Dealing With Third-Party Providers
Spell out expectations before entering a relationship
Kelly D. Talcott
New York Law Journal
While outsourcing has received a lot of attention lately, particularly during the last election, the practice is at least as old as the Roman Empire's practice of outsourcing the collection of taxes. From relatively mundane tasks such as office cleaning and plant watering, to so-called "mission critical" responsibilities like product fulfillment and customer service, companies have for years been outsourcing a wide range of functions that could otherwise be performed by employees.
Cheaper and more reliable communications capabilities have driven the practice of international information outsourcing, where outsourced services are performed by third parties located time zones away from both the outsourcing company and many of its customers. It is this "off-shoring" subset of outsourcing that appears to have attracted the most political attention.
As both domestic and foreign third-party service providers (TSPs) assume increasingly critical responsibilities for corporate clients, it becomes correspondingly more important for corporations to take a structured approach to entering into and conducting the outsourcing relationship. A new handbook published by the Federal Financial Institutions Examination Council, titled "Outsourcing Technology Services," provides a brief but comprehensive guide that can be used not only by financial institutions, but also by a wide range of companies that are considering entering into an outsourcing relationship with a TSP.
The growing number of laws that regulate in broad strokes the way businesses operate makes it important from both a legal and business perspective to put careful thought into outsourcing relationships. The council's outsourcing handbook is a useful tool for prompting such consideration. Following are some highlights of the handbook, especially as they apply to companies outside the financial services industry.
RISK AND REWARD
Risks are associated with every business venture, whether or not it outsources any of its business activities to a TSP. For example, even something as simple as hiring an outside cleaning service can add a significant level of risk to a company's operations: Unknown third parties enter the premises at night when few if any employees are around and have close contact with virtually every physical area of the business.
Recognizing and managing the risks associated with an outsourcing relationship is key to making that relationship work. The goal should be to take reasonable steps to reduce the identified risks while still maintaining the benefits of the outsourced relationship.
Risk identification and management are thus extremely important parts of making an outsourcing relationship work. The Federal Financial Institutions Examination Council, for example, places responsibility for overseeing important outsourcing relationships with the board of directors and senior management and not with subordinate groups like the information technology department. It views the development of company-wide policies that govern the outsourcing process in a consistent manner as the key tool for boards and management to use in discharging this responsibility.
These policies should be designed to identify, measure, monitor, and control the risks associated with outsourcing. Typical company policies will require assessment of outsourcing risks and the creation of a requirements definition that will describe what is expected of the TSP. They will also require that active due diligence procedures be used in selecting a TSP, and should mandate the development of a comprehensive list of issues that are to be addressed in the outsourcing contract. Finally, company policies should require that the performance of TSPs be measured on an ongoing basis against some pre-defined standards.
DEFINING THE NEED AND RISKS
Several broad types of risks are associated with putting a portion of a company's operations in the hands of a third party. These include risks to the company's reputation, since poor performance by a TSP can alienate customers or suppliers.
Strategic risk is another danger. If the company depends on the TSP to supply it with critical business information (such as inventory levels for an order fulfillment TSP), then poor performance in this area by a TSP can lead to the company making poor strategic decisions. Legal risk can follow when a TSP fails to comply with applicable legal requirements, such as maintaining the appropriate safeguards on the privacy of customers' personal information.
It is thus crucial for the company to take a close look at the functions to be assumed by a TSP and to take active steps to investigate the risks that are being outsourced with those functions. Some of these risks are inherent in the function that a TSP is performing, such as the risk of customer or client information disclosure that accompanies the outsourcing of order processing or financial services. Other risks come from a TSP itself, and are a product of how well it conducts its business and how experienced it is in providing the kinds of services that the parties contemplate are to be performed by the TSP.
Still other risks come from the technology used by a TSP to provide the outsourced services; for example, the reliability and security of the computer systems that it uses to run its business.
Finally, there are external risks, such as those introduced by changing governments, terrorist attacks, or natural disasters, that can adversely impact a TSP's ability to fulfill its contractual obligations.
Taking the time to produce a written requirements definition for internal use can help a business understand the appropriate boundaries of the outsourcing relationship. Defining the business functions that are to be outsourced, assessing the risks associated with outsourcing those functions, and establishing a baseline that can be used to create appropriate control and performance evaluation measures once the relationship is operating are important parts of this process.
To do this properly, it makes sense to include the business units that will be working with a TSP or that will depend on a TSP for services or information in the planning process. The goal is the development of a written document that explains the functions a company will seek to outsource and identifies the risks associated with outsourcing those functions.
Typical components of a written requirements definition are a detailed description of the scope and nature of the work to be performed; a definition of the standards and service levels to be maintained by a TSP; a listing of the minimum qualifications needed to be considered as a potential TSP; an explanation of how TSP performance is to be monitored and reported; a discussion of the requirements for the transition of outsourced functions from the company to a TSP; and required contract provisions dealing with term, termination, assignment, liability, indemnification, and insurance.
The selection of a TSP should be driven by the services a company needs to buy, not by the services a TSP is trying to sell. Defining what the company is looking for in a TSP makes it much easier to analyze the candidates. By insisting on certain minimum qualifications in a TSP (such as industry or management experience, financial condition, or reputation) a company can reduce the risk that the outsourced functions will not be performed as well as the company would perform them if they had remained in-house.
REQUEST FOR PROPOSAL
A written request for proposal is essentially a version of the requirements definition that is intended for review by potential TSPs. It will obviously leave out sensitive information (such as the risks identified by the company), but it should inform potential TSPs of the objectives of the outsourcing project, details of the work that is to be outsourced, what level of service will be expected of a TSP, how performance is to be measured, and requirements such as security and disaster protection. The request for proposal should require a written response from each potential TSP that addresses each requirement and proposes a fee structure for the relationship. It then becomes relatively easy to compare one proposal with another.
It is possible that no potential TSP is able to meet all the requirements set forth in the request for proposal. Being able to identify at the negotiation stage where the risk areas are, however, allows a company to take affirmative steps to address those areas through negotiations with the TSP before it awards a contract.
While the award of an outsourcing contract may not rise to the level of the purchase or sale of a corporate division, it still makes sense to conduct some due diligence about a potential TSP. It is important, for example, to confirm the existence and corporate history of a TSP, as well as the backgrounds of its key executives. Knowing how long the company has been providing similar services to similar clients, as well as knowing the identities of some of those clients, can provide a sense of how experienced the TSP is in the relevant business area.
Reviewing audited financial statements and insurance coverage will give some indication of a TSP's ability to continue to provide services even in lean times. Learning how a TSP secures and manages its technology and what its IT capabilities are can give an understanding of any potential problems in that area. If a TSP is based abroad, learning something about the social and political climate in its host country can provide insight into the potential for large-scale disruption of outsourced services.
An eventual agreement between a company and a TSP should be no less carefully negotiated than any other important contract. Because a TSP is providing important services to a company, an agreement should include a detailed description of those services, an explanation of how a TSP's performance will be measured after the relationship begins, and what the consequences are for failure to meet performance standards. Other important contract issues include the ability of a TSP to subcontract any part of its operations to third-party TSPs; the nature and frequency of performance reports and audits; and, where appropriate, an acknowledgment by a TSP (particularly a foreign TSP) of the authority of relevant U.S. regulatory agencies over the outsourced operations and resulting information.
The performance requirements may be expressed in a detailed service level agreement focusing on the work to be performed by a TSP. A typical agreement will identify measurable elements of the services to be provided, such as the availability of the services (times of day, hours per week, maximum unscheduled downtime), information or transaction processing speed and accuracy, permissible error rates, and support response time.
It may also include discounts or other penalties for failure to meet the defined measures for service, or bonuses if certain targets are exceeded. Addressing such details in writing before the relationship begins helps reduce conflicts over performance later.
Foreign TSPs pose a particular challenge. Different cultures, legal standards, customs, political systems and technical capabilities can quickly lead to misunderstandings and disappointment on both sides of the transaction.
Furthermore, domestic requirements that apply to information access or privacy are likely to apply with equal force even if information is processed in another country. U.S. courts are not likely to be sympathetic with a company that is having difficulty responding to a subpoena or document request because its foreign TSP cannot or will not provide the information in a timely fashion. It is thus particularly important in foreign TSP relationships to identify the risk issues, address them at the requirements definition stage, and provide protection against them in the contract.
RIGOR IS REQUIRED
While outsourcing discrete business functions may seem like the management flavor of the month, there are undeniable attractions to the practice that make it unlikely to go away anytime soon. It is important, however, to approach a relationship with a TSP with a strong understanding of what it is the TSP will be expected to do, and what risks will result from the relationship.
The Federal Financial Institutions Examination Council's Official Handbook, while by no means the last word in helping companies structure their outsourcing relationships, is an excellent source for becoming acquainted with these important issues and defining affirmative steps that can reduce the risks encountered in entering into a relationship with a TSP.
Kelly D. Talcott is a partner at Kirkpatrick & Lockhart, where he practices intellectual property and technology law.