ECM

Outsourcing, Reliability, and IT

When the grid collapses or a hurricane wipes out power to millions of customers, how does a customer information system (CIS) information technology (IT) manager ensure his or her outsourcing partner works as an extension of the IT organization by providing system reliability? When customer privacy of a competitor is questioned, how can the company be certain that the team members of the outsourcing partner have had sufficient background security checks, and that company data is safe?

Wishful thinking is to believe such untoward events never occur. Foolish thinking is to never plan for them. Meeting the customer's expectation in servicing problems can ensure customer satisfaction. To ensure that the expectation of services is met, it is important that the outsourcing partner and the CIS stakeholders agree to mutually acceptable definitions of service levels.

Service levels can be defined in multiple ways, starting by defining an incident as an event apart from business-as-usual, with the potential to disrupt service or compromise service quality. An incident could be as simple as maintenance that goes beyond schedule, or as complex as an act of God that disables power and communications.

The criticality of an incident is assessed by looking at the impact of the incident. Does a reported defect affect only one customer service representative (CSR) or a whole group of CSRs? Another dimension in assessing criticality is its urgency or the speed required to resolve the impact. Does the defect affect the viewing of a bill 13 months old, or the current bill that cannot be retrieved? Does it affect one customer or a group of customers on a certain tariff? Does the problem occur once in a while or every day, and is it getting worse? What will be the total loss in terms of revenue generation or collections on a daily basis? The criticality and urgency help in determining the priority of the incident. It is common for IT shops to classify priority levels as P1, P2, and P3, with P1 being the highest and P3 the lowest.

For each priority level, the service level agreement (SLA) defines an agreed-upon response time. For example, at an investor-owned electric utility in the United States, an SLA requires the outsourcing partner to respond to 90 percent of calls within 10 minutes. The response time may depend on when the incident is logged (after-office hours, during office hours, weekday or weekend, and holidays.) It is, therefore, common for the on-call team to carry pagers, cell phones, and secure IDs to receive the incident and respond to it. Remote access also is provided for the on-call team to connect to the CIS from home.

Another aspect in defining an SLA is service hours. How many hours of service in the day and number of days in the week will the service be provided? Defining service hours to take full advantage of any time differences can make the best use of an offshore partner, depending on where the onshore team and offshore team are located.

When the offshore services involve application maintenance, additional SLAs can be defined in terms of metrics, including efforts to rework secondary defects, percentage of service requests completed on time, overrun on service requests, and capacity utilization by category of service requests.

Going for Gold: Defining Priorities Is Key

Based on the dimensions of criticality, priority, service hours, and response time, it is a good idea to segregate different parts of the CIS suite into categories of gold, silver, and bronze service levels. For example, an online CIS application used by CSRs and requiring the most up-time may be classified as gold. Certain weekly or month-end jobs where near perfect up-time is not required may be classified as silver, and in-house IT tools for development or maintenance that are not customer-facing could be classified as bronze.

It is worth emphasizing that classifying applications into service-level groups varies throughout the industry. An over-cautious approach results in a higher-cost and lower added value to the customer, while cutting corners can compromise the reliability of the system. The contribution of an experienced outsourcing service provider becomes very critical in defining such a framework.

Moreover, planning involves defining the SLAs. How does a CIS manager ensure that the plan works operationally? For every application an escalation hierarchy should be defined to ensure that incidents are escalated in a timely fashion. An incident escalation hierarchy should include both the client organization and the organization of its outsourcing partner. A rigid escalation hierarchy ensures that adequate attention to SLA compliance has been given. The mode of escalation should be agreed upon based on cost and outsourcing partner experience in providing the agreed service.

The challenge to working the plan lies in how well the SLAs have been drafted and how well they work operationally. An SLA that works in theory but is unreasonable operationally because of politics or organizational structure will need to be reworked. Another important aspect of keeping SLAs working operationally is performing periodic reviews. Reviews between the CIS manager and outsourcing partner management ensure that SLAs are kept up-to-date and functioning.

A CIS manager and an outsourcing partner can agree to a set of SLAs ensuring service reliability of a CIS application, but without commitments from the underlying infrastructure team, the outsourcing partner may not be able to meet its agreements. Dependencies on an outsourcing partner's SLAs must be identified. For example, an agreement to support a client's CIS residing on their mainframe commits the outsourcing partner to respond to an incident within 10 minutes at least 90 percent of the time. Mainframe uptime is ensured to be above 95 percent. Likewise, the link to connect the outsourcing partner to the client's mainframe, such as a leased line, remote access, Citrix solution, terminal server, or PCAnywhere also must have a higher standard of reliability.

This becomes even more important when the outsourcing partner is offshore and working across different time zones. Regular services such as database administration or systems programming, which are deemed to be present during regular business hours, may not be present at the same level during night hours when the offshore partner would be in its prime shift.

It is not uncommon that the outsourcing partner supports some of these infrastructure resources remotely. The advantage of this approach is that the critical IT infrastructure resources are supported after office hours by an offshore team during its prime office hours as compared to an in-house support staff working the graveyard shift. The key, therefore, is to define and manage SLAs between the client organization and the outsourcing partner or partners. Once again, the experience of the outsourcing service provider is extremely valuable in supporting similar agreements.

To manage different outsourcing partners performing complementary functions, a management office sets up an office to oversee all outsourcing activities related to a particular part of the client's business. The office may consist of both client staff and representatives of the outsourcing partners or sole-sourced to one of the vendors or a separate vendor. Either way, by keeping a high-level perspective across functions, activities can be better coordinated and planned.

Security of CIS Information Assets

Corporate data security is maintained by defining stringent induction criteria for an outsourcing partner similar to that of the client's own employee. The criteria are agreed upon by the client's CIS manager and the human resources, corporate security, and procurement departments, as well as the outsourcing partner's management. Overprotection can result in an operational nightmare for the outsourcing partner while compromising the process could be a potential security weakness. Security criteria used in the past include:

Background checks: A law enforcement agency of the outsourcing partner country can be used to verify that members of the outsourcing partner team do not have criminal backgrounds and are compliant with visa regulations when bringing outsourcing team members onsite.

Confidentiality agreements: These should be signed by the outsourcing partner and members of their team.

Misdemeanor and felony prosecution. For any outsourcing partner team member who fails to work within the standards set forth by the client country's law.

Physical security: Limit access to the building/room where client work is performed via access control IDs and badges.

Access to secure areas: Only during business hours.

Definition of separate systems' security groups: These determine access to development, test, and production environments on an as-needed basis only.

Revoking all access: Whether physical or system access, as soon as a team member rolls off the project.

Periodic security awareness training programs: Periodic audits to ensure process compliance.

Outsourcing partner compliance: With industry security standards such as BS779.

Periodic security updates: For desktops used by the outsourcing partner team.

Biometrics. To provide for an additional level of physical security.

Paperless office. Sometimes a system can be designed so that notes do not need to be taken by hand. All customer data therefore stays within the system and cannot be accidentally removed from the outsourcing partner's environment.

Periodic client visits to offsite offices. To ensure compliance with policies.

At the end of the day, the processes set forth in an SLA are only as good as the people using them. The key, therefore, is to ensure that the outsourcing partner's management team is committed to the success of the engagement. As long as the CIS manager can ensure the client's commitment and attention, the rest soon follows. It is imperative, therefore, that the CIS manager treats the outsourcing partner team as an extension of his own staff. The client and the outsourcing partner should organize frequent CIS team-building events so that members of the client and partner teams are adequately engaged. Good working relationships between the client and the on-site partner team go a long way to ensure processes that provide reliability and security are adequately followed.

Articles found on this page are available to subscribers only. For more information about obtaining a username and password, please call our Customer Service Department at 1-800-368-5001.