How to make your IT outsourcing contracts work for you

For thousands of businesses across the UK, outsourcing IT provides greater value, a better return on investment and peace of mind. It allows companies to spread their investment in IT infrastructure and call upon a wealth of expertise as and when needed, rather than employing a large in-house team.

Global business spending on IT outsourcing and hardware maintenance has increased from a total value of about 400 billion US Dollars in 2013 to near 503 billion US Dollars forecasted by the end of 2017. But high value IT contracts come with their own risks and it is vital to know what you are signing up to before putting pen to paper.

It is also in the interest of you and your Managed Service Provider to ensure that both parties are in agreement about their respective roles and responsibilities under the contract.

In this Top Tips article, I have given guidance on the questions you should ask when finalising the contract and any service levels for performance of the service.

1.    Know what you want and involve your IT team

It sounds so simple but know what you want from your IT supplier and what the minimum is that you expect from them. If you have your own in-house IT team, make sure you involve them in the contract process – they have the best understanding of what systems and features are required to support your business going forward so use them to your advantage. Ask them to work with your procurement or legal team to check that the contract covers everything you need both now and in the future. 

2.    Read the small print and don’t be afraid to ask questions.

One of the main risks of outsourcing IT is ensuring adequate service level commitments. An outsourcing provider might promise the earth in their sales patter and marketing literature but when you look at the terms of the contract they give few assurances about the services and limited remedies if things go wrong. Any pre-contract assurances given by the provider about the service should be clearly documented in your agreement with the provider.

Things to check in the contract include:

  • Will the supplier outsource any of your work to a third party and what measures are in place to keep your data safe in that instance? This is particularly important with the introduction of the new General Data Protection Regulation which requires data processors to implement adequate security measures and obtain the data controller’s consent to any sub-processing.
  • Where will your data be stored – for example will it be stored on servers in the UK or in the US or India or elsewhere in the world? Is it easily accessible?
  • Has the supplier sought appropriate indemnities and insurances from any third parties they work with?
  • What security systems does the service provider have in place? Do they protect you, and them, from viruses, rogue code execution, unauthorised access and social engineering?
  • If the service is web-based, how is it protected from Denial of Service (DoS) attacks, which are often part of a wider targeted hacking attempt?
  • If the service provider uses third party software, what is the process and schedule for updating this with the latest security updates?
  • What back-up and business continuity arrangements will the supplier provide? How often is this backup taken? What is their disaster recovery policy?
  • What happens if the data is corrupted and can the IT service provider restore the position to the last backup?
  • What are the plans in place in event of a physical problem with the data centre(s), such as fire or flood?

3.    Negotiate a liability amount that protects your business

One of the most common problems businesses face when outsourcing their IT is that the supplier excludes or limits much of their liability within their contract. A low limit of liability may significantly reduce the effectiveness of any assurances given about the service and security of your data. Financial limits on liability set by a supplier can be as low as several thousand pounds. If a service provider is responsible for hosting your entire transactional website or customer database, the economic consequences of a loss of data or dealing with a cyber attack could be significant. The cost of reconstituting the lost data alone could exceed a low cap on liability. Added to this are the financial impact of lost profit, damage to reputation and fines that may be imposed by the Information Commissioner. Take time to calculate the losses that could be incurred in a worst-case scenario and use that to negotiate a liability amount that protects you.