Posts in Sourcing
Outcomes-Based Outsourcing Continues to be an Innovation Tool

Creating effective, high-performing and well-governed outsourcing deals was one of the key services Capto offered at our launch in 2009. SYNAPTIC Outsourcing is still a key service we offer our clients. The fundamentals remain solid, but how we help make these deals successful has evolved dramatically. I’ll explain how we’ve applied our SYNAPTIC Sourcing methodology differently over time.

SYNAPTIC Outsourcing was born out of our personal experience supported by extensive research that confirmed our hypothesis at the time: IT outsourcing was broken. Deals were under-performing economically and operationally when compared to other broad business trends such as supply chain management.

 “54% of IT Executives report challenges in managing vendors and improving this situation is crucial, because failure to manage vendor relationships effectively can destroy up to 90% of the value expected from the contract” - CIO Executive Board Survey, 2009

Suppliers and their clients complained that most outsourcing relationships failed to meet objectives for many reasons, but we found a few key reasons that profoundly impact outsourcing relationships that are still true today:

  • Buyers tend to be over-prescriptive, dictating not just the what but the how, which diminishes the supplier’s ability to innovate – or, as some call it, “outsourcing my mess for less”.
  • Suppliers and buyers engage in a zero-sum game, where what is good for the buyer must be bad for the supplier, rather than investing up front in mutually beneficial, outcomes-based relationships.
  • Buyers over-use RFPs rather than more open-ended RFIs to refine their requirements before formally entering a procurement cycle, and so fail to solicit the ecosystem and harvest its best ideas as part of their procurement process.

In 2010, we reviewed and found tremendous merit in research done by the University of Tennessee for the US Air Force that resulted in a progressive outcomes-based outsourcing arrangement as initially described by Kate Vitasek, Mike Ledyard, and Karl Manrodt, in the book “Vested Outsourcing: Five Rules That Will Transform Outsourcing”.  The guiding principles of Vested Outsourcing are[1]:

  1. Reciprocity – commitment to fair and balanced exchanges.
     
  2. Autonomy – the party with more power will not use that power unfairly to promote a narrow self-interest.
     
  3. Honesty – each party must be honest about their intentions and the facts of the relationship.
     
  4. Loyalty – being loyal to the relationship and not acting in a self-serving way.  Through acts and deeds you support and promote the partnership.
     
  5. Equity – understand and look critically at the distribution of the rewards in the relationship.  This is not always a 50:50 split, for example, one party may be given a reward for taking on additional risk.
     
  6. Integrity – acting in a consistent trustworthy fashion.

We agree, and still believe, that these six guidelines provide the fundamental underpinnings of a high-performing, collaborative sourcing relationship.  What has evolved over the past seven years is the ways in which we have gotten our clients and their sourcing partners to embody these principles, the sustainment of long-term deal performance, and the types of disruptive technology projects we have done.

The Business Environment - What Has Changed and How Capto Has Responded

The technology executives we talk with initially try to convince us that they have “been doing outsourcing for a long time; we know how it is done”. However, when we do an evaluation, we typically find that the deal is underperforming and sometimes is actually failing, usually for the same reasons we found seven years ago.

If the past seven years of putting progressive, outcomes-based sourcing deals together has taught us anything, it is that this approach isn’t just theory. It works. And it works really well for those open-minded enough to try a new approach to outsourcing. It requires a shift from short-term tactical thinking to using outsourcing as a longer-term strategic tool focused on outcomes and innovations[2].

Disruptive technologies such as robotics, Internet of Things (IoT), and cognitive process automation continue to unsettle existing businesses. We believe outsourcing can assist forward-thinking enterprises to more quickly and successfully harness these technologies and processes.

The workforce skills deficit in fields such as healthcare informatics[3], data science[4], and technical staffing in general provides a strong rationale for the use of outsourcing and “as-a-service” models to meet staffing requirements.  Getting the most from your partner relationships takes on new urgency with these new challenges.

Initially, we focused more on the strength of the client/partner relationship and the partner’s ability to bring a strong staffing mix to the deal. While these two areas continue to be important, over the last seven years we have placed additional focus on the following areas as the rate of business innovation and change has escalated:

  • New Technologies, Business Disrupters and Innovation – Use of outsourcing, with a focus on time to market, to harness new technologies and processes that affect the foundation of our client’s business enterprise.  Outsourcing can be used to bootstrap implementations of Internet of Things (IoT), advanced analytics and big data, and cognitive process automation efforts.
     
  • Governance - Instituting a well-focused governance process has been shown in practice and research[5] to facilitate a successful win:win relationship – we have therefore focused significant efforts on implementing a strong governance process for all our deals.
     
  • Organizational Change Management (OCM) – Spending more time and effort on OCM has become a priority.  Additional training is needed so both parties understand the deal and don’t revert to old habits.  We provide training in the tools included with the deal to influence behavior, for example: new metrics, dashboards, governance, as well as contractual items like hold backs and the use of incentives.
     
  • eSCM (eSourcing Capability Model) – We have integrated the sourcing framework eSCM, created by Carnegie Mellon University, into the Capto methodology.  We do not require that our clients adhere to eSCM, as it is a relatively complicated framework. However, it provides a strong industry-standard methodology, which ensures we cover all avenues in our analysis and implementations.
     
  • Business Case Focused – Our background in M&A (merger and acquisition) work makes us more financial and business case focused.  Building and using a business case is occasionally something clients have to be trained to do, so it becomes integral to our OCM efforts.

Having now implemented and governed numerous deals using SYNAPTIC Outsourcing, we see clearly the importance of three things: strong governance, implementing and adhering to a transition strategy that is phased and based on success metrics, and putting in place a comprehensive OCM program.  We continue to be optimistic about the future of outcomes-based outsourcing to meet the innovation goals and objectives required for business success.

 

[1] http://www.vestedway.com/step-3-establishing-the-six-essential-relationship-principles/

[2] “Global Outsourcing Survey 2016” http://www2.deloitte.com/us/en/pages/operations/articles/global-outsourcing-survey.html

[3] “Missed Opportunities?  The Labor Market in Health Informatics, 2014” http://burning-glass.com/research/health-informatics-2014/

[4] “Help Wanted: Black Belts in Data” http://www.bloomberg.com/news/articles/2015-06-04/help-wanted-black-belts-in-data

[5] “Theorizing the IT Governance Role in IT Sourcing Research” Association for Information Systems 2016:  http://aisel.aisnet.org/amcis2016/SCU/Presentations/15/

Sourcing for Outcomes: Why Isn’t Everyone Doing It?

Transaction-based sourcing agreements are ineffective and broken. Providers often find themselves being asked to deliver a Cadillac on a Chevrolet budget. Clients, on their side, are under continuously increasing demand to deliver more at a faster rate. They really need those Cadillac outcomes from their sourcing partner. This imbalance means transaction-based sourcing agreements often don’t move a company to its strategic goal efficiently.

The result: Tensions rise between company and sourcing partner, resulting in no one’s satisfaction.  

Stop relying on what you have always done. Manage your daily tasks smarter.  In 2016, make the change from buying activities to sourcing outcomes.

Outcomes, not activities, shift an organization. Outcomes move an organization struggling to meet operational and financial objectives to the front of the pack. Focus on outcomes forges industry leadership through innovation and strategy execution.

The opportunity for success can be greatly increased when a partnership is suitably selected and focuses on desired outcomes. We recommend companies take a fresh approach to their sourcing strategies in 2016 by following these three simple steps:

  1. Buy outcomes, not activities. Consider the outcomes your department needs versus the number of bodies required to complete the work. This shift likely requires an alternative path to identifying the right partner to help you meet these outcomes.  Capto’s SYNAPTIC methodology uses an “active RFI” process to move sourcing agreements from transactional activities to outcomes-based contracts. This fosters collaboration during the bidding process, in contrast to the old model of starting at the beginning of a signed agreement. Taking a teamwork approach yields higher success rates and mitigates frustration.
     
  2. Source for competitive edge. Most companies outsource for cost, benefit or capacity, while outsourcing for strategy or competitive advantage has typically been viewed as giving away a company’s biggest secret—its edge. This thinking is shortsighted. In fact, outsourcing strategic elements can dramatically speed things up, giving you more of a competitive advantage.

    For example, pharmaceutical companies often outsource R&D, which is core to their business and highly protected intelligence. Outsourcing their R&D allows expertise to flourish and moves the pharma company to market more quickly because it can engage several specialist R&D firms as needed rather than waiting on a linear R&D in-house process. The outcome is twofold. By partnering with highly specialized, outsourced staff, pharma companies can maintain focus on their marketing and distribution strengths while they pipeline new drugs into the marketplace. 
     
  3. Use an outcomes-based sourcing model. Traditional sourcing is broken, but there is an answer. Make a commitment to focus on outcomes in 2016. A comparison of outcomes-based vs. transaction-based sourcing shows why:

Transaction-based                 Outcomes-based
Focus on how                      Focus on what
Number of activities performed    Clearly defined outcomes
Pricing guarantees                Pricing incentives
Oversight governance              Insight governance

In the long run, recognition comes from results, not from how the project got done. Commit to making your 2016 business resolution all about outcome-based results.

Sourcing | Tracy Currie
Cyber Security: Leveraging an Audit to Reduce Risks

Cyber security has garnered substantial media coverage in recent weeks, and CIOs and CISOs (chief information security officers), along with their bosses, are probably wondering if they are doing enough to protect their company’s mission-critical data/information.

If you want to know if you are doing enough, conducting a security assessment/audit is a great place to start. But the key to assurance is on the back end—taking prescriptive steps for mitigating risks the audit uncovers and considering the use of a Managed Security Services (MSS) provider.

The flow of a security assessment/audit looks like this:

> Discovery—During this phase, the auditor performs reconnaissance to identify the client’s infrastructure and obtain information, both public and private, about the target environment.

> Target Profiling—Using the information obtained during the discovery phase, the auditor further evaluates the client’s infrastructure in order to develop a targeted testing approach.

> Examination—This is the phase where the auditor conducts detailed vulnerability scans against the prioritized target groups. Usually the auditor will use a combination of commercial, open-source, and proprietary tools. The objective of this phase is to identify potential security vulnerabilities that affect the client’s overall security posture.

> Risk Validation—The auditor reviews the vulnerabilities to determine their impact on the client’s overall security posture and performs targeted penetration testing that focuses on the high-risk vulnerabilities. Exploitation of these vulnerabilities often yields access to critical systems and sensitive information vital to the client’s operations. The objective of this phase is to provide the client with a clear understanding of the risks associated with the identified vulnerabilities.

> Evaluation—The auditor evaluates the security impact of the identified vulnerabilities as well as the effectiveness of applicable remediation procedures. The auditor should prioritize vulnerabilities based on a combination of factors, including previous experience, ease of exploitation, impact to the client’s overall security posture, and the required remediation effort. The deliverable for this phase should be a roadmap for remediation that can be effectively executed. Most importantly, you should ensure that the auditor presents the findings in a clear and detailed manner.

Some vendors add an assurance phase consisting of ongoing assessments to ensure that the remediation and mitigation steps outlined in the evaluation phase have been properly implemented.

In summary, it is helpful to think of cyber-security audits as an end-to-end process which not only raises the level of awareness regarding risks/vulnerabilities, but is also prescriptive in what proactive steps are necessary to reduce risks.

“An ounce of prevention is worth a pound of cure.”

― American Remembrancer, 1795

From Audit to Implementation:

For companies ready to take the next steps towards implementing a means for keeping their sensitive and mission-critical company information secure, one option is to seek assistance from a Managed Security Services (MSS) provider. Gartner defines MSS as “the remote monitoring or management of IT security functions delivered via shared services from remote security operations centers, not through personnel on-site.”

We recommend selecting two top-tier providers, one to manage the environment and one to conduct the assessment and review and to oversee the deliverables promised.

A key benefit to outsourcing is fast deployment of functions that do not fit into a company’s core competency, yet must be done well. Another benefit is reduced costs. MSS are available at a fraction of the cost (hardware, software, and staffing) of adding capabilities in-house.

Getting to Know Managed Security Services

SourcingFocus.com recently ran a story about outsourcing trends that pointed to “a growing appetite for managed security services” due to the rising complexity and volume of cyber threats. Keeping the enterprise secure is becoming a primary consideration over other business initiatives.

With the increased focus on security, it is important that business and IT leaders understand Managed Security Services (MSS)—what they are, when to use them, and how to maximize the outcomes of a company’s outsourced MSS efforts.

What are Managed Security Services?

Gartner defines managed security services as “the remote monitoring or management of IT security functions delivered via shared services from remote security operations centers, not through personnel on-site.”

MSS broadly includes:

  • Monitored or managed firewalls or intrusion-prevention systems (IPS)
  • Monitored or managed intrusion-detection systems (IDS)
  • Distributed denial-of-service (DDoS) protection
  • Managed secure messaging gateways
  • Managed secure web gateways
  • Security information and event management (SIEM)
  • Managed vulnerability scanning of networks, servers, databases or applications
  • Security vulnerability or threat notification services
  • Log management and analysis
  • Reporting associated with monitored/managed devices and incident response

Firewall/intrusion prevention, intrusion detection, and log collection form the core of most MSS engagements. The Fortinet survey referenced in the SourcingFocus.com piece confirms that, noting over three-quarters of IT leaders in large enterprises say “functions like firewall, IPS and email protection would be suitable to apply to an outsourcing strategy in their organization.”

Why Outsource Managed Security Services?

The primary reasons companies seek an MSS provider are:

  • Improved visibility to threats: An experienced MSS provider has trained specialists with the tools and know-how needed to deal with potential issues/threats and can do so in a timely manner.
  • Advanced security or compliance demands: In some industries, like financial services and healthcare, there are strict compliance requirements and specialized requirements. An MSS provider who has deep knowledge of those industries can quickly and efficiently ensure their client is operating by the book. Also, since cyber security is their area of expertise, these specialists will have access to innovations and leading-edge technologies that can be rapidly deployed.
  • Accelerated Time to Market: A key benefit to outsourcing is fast deployment. The services mentioned above probably do not fit into a company’s core competency, yet they must be done well. Rather than climbing a time-consuming learning curve, hiring a seasoned MSS provider can ensure all the necessary security requirements are met quickly.
  • Reduced Costs: MSS is available at a fraction of the cost (hardware, software, manpower) of adding capabilities in-house.

A recent study calculated that a large investment management firm achieved a return on investment of 109% and cost savings of $3.36 million, with a nearly immediate payback period, by partnering with an MSS provider.

The report concludes that the organization achieved comprehensive, enterprise-level security monitoring at a lower cost than the alternative of implementing and maintaining an in-house, 24x7 security operations center. The firm also achieved a lower risk of loss due to security breaches and was better able to track security performance for audits and reporting, thus building credibility for its security program within the organization and with customers.

Source: “The Total Economic Impact Of Dell SecureWorks’ Managed Security Services,” a commissioned study.

How to Use Managed Security Services:

When considering whether or not to bring an MSS provider on board, it is important to engage an advisor who can assist in the following areas:

  • Conducting an MSS provider assessment to ascertain how ready your business is for outsourcing MSS and to determine which provider best fits your company’s needs, competencies, and culture.
  • Communicating the cost/benefits at the executive level so management understands all relevant aspects of implementing proposed services.
  • Determining and explaining what changes are needed in your environment for successful implementation of an MSS.
  • Deployment, implementation, and integration, which include provider selection, contracting, and implementation support of the provider offerings.

Also, make sure that your advisor, as well as the candidate service providers, are communicating in a concise, jargon-free manner. Business terms should be clearly spelled out: what am I getting, for how much, and what are the risks?

Selecting a Managed Security Services Provider:

We recommend that companies pick at least two top-tier providers:

  • One for managing the environment
  • One for assessments, testing, reviews, etc., to ensure that the services deployed are performing as promised.

______________

Keeping to the progressive, outcomes-based, SYNAPTIC thinking we use here at Capto, we highly recommend that the contracts with MSS providers structure incentives and payment schedules based on reviews, penetration tests, etc.

______________

Closing Thoughts:

It is no surprise that keeping sensitive and mission-critical company information secure has moved to the top of the priority list for those managing enterprise IT functions.  By moving swiftly and proactively to outsource MSS in a way that includes both crisp communication and checks and balances, you can better prepare for the threats that are increasingly part of doing business in today’s dynamic, global environment.