Successful outsourcing projects have always relied on a clear and commercially reasonable allocation of risks between the parties for all aspects of the relationship.
These range from actual service delivery, fulfilling the underlying business case, through to greater and more unpredictable risks which emerge in the life of an outsourcing agreement, such as changes in business requirements, the wider economic climate, governmental policy changes and geopolitical shocks.
The trend towards flexibly-priced, on-demand service-based models has afforded both customers and suppliers greater flexibility and a broader range of options in delivering infrastructure, technology platforms, IT applications and analytics services. It has also contributed to the gradual erosion of the dominance of the traditional single supplier model in favour of differentiated offerings from a greater number of suppliers.
In recent years, highly-publicised instances of IT system failures and large-scale data breaches have often been blamed (at least in part) on the outsourcing of the business processes in question. Several industry surveys have attributed fault to outsourced service providers in a high proportion (as many as two-thirds) of data breaches.
The shifting technology landscape has resulted in a more complex interplay between customers and suppliers (or sometimes a complex web of suppliers). In particular, the nature and extent of controls over data (including personal data and confidential information) and allocation of liability for breach of legal and regulatory obligations.
These factors are likely to become more prominent on a number of levels: the increased complexity and preponderance of technological threats; the greater costs of remediation; decreasing tolerance among businesses and consumers; and significantly more onerous legal compliance obligations. Discussions of allocation of risk and liability for loss of data and compliance obligations in technology outsourcing agreements traditionally centered on a limited number of provisions, and suppliers in a single supplier model often ultimately carried most of the risk.
This will change further over the next few years. Headline changes likely to be introduced in the EU Data Protection Regulation include mandatory data breach reporting requirements, significantly higher fines and increased obligations relating to the data processing activities of service providers.
Contractual discussions will go beyond the scope of liability for data loss and compliance with data protection laws and will increasingly pervade other areas such as the technical structure (and location) of the service delivery model, responsibilities for breach response, investigation, reporting (to regulators, investors and insurers), remediation and reputation management and, ultimately, termination rights.
Sourcing professionals are already getting to grips with these issues and will be looking to a number of technical and professional colleagues to make the outsourcing arrangements work.
☛ Huw Beverley-Smith is a partner at Faegre Baker Daniels.