Copyright © 2004 Information Systems Audit and Control Association. All rights reserved. www.isaca.org.
Eliminating Today’s Costly
Outsourcing Operations Challenges
By Randy Brasche
M
ore companies are turning to outsourcing as a viable
means to achieve efficiencies and make vital
resources more available. By outsourcing key
portions of their infrastructure, including the mundane, day-today monitoring and maintenance of applications, networks and
hardware, companies can free people and budgets to focus on
core business initiatives. Since many outsourcers have
established economies of scale, they can provide services at a
much lower—and much more predictable—cost.
Through outsourcing, companies gain IT agility without the
expense or burden of maintaining and managing increasingly
complex systems and processes. For an outsourcing service
vendor, providing these benefits can come with a significant
risk. Divergent technologies, complex systems and elevated
customer requirements can amplify operational inefficiencies,
endanger service level agreements and ultimately increase
costs. As a result, service vendors must start focusing on the
two most costly and unpredictable components of their
infrastructure: people and process. By focusing on people and
process, outsourcers stand a better chance of maintaining high
service levels and increasing profit margins.
Increased Demand Increases
Operational Complexities
Market analyst firm International Data Corporation (IDC)
recently reported on the upward trend for outsourcing by
discussing the overall revenue success of the 30 largest IT
services vendors. According to IDC’s Worldwide Quarterly
Services Vendor Revenue Tracker, an index of the world’s
largest services companies, the outsourcing segment of those
vendors’ businesses grew 17.9 percent in 2003 compared to
2002. For outsourcing service vendors, this increased demand
is placing greater operational pressures upon their business.
While several factors contribute to rising operational
complexity and cost, service levels and the cost of human
capital are perhaps the two most critical components of the
equation. For example, inadvertent mistakes or failure to
adhere to policies or procedures can cause unexpected
downtime that affects service levels. Gartner reported that
approximately 40 percent of downtime is caused by
operational errors, another 40 percent is caused by application
errors, most often misconfigurations, and the remaining 20
percent is caused by actual platform problems, including the
network, operating system or hardware.1 Further complicating
the issue, since applications now support an extended network
of customers, partners and related applications, constant
discipline and precision are critical to maintaining systems and
uptime and sustaining crucial service levels.
The cost of people is also on the rise. According to market
estimates, most companies spend more than 50 percent of an IT
budget on people. Market research firm Meta Group estimates
that by 2006 and 2007, IT salaries will again escalate, putting
labor costs at 55 to 60 percent or more of the IT budget.2 IDC
estimates that acquiring and maintaining one IT staffer probably
costs about US $110,000-$120,000 annually.3
With this increased complexity, along with requirements for
consistent and reliable service levels, service providers are
fighting to maintain costs on two fronts. Any disruption in
service will require service level credits back to the customer.
At the same time, operational inefficiencies translate into
higher costs for the service vendor. To counter this financial
erosion, the service vendor needs to establish a strong
operational framework around its people infrastructure.
Focusing on the People and Processes
First
To combat the increased cost and operational complexity
associated with managing the IT infrastructure, service vendors
must integrate people and processes with the technology.
Managing multiple clients among a shared pool of resources
requires rigorous adherence to well-defined and comprehensive
processes and procedures. The service vendor must understand
and manage the intricate and overlapping use of resources by
one customer, to avoid impacting another. IT personnel must be
equipped to facilitate these operations while maintaining
consistent and agreed-upon service levels for all customers.
The people infrastructure is often the most overlooked
component within the data center, with IT staffers relying on
outdated or inadequate tools and processes to guide and
orchestrate ongoing activities. IT organizations have a plethora of
network and system management tools and technologies, such as
HP OpenView, BMC Patrol and CA Unicenter, that provide
visibility into the health and performance of systems,
applications and networks. Unfortunately, there’s little visibility
into everyday activity and insufficient focus on building people
and process into the technology. Gartner concurs with this view
and believes that future network and system management (NSM)
investments should manage the “process, not the technology.”4
Companies have also leveraged a variety of service
management solutions such as Remedy or Peregrine to manage
the people and process associated with problem, incident or
INFORMATION SYSTEMS CONTROL JOURNAL, VOLUME 5, 2004
change management. While these service management systems
are ideal solutions to assign and plan change activity, they fail
to deliver a comprehensive execution process extending to the
human IT level. As a result, the IT organization has little
insight or control over tracking the progress of an activity,
determining if the activity has been completed or ensuring that
the appropriate person is attending to the task. Additionally,
there is no method or process for tracking activities generated
outside the service management system. Ultimately, a gap
exists between service management systems and the service
delivery processes that support the underlying infrastructure,
leading to inefficiencies of people and technology.
With the right tools and processes in place, individuals can
better pinpoint problems and manage ongoing operations. For
a service vendor, the goal is to make the human element as
effective as the underlying technology.
Closed-loop Service Delivery
Strategies Address Key Challenges
Many companies and outsourcing service vendors are
implementing closed-loop service delivery strategies to extend
current tools and processes and close the gap between service
level management and service delivery (figure 1). Opsource, a
leading outsourced service provider that services many large
enterprises, has been one of several early service provider adopters
to create a closed-loop service delivery system. The operations
monitoring solution employed by Opsource tracks individual
activity by file changes, process activity and direct access. John
Rowell, Opsource’s vice president of operations, believes that “by
providing a consolidated view of individual activities across diverse
and complex infrastructures, operations monitoring allows more
precise assessments of operational effectiveness and ensures that
business objectives and agreed upon service levels are met.”
Figure 1—Closed-loop Service Delivery Strategy
Business objectives guide IT
objectives and processes
IS Service Delivery
IT Infrastructure
Reporting and Analytics
Operations
Policies and Procedures
IS Service Management
Improving Profitability Through
People and Technology
To capitalize on the revenue potential of a growing
outsourcing market, service vendors must first focus on the
people and policies that support IT. By addressing a long-ignored
area of how people’s actions affect service delivery and service
level management, service vendors replace “dusty binder”
procedures with consistent, closed-loop and accurate processes.
Empowering the IT organization with the proper mechanisms to
guide and manage their actions, service vendors create greater
accountability, boost morale and ensure improved reliability,
efficiency and security for the IT infrastructure. Ultimately,
service vendors will be able to maintain and grow profit margins
while creating tangible value for the customer and alignment
between business objectives and IT service delivery.
Business Objectives
IT Objectives
should include four additional capabilities:
• Track—Detect and collect all change activities. This includes
changes associated with an approved change request as well
as changes made without approval. All collected changes
should be available for real-time review.
• Enforce—Enforce the organization’s policies for how and
when changes can be made, and who can make them. For
example, if a change is approved for the specified time frame,
the change implementer should be prohibited from making
the change outside of the designated time frame.
• Validate—Validate that required change processes have been
followed. For example, if deleting a user account upon
employee termination is a six-step process, ensure that all six
steps have been completed successfully. Aggregate all of the
change activities and validate that the change took place.
• Report—Communicate the change results, time to completion
and any policy violations associated with the change.
By orchestrating, guiding and automating people’s actions in
support of IT, closed-loop service delivery extends service
management processes to the human IT level to provide
complete execution management while increasing efficiency,
reliability and security. Similarly, this strategy improves ongoing
operations by capturing a complete record of the activities of
users and applications across the IT infrastructure, providing a
comprehensive view of data center activity. This granular view
supports faster troubleshooting and more insightful forensics
when problems occur. Additionally, the same data can be used to
track overall availability and performance. The unique
procedures of each business process operation or IT function can
be used to manage and guide work in the data center. As a result,
the efforts of IT staff can be focused on the high-value tasks that
most benefit from human insight, while routine and low-value
activities become automated.
Define and manage service levels
specific to each business unit
IT service delivery targets the
human side of IT by tracking,
guiding and orchestrating actions
across the infrastructure
Servers, applications, databases,
networks, monitoring tools
Closed-loop service delivery strategies can also be
integrated with service management systems to enable IT
organizations to track and guide actions—from request through
execution to review and completion. These systems track
actual changes for comparison to approved changes, and the
specific policies for how and when changes can be made are
established based on skill sets, application, time, required
approvals and standard operations procedures. The goal is to
more accurately verify approved changes, detect or prevent
unapproved changes, and over time standardize how changes
are performed. Such an extended service delivery system
Endnotes
Lanowitz, Theresa; Tearing Down the Wall, Gartner Group, 2002
Passori, Al, Maria Schafer; Base Hit: IT Organization Field
of Dreams, Meta Group, 24 May 2004
3
According to Michael Boyd, Ph.D., International Data Corp.,
in Business Finance, May 2000.
4
Manage the Process, Not the Technology, Gartner Inc.,
September 2002
1
2
INFORMATION SYSTEMS CONTROL JOURNAL, VOLUME 5, 2004
Randy Brasche
is director of product marketing at Active Reasoning. He has
more than 10 years of data center operations and marketing
experience. During his career, Brasche has held various strategy,
product management and marketing positions at Cable and
Wireless, Exodus, Oracle, Informix and Liberate Technologies.
Information Systems Control Journal, formerly the IS Audit & Control Journal, is published by the Information Systems Audit and Control Association, Inc.. Membership in the association, a voluntary
organization of persons interested in information systems (IS) auditing, control and security, entitles one to receive an annual subscription to the Information Systems Control Journal.
Opinions expressed in the Information Systems Control Journal represent the views of the authors and advertisers. They may differ from policies and official statements of the Information Systems Audit
and Control Association and/or the IT Governance Institute® and their committees, and from opinions endorsed by authors' employers, or the editors of this Journal. Information Systems Control Journal
does not attest to the originality of authors' content.
© Copyright 2004 by Information Systems Audit and Control Association Inc., formerly the EDP Auditors Association. All rights reserved. ISCATM Information Systems Control AssociationTM
Instructors are permitted to photocopy isolated articles for noncommercial classroom use without fee. For other copying, reprint or republication, permission must be obtained in writing from the
association. Where necessary, permission is granted by the copyright owners for those registered with the Copyright Clearance Center (CCC), 27 Congress St., Salem, Mass. 01970, to photocopy articles
owned by the Information Systems Audit and Control Association Inc., for a flat fee of US $2.50 per article plus 25¢ per page. Send payment to the CCC stating the ISSN (1526-7407), date, volume,
and first and last page number of each article. Copying for other than personal use or internal reference, or of articles or columns not owned by the association without express permission of the
association or the copyright owner is expressly prohibited.
www.isaca.org
INFORMATION SYSTEMS CONTROL JOURNAL, VOLUME 5, 2004