THE OUTSOURCING AGREEMENT
Which brings us to the outsourcing agreement itself. For a material, long term arrangement, this can be a sizeable document that addresses in great detail various aspects of this important relationship. We'll consider in particular an outsourcing in the information technology (IT) area, but the issues canvassed here apply equally to any type of business process outsourcing.
Getting From Here to There
A large outsourcing deal can involve the transfer of the entire information technology (IT) department of the user – sometimes upwards of two or three hundred staff people – to the vendor, together with the sale of a lot of IT equipment and software. In this sense, the outsourcing starts with a significant asset purchase deal, and the outsourcing contract will reflect this.
On the software front this raises interesting assignment issues. Software that the user owns -–for example, custom software developed in-house – can be transferred with little difficulty, though you will want to check your intellectual property agreements with staff, especially with third party contractors, to ensure you have obtained all necessary rights, including waivers of moral rights.
Third party owned software that you license can be more finicky. Ideally, when you negotiated the license initially you put in a clause that contemplated eventual outsourcing, so that you now clearly have the ability to hand over the software to the outsourcing vendor, so long as it uses the software solely to provide you with services. If you don't have such a clause, things can get tricky, as you parse the assignment clause of the software agreement to see if something like the outsourcing is permitted. Thus, an initial step in the outsourcing process is a due diligence exercise to review what can be done with the software licenses, and whether any extra costs may arise from their transfer; any such costs are then part of the overall financial negotiation with the outsourcing vendor.
Transferring employees to the vendor also raises a set of delicate legal issues. For example, it is often the case that the user has a traditional defined benefit pension plan, whereas the outsourcing vendor has a defined contribution pension plan, or no pension plan at all. Thus, serious homework, thought and creativity need to go into an HR plan that allows the pension transition issue to be dealt with fairly and in compliance with regulatory requirements.
On the employment law side, special considerations may also arise. The user may want the outsourcing vendor to treat the transitioning employees in a certain manner, at least for a period of time. From the vendor's point of view, this raises a host of issues, not the least of which is that it wants to treat all of its staff consistently. Creative, temporary deals can result, where the user's and vendor's reasonable interests are accommodated.
All these transition issues then need to be slotted into a detailed transition plan that sets out expectations regarding timing and the respective roles and responsibilities of the parties in getting the new environment up and running. It's important to do the transition right, so that the user can see it picked the right company among the different prospective bidders, and so the vendor can begin to earn the confidence of the user.
Can We Do This?
One of the threshold questions that the user would have researched during the early, internal phase of deciding whether and what to outsource/offshore, would be whether the particular function being considered for outsourcing/offshoring can in fact, from a regulatory perspective, be outsourced, and especially to a service provider in an offshore country.
The general response is usually "yes," but there are numerous industries that generate more complex answers. Financial services companies, for example, must comply with guidelines on outsourcing from the Office of the Superintendent of Financial Institutions ("OSFI"). And sending data out of Canada, especially offshore, requires yet further approvals from OSFI. These hurdles tend not to be insurmountable, but they are more effectively managed when work on them starts early in the outsourcing/offshoring consideration process.
Keeping Data Private
Data privacy is one regulatory issue that has gained prominence over the past few years, particularly in light of the relatively new federal data protection law in Canada. This law has broad rules governing the collection, use, storage and transfer of personal information. So if you collect customer data from individuals, and want to have this data processed offshore, you have to carefully consider the relevant privacy law issues, and make sure they are adequately dealt with in the outsourcing agreement with the vendor.
Moreover, when you (or your supplier) is offshoring it's not just Canadian privacy laws you have to contend with. Keep in mind that your company's data is contemplated to be processed and possibly stored in a foreign country. What is that country's legal regime like in respect of privacy protection? How do those rules square with those in effect in the relevant Canadian province?
Not Very Patriotic
Other foreign laws can also come into play. For example, under the U.S. Patriot Act, American law enforcement entities can access computers resident in the U.S. looking for data regarding various persons and activities. What protection, if any, does a Canadian user have if the US government wants to access data of a Canadian that happens to be resident in the U.S.?
If this sort of issue is of concern, one response is to require the service provider to store the data in Canada, but sometimes this may not be enough, particularly depending on the ultimate ownership of the service supplier. Each situation needs its own analysis. And views, and levels of concern, may vary depending on the foreign jurisdiction involved.
Keeping Auditors Happy
One further area that needs to be addressed in any outsourcing deal is to ensure that the user's auditors have adequate access to the supplier's computer system, and the user's data on the system, so they can discharge their audit responsibilities. This is not a trivial issue, and it is a good idea to get the auditors to review, in advance, the audit clause that will be used in the definitive outsourcing agreement.
Offshoring presents an even larger challenge from an audit perspective. Does the jurisdiction where the systems and data reside present any particular concerns for the auditors? Or is it just a matter of additional cost (or does the audit firm have a local affiliate in the country where the offshoring is to take place)? Again, you need to loop in the auditors early on to make sure they are comfortable later.
These are a few of the higher profile issues that come up in outsourcing/offshoring deals. There are many other important provisions that need to be addressed as well in the initial RFP term sheet and the ultimate definitive agreement. Accordingly, give yourself lots of time to prepare for, and to negotiate, a sensible, win-win deal.
Who Shall Govern the Vendor?
Plato asked "who shall govern the governors?". In the case of an outsourcing, the similar question is: who at the user shall keep on top of the vendor? The answer, ideally, is that a group of senior IT managers of the user (let's call them the Project Management Office or "PMO") are not transitioned to the vendor, but rather they remain with the user in order, among other things, to oversee the relationship with the vendor and to implement and enforce the outsourcing agreement.
The roles of the people in the PMO change quite drastically from what they did before the outsourcing. Instead of focussing on the day-to-day activities of running a data centre, they now focus on meeting the IT needs of the user's various business groups. And they translate these requirements to the outsourcing vendor in a manner that ensures that the user continues to have an important impact on the general direction of the user's IT strategy. Thus, ideally in an outsourcing the user delegates performance to the vendor, but does not abdicate overall IT vision and strategy.
Defining Services, Qualitatively
One important mechanism utilized by the user PMO to assert oversight is the outsourcing contract, the usually lengthy legal document that defines the formal commercial relationship between the user and the vendor. That outsourcing agreements can easily exceed 100 pages (exclusive of another 200-500 pages of schedules) is not a function of outsourcing counsel conspiring to create complex contractual labyrinths only they can understand. Rather, there are simply so many important issues that need to be addressed in an outsourcing relationship, that the resulting memorialization is invariably a weighty tome.
No part of this document is more important than the description of the services that the vendor will provide. You would think that this would be a fairly simple exercise. Well, you also thought at one time – particularly before you began playing it – that golf was a simple game. Of course now you know it isn't, and similarly defining services in an outsourcing deal is not a trivial exercise.
Enumerating the list of services is relatively straight forward – like picking a good set of clubs in golf. Describing in meaningful detail the quality levels at which those services will be performed, now that's a much more challenging endeavour, like playing par – or even bogey – golf on a consistent basis.
The quality of a given outsourced service is usually defined by means of a "Service Level Agreement" ("SLA"), which is typically a fairly lengthy schedule (rather than separate agreement, notwithstanding its name) to the main agreement. An SLA for a software application, for example, might include that under certain volume load conditions, the average response times of the user for certain functions and queries are as set out in the schedule. There would also be a remedial system in the agreement in the event the detailed performance standard is not met, in order to exert a discipline on the vendor.
The all important question is what should be the applicable SLA for this (and many other) portion of the outsourcing services. It goes without saying that it should be at least equal to the experience obtained by the user before the outsourcing (or why outsource in the first place?). But – and here comes the first big challenge – what if the user didn't track SLA statistics historically? You can start to see why outsourcing agreements can get complicated and contentious.
How Long Should This Be Going On
The term of the outsourcing agreement is also, obviously, enormously important. Term will impact on price and a multitude of other aspects of the deal. As a general proposition, the vendor will want a longer term, in order to amortize over a lengthier period the up front costs of the transition. This rationale is even more pronounced if there is a "build" component to the deal; that is, the vendor will be developing various software programs for the user, the development cost of which will be financed by the vendor.
The user, by contrast, prefers a shorter term. It is fiendishly difficult to predict the future, whether in terms of market risk (i.e.- will the user's business space expand or contract), company risk (i.e.- will the user be bought, or will it be doing the buying of other companies/business lines, etc., and hence will its need for IT services increase or drop), or technology direction (i.e.- what if there is a paradigm technological shift in a few years?). All these factors might result in a situation in which the existing outsourcing agreement – essentially prepared for another scenario – no longer speaks to reality, or if it does, only in a muffled way.
So, what's a reasonable term for an outsourcing agreement? There is no right answer. Rather, we encourage clients to roll-up their sleeves and think through these "futures" issues, in order both to determine a reasonable term, as well as to define what happens if they actually arise.
Handing Over the Crown Jewels
A clear and ever present danger presented by outsourcing is the obvious fact that the user is transferring its data to the services provider for safekeeping and processing. This will include sensitive information, such as the user's own financial data. Depending on the user, however, it will also mean handing over large volumes of personal information that had been collected by the user from its own clients.
Some of the risks presented by the outsourcing arrangement are not that very different from those that were present while you processed your own data internally. Hackers, for instance, are keen to get into your data whether you process it or have a third party do it for you. Thus, just as you would have a security policy to guard against such undesirables, so too should you ensure, in the services agreement, that the vendor has one too. And if they're a reputable firm, they are likely to have one that is even more robust than your own.
The other risk, though, relates simply to using a third party for processing and storing your data; namely, what if they go bankrupt? Will your data be at risk? Can you get at it? Will you have what you'll need to work with it? These types of concerns are somewhat alleviated if you choose as your outsourcer a large, solvent company with good prospects.
In any event, these sorts of data protection concerns are serious enough that in some industries regulators have promulgated best practices to be followed by industry participants when outsourcing. The Office of Superintendent of Financial Institutions in Ottawa, for example, has a specific outsourcing policy to be adhered to by the financial services companies under its purview.
In a similar vein, the federal privacy law requires that parties who outsource their information processing use contractual means "to provide a comparable level of protection while the information is being processed by a third party". Thus, at a minimum the outsourcing agreement should provide that the user's data will always be owned by the user; that it will at all times by accessible to the user; that certain security measures will be taken to safeguard the data; and that the user will have the right to audit the vendor's procedures intended for security and privacy purposes.
As for audits, many vendors have a security review done by their auditors, also known as a 5900 audit under the Canadian accounting standards handbook. As a user, you should insist that this is indeed performed annually, and you should have the right to review its results once it is complete.
What's All This Going to Cost?
An important rationale in some (though by no means all) outsourcings is cost savings. As discussed above, particularly if significant components of services are outsourced, economies of scale and scope realized by the vendor should result in lower costs to the user.
One way to ensure meaningful cost savings is for the user to organize a competitive bid and negotiation process (more on this below). By the same token, the user will also want comfort that the price will remain competitive during the term of the outsourcing agreement. This concern is particularly acute where the agreement has a long, non-cancellable term.
In such circumstances users often negotiate "most favoured customer" pricing clauses (though often the "mfc" provision applies to all other aspects of the arrangement beyond merely price). The core idea is simple enough: that the vendor will provide to the user as good a deal as the vendor offers to its most favoured customer. These clauses, however, are highly negotiated; for example, the vendor, not unreasonably, wants to qualify it by referencing only other deals that have the same or similar volume or mix of services.
However qualified the mfc clause becomes, users typically insist on some sort of mechanism to ensure its practical enforcement. This might entail, for example, requiring a senior officer of the vendor to certify to its compliance once a year. Better still for users is the right to have an independent accountant audit compliance.
Another approach to pricing discipline is "benchmarking". The exercise here involves giving a third party information technology consultant various data about the services provided by the vendor, and their respective costs, and having the third party compare these to a cross section of other computing environments, in order to see where your costs/performance figures sit relative to the market generally.
Now, what to do with the results of the benchmarking exercise? In some outsourcing agreements it's a non-binding process, but presumably its results will have some moral suasion on the parties, particularly if their numbers are dramatically different from the norm. In some others, however, the results are binding, and they (either alone or in conjunction with other factors) can cause an amendment to price going forward.
We Have A Problem
It is not surprising that over time a relationship as complex, important and expensive as an outsourcing will have its challenges, and sometimes out-and-out disputes. A good outsourcing agreement will anticipate this, and provide several mechanisms for the channelling and resolution of disputes. For example, several levels of committees can be established, together with respective schedules of regular meetings, so that lots of communication flows between the parties. As with most disputes (outsourcing-related or otherwise), a failure to communicate typically exacerbates the problem.
A threshold question is whether the ultimate form of dispute resolution should be a court process, or arbitration. One potential benefit with the latter is that some one quite expert in the matters surrounding the actual dispute can be the decision maker. So, you might choose an accountant to mediate/arbitrate a complex billing dispute.
On the other hand, arbitration tends to be a private affair (unlike the regular court proceeding which is typically open to the press and public). Thus, while in some cases privacy is conducive to creative settlement, often times the potential for publicity causes both sides to be more reasonable in the event of a dispute. There is no right or wrong answer; rather, you have to give some thought to these and other factors as you come to draft the dispute resolution provisions in your outsourcing agreement.
All Good Things Must End
A well crafted legal agreement invariably contemplates the end of the parties' relationship, and provides for their disentanglement. In an outsourcing relationship, thinking about the end is even more important because a lot of potentially scary risks could come to pass at this critical juncture.
Indeed, most users nowadays negotiate a very useful provision that allows them to terminate the relationship for convenience (i.e.- for no specific reason, and not merely default) upon payment of relatively modest early termination fees (though sometimes even these fees will be waived). In any case, however the end comes, it is worth contemplating it in the agreement.
Take, for example, the software transition issue. Let's say the services provided by the vendor required an important, and expensive, third party software program. Now, software like this can increasingly be purchased in two ways; either on an annual basis, for a relatively modest amount, or a perpetual license for a large one-time fee. You can quickly see the dilemma.
If the outsourcing deal is for five years, it might make sense (for the vendor) to purchase only five yearly increments of the software. On the other hand, if the user wants to use the software even after the outsourcing ends (a provision in the agreement would stipulate that the vendor obtain a license that can be assigned to the user at the end of the outsourcing relationship), then (for the user) a perpetual license would make sense, even though it was initially more expensive. Thus, it is important that the outsourcing agreement reflect careful consideration of these sorts of post-termination issues. This is in addition to the typical matters raised by computer agreement termination provisions.
Space constraints prevent a fuller treatment of these outsourcing issues, let alone many of the other ones not even broached above. Needless to say, it is important to canvass all of them to assess what your risks and vulnerabilities are, and then to negotiate a fair and even-handed agreement that addresses the needs and desires of both parties. As to how to negotiate such an agreement, it is to this we turn next.
NEGOTIATING OUTSOURCING DEALS
The first thing to understand before embarking on the negotiation of a significant information technology (IT) outsourcing deal is that these are major transactions. Serious dollars are involved, but this is only one indicia of importance. These deals also affect key performance issues in a critical infrastructure component of the organization. This is particularly true where competitive advantage is sought to be gained by some aspects of the applications being developed and operated by the outsourcer.
Given that large outsourcing deals are significant transactions, adequate support has to be devoted to them. This means that appropriate people, time and financial resources must be made available by senior management, otherwise non-optimal outcomes will likely result.
Building the Negotiating Team
It is absolutely critical for the organization contemplating a major outsourcing to gather together a negotiating team right from the outset that includes fairly senior people from a number of areas of the company. If employees are going to be transferred to the outsourcer, then obviously HR expertise will be required. And if these staff have a pension, then a pension specialist needs to be involved (as well as the external actuarial firm). The finance group also needs to be intimately involved, as the pricing algorithms from the outsourcing vendor bidders will likely be complex, particularly if any vendor financing is involved.
Corporate counsel needs to play an important role. While specialized outside legal help with lots of outsourcing expertise will also be required, it is imperative that one (or sometimes more) corporate counsel are on the team as their institutional legal memory and knowledge will be critical to securing a deal that ultimately reflects the specific needs and requirements of the user organization. You should not try to abdicate this important function to external counsel, as they will likely be unable to discharge it. In essence, what's required here is a partnership between inside and outside counsel that is probably unparalleled in its intensity and mutual dependency.
Obviously the other key folks on the team come from the IT division. Several senior people will be required; in a large, full-scale IT outsourcing, this means the CIO as well as the leaders of the operations, network, and applications divisions. This is only the bare minimum. Who else gets added to the team, however, is often as much a question of confidentiality as it is expertise.
The members of your team need to be told (warned?) that the negotiating process will be intense and time consuming. And of course they all continue to have their regular day jobs, though serious consideration should be given to trying to free at least some of them from their normal duties. Remember, the outsourcer's team has on it various experts who do these negotiations for a living. You have to give your team a fair chance to be able to compete on a level playing field.
Who Needs to Know?
An important threshold question that needs to be addressed at the outset of the project is whether the consideration of the outsourcing option will be kept confidential within the very senior ranks of the user organization. It may be, for example, that the user doesn't want staff to get concerned about the prospect of an outsourcing, if ultimately the decision – after some analysis – is to not outsource.
On the other hand, the invidious situation can arise where the "Go/No Go" decision on outsourcing can be made effectively and meaningfully only after gleaning the input of a number of people in the organization. In this case, some very careful judgments need to be made as to who is (and is not) in the know for this decision.
Assuming the decision is made to go ahead with the outsourcing (subject to coming to reasonable terms with an outsourcer), then the question must be answered as to how many others are brought into the picture beyond the core negotiating team. This is a finicky question, which requires a delicate balancing between needing more people for diligence and related purposes, but wanting to keep the circle rather small to increase the likelihood of maintaining confidentiality. In any event, there should also be in place a contingency plan in case word of the negotiations does get out.
To lessen the likelihood of premature disclosure of the negotiations, it is useful to execute a rigorous non-disclosure agreement with the outsourcer. Most importantly, this agreement would limit the number of outsourcer staff that would have knowledge of the negotiations, and would require that they interface with the user organization only through pre-defined contact points. Similarly, all technical and financial material of the user necessary for the outsourcer to prepare its proposal would be lodged in an off-site data room so that strange faces are not in evidence around the user's offices. The concept is to create prophylactic measures to help avoid premature disclosure.
Go – No Go
It perhaps seems obvious (but often the obvious often deserves repeating), but before the team starts down the negotiating path, it needs to come to a landing on whether or not outsourcing (or how much of it) is even a good idea. At this stage an IT/strategy consulting firm is often retained to help come to a reasoned, rigorous decision on this critical threshold point.
The credentials for this consultant obviously include deep experience in outsourcing, coupled, ideally, with sustained knowledge of the user's industry. The other qualification is independence. This consultant should not be in a conflict situation, at least not directly, and ideally even not indirectly. For example, giving the work to the consulting arm of a bigger technology services provider that also provides outsourcing services is akin to asking a rabbit to take a lettuce to market.
Sole Source or Competitive Bids
Once you have your negotiation team, complete with IT consultant and your expert outside counsel, and you've done your homework to understand exactly what you want to outsource, and why, you can get a good sense of who might be interested in bidding by sending out an RFI (request for interest). The alternative is to sole source the arrangement to a single outsourcer, perhaps someone your company has had a long relationship with. This latter course should only be pursued after much careful consideration, as it will deny you the multiple benefits of competition. If, however, you are forced into it for various corporate reasons, then at least consider making a priority some of the "discipline" provisions discussed above, such as those related to most favoured customer and benchmarking.
If you go the competitive bid route, you will likely get four or five responses to the RFI. You have to qualify the potential bidders and make sure they are all companies that could do the job. Let's say only four pass muster. These four would then receive a detailed RFP (request for proposal), a critical document in the negotiation process.
The RFP would typically contain lots of technical and financial information about the user, so that the bidders can submit fulsome and meaningful proposals. Accordingly, don't forget to include in the RFP your proposed contractual and legal terms, so you can see and cross-compare the various bidder responses to these as well. Many users miss this wonderful opportunity presented by the RFP to set off the contractual negotiations on the right foot.
This doesn't mean you have to include with the RFP a full-blown draft contract. Rather, consider the use of a fairly detailed term sheet, that would cover at some length the essential business and legal concerns. Such a document is very useful for eliciting and understanding the various positions of the bidders; it is also a superior mechanic for organizing the potentially diverse views on issues within the user's organization to ensure that a common position is created.
Selecting the Winner
After the RFPs are sent to the potential bidders, there follows a very intensive period of due diligence where the bidders need to get up a very steep learning curve about your business, technology and people. Hopefully you've prepared for this barrage of questions by putting in the data room reports detailing current service levels, and various other pieces of homework that, reasonably, the outsourcer will require to submit a sensible bid.
Then the proposals are delivered, and the user has an all-important fork in the negotiating road. Some users immediately select a winner based solely on the proposals as submitted, without conducting any negotiations with multiple bidders. Only after the winner is picked does the user, in this scenario, begin to negotiate the final contract.
The other negotiating model is quite different. Under this approach, no announcement of a winner is made merely after receipt of the proposals. Rather, the four proposals (to continue our earlier example) are carefully reviewed and evaluated, and the list of four is "down selected" to the top two finalists. Then, negotiations of the definitive outsourcing agreement follow with both of the short-listed candidates. This sort of process will be familiar to advocates of strategic sourcing in larger organizations.
The question of how long a user should proceed with parallel negotiations has no stock answer. Some users will cease active negotiations with one of the two vendors after an initial round of discussions on the term sheet, particularly if it becomes clear that one offering is simply far superior to the other. In some cases, however, two-track negotiations can continue to the point where both agreements are put before the user's board or senior management the day of the final selection. Clearly the dual negotiation approach requires significantly more time and stamina from the negotiating team than the single track one. On the other hand, the benefits of the dual negotiating strategy can be significant. Like most things in life, what you get out of something is usually inversely proportional to what you put in.
You're Not Finished Yet
Most legal agreements, once signed, are put in a filing cabinet and rarely if ever referred to subsequently. This will definitely not be the case with the outsourcing contract. The outsourcing relationship is simply too important and complex to permit such benign neglect.
Rather, issues will come up constantly where resort will be required to the contract for guidance and direction. In this regard, again it is important that the original negotiating team (or most of it) be intimately involved in these post-signature deliberations, as they undoubtedly will have on-going financial and operational impacts.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.