Coronavirus (COVID-19) has swiftly exposed the vulnerability of supply chains. For most IT organizations, that fragile ecosystem includes providers of critical IT services.
Service problems were already emerging as an issue for outsourcing customers surveyed by Everest Group prior to India’s shutdown. As of April 1, 14 percent of respondents were reporting major business disruptions and another 21 percent were seeing the beginnings of serious issues. More than half had seen minor disruptions.
In addition, work-from-home mandates are requiring service providers to ensure that their workers who are supporting mission-critical enterprise customers have the necessary tools and technologies to enable the speed, security, quality, and overall efficacy of services provided.
“Especially in offshore locations, much of the workforce has not previously been set up for this work-from-home scenario, presenting new tactical and operational challenges, including getting laptops to service provider personnel; setting up VPN, VDI, and/or Citrix access; ensuring WiFi is available; and providing the requisite security software applications,” says David Rutchik, executive managing director at Pace Harmon.
Slipping service levels and accommodating shelter-in-place orders are just a couple of the ways the global pandemic will impact the IT services ecosystem in the near term. Following are the areas IT leaders will need to address in the coming weeks as the outsourcing industry adjusts to this evolving new reality.
Business continuity challenges
Most outsourcing business continuity plans were built for local disasters and don’t factor in a global pandemic necessitating widespread work-from-home operations.
“Clients need to rapidly assess the status of business continuity measures and operations and take steps to address any gaps or issues,” says Bill Huber, partner, digital platforms and solutions at global technology research and advisory firm ISG.
The market has performed remarkably well in recent weeks given the complexity of the situation, notes Steve Hall, ISG partner and president, noting that India is currently operating at around 80 percent of its pre-pandemic productivity levels while nine out of ten IT employees are working at home. Nonetheless, some enterprises are repatriating services in the short term and others are considering alternative delivery methods. Looking forward, business continuity and disaster recovery plans should be modified to factor in cases in which an entire country is locked down, Rutchik says.
“If outsourcing provider resources are now working from home, it is likely that this was not contemplated in the drafting of the agreement,” Rutchik says. “Enterprises should seek to modify existing contractual provisions accordingly.”
If they haven’t already, IT leaders should focus on putting requisite controls and protections in place, especially for arrangements that include intellectual property, confidentiality, physical and logical security, data privacy, and audit rights.
Information security changes
“We saw a big uptick in VPN solutions last week as organizations worked to ensure data was secure from home locations,” Hall says. Some industries with greater regulatory oversight have repatriated certain activities or are requiring the work to be completed from a certified delivery center, but such situations account for less than 25 percent of total work, according to Hall.
Nonetheless, outsourcing customers must be diligent in making sure their providers put alternate methods in place to achieve security of the provider location. For example, managed services agreements often require that services be performed in segregated locations where the service provider personnel are not permitted to print, download to USB drives, have smartphones or otherwise have the ability to copy sensitive data. They also often rely on the physical access control at the facility, with some sort of device or token.
“To the extent possible, these should be implemented at home also,” says Brad L. Peterson, partner in the Chicago office of law firm Mayer Brown. Software loaded on a WFH device might disable its USB drives, screenshot functionality, and print functions. Multi-factor authentication with a separate digital token required for accessing the network could replace physical access control. A “look over the shoulder” management approach could be swapped for watching a screen copy.
Service level shifts
Many providers are seeking relief from service levels and other performance standards due to limited bandwidth at home, distracted workers, or an inability to use tools available only at the supplier facility.
“A broad excuse from service levels and other performance standards is almost never reasonable. For example, there is no reason for excusing provider from meeting accuracy service levels or meeting obligations to exercise due professional care, with qualified and skilled personnel,” says Linda Rhodes, a partner in the Washington, D.C. office of law firm Mayer Brown.
The current environment may feel like a force majeure event, however “if your outsourcing agreement is well crafted then this circumstance shouldn’t quality as [one],” says Rutchik. “This is important as it will not relieve IT service providers from meeting their full service, service level, and overall terms obligations. Even if this was considered a force majeure event, there still should be contractual obligations for the provider to re-instate the services in accordance within specific timeframes.”
While service providers may contractually be required to maintain the same level of service level agreements (SLAs) and SLA credits, practically speaking this may not be possible right now.
“This is an unprecedented time for all industries including IT services delivery,” Rutchik says.
Service levels for several key functions are being impacted as service providers and clients prioritize critical activities, says Hall, who expects service level credits or rebates to accrue over the next couple of quarters reducing revenues by as much as 3 percent across the industry.
For the short term, Rutchik advises IT leaders to be flexible — operationally and contractually — to accommodate the impact this crisis is having on people. “Given the challenges of meeting obligations in a fluid situation with varying constraints on delivery, we are seeing clients work with providers to adjust service levels to best use available capacity to meet the changing business needs,” Huber notes.
Rhodes suggests addressing providers’ service level concerns “through the governance process or a conversation whereby the provider describes with specificity which obligations it cannot meet, why it cannot meet them, and what workarounds or modifications would resolve the concerns. The customer can then make an informed decision about if, and to what extent, adjustments (if any) may be made without forgoing rights to receive contracted-for levels of performance.”
Pricing model modifications
In some cases, outsourcing customers and their providers are rethinking their pricing models temporarily to reflect operational shifts, says Rutchik. Some are switching managed services arrangements to time-and-material pricing, for example.
Discretionary spending delays
ISG has found that six out of ten outsourcing clients are delaying any discretionary spending by at least 90 days. The ISG Index (released on April 8) shows a 17 percent drop quarter over quarter in discretionary spending with an expected decrease of 20 percent over the next quarter.
Application and network resiliency
The work-from-home mandate is taxing many networks. “Infrastructure across India is being stretched,” Hall says. “Mobile providers in particular are struggling to keep up with demand from movie streaming and broadband connections.”
In many cases, providers must put in place additional redundancies to ensure sufficient availability, says Huber. Remote support from smaller areas and villages has been more likely to be disrupted than that from the major tech hubs such as Bangalore, Chennai, Hyderabad, and Noida.
“Major service providers are also deep cleaning facilities and arranging safe transportation to enable some essential workers to return to campus to mitigate network concerns,” says Hall.
Audit rights uncertainty
Service providers may ask their clients to waive their audit rights for the duration of any lockdown orders, given the unfeasibility of on-site audits. However, a complete waiver is overkill and leaves the client without recourse in situations where they are necessary or appropriate, such as a suspected breach, according to Rhodes.
“Many audit rights may be available to the client that do not require access to facilities, such as access to contract records and personnel engaged in the performance of the services,” Rhodes says. “It is important for clients to maintain these audit rights, in particular given that the need to ensure adherence to contractual terms may be heightened as personnel work remotely.”
In fact, IT outsourcing customers might want to expand their audit rights to monitor and manage new work methods.
Public cloud push
Cloud computing providers could to be big beneficiaries of the COVID-19 disruption. “We see an acceleration of cloud migration to provide better availability,” Huber says. “This acceleration may require renegotiation of existing agreements.”
Cloud providers were up almost 15 percent year over year, according to the latest ISG index and are expected to be up again in the second quarter despite the overall economic downturn.
“Clients are clearly moving more workloads to the hyperscalers and where possible reassessing their fixed asset strategies,” says Hall. “Supply chain resiliency and business-to-consumer solutions will be board-level issues by the third quarter, which will accelerate ERP and digital solutions and further increase migration to the public cloud.”
Preparing for the new, new normal
IT leaders must keep the post-lockdown future top of mind even as they scramble to manage this interim period. “As this situation will not last forever, it is critical for enterprises to retain the ability to quickly return to the status quo,” says Rutchik. “All changes — whether operational, contractual, or financial — should be considered and executed with the reversion to the status quo in mind.”
It’s important to put in place specific plans and provisions that enable quick recovery and a return to the original service environment, service level requirements, contract and financial structures, and corresponding business needs.
“Once government-mandated lockdowns have been relaxed, there will likely need to be a negotiated ‘return to normal’ between customers and service providers that aligns with applicable government guidance,” says Joe Pennell, partner in the technology transactions practice at Mayer Brown. That renegotiation should address a number of key questions, including what portion of the service provider personnel continue to work from home, which facilities will be re-opened, how quickly personnel will return to delivery centers, what health precautions will be taken, and what reimbursement for costs the provider may seek for the transition.