Growing concerns about ICT Outsourcing are evident from recent government and regulatory initiatives, both local and international. On the home front there is the July 2015 APRA Information Paper Outsourcing Involving Shared Computing Services (Including Cloud) relating to outsourcing which involves the sharing of IT assets (including hardware, software and/or data storage) with other parties. While the Information Paper is intended primarily for APRA-regulated entities, it provides detailed advice which can be relevant for any organization considering shared computing services. Chapter 3 – Risk management considerations includes a number of “Observed weaknesses” to be avoided.
The earlier March 2015 APRA Prudential Standard HPS 231 Outsourcing for Private Health Insurers also includes requirements for outsourcing arrangements, including an Outsourcing policyand governance arrangements which could be relevant for any organization considering outsourcing.
Lessons from the UK were reported in an October 19, 2015 article in The Mandarin, The UK experience: when contracting goes wrong, and how to prevent it, The article, by David Donaldson, reports on the Institute of Public Administration Australia national conference in Melbourne in October, at which Tom Gash from the UK’s Institute For Government and former departmental secretary Lord Bob Kerslake provided cautionary case studies of UK examples where outsourcing went wrong.
One of the mistakes was a focus on driving the cost down, as a result of which the contracted company started having financial difficulty and went under — though the owner of the company still “walked away a very wealthy man from it for various reasons to do with how the contracting was designed”.
In another example, the Ministry of Justice was getting data feeds from the contractors “for a very long time, it just happened the data wasn’t necessarily right.”
(See our article Fooled by Dud Data in this Newsletter )
Kerslake concluded with six learnings from his experience with commissioning, as both permanent secretary for the United Kingdom’s Department for Communities and Local Government and head of its Civil Service (see The UK experience: when contracting goes wrong, and how to prevent it.)
Standards Australia is also acting on concerns about ICT Outsourcing. An August 12, 2015 panel led discussion Challenges and Complexities in Governance of Multiple Service Providers for IT-Enabled Business Services asked the question: “ Ineffective service integration with multiple points of inefficiency, risk and failure – is this the reality for organisations even though each contract was well designed and suppliers are certified?”
The discussion covered the governing requirements for multi-sourced internal and external suppliers, contractual implications, end-to-end service definition and performance management as well as risks and controls management and Audit oversight.
The Standards Australia invitation noted that:
“Following international concern that there is a lack of standards and guidance for governance of multi-sourced IT services, the ISO committee SC40 has initiated a 12 month Study Group. Standards Australia ICT Governance and Management Committee has nominated several experts to be involved in this study group including representatives from Institute of Company Directors, Governance Institute, Australian Industry Group, Council of Small Business, Australian Computer Society, ISACA, Australian Information Industry Association and State and Federal Governments.”