What are the risks?
The more likely risks relate to data security, retention and retrieval, as well as privacy, disaster recovery and business continuity. These risks arise because the customer’s data (possibly including third-party data) is often loaded onto and stored on the supplier’s remote servers, possibly offshore somewhere. The customer may know little about the location or security of its data, or how it can access that data (other than by standard internet access). Consider the following scenarios:
• You discover that your outsource service provider has gone into liquidation and all of your business-critical data is currently stored on servers located in Thailand. You are unable to access the software/service due to the liquidation and the liquidator is not returning your calls. Without your business-critical data, or software to use it with, your business becomes ‘strangled’; or
• You recover your data, only to find that the time it will take to purchase new software and ‘go live’ using that software, after likely data conversion or migration issues, is months (and at a considerable cost) – again your business becomes ‘strangled’; or
• You discover that your service provider (based offshore somewhere) has far from best-practice data security systems and processes and that your data has been leaked or otherwise accessed, possibly by a key competitor.
How can these risks be mitigated?
These risks can be mitigated by a combination of the following:
• Thorough technical and process-related analysis of the proposed outsourcing, both pre- and post-contract signing. This will, amongst other things, involve the review of your disaster recovery plan and your data security and maintenance plan. In the circumstances it may be prudent to require the service provider to supply regular backups of data in an agreed form, so that you can store that data as ‘ready to use’ if required. The type and form of those data backups might also be discussed with a fallback service provider. You may also agree to a ‘quick’ transition plan with that service provider if required.
• Ensure that the contract with your service provider effectively covers these issues, allowing for any offshore jurisdictional legal issues as may be required.
Sean Lynch is a Partner at Hesketh Henry and is also a PRINCE2 certified IT project manager. He can be contacted on 09 375 8722 or email@example.com