by Kevin Christ, Patricia Connolly

A 7-point blueprint for assessing your offshore IT risk exposure

May 06, 20207 mins
IT LeadershipOutsourcing

Offshore service providers are grappling with COVID-19's impacts, limiting their ability to meet obligations. This guide will help you evaluate your provider's performance and capabilities.

India, mapped on a dark globe.
Credit: Kasezo / Getty Images

COVID-19 in India: Impact assessment

In India, as in the U.S., headlines about current conditions regarding COVID-19 vary widely suggesting a range of beliefs from “India is re-opening” to “undersized healthcare and high population density make India uniquely fragile.” Currently, the daily count of new cases and daily reported deaths is continuing to rise.

On May 1, India’s initial nationwide lockdown which had been scheduled to expire on May 3, was extended for two additional weeks through May 18, the second such extension.  The edict continues  conditional relaxing of regulations based on red, orange and green rated containment zones.  Locations with a higher infection rate continue under strict quarantine with restricted movement.  While some news reports mention red zone offices (virtually all large cities) are now allowed a one-third occupancy rate, this is not universal and offices remain statutorily closed in many service parks. India’s Ministry of Home and Family Welfare permits e-passes only for approved critical business and individuals.

Some Indian service providers have smoothly transitioned to remote operations, while others continue to struggle. In evaluating the status of vendors, you cannot assume that issues will be communicated consistent with U.S. culture. Difficult news may be softened.  We suggest “Asking seven times and seven ways” leveraging multiple sources to cultivate respectful dialogue while gaining accurate insight. In other words, “trust, but verify.”

The following seven areas provide a blueprint for CIOs to assess your offshore provider’s performance and capabilities under COVID-19’s restrictions. Your assessment should inform risk awareness and mitigation.

1. Evaluate IT contracts and partners for obligations, opportunities and risks

Outsourcers may find it difficult to meet their contractual obligations based on constraints including limited remaining personnel. Review SLOs (service level obligations) to reconfirm agreed performance metrics, reporting and remedies. Know what is owed you to confirm it is received.

Liquidity challenges are forcing many firms to reduce discretionary IT spend and conserve cash. Look to reduce usage-based metrics (e.g., transaction volumes) and confirm billing reflects actual usage. Look for contractual out clauses for convenience or force majeure that would allow suspension of discretionary initiatives without penalty. Additionally, confirm that your partners have the financial stability to survive the current disruption.

Finally, your vendors’ pockets may be deeper than your own. Terms may be renegotiated for a defined term with vendors including deferred payment, reduced pricing, or zero-cost measures. In these unprecedented times, ask for what you need.

2. Assess Business Continuation Plans (BCP) and status

CIOs must demand detailed information on each vendor’s BCP, their preparedness for a remote-work-only scenario, testing and outcomes.  An Indian multinational service provider told us that, “No one ever envisioned this scenario to occur. Our business continuity plans did not provide direction on work from home restrictions. Our team works from a center using desktops. India’s swift lockdown left many resources in remote locations without the tools to perform their work.”

Review the BCP in detail with an eye for impact on your services and fit for the current remote-work scenario (equipment, connectivity, security).  Review the recency and results of the BCP testing and any audit concerns.  Confirm that the BCP meets contractual obligations, including notification requirements.

3. Understand your place in the pecking order

If vendor resources are constrained, confirm your relative priority with your vendor. Larger contracts may consume the attention (and possibly your resources). If unable to improve your stature, determine your risk exposure. “Depending on how big the contract is and considering the competition’s footprint, vendors today may be forced to spread their resources,” an SVP of Client Support for an offshore service provider told us.

Reiterate your expectations, stay informed and monitor your vendors. Confirm adequate personnel, facilities, equipment and bandwidth remain dedicated, even in scarcity. Falling performance metrics are a lagging indicator of a struggling vendor.

4. Confirm assigned team member are effective in their new working conditions

With widespread migration away from larger cities, personnel may lose access to needed equipment or stable telecom. The sudden policy changes left teams with little time to prepare or coordinate. In some cases, living arrangements, eldercare or childcare may make working from home less effective. For example, any Paid Guest housing facilities (PGs) have been closed by government mandate. PGs are a cost-effective shared housing/services alternative. Closing PGs may displace staff from their primary work location and erode the vendor’s service delivery.

CIOs should request confirmation of the assigned roster including names, roles, reporting relationships, skills, certifications and experience and health status. Request any changes in roster and confirm equipment, network access, reliable power and security.

5. Determine current security and confidentiality risks

Technology leaders must assess security capabilities under modified working conditions. While regulatory, industry, intellectual property and internal requirements were initially well-defined, upholding standards could be impossible with resources now working from various unsecured locations. Customers must confirm whether contractual requirements are being upheld or what alternatives have been implemented. Reconfirm vendor procedures to disclose changes in protocol or breaches. Finally, determine if additional tools, controls and practices are needed.  

6. Determine if remote work is effectively producing the desired outcomes

Most offshore IT workers have traditionally worked in closely-supervised, large office settings. Under COVID-19 restrictions, it is important to confirm that work proceeds efficiently with effective supervision.

Understand how service delivery model has changed, how performance is measured, and what reporting is available. Review trend reports to assess current performance versus past experience.  Instruct your leaders to keep close connection with offshore counterparts.

The director of development for a Fortune 500 manufacturer told us to “look for specifics on testing results, resource turnover, extensions or estimates changing. Challenge your leaders (IT and business) to stay engaged to ensure ongoing success of offshore team projects.”

7. Immediate and long-term IT talent strategy changes

If your offshore vendor performance introduces unacceptable risks, compromised controls, or poor service levels, consider alternative talent strategies. Some companies have resorted to reshoring roles, forgoing prior offshore benefits.

Others are evaluating alternative offshore models, such as global insourcing centers (GICs). GICs replace offshore contractors with dedicated local/global teams, garnering the better access to select offshore talent and cost structures.  The CIO of a global consumer products company told us, “We found shifting to a global insourcing (GIC) strategy gave us cost savings, but more importantly provided an employee-centric workforce. During this time, we released most of our contract resources and are now doubling down on our managed-service GIC team.  This may be a time for CIOs to make the pivot to an alternative talent strategy.”

With an understanding of current conditions and your vendor assessment completed, the final article in this series will share a playbook of alternatives and actions for you to recover offshore capabilities.