Outsourcing services: what to look out for before taking the plunge

For several years now, IT has played a central role in the smooth running and development of companies and public bodies of all sizes. However, the day-to-day management of information systems is not an easy task, and outsourcing has become a common practice, with a number of advantages and risks that need to be assessed before taking the plunge. This article focuses on the latter aspect.

 

What is outsourcing?

Outsourcing involves entrusting an external service provider with the management of all or part of your information system. It covers a wide spectrum of services, from simple data hosting to complete external management of the customer’s information system.

For most of our customers, the aim of outsourcing is to refocus on their core business, and take advantage of the benefits that this formula offers, such as IT expertise, cost reduction, access to the latest technologies, productivity gains and improved system security.

However, this operation is not without its risks. We identify some of them below, so that you can raise them in your negotiations with your service provider.

 

Risks inherent in subcontracting

Outsourcing does not escape the risks that could be described as “usual and classic” in subcontracting:

  • whether the service provider’s technical and financial capabilities and resources are adequate to perform the services. The provider must be able to supply all the information needed to reassure the customer about these aspects;
  • the provision of unsuitable services due to misunderstanding of needs and lack of advice. The expression of need is an essential step in the service provision process. This means being as precise as possible about your expectations and constraints, and paying particular attention to the solutions put forward by the service provider;
  • the lack of transparency regarding the organization of the service, and in particular, compliance with security constraints in the case of cascading subcontracting. Sufficient guarantees must be provided that the services will be carried out in accordance with the established security requirements;
  • dependence on the service provider when its offer does not include portability or reversibility services. This aspect must be addressed prior to the conclusion of the contract, and must be an integral part of the service provider’s offer, so as not to be caught unprepared and avoid any operational difficulties at the end of the contractual relationship.

All these points of attention should inform your analysis and choice of service provider, according to your needs, your strategy over time and the objectives you wish to achieve. We recommend that our customers attach as much importance to them as to financial and technical terms, and include them in their contracts.

 

Risks specific to outsourcing services

Outsourcing the management of all or part of your information system entails other risks specific to this type of service, which, if left unchecked, can lead to loss of control and have a serious impact on your business. We can categorize these possible failures as follows:

  • Data security: a lack of clarity about data management and location can increase the risk of data breaches. The customer must be in a position to ensure that all hosting meets its security requirements and applicable legal and regulatory obligations. The risk of disclosing sensitive information must be assessed at all times, so that appropriate decisions can be taken with full knowledge of the facts;
  • Personal data: failure to comply with the provisions of the General Data Protection Regulation (GDPR) is very heavily penalized (over 100 million euros in fines imposed in France by CNIL in 2022). Responsibilities must therefore be determined, and it must be ensured that the service provider can meet the specific legal obligations in the outsourcing environment;
  • Remote interventions: outsourcing services provided remotely can expose the information system to various types of vulnerability, which can considerably affect it and have serious consequences for the organization. Examples include intrusions by unauthorized persons, abuse of rights by a technician who accesses, downloads or modifies sensitive data, or the difficulty of ensuring traceability of interventions. These situations can be controlled by identifying and analyzing the technical and organizational security mechanisms and measures available;
  • Shared hosting: this involves hosting several services on a single server, to rationalize resources. In most cases, the services concerned are websites, messaging services or databases. Co-hosting in a less controlled environment accentuates the risk of loss of service availability, integrity or confidentiality. The solutions put in place in the event of an attack or to prevent incidents, as well as reversibility, must also be clearly defined in order to limit these risks;
  • Technical choices of the service provider: it is sometimes necessary during the course of a contract to upgrade the information system in order to integrate new functions, adapt to new regulations or for reasons of obsolescence. In this case, the technical choices made by the service provider may be inadequate to meet the customer’s needs. The contract will validate these choices and the necessary adjustments.

 

Conclusion

It’s undeniable that outsourcing offers advantages for an organization’s productivity and structural development. However, as we have emphasized throughout this article, this outsourcing process is not without its risks, which you need to limit throughout your dealings with the service provider to give your project every chance of success.

In this respect, our Contract Management team, which is regularly consulted on this type of subject, is ready to share its expertise and support solutions with you.

 

 
