly targeted as a priority. There are several options available to companies for reshaping and restructuring their IT function, including: centralizing functions in a shared service center, relocating for better access to cheaper labor or specialized skills, or outsourcing IT functions to a service provider. In this article, we take a closer look at the potential Z]f]Õlk Yf jakck Ykkg[aYl] oal` l`] gmlkgmj[af_ ghlagf& Insights on IT risk — May 2009 1
  • 3. Investigating the outsourcing option Hgl]flaYd Z]f]Õlk Questions to ask Pressures to reduce costs are driving more organizations to The following questions are critical for business and IT leaders consider or re-consider the outsourcing option. In Ernst & Young’s to consider before evaluating outsourcing alternatives: 2008 European outsourcing survey, 23% of organizations indicated 1. What services should be outsourced? Will we pay an intention to outsource, or enlarge the scale of their outsourcing, a premium for the types of services selected for over the next two years. For IT-related activities, the percentage outsourcing? was even greater, with 37% of the survey respondents planning to 2. Where should the service provider be located? outsource within the next two years. 3. How will we maintain control over the processes that have Cost reduction is certainly a primary driver, but outsourcing can been outsourced? also support non-traditional business models where specialists are 4. How will we ensure shared data is protected and securely engaged at every level of the value chain. In addition, outsourcing handled by the outsource provider? [Yf Õdd j]kgmj[] _Yhk ^gj kcaddk l`Yl Yf gj_YfarYlagf eYq Z] unable to develop in-house or has recently lost due to workforce 5. How will we manage data quality? reductions. By focusing on core business activities and outsourcing 6. Will there be cultural differences and communications the routine or low value-added processes, many believe they issues that could impact the outsourcing relationship? can provide better service to their customers and achieve their 7. What should be included in the outsourcing contract? How objectives at a lower cost. oadd h]j^gjeYf[] Z] e]Ykmj]7 @go oadd [gfÖa[lk Yf The outsourcing experience is generally felt to be positive, with disputes be settled? 94% of respondents identifying at least one advantage. In addition to cost savings (49% response rate), companies increasingly Z]f]Õl ^jge ^mjl`]j YnYflY_]k km[` Yk l`] ghhgjlmfalq lg jan] standardization and improve compliance across the organization. Improved strategic organization and better quality services were a]flaÕ] Zq *0 Yf ++ g^ j]khgf]flk j]kh][lan]dq& Outsourcing advantages (%) response rate O`Yl Yj] l`] YnYflY_]k g^ gmlkgmj[af_ ^gj qgmj [gehYfq7 :Ykak2 [gehYfa]k gmlkgmj[af_ Yl d]Ykl gf] ^mf[lagf& At least one advantage 94% Cost savings (and increase 49% in productivity) Better quality 33% af[dmaf_ kh][aÕ[ kcaddk! Improved strategic organization/alignment 28% Egj] Ö]paZd] 25% Multiple responses permitted. Source: Ernst & Young’s 2008 European outsourcing survey 2 Insights on IT risk — May 2009
  • 4. Hgl]flaYd [`Ydd]f_]k Some of the challenges that companies relying on outsourced services now face due to today’s economic environment include: <]khal] l`] hgl]flaYd Z]f]Õlk$ l`] gmlkgmj[af_ ][akagf ak fgl  >jYm$ [gfÕ]flaYdalq$ afl]dd][lmYd hjgh]jlq Yf hjanY[q jakck always an easy one to make. There are many unique risks that due to increases in motivational pressures and opportunities by must be addressed. Staff issues featured at the top of the list of service provider distress a^Õ[mdla]k a]flaÕ] Zq gmj gmlkgmj[af_ kmjn]q$ [al] Zq )* g^ respondents. Such staff problems may be at the buyer or provider  Loss of reputation and customer goodwill end of the equation. For the buyer, there may be problems of  Lack of regulatory/government oversight in foreign an employee backlash, with fears of job losses and internal jurisdictions reorganizations. On the provider side, staff problems may arise  DY[c g^ kmhhdq ZYk] an]jkaÕ[Ylagf due to the physical distance, which may make staff relationships  ;`Yf_]k lg ÕfYf[aYd naYZadalq Yf Zmkaf]kk gh]jYlagf eg]dk more challenging. Different corporate cultures may also result in communication issues. Successful implementation may require Some potential solutions to these challenges include establishing more of a partnership type of relationship, rather than a complete a steering committee or vendor and outsourcing oversight board. delegation of responsibilities. Organizations should explore multi-sourcing and/or maintaining 9fgl`]j [`Ydd]f_] a]flaÕ] af gmj gmlkgmj[af_ kmjn]q j]dYl]k some redundant expertise in-house. Companies should also take a lg Õfaf_ l`] hjgh]j gmlkgmj[af_ hYjlf]j& L`] Zmkaf]kk jakck ^j]k` dggc Yl m] ada_]f[] Yf l`] n]fgj imYdaÕ[Ylagf hjg[]mj]k associated with choosing the right partner are more important than for new providers as well as contract renewals. ever in today’s economic climate. In the last year alone, we have oalf]kk] k]n]jYd `a_`%hjgÕd] ^Yadmj]k g^ kgd]%k]jna[] hjgna]jk Yf dYj_] gmlkgmj[af_ Õjek& L`]k] ^Yadmj]k Yf l`] j]kmdlaf_ ]e]j_]f[] of new risks has a direct and far-reaching impact on the process for choosing a provider. Organizations must consider possible service and operational disruptions, occurring from a transition of customers to remaining service providers if a change in provider is required. A reduction in quality from distressed service providers with overburdened employees may also be experienced; or the organization may need to absorb the impact of increased service costs resulting from less competition and fewer service providers. Gmlkgmj[af_ k]l%mh a^Ô[mdla]k ! j]khgfk] jYl] O`Yl Yj] l`] a^Õ[mdla]k Yf'gj gZklY[d]k qgm ]f[gmfl]j] Yl l`] lae] g^ k]llaf_ mh l`] gmlkgmj[af_ hjg[]kk7 :Ykak2 [gehYfa]k gmlkgmj[af_ Yl d]Ykl gf] ^mf[lagf& Staff related problems 12% Finding the proper 9% partner Change management 8% problems IT and technical 6% problems Legal problems 5% Other 15% Source: Ernst & Young’s 2008 European outsourcing survey Insights on IT risk — May 2009 3
  • 5. Gmlkgmj[af_ [Yf Zjaf_ Zgl` Z]f]Õlk Yf jakck Hgl]flaYd Z]f]Ôlk Hgl]flaYd jakck  ;gkl j]m[lagf Yf af[j]Yk] ]^Õ[a]f[q2 gmlkgmj[af_ [Yf  Cost reductions cannot always be realized in full: this is often reduce costs by eliminating institutional impediments to the case where only a high level business case is prepared, ]^Õ[a]fl gh]jYlagfk& KYnaf_k k`gmd Z] j]Ydar] Zq l`] the actual cost structure (internal baseline) and target costs outsourcer through: restructuring the services, achieving are not correctly calculated, or the business case was based greater economies of scale, shifting to business partners on wrong assumptions. (with other fee structures), shifting to countries with lower  J]kaklYf[]$ af]jlaY$ Yf [gfÖa[lk oal` j]khgfkaZadala]k2 labor costs (Eastern Europe, India, China, Vietnam, etc.) in practice, there needs to be strong alignment with  Service delivery improvements: outsourcing in many cases the outsourcer on the management of the transition. permits the use of state-of-the-art technologies without Poor training of employees, language problems, lack of having to invest directly. consideration of cultural differences between outsourcer employees and remaining staff, plus fears, and loss of power  Concentration on core competencies: outsourcing helps and responsibilities of people are some of the reasons for enable corporate resources to be focused on core business. j]kaklYf[] Yf afl]jh]jkgfYd [gfÖa[lk&  Increased solvency: demand for capital and investment for  Dependence on one outsourcer with no possibilities for the IT function is easier to predict and plan. switch: contracts are generally signed for 5-10 years (3  Realization of economies of scale: the outsourcing providers years minimum). The wrong choice of outsourcer, combined Yj] kh][aYdar] af l`]aj hYjla[mdYj Õ]dk& >ap] [gklk Yj] dgo]j oal` afkm^Õ[a]fl [gfljgd g^ l`]aj k]jna[]k ak dac]dq lg j]kmdl af and the contract can be negotiated to share some of these project failure. savings between outsourcer and client.  Dgo ][gfgea]k g^ k[Yd]2 Yf afkm^Õ[a]fl klYfYjarYlagf  Avoiding “over-servicing”: internal employees often perform especially for “special services” or an above-average level of more services than needed. This can be managed by service variable costs can lead to low economies of scale. The range level agreements with the provider. of different systems and processes across many entities needs to be evaluated.  Increased agility: it is easier to switch between service providers than to change a complete IT function if the  ImYdalq hjgZd]ek Yf af[j]Yk] af [gehd]palq2 afkm^Õ[a]fl [gfljY[l g]k fgl ]dan]j hjgeak] Z]f]Õlk& 9dkg$ k`gjl%l]je k]jna[] d]n]d Y_j]]e]flk$ afkm^Õ[a]fl ^g[mk gf l`] j]Yd [YhY[alq hjgZd]ek [Yf Z] [gn]j] Zq mkaf_ l`] Ö]paZadalq g^ customer needs, or lack of hands-on approach lead to quality outsourcers’ global resources. problems. Also, designing a “to-be” concept based on a misunderstood “as-is” situation or very complex interfaces  :]ll]j [gfljgd2 m] lg ]Õf] k]jna[] d]n]d Y_j]]e]flk$ between processes, organizational entities and applications transparency of costs, prevention of insider relationships, and can result in quality issues. the force to have open and comparable standards, the level of control can be increased.  Dgkk g^ [gfljgd Yf cfgo%`go2 afkm^Õ[a]fl k]jna[] d]n]d Y_j]]e]flk gj afkm^Õ[a]fl afl]jfYd [gfljgd g^ l`] k]jna[]k can result in loss of control. The relocation of knowledge champions to another site can lead to a loss of internal business knowledge. An in-house service management organization should be created to control the service delivery Yf ]fkmj] l`] imYdalq g^ l`] ]Õf] k]jna[]& 4 Insights on IT risk — May 2009
  • 6. K]d][laf_ l`] ja_`l k]jna[]k Like other functional areas of the business, certain components To address this issue, organizations should evaluate the outsourcing of IT services are rarely or never outsourced. Organizations g^ ]Y[` AL k]jna[] gj Y[lanalq oal` Y k]hYjYl] [gkl%Z]f]Õl YfYdqkak& typically outsource repeatable or routine IT services, such as the There may be little or no incentive to outsourcing some specialized management of a help desk, on-site technical support and security activities and could actually lead to a more costly outcome than the testing. Most organizations are unwilling to outsource the activities current situation. In addition, prior to entering into an outsourcing that require more unique or specialized skills. In the Ernst & Young arrangement, they should closely examine the contract to identify 2008 Global Information Security Survey, less than 30% of the and understand the “premium” pricing scenarios and the potential respondents indicated they would outsource disaster recovery, impact on the organization. The business relationship will be much incident response or IT forensics. more successful if all “surprises” or unexpected fees are avoided. The reluctance to outsource certain IT activities is decreasing as the pressures to reduce costs increase and a broader array of IT processes are now being outsourced. However, outsourcing these specialized services is not always a low-cost alternative. Many service providers now offer a standard portfolio of services and deviating from the klYfYj hgjl^gdag [Yf d]Y lg Y ka_faÕ[Yfl af[j]Yk] af hja[]$ Yk l`]k] services cannot be easily provided by the outsourcing “factory” without additional specialists. The increased cost of the specialists is simply passed on to the service provider’s customers. KljYl]_a[ kgmj[af_ da^][q[d] È [jala[Yd km[[]kk ^Y[lgjk =Y[` klY_] g^ l`] kgmj[af_ da^][q[d] hgk]k mfaim] jakck$ Yf l`] km[[]kk g^ l`] gn]jYdd kgmj[af_ hjg_jYe ak ]h]f]fl gf [jala[Yd km[[]kk ^Y[lgjk Yf ]^^][lan] eYfY_]e]fl g^ l`]k] jakck&  Sourcing and business  Structured governance  Timely transition  Compliance management ;jala[Yd km[[]kk strategy alignment  Effective contract  Policy enforcement  Service-level management  Senior management buy-in ^Y[lgjk  Effective service level key  Process discipline and maturity  Quality assurance and change  Right selection criteria for performance indicators management  Effective program execution vendor/partner selection and metrics  Opportunistic renegotiation  Risk management  Effective operating model  Dependency and impact analysis with vendors  Risk-adjusted business case  Prudent program planning ;gf[]hl HdYf Transition Monitor  Mf[d]Yj Zmkaf]kk gZb][lan]k  ;gfljY[lmYd jakck  Gh]jYlagfYd jakck  :YdYf[] g^ hgo]j egnaf_ Key risks and priorities lgoYjk n]fgj  :mkaf]kk [gflafmalq jakck  @meYf [YhalYd jakck  K`gjl%l]je ZaYk] kljYl]_q  ;jala[Yd af^gjeYlagf eakmk]  ;gjj][l gh]jYlaf_ eg]d  Afl]dd][lmYd hjgh]jlq jakck  Gj_YfarYlagfYd mfhj]hYj]f]kk  Customer dissatisfaction  J]_mdYlgjq Yf hgdala[Yd jakck  Sub-optimal sourcing strategy  Stuck with a bad contract  <]dYq] Z]f]Õlk  Vendor holding the balance of power AehY[l  Ineffective operating model  Fgf%j]YdarYlagf g^ Z]f]Õlk  Business case doesn’t hold true anymore  Litigation and regulatory issues  Credibility loss at executive  Bad experience with outsourcing management level  Relationship goes sour between  Brand dilution client-vendor  Degraded quality of services Insights on IT risk — May 2009 5
  • 7. ;`ggkaf_ l`] Z]kl dg[Ylagf In 2009, companies have become more convinced of the merits of developing markets. India, China and Eastern Europe all rate highly C]q g^^%k`gjaf_ Yf dg[Ylagf lj]fk2 Yk g^^%k`gjaf_ dg[Ylagfk& AfaY ak a]flaÕ] Yk l`] hj]^]jj] g^^%  Collaborative strategies are increasingly valued. More shoring destination by all respondents (45%) regardless of where Ö]paZd] gh]jYlaf_ eg]dk$ emdla%[mdlmjYd YhhjgY[`]k$ their headquarters’ operations are situated. China ranks second collaborative partnerships and new forms of out- and and Eastern Europe third (26% and 23% of votes respectively). co-sourcing of production and service delivery bring new Surprisingly, the strong image of Eastern Europe as an off-shoring opportunities. destination extends not only to European companies, but also those  Talents are essential. The race for skills, talent and in North America. [j]Ylanalq ak gf af dg[Ylagfk o`]j] [geh]lalagf ^gj kh][aÕ[ Motivations for off-shoring certain activities to developing countries [geh]l]f[a]k ak Õ]j[]j Zq l`] o]]c& Kge] [gehYfa]k have changed as these markets evolved. Initial decisions were develop protectionist strategies and, in turn, slow down a generally taken purely on a cost basis. This was largely behind the region’s ability to grow through new inward investment. phenomenal growth seen in recent years in markets such as India.  Emerging markets … have emerged. By 2050, the However, in recent years, the cost advantage of off-shoring to many Emerging-7 (Brazil, Russia, India and China, together developing markets has dramatically reduced. At the same time, with Indonesia, Mexico and Turkey) are likely to overtake these countries have moved up the value chain as their operations the economies of the G-7 countries in terms of gross `Yn] eYlmj]& Af [gfljYkl lg Õn] q]Yjk Y_g$ l`] k[Yd] Yf lqh]k domestic product (GDP). Will they be able to develop their of services they are delivering are much more sophisticated. IT af^jYkljm[lmj] Yl Y km^Õ[a]fl jYl] lg c]]h mh oal` l`] hY[] services such as remote infrastructure management and industry- g^ _dgZYd afn]kle]fl7 Oadd l`]q Z] YZd] lg hjgÕl ^mddq ^jge kh][aÕ[ Yhhda[Ylagf ]n]dghe]fl `Yn] fgo ]n]dgh] aflg `a_`% l`] Z]f]Õlk g^ nYdm]%Y] afoYj afn]kle]fl Yf oadd l`]q growth outsourced services. undertake changes in transparency, fairness and openness? In our experience, destination preferences also vary according to  Risk management is now at the heart of a company’s the particular function to be off-shored: Eastern Europe is preferred location decisions, prompted by the prevailing climate for industry and production processes, while a mix of local, near- of uncertainty. The current priority is for transparency, shoring and, to a lesser extent, off-shoring is preferred for process stability and clarity in the countries chosen for investment gja]fl] ^mf[lagfk [Ydd []fl]jk!& 9 kh][aÕ[ eap g^ dg[Yd Yf g^^% projects. Companies put a sharpening focus on the balance shore sourcing is generally adopted for IT operations. of risks and rewards in economies everywhere. Investors look at a complex variety of costs, quality and risks factors before selecting their business locations. O`a[` g^ l`] _]g_jYh`a[ eYjc]lk g qgm ]ph][l Based on Ernst & Young’s research on location trends in “Attractiveness Survey — 2005/2008” lg g^^]j l`] Z]kl g^^%k`gjaf_ hgkkaZadala]k ^gj qgmj Zmkaf]kk7 India 45% China 26% Eastern Europe 23% Southeast Asia 16% Latin America 14% Middle East 5% North America 5% Western Europe 4% Africa 3% Australia and New Zealand 3% (up to three responses possible) Source: Ernst & Young, Opportunity in adversity, January 2009 6 Insights on IT risk — May 2009
  • 8. EYaflYafaf_ [gfljgd ^jge Y aklYf[] IT outsourcing creates a new challenge for organizations to maintain control of services being supplied by personnel that are L`aj%hYjlq j]hgjlaf_ not your employees, and often out of your physical control. A While implementing governance and service-level reporting starting point of control is a detailed contract which contains explicit processes are important, they do not relieve an organization requirements with respect to the quality of the provided services of responsibility for evaluating the quality of services received. and the controls that must be in place to protect information. This can be performed by either the organization sending its :ml Y [gfljY[l Ydgf] ak fgl km^Õ[a]fl3 l`] gj_YfarYlagf emkl `Yn] own personnel to the supplier location to perform evaluations of a way to determine if the contractual obligations are being met. the services or obtaining a report on the services prepared by a There are two dependable ways in which this can be done, supplier independent auditor. While sending its own personnel provides an management and third-party reporting. organization with the maximum control over the process, a report from an independent auditor is usually more cost effective and the cost can be shared by several of the supplier’s customers. Kmhhda]j eYfY_]e]fl One type of independent auditor report is a SAS 70 report. While According to the Ernst & Young ICT Barometer report for October the purpose of this report is to provide information regarding 2008 (an outsourcing study of 600 Dutch companies), the [gfljgdk j]d]nYfl lg ÕfYf[aYd Ymalk lg [mklge]jk g^ Y kmhhda]j$ l`ak responsibility for managing service providers generally rests with an type of report may also be useful in understanding the supplier’s existing line of business function or an organizational function (e.g., processes and controls as it relates to operations and compliance. procurement); although a small number of organizations (15%) However, many aspects of a supplier’s processes will not be covered have established a special department to oversee these activities. by a SAS 70 report. Other types of independent auditor reports, Whether it becomes the responsibility of an existing department or such as SysTrust®, have been developed to address security, a newly created department, managing service providers is usually YnYadYZadalq$ [gfÕ]flaYdalq$ hjg[]kkaf_ afl]_jalq Yf hjanY[q l`Yl done through the following mechanisms: may not be included in a SAS 70 report. In addition, an organization  Contract: the contract between the user organization and the may work with its supplier to have an independent audit performed service provider is used as a control mechanism by the use of on those aspects of the services received that are of particular special clauses related to bonuses and penalties. interest to the organization.  Governance structure: procedures and structures agreed upon in advance to resolve any issues that may arise.  Service level agreement: this instrument provides a way in which the quality of the services delivered can be evaluated and measured in pre-determined units.  Service level reporting: this method utilizes periodically prepared reports on the realized service levels for which the service provider can be held responsible. Despite occasional disputes, maintaining a good relationship with the service provider is often the most important objective for an organization when it comes to supplier management. The ICT Barometer study found that 33% of organizations have had a dispute with their service provider, but only 20% have ever exercised a clause in a contract to resolve the dispute. Insights on IT risk — May 2009 7
  • 9. Securing shared data The increase in IT outsourcing also means more data and sensitive Information security must go beyond physical borders. The information is being shared with external service providers. Sharing organization’s data needs to be protected whether the information data does not mean that the risk or responsibility for protecting is stored within its own building or at the service provider’s location. l`] af^gjeYlagf ak Ydkg ljYfk^]jj]& Gj_YfarYlagfk emkl Õf Y For this reason, it becomes important that an organization can way to protect their information even when it has left their own obtain assurance that their service providers are providing a level of information systems. security to match or exceed their own. Ernst & Young’s 2008 Global Information Security Survey (GISS) provided evidence that many organizations are struggling to address third-party risk. The survey found that 29% of all respondents indicated that they do not perform any type of audit or assessment of the third parties with whom they exchange information. @go g qgm ]fkmj] l`Yl qgmj ]pl]jfYd hYjlf]jk$ n]fgjk Yf [gfljY[lgjk Yj] hjgl][laf_ qgmj gj_YfarYlagfËk af^gjeYlagf7 Assessments performed by your organization’s internal audit function 39% Reviews of internal self-assessments performed by 36% partners, vendors or contractors Reviews of independent external assessments of partners, vendors 32% or contractors No reviews or assessments performed 29% Multiple responses permitted Source: Ernst & Young’s 2008 Global Information Security Survey 8 Insights on IT risk — May 2009
  • 10. Why do organizations overlook the security aspects of an  ;gflafmgmkdq eYfY_] Yf egfalgj l`] jakck a]flaÕ] af l`] outsourcing initiative? Among other things, they are often unaware risk analyses. of the risks or they may assume that data protection will be well  Periodically assess the service provider using an international organized by their service provider. In addition, rarely are the right standard such as ISO/IEC27001 or by means of a third-party h]ghd] afngdn] af ]Õfaf_ l`] k][mjalq j]imaj]e]flk o`]f l`] report (i.e., SAS 70, ISAE 3402). service contracts are being constructed.  Make security a part of the governance structure between the To effectively address information security in an outsourcing organization and that of the service provider at a strategic, situation, organizations should focus on the following: tactical and operational level.  Utilize the service contract as a control mechanism by use of Considering security early in the outsourcing process — before special clauses related to bonuses and penalties. contracts and agreements are made with service providers — can  Perform a risk analysis to determine the associated risks and prevent many problems from developing in the future. how the potential service provider is planning to address them.  Involve the security resources within your organization to assess potential service providers.  EYc] kh][aÕ[ [gfljY[lmYd Y_j]]e]flk [gf[]jfaf_ l`] oYq in which the service provider will implement and adhere to security measures. EYfq gj_YfarYlagfk fgo cfgo l`Yl k`Yjaf_ YlY jYj]dq e]Yfk l`] jakc gj j]khgfkaZadalq ^gj hjgl][laf_ l`] af^gjeYlagf ak Ydkg ljYfk^]jj]& Insights on IT risk — May 2009 9
  • 11. EYfY_af_ YlY imYdalq Data quality is the reliability and integrity of the data used in The key to data quality is sound data management and can be electronic processing. It can be measured by the degree in which ]Õf] Yk l`] ^gddgoaf_2 [gjjmhlagf gj afY[[mjY[q ]paklk oal`af l`] YlY Õd]k& =pYehd]k  Organization: it is imperative to have clear roles and of poor data quality are duplicate entries, incomplete data responsibilities, training and education, planning and change and incorrect data. Poor data quality can lead to an unreliable management processes. af^gjeYlagf kqkl]e l`Yl oadd `Yn] Y ka_faÕ[Yfl aehY[l gf l`]  Hgda[q2 km[[]kk^md YlY eYfY_]e]fl hjg_jYek `Yn] ]Õf] gj_YfarYlagf& 9 YlY hjgZd]e [Yf aehY[l ÕfYf[aYd j]hgjlaf_ Yf Yf g[me]fl] aj][lan]k [gf[]jfaf_ YlY ]Õfalagfk$ internal control processes. It can also restrict the organization’s monitoring and measuring, data access, data availability and ability to recognize fraud and result in poor management decisions YlY egaÕ[Ylagfk& based on incorrect information.  Standards: it is important to incorporate taxonomies, reference An outsourcing initiative can be a compelling reason to increase dates, an enterprise data model and use of proven tools. efforts related to improving the quality of data. However, for organizations which strive to optimize the use of their information The impact of poor data quality is often underestimated and systems, it is critical to incorporate data quality activities within proper attention is often only given after an outsourcing initiative their current IT processes and not wait for an external spark such as has begun. Organizations that currently take steps to safeguard outsourcing to drive improvements. data quality are much better prepared to work with external service providers and will have fewer issues to address during the Depicted below is the impact of a shortcoming in data quality. outsourcing process. Hgl]flaYd Zmkaf]kk Lqha[Yd aehda[Ylagfk Lqha[Yd YlY management management [`Ydd]f_]k issues  Litigation/regulatory Õf]k  Af]^^][lan]'af]^Õ[a]fl  Poor data capture business processes  Financial restatements  Duplicate master data  Poor business insights  Loss of market share/  Incomplete data hjgÕlYZadalq  AfY[[mjYl] ÕfYf[aYd Poor data  Data inconsistencies reporting  Financial instability/ liquidity and/or solvency imYdalq Yf  Inaccurate source data  Inability to identify issues fraud YnYadYZadalq  Inappropriate data  Loss of stakeholder usage  Sub-optimal business [gfÕ]f[] decisions  Poor product development L`] aehda[Ylagfk g^ hggj YlY eYfY_]e]fl [Yf d]Y lg Zmkaf]kk akkm]k 10 Insights on IT risk — May 2009
  • 12. Gn]j[geaf_ [mdlmjYd a^^]j]f[]k Gmlkgmj[af_ AL k]jna[]k lg gl`]j [gmflja]k [Yf hj]k]fl Y ka_faÕ[Yfl L`] kmjn]q j]kmdlk j]Ö][l l`] a^Õ[mdlq af gn]j[geaf_ [mdlmjYd challenge in terms of cultural differences and communications. and communications problems. Technical problems can usually Results from the Ernst & Young ICT Barometer study show that be solved with more resources and budget. This approach does ++ g^ l`] [gehYfa]k Yj] akkYlakÕ] oal` l`] AL k]jna[]k o`a[` not work for cultural differences. To close the gap and develop a are outsourced to other countries. In regard to a reason for this successful business relationship with an organization that is abroad dissatisfaction, 67% of the respondents viewed cultural differences requires an acceptance that there will be differences and there as the primary reason and 46% cited problems with communications must be an investment in knowledge of each other’s culture. Open as the main issue. Surprisingly, cultural differences are more than and honest communication is of vital importance, making clear twice as likely to be a problem as the actual application not meeting agreements concerning common targets, milestones and sanctions expectations. at the onset can help prevent communication mistakes and lead to mutually realistic expectations. O`q ak qgmj gmlkgmj[af_ hjgb][l fgl ]flaj]dq Y km[[]kk7 Cultural differences 67% Problems with 46% communication abroad Application does not (fully) 30% meet the expectations Project has run out of time 18% Experienced project leader unavailable 17% Application does not work due to gj_YfarYlagfYd a^Õ[mdla]k 17% Application does not work due to 15% l][`fa[Yd a^Õ[mdla]k Project budget was exceeded 14% Problems with supplier 13% Source: Ernst & Young’s ICT Barometer Gmlkgmj[af_ AL k]jna[]k lg gl`]j [gmflja]k [Yf hj]k]fl Y ka_faÕ[Yfl [`Ydd]f_] af l]jek g^ [mdlmjYd a^^]j]f[]k Yf [geemfa[Ylagfk& Insights on IT risk — May 2009 11
  • 13. Structuring the agreement Outsourcing arrangements should be recorded in a formal document J]kgdnaf_ [gfÖa[lk l`Yl j]Ö][lk l`] ]ph][lYlagfk g^ Ydd hYjla]k afngdn]& @go]n]j$ l`] pressures and time constraints on legal staff, process managers, Outsourcing arrangements are usually expected to be a long- human resources, IT staff and the organization’s executives term relationship. But it does not always work out this way and ^j]im]fldq d]Y lg Yf afkm^Õ[a]fl j]na]o hjg[]kk Yf Y g[me]fl an organization may want to or need to take back control of the that does not meet the needs of the organization. It is important to outsourced activities or migrate to another outsourcing provider. recognize that this scenario will result in a business relationship that >gj km[` Y [gfÖa[l$ l`]j] Yj] l`j]] km__]kl] ghlagfk lg k]lld] will suffer due to the lack of a common understanding. the dispute: 1. End the relationship in a structured manner by making use of l`] ]pal kljYl]_q l`Yl oYk ]Õf] af l`] [gfljY[l& <]Õfaf_ Yf egfalgjaf_ l`] [gfljY[l 2. Both parties submit to binding arbitration by an independent A good contract, like a good business relationship, should be third party. The expertise of the independent third party regularly reviewed and revised if necessary. Besides comparing can help settle the dispute in such a manner that both achieved performance with the fees charged, it is important that organizations are treated fairly. This helps to prevent high performance levels be objectively measured on a timely basis. ÕfYf[aYd [gklk Yf Zmkaf]kk jakc& H]j^gjeYf[] e]Ykmj]k l`Yl Yj] a^Õ[mdl lg imYfla^q oadd mfYngaYZdq 3. Gf] gj Zgl` hYjla]k Õd] Y dYokmal& L`ak ak Y dgf_ Yf ]ph]fkan] d]Y lg [gfÖa[lk& Kh][aÕ[ h]j^gjeYf[] j]hgjlk gj e]Ykmj]e]fl route for all involved. techniques must also have been fully disclosed in the contract. Because the dispute resolution process forces both parties to walk It is also important that the outsourcing contract include any through the process together once again, a better arrangement can agreements related to sanctions, guarantees, exit strategies and sometimes be reached and the parties often end up cooperating akhml] k]lld]e]fl hjg[]mj]k& L`]k] Yj] fgl l`] Õjkl eYll]jk gf] and completing or modifying the contract. thinks of when entering a new business relationship, but they are Outsourcing is not without risks or possible consequences, but vital provisions if something does go wrong. many of these factors can be mitigated by having a solid contract in place with agreed-upon measures to help prevent a dispute situation from escalating. Gmlkgmj[af_ YjjYf_]e]flk k`gmd Z] j][gj] af Y ^gjeYd g[me]fl l`Yl j]Ö][lk l`] ]ph][lYlagfk g^ Ydd hYjla]k afngdn]& 12 Insights on IT risk — May 2009
  • 14. 9Zgml =jfkl  Qgmf_ 9l =jfkl  Qgmf_$ gmj k]jna[]k ^g[mk gf gmj afanamYd [da]flkÌ kh][aÕ[ Zmkaf]kk f]]k Yf akkm]k Z][Ymk] o] j][g_far] l`Yl ]n]jq f]] Yf akkm] ak mfaim] lg l`Yl Zmkaf]kk& Information technology is one of the key enablers for modern organizations to compete. It gives the opportunity to get closer, more ^g[mk] Yf ^Ykl]j af j]khgfaf_ lg [mklge]jk$ Yf [Yf j]]Õf] Zgl` l`] ]^^][lan]f]kk Yf ]^Õ[a]f[q g^ gh]jYlagfk& :ml Yk ghhgjlmfalq grows, so does risk. Effective information technology risk management helps you to improve the competitive advantage of your af^gjeYlagf l][`fgdg_q gh]jYlagfk$ lg eYc] l`]k] gh]jYlagfk egj] [gkl ]^Õ[a]fl Yf lg eYfY_] gof l`] jakck j]dYl] lg jmffaf_ qgmj systems. Our 6,000 information technology risk professionals draw on extensive personal experience to give you fresh perspectives and open, objective advice — wherever you are in the world. We work with you to develop an integrated, holistic approach to your information l][`fgdg_q jakc gj lg ]Yd oal` Y kh][aÕ[ jakc Yf af^gjeYlagf k][mjalq akkm]& O] mf]jklYf l`Yl lg Y[`a]n] qgmj hgl]flaYd qgm f]] Y lYadgj] k]jna[] Yk em[` Yk [gfkakl]fl e]l`ggdg_a]k& O] ogjc lg _an] qgm l`] Z]f]Õl g^ gmj ZjgY k][lgj ]ph]ja]f[]$ gmj ]]h kmZb][l matter knowledge and the latest insights from our work worldwide. It’s how Ernst & Young makes a difference. For more information on how we can make a difference in your organization, contact your local Ernst & Young professional or any of the people listed in the table below. ;gflY[lk ?dgZYd Norman Lonergan +44 (0) 20 7980 0596 norman.lonergan@uk.ey.com (Advisory Services Leader, London) HYmd nYf C]kk]d +31 88 40 71271 paul.van.kessel@nl.ey.com (IT Risk and Assurance Services Leader, Amsterdam) 9nakgjq K]jna[]k Robert Patton +1 404 817 5579 robert.patton@ey.com (Americas Leader, Atlanta) Norman Lonergan +44 (0) 20 7980 0596 norman.lonergan@uk.ey.com (Europe, Middle East, India and Africa Leader, London) Fa_]d Cfa_`l +86 21 2228 8888 nigel.knight@cn.ey.com (Far East Leader, Shanghai) Isao Onda +81 4 3238 7011 onda-s@shinnihon.or.jp (Japan Leader, Chiba-shi) <gm_ Kaehkgf +61 2 9248 4923 doug.simpson@au.ey.com (Oceania Leader, Sydney) IT Risk and Assurance Services :]jfa] O]_] +1 404 817 5120 bernard.wedge@ey.com (Americas Leader, Atlanta) HYmd nYf C]kk]d +31 88 40 71271 paul.van.kessel@nl.ey.com (Europe, Middle East, India and Africa Leader, Amsterdam) Ljgq C]ddq +81 2 2629 3238 troy.kelly@hk.ey.com (Far East Leader, Hong Kong) Giovanni Stagno +81 3 3503 1100 stagno-gvnn@shinnihon.or.jp (Japan Leader, Chiyoda-ku) AYaf :mjf]l +61 8 9429 2486 iain.burnet@au.ey.com (Oceania Leader, Perth) Insights on IT risk — May 2009 13
  • 15. Ernst & Young Assurance | Tax | Transactions | Advisory About Ernst & Young Ernst & Young is a global leader in assurance, tax, transaction and advisory services. Worldwide, our 144,000 people are united by our shared values and an unwavering commitment to quality. We make a difference by helping our people, our clients and our wider communities achieve their potential. For more information, please visit www.ey.com. Ernst & Young refers to the global organization of member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients. The Ernst & Young organization is divided into five geographic areas and firms may be members of the following entities: Ernst & Young Americas LLC, Ernst & Young EMEIA Limited, Ernst & Young Far East Area Limited and Ernst & Young Oceania Limited. These entities do not provide services to clients. About Ernst & Young’s Advisory Services The relationship between risk and performance improvement is an increasingly complex and central business challenge, with business performance directly connected to the recognition and effective management of risk. Whether your focus is on business transformation or sustaining achievement, having the right advisors on your side can make all the difference. Our 18,000 advisory professionals form one of the broadest global advisory networks of any professional organization, delivering seasoned multidisciplinary teams that work with our clients to deliver a powerful and superior client experience. We use proven, integrated methodologies to help you achieve your strategic priorities and make improvements that are sustainable for the longer term. We understand that to achieve your potential as an organization, you require services that j]khgf lg qgmj kh][aÕ[ akkm]k$ kg o] Zjaf_ gmj broad sector experience and deep subject matter knowledge to bear in a proactive and objective way. Above all, we are committed to measuring the gains and identifying where the strategy is delivering the value your business needs. It’s how Ernst & Young makes a difference. © 2009 EYGM Limited. All Rights Reserved. EYG no. AU0425 Supersedes EYG no. AU0288 In line with Ernst & Young’s commitment to minimize its impact on the environment, this document has been printed on paper with a high recycled content. This publication contains information in summary form and is therefore intended for general guidance only. It is not intended to be a substitute for detailed research or the exercise of professional judgment. Neither EYGM Limited nor any other member of the global Ernst & Young organization can accept any responsibility for loss occasioned to any person acting or refraining from action as a result of any material in this publication. On any specific matter, reference should be made to the appropriate advisor.