In the adoption of any new technology, companies always face the classic choice between "make" and "buy"\u2014that is, between developing the technology themselves (insourcing) and buying it from outside (outsourcing). Both have advantages and disadvantages; the key to making a good decision is developing a good understanding of what they are. Having spent a dozen years studying the issue, by examining sourcing decisions with a range of corporations, participating in litigation in international outsourcing contract disputes and examining the economic theory through ongoing research programs at the Wharton School, we have developed a framework for anticipating and managing risks and achieving desired benefits through stable relationships. In this article, I\u2019ll focus on managing the risks of outsourcing; in my next column, I\u2019ll delve more into maximizing the rewards.The Benefits of OutsourcingIn general, companies outsource when they expect to receive one or more of the following benefits:* Lower cost, because the outsourcing vendor can produce software or operate systems more cheaply than the company can. Vendors often can offer such scale advantages by reusing code or sharing risk across a large book of contracts, for example.* Increased flexibility, allowing the company to add capacity or reassign personnel as demand moves up or down.* Faster speed in development, leading to reduced time to get a product or service to market.* Some form of accounting advantage\u2014by shifting resources off the balance sheet, the company can sometimes report a better return on assets.So why don\u2019t companies outsource all their IT? Because outsourcing also poses a number of disadvantages. As in any other area of contracting, software outsourcing increases transaction costs\u2014the costs of arranging to produce or purchase something rather than the direct costs associated with producing it or purchasing it. Some of these are frictional costs: It costs more to administer contract employees than it does to use in-house staffers, for example.It may also cost more to develop a specification for an outside contract than it would to develop one for internal development. Moreover, legal costs associated with contracting and the expense of monitoring or measuring vendor performance may be higher than the comparable costs associated with internal activities.There are also risk-based costs. That is, there may be a greater risk of deliberate contractual abuse, for profit, by an outside contractor than there would be from an internal development team. If these risks materialize\u2014if the contractual abuses occur\u2014they will produce real and potentially substantial financial costs.The Risks of OutsourcingRisks associated with outsourcing contracts are principally one of the following three types:1. Shirking. This is when a vendor deliberately underperforms while claiming full payment. It may involve such tactics as billing for more hours than were worked and bait-and-switch staffing, providing excellent staffers at first and then replacing them with less qualified personnel.2. Poaching. This represents the client\u2019s loss of control over an information asset that occurs when a vendor develops a strategy and a strategic application for one client and then redevelops the system for a second client. The second client\u2019s cost is likely to be lower, placing the first client at a disadvantage, rather than offering it a sustainable advantage. In the most extreme case, the vendor goes into the client\u2019s business and competes directly using the expertise it developed on the project.3. Opportunistic repricing or holdup. When a company enters into a long-term contract, it is not uncommon for the vendor to try to change the terms at some point. "Vendor holdup" occurs when a vendor overcharges for unanticipated enhancements and contract extensions.What makes these risks possible? In general, each occurs when the vendor sees a profitable opportunity that could not have been predicted or prevented by the terms of the contract.For shirking to occur, for example, there must be some form of incentive differences between the client\u2019s interests and the vendor\u2019s interests\u2014that is, some motivation for the vendor to act in its own interests and counter to those of the client. Second, there must be some form of uncertainty; shirking is a poor strategy if it can be detected and punished. Unfortunately, the difficulty and expense of careful monitoring mean that detection with certainty is rarely possible.Poaching, too, occurs when there is a difference in incentives\u2014that is, when the vendor can earn more by reusing and reselling expertise gained from the client, or even competing with the client, than it can otherwise. And, as is the case with shirking, poaching occurs when there is uncertainty in detection or precontractual uncertainty as to what actions might be possible and attractive for the vendor later on.Holdup also requires an incentive difference between client and vendor. In this instance, it is easy to understand: The vendor wishes to charge more than originally required by the contract, while the client does not wish to pay more. There must also be some change in power that enables the vendor to demand and win this increase in payment. This often occurs by way of a phenomenon called postcontractual small numbers bargaining: Once a contract has begun, there are frequently few alternatives available to the client but to continue with the vendor that was originally selected. This lack of alternatives can occur for any of several reasons. The client may have made a sunk cost investment of some form, for example, such as buying hardware with limited resale or salvage value that works effectively only with software provided by the vendor. Alternatively, it may have transferred to the vendor ownership of critical assets, such as its data center hardware and legacy systems, or it may have divested internal staff and expertise, again making it dependent upon the vendor. Whatever the reasons, the bottom line is that the client loses power because it would suffer an intolerable loss of revenue or profits if the vendor\u2019s demands are not met.Managing the RisksWhen you outsource application development, any and all of the above risks are possible. Fortunately, there are a few simple guidelines that can substantially improve your chances of success:1. Understand the project. Companies that choose to outsource applications must have a high degree of understanding of the project they are undertaking, including its requirements, the method of its implementation and the source of expected economic benefits. This is crucial to providing reasonable incentives for meaningful measures of performance. On Wall Street, historically, attention and rewards have been given to those who produce profits, like successful trading desks; there has been less interest in managing cost centers like information processing. Despite the strategic importance of information infrastructure, many companies on the Street have attempted to squeeze systems, and they have failed to provide the resources or the guidance needed for long-term investment in IT. When they realized that they have not always done a good job managing this area or rewarding performance, some have outsourced with contracts obligating vendors to "do a better job"; however, this provides neither the metrics needed to define a better job nor the incentives for the vendor to steer in the desired direction. Understanding project objectives also helps to reduce the risks of poaching, since it is then possible to specify and control access to elements that may be critical to the client\u2019s future competitive positioning. The risks of outsourcing product distribution\u2014as airlines did with computer reservation systems in the 1970s, for example\u2014can clearly shift too much power to the distribution system. Using a third-party information processor to manage client relationships can allow another party to have access to your customer history and pick off your best accounts. The most successful projects we studied were those in which the client was fully capable of developing the application itself but chose to outsource simply because of constraints on time or staff availability.2. Divide and conquer. Dividing a large project into smaller, more manageable pieces will greatly reduce programmatic risk. In principle, completion of each independent chunk creates the possibility that subsequent development work will be handed off to a different developer. Each chunk should have specific objectives and quality metrics, and each piece should be independent, in the sense that companies would have to absorb only tolerable increases in development costs should they choose to switch vendors after one or more chunks has been completed. Although this will increase development costs, it reduces or eliminates the risk of vendor holdup. If the vendor attempts to overcharge for continuation, the self-contained nature of the work completed to date will permit a more or less painless handoff to another vendor for continuation of development. Moreover, by assessing checkpoints at the completion of each chunk, the company can detect quality problems and reduce the risk of shirking or underperformance. Thus, when deciding on the milestones for such a project, it is important to have a viable exit strategy if any chunk fails.3. Align incentives. Although the vendor\u2019s incentives can never be fully aligned with those of the client, it is frequently possible to design contractual incentives that will help enhance performance. If you pay a telephone interviewer for the number of calls he makes, they will be short; if you pay for the number of minutes he is on the phone, each call will be long; if you pay for applications approved, you will have lots of approvals, and if you pay for applications rejected, you will have lots of rejections. What you want to do is pay for incremental sales. Unfortunately, such incentives are not always guaranteed to work. It is difficult to define incremental sales or determine the basis of compensation for your call center operators. A similar "law of the wallet" holds in all software outsourcing, and it suggests that you get what you pay for: If you pay for lines of code, for example, you will get many lines of code; if you pay for testing, you will get lengthy test logs. Incentives can bring vendor behavior in line with a client\u2019s expectations, thereby improving performance, but they can also distort it, causing performance to drop. It depends on how well individual vendor activities can be measured and how accurately measurable and rewardable activities can be correlated with desired performance.In short, for all its attractiveness, there are a number of potential costs and risks associated with outsourcing. The above guidelines can help keep those risks under control. One final tip: When in doubt, hiring an honorable and well-managed vendor with a reputation to preserve may be your best protection.