In the most recent presidential campaign, outsourcing was a hot-button issue. Accusations were bandied about by both parties about how one group was “outsourcing jobs” and reaping grotesque profits at the expense of the U.S. worker. However, and notwithstanding the political gamesmanship, more and more companies – regardless of size, geographical location or ownership structure – continue to utilize outsourced relationships to improve the bottom line. Regardless of the public perception, outsourcing service providers regularly deliver the promised economic benefits of outsourcing: improved operations, lower costs, enhanced shareholder value. So it's not surprising – particularly in tough economic times – that outsourcing remains not only a viable option, but a frequently used solution for companies looking to reduce overhead and grow profits.
But a stagnant economy isn't the only thing that keeps a company's COO up at night. In today's business environment, where new government regulations seem to pop up every day, a company's compliance and governance policies and structures are subject to frequent and sometimes intense scrutiny. Consequently, management is continuously searching for cost-efficient ways to ensure compliance and reduce the risks inherent in these regulations. Because many of these organizations regularly use outsourcing to improve their bottom line, the capability of the outsourcer to meet a company's compliance requirements (or even, in some cases, to improve an organization's compliance) has become a primary focus (and indeed, is more and more a key differentiator in an organization's decision in selecting an outsourcer). This is particularly important where a company decides to outsource business functions that involve sensitive data.
Cost-cutting while still ensuring compliance in an increasingly complex regulatory environment sounds daunting. Everyone enjoys receiving financial benefits but reducing costs without risking regulatory penalties or – worse yet – lawsuits is a challenge. Now layer into the mix the use of an outsource services provider that in many instances will have control of protected information – including personal information of the company's customers – and one begins to understand why folks in the C-Suite are suffering sleepless nights.
So now that we've painted a bleak picture, the question is how does a company garner the benefits of outsourcing without insourcing more risk? While a comprehensive answer to that question would take more time and space than what's allotted for this discussion, following are a handful of key steps that should be taken and key issues that should be considered. Remember, while a company can outsource some of the responsibilities for ensuring compliance, it can never outsource its accountability.
Many of us consider the RFP/RFQ/RFI process to be not only cumbersome but far too frequently a waste of time. On the one hand there is the overly constrictive format utilized by the company issuing the request that prevents even a minimal explanation of a response, while on the other are the “canned” snippets offered by the respondents that seem to condition more detailed information on being down-selected. That being said, when it comes to an outsourcer's compliance/data protection/information security areas, the RFP can prove to be a very useful tool.
One thing to stress here is the need for the company considering outsourcing to carefully examine the business processes, the type of data or information that is involved, and the applicable internal structures in place that have been developed and implemented to address compliance concerns. The company will want to verify that an outsource services provider will at a minimum maintain the same levels of security. After all, a company's base case – and how the internal costs for that base case measure up against an outsourcer's solution – includes all of the investment and ongoing costs that the company has incurred and will continue to incur to sustain its data security infrastructure. On the other side of the equation, any outsourcer worth engaging will go to great lengths to drill down on the specific requirements being imposed so that it understands its obligations and can adequately bake the costs of those obligations into its pricing models. Using a “cookie-cutter” approach when it comes to the data security/compliance portions of the RFP does a disservice to both sides. A little effort at the front end to classify the data at issue and the company's current data security environment will go a long way to ensure that the RFP responses are useful and targeted to the peculiar issues inherent in outsourcing the particular business process.
While some might say that some of us put far too much stock in the “Ts and Cs” of the outsourced services agreement, the fact remains that defining the parties' respective rights and obligations at the outset, particularly in those areas of the relationship that involve data privacy and data protection, will minimize the risk that there are gaps in the processes. Experience tells us that putting effort towards drafting specific provisions in the following areas of the contract will pay dividends throughout the term of the relationship:
Several other contractual provisions can impact or address compliance concerns and the parties' objectives of protecting sensitive data. Clear language that deals with a data breach and the parties' respective obligations, disaster recovery plans, and meaningful indemnification language and liability limits and exceptions are important. And obviously, requiring an outsourcer to contractually commit to ongoing compliance with law is a must-have. But while this language is essential, establishing a mechanism for verifying that the outsource services provider is actually meeting all of those contractual standards is vital.
The outsourcer's central business proposition is that its expertise and experience allow it to perform critical business functions more efficiently and more economically than the company itself. When using an outsourcer, a company must balance its financial goals with its obligation to comply with an ever-changing regulatory world. Due diligence at the front end and a well-crafted agreement that clearly allocates responsibility, coupled with a disciplined process to verify ongoing compliance, will help to ensure that the outsourcing customer reaps the promised financial benefits without incurring expanded or additional risk.
 We'll leave for another time a discussion about whether this characterization is fair or if it even accurately describes the typical outsourcing business model. For instance, many companies that engage outsource service providers require that the services be performed within the U.S., which effectively results in job creation (or at a minimum, job retention) for U.S. workers.
 With the exception of that little girl on the credit card commercials that consistently refuses cash back from Jimmy Fallon (though admittedly, this is likely more an indictment of Mr. Fallon's powers of persuasion than it is the young lady's business judgment).
 Admittedly, that may be somewhat of an overstatement. After all, we've all likely run into an Inquisition-style auditor that seems to enjoy his/her job far too much.
Douglas S. Tripp is a Director with Crowe & Dunlevy in the Oklahoma City office, where he is a Member of the firm’s Commercial Transactions and Financial Institutions practice group and Chair of the firm's Business and Information Technology Sourcing practice group. Mr. Tripp’s primary area of practice involves the negotiation and structuring of agreements relating to business process and information technology outsourcing.
Mr. Tripp actively represents clients in a wide range of outsourcing matters, including HR/employee care services, customer care, finance and accounting, help desk, training and recruitment, and contact center services. In addition, Mr. Tripp has significant experience relating to information management technologies, hardware and software licensing, technology acquisition, software maintenance and support, and technology company/product acquisition.