Project management in IT outsourcing projects

Detailed introduction to a complex topic

// IT-Outsourcing

Even though IT outsourcing regularly becomes a topic (mergers, acquisitions, next generation sourcing ...), it needs a lot of expertise and experience. Without good project management, IT outsourcing will not be a success. Holger Bredenkötter has been working as an IT consultant on this topic for more than 20 years. In his article, he explores the question of why IT outsourcing projects always represent a state of emergency for companies, what IT managers need to pay attention to when the time comes and why you actually need four project managers.



Holger Bredenkötter

The topic

The term IT outsourcing refers to the fully responsible transfer of IT functions and/or business processes with a high IT content to legally independent - i.e. external - service providers for a defined period of time.

This article presents the biggest challenges in IT outsourcing projects that arise from this particular task. It starts with the fact that there is no such thing as THE IT outsourcing project; the facets range from the simple relocation of IT components to a new data centre to business process outsourcing, where entire business processes are to be handed over to a service provider.

And since IT outsourcing has been practised for many years (at least by large companies), next-generation outsourcing has also become a common project task. This involves the necessary measures to change the service provider at the end of the contract and to completely shift the IT infrastructure and support processes to a new service provider in the course of day-to-day business, so to speak.

In addition to deciding whether a company should outsource at all, the motivation, scope and expectations must also be defined and backed up with hard figures. Only in this way can the achievement of the project goals be proven later.

For project management, this means: communication and control at management level to drive strategic and tactical decisions, calculate business cases and, best of all, to be able to predict the future (after all, an outsourcing scenario must be planned for a period of 5 - 10 years). But also accompanying technical transformations and introducing organisational changes must be ensured by project management in such projects.

It is undisputed that a long-term project can only be successful with the help of a structured approach. But how can such a complex project be controlled with the usual project management procedures and tools?The topic

How do you manage IT outsourcing projects?

To be able to answer this question, one has to look at the peculiarities of an IT outsourcing project.

The outsourcing companies expect first and foremost a reduction in IT expenditure, and they also hope that the specialisation of the IT service provider will result in higher quality and more efficient use of IT. Through contractual commitment, transparent price models and agreed service levels, the outsourcing company also wants greater transparency and predictability of IT costs. Equally important is the relatively simple scaling of capacities that can be purchased from the IT outsourcing service provider as needed.

The provider is interested in the most extensive standardisation possible, as this is the only way he can achieve the essential leverage for economies of scale. It can only work profitably in the long term if it can achieve economies of scale through its services for different companies and realise synergy benefits through an increase in know-how. It is imperative that the service provider's total costs are lower than the operating costs of the outsourcing company.

For the business risk it assumes and the contractually assured service level agreements, it expects its customers to enter into long-term binding customer contracts and a corresponding risk premium.

This conflict of goals can only be resolved through a jointly developed understanding of expectations, performance promises and a realistic assessment of what is feasible.

Once the course for the project has been set, the project is divided into various sub-projects, each of which must be worked on separately and yet managed together.

  • The departments must work together on the question of which services with which service characteristics have been provided internally up to now - and what expectations will be placed on these services in the future.
  • The technical units have to collect data horizontally, which then map the IT landscape. Anyone who has ever tried to map business processes in a large company to IT knows the challenges of an IT data flow analysis.
  • The purchasing department and project management strive to find suitable service providers that fit both the task and the company - and also possible follow-up decisions in the future.
  • Before deciding which functions can be outsourced at all and with which vertical range of manufacture, the business case must be reviewed. For this purpose, normalised data from the as-is analysis is subjected to a price comparison.
  • And at the same time, an interdisciplinary project team has to review and develop its own organisation in order to achieve process maturity for the transformation of parts of the business. Transformation leads to changes in the organisation and that means changes in tasks and responsibilities for the people involved.

As soon as it has been clarified which functions can be outsourced (and these decisions are still very shaky at this point!) the tendering phase follows. Here a number of potentially suitable service providers are to be induced to bid on the requirements in as structured a way as possible (because this makes them comparable).

In the form of an RFP (Request for Proposal), all functional and non-functional requirements of the company for a potential service provider are formulated, the rules of the game for a tender are explained and binding deadlines for processing and submitting an offer are set.

At least in theory, one receives comparable descriptions of solutions with reference to the RfP document. In practice, a number of discussions up to and including due diligence follow in order to clarify detailed questions. In this process, the service provider makes a number of documents available for review in a data room.

After an evaluation of the offers received and clarification of the remaining question, the preliminary decision for a service provider follows, followed by a strenuous phase of contract drafting. Functional service requirements, service levels, asset valuation and staff transfer are just some of the contractual points to be clarified. Often forgotten but equally important are services in case of contract termination, escalation procedures and control processes.

Project management has the task here of coordinating the results of the sub-projects, facilitating the previously set deadline goals and communicating with the most diverse groups both internally and externally.

The stakeholder analysis plays an important role here. An IT outsourcing project affects very different people and functions in the company - and there are not only winners.

While management and cross-sectoral departments are often emotionally positive about the project, customers, partners and suppliers are unsettled and employees are nervous or even negatively tense.

The following phase model describes the different intermediate steps on the way to outsourcing IT at high altitude.

  • Phase 1: Analysis and target definition
  • Phase 2: Preparation for implementation
  • Phase 3: Implementation
  • Phase 4: Regular operation and control

Figure 1: 4-Phase Outsourcing

Phase 1 is addressed to the management and owners of a company. The basic motivation for outsourcing, the business case and the strategic orientation are developed and agreed with the owners. The result of phase 1 is a supervisory board resolution or a project mandate by the owner to the management.

Phase 2 is about preparing for implementation, i.e. operationalising the project mandate, creating prerequisites, project planning and provider selection. The highlight of the phase is the tender and conclusion of a contract with a suitable provider.

The third phase is the implementation, i.e. the transition or transformation to a new operating model. In addition to the technical shift of IT infrastructure, it is also or especially about adapting operating processes, setting up provider control and adapting one's own organisation to the changed situation. This section ends with the transfer of responsibility to the new provider (change of control).

Often forgotten, but nevertheless necessary, is the planning of phase four: regular operation and provider control. And only what can be measured can also be controlled; therefore, regular services, performance and availability must be constantly measured on the basis of constant prerequisites and compared with the service provider's performance promise. This includes service discussions, measures for continuous improvement and process optimisation in one's own organisation in the interface to the service provider as well as in the provider's delivery processes.

So if we have four phases with different stakeholders, durations, types of outcomes and responsibilities, how can such an undertaking be mapped in a project? The project manager of phase one: analysis and goal definition faces completely different requirements (and contacts) than the project manager for the technical transformation. Therefore the recommendation: form a programme with four projects and distribute the responsibility to several project managers. The programme is steered by a steering committee made up of the project leaders and the most important stakeholders.

And a few more project management basics

Even though it is now part of the standard repertoire: project management methods and tools are known to everyone, everyone knows the benefits, and yet the unloved formalities quickly fall by the wayside in long-running projects. In enough projects, flimsy Excel spreadsheets are created under the heading "project risks" and never looked at again, let alone worked through. A sad experience from a large outsourcing project: the risk list was maintained with probability of occurrence and monetary impact of damage, but then only measures with a probability of damage greater than 50% and an impact > 500,000 euros were considered. This is not risk management, but organised damage limitation.

Each project, regardless of the project task, can be divided into different sections.

And each section allows the use of predefined project management tools and methods.


Project initialisation

Project initialisation is about starting a project and defining the project outcome, setting the scope of change and looking at the impact.

This includes the following measures and tools:

  • Description of the project objective and scope
  • Assessment of the scope of change (business impact analysis)
  • Rough planning of the project cycle and the project phases
  • Preparation of a cost-benefit analysis
  • Stakeholder assessment
  • Start of risk management with assessment of initial risks


Project Planning

The concrete project planning based on the project objective from the project initialisation, the measures from the stakeholder analysis and the countermeasures from the risk assessment still requires further foundations and decisions. The following measures and tools can help:

  • Concrete content and scope planning
  • The time schedule
  • The provision of appropriate resources
  • The implementation of quality planning
  • The pre-planning of marketing measures and communication
  • The provision of procurement processes for the project
  • Establishment of processes and responsibilities for risk management
  • Implementation of the Project Kick Off


Project realisation

The planning is complete, the team is motivated and the tasks are clearly assigned. Now it is a question of working through the project as efficiently and purposefully as possible. The following guidelines and methods will help:

  • Rules for executing the project plan and change planning (change control)
  • Regular review of the project results and the framework conditions
  • Control of the scheduling and progress of the project
  • Monitoring the quality of partial deliveries and acceptance control
  • Pre-planned measures for team development and motivation
  • Introduction and maintenance of a reporting system
  • Conduct risk analysis, assessment and mitigation
  • Monitoring of contract execution and acceptance of interim results



Project Completion

The project results have been produced, the contractual services have been rendered; now it is time to clean up the project. Structures have to be dissolved, results secured and experiences documented.

  • Carrying out the formal project acceptance
  • Carrying out a cost-benefit analysis
  • Final quality check
  • Archiving documents and results
  • Preparation of a final documentation
  • Conducting a critical review of experience (lessons learned)

The IT Outsourcing Programme

Each of the four phases of IT outsourcing (analysis & definition of objectives, preparation for implementation, implementation and regular operation & control) has its own delivery items as a separate project and also very different levels of detail.

The phases can be represented as separate projects in the programme, are subject to a common programme control and follow the same overarching goals. This results in a high need for communication between the projects, a common programme structure and coordinated reporting and escalation channels.

Applying the project management methods to the four phases results in separate projects with defined sections for initialization, planning, realization and project completion:

Figure 2: Programme-Structure


Project 1: Analysis and target definition

The result of this project is the following work packages agreed with the management and owners.


IT outsourcing strategy

A specification for IT outsourcing derived from the business strategy, which general strategic goals are to be achieved within the framework of an outsourcing. This sounds easier than it is; the motivations of the owners and stakeholders can be very different.

From the management's point of view, mergers, corporate restructuring and changed business models are on the list of challenges, along with a shortage of skilled workers, globalisation pressure or necessary adjustments of own capacities to changed target markets.

The commercial management has its own view of the possible effects. The CFO expects better liquidity, cost transparency or the dissolution of investment backlogs. Decreasing turnover and optimisation of fixed costs are also on the wish list.

IT management associates very specific goals with IT outsourcing. In addition to the realignment of the IT landscape, standardisation should increase the quality of service, make the growing complexity manageable and at the same time enable innovations, create the necessary IT security and fulfil legal (compliance) requirements.

Even at first glance, the potential conflicts of objectives can be identified; only when the stakeholders are known, the strategy has been discussed and the real objectives have been bindingly defined can the next project step be tackled.


Read also the nc360° article: The time has come for a new sourcing strategy

Read also the nc360° article: IT RFQs and IT sourcing strategies in transformation


Determination of the units and services to be outsourced

After determining the outsourcing strategy, perhaps the most important decision follows: the selection of outsourcing candidates. Which business processes, organisational units or services are suitable for outsourcing? Which vertical range of manufacture is optimal? What effects can be achieved by outsourcing these candidates?

Basically, one can give the following advice: "Think big, start small". Even in IT outsourcing there is a learning curve to master and process maturity to develop. Far-reaching changes should be worked out step by step within the framework of an IT outsourcing roadmap and questioned again and again.

The selection of suitable outsourcing objects can be checked by a simple consideration: which processes, systems and people are the competitive advantage for the company? All parts of the company that are vital for the own business model and directly enable the core processes should also remain in the own hands. Other supporting processes and their IT infrastructure can be examined in detail for efficiency, cost situation and outsourcing capability. Examples of core processes that should not be outsourced: Trading platforms of a bank, logistics platforms at trading companies or customer relationship processes at an insurance company. On the side of solutions that can be standardised are, for example, accounting systems, personnel management or archiving processes.


The actual recording

If you knew everything you knew... .
Before deciding on a change, a company needs reliable data. What is the cost situation, which staff is deployed for which task, what is the company's own level of maturity, which framework conditions apply and which legal requirements have to be met?

It is difficult to measure one's own service quality, especially in relation to standard outsourcing service providers. Benchmarking the relevant costs and service groups and critically examining one's own strengths and weaknesses can help. The particularly relevant question of vertical integration must be answered in all service groups, both in terms of costs and personnel requirements, and in terms of service quality.

Within the scope of the actual recording, there are usually already easy-to-implement optimisation approaches (quick wins) that can be implemented independently of IT outsourcing with little effort.

An honest look at one's own organisation helps to gain insight into one's own process maturity in addition to the facts and figures. Is it possible to "dock" with a highly automated and standardised service provider? Is the organisation capable of managing an outsourcing provider?


Creation of a target definition

The strategic goals and the results of the as-is analysis are used to create the so-called "big picture" - a well thought-out description of the future operating model (also known as FMO, Future-Mode-Of-Operation). At a high level of abstraction, the target architecture, processes and responsibilities are defined and delineated against each other. The detailed task description for a tender later develops from the target definition.


The Business Impact Analysis

The scope of change of the measures from the outsourcing strategy can be far-reaching; therefore, the effects on all business processes must be considered in a structured manner at an early stage. This is the only way to actively evaluate a decision for or against measures. Identified effects are checked for risks and opportunities and the results are compared in a feasibility study.


The Programme Plan

The programme plan must make it clear which framework conditions apply to the programme. This includes a rough timetable, which key milestones must be reached and when, and how the programme management is to be set up. In programme management, all regulations and measures that apply across the projects are set up.
This includes a programme structure plan, the organisational structure and the necessary roles, control mechanisms and targets. The staffing of key roles is also described in the programme plan.


Project 2: Preparation for implementation

The second project builds on the results of the goal definition. The task of the project is to operationalise the management's specifications, to translate them into tangible plans and to select a suitable service provider.

The result of the implementation preparation is the successful tendering of the services and infrastructures to be outsourced and the preparation of the internal processes. The details for a transition / or transformation project must also be worked out in order to be able to plan the changes.

Figure 3: Work breakdown structure Implementation preparation

Preparation of the tender documents

What should be put out to tender? The details must be described unambiguously, the requirements clearly formulated and defined in measurable units. The requirements for individual services are specified in the form of Service Level Agreements (SLA), which are later also incorporated into a contract as a service agreement. The service agreements are specified by measurable quantities as far as possible (key performance indicators, KPI).

Which outsourcing variant is planned? Often there is a transfer of operations with all rights and obligations; in addition to a contract for work and services, a transfer of shareholder shares is also possible; or in an asset deal, fixed assets are sold to the outsourcing recipient (= service provider). However, all variants can have consequences under personnel law even without a transfer of business, e.g. negotiation of staff transfer, reconciliation of interests and social plans.

Which providers should be contacted?
The service providers in question must be examined according to specific criteria. Only those who make it onto the longlist will be asked for a bid in the tender (see box).

How should incoming offers be evaluated?
The incoming offers of a tender sometimes differ greatly; for an objective evaluation, the completeness, quality and weighting of the criteria can be compared via a predefined point system (see table: Example evaluation provider)

Which provider will be selected?
After the tender documents have been prepared, the potential providers
are invited to submit an offer based on the tender documents within the framework of the Request for Proposal (RfP). In practice, this phase is initiated by prior agreement on a non-disclosure agreement (NDA) - after all, detailed information has been included in the tender documents that one does not necessarily want to find again on the internet.

The tender documents consist of several parts. All performance-independent requirements for the outsourcing contractor are summarised in a framework document, e.g. tender modalities, general conditions, legal requirements and generic service descriptions. In addition, specific requirements are described separately by service group or trade in service specifications. In this way, the offers per service group can be graded and compared later during the evaluation.

Complex tenders are often followed by a project phase in which details have to be exchanged between the outsourcing donor and the recipient. Within the framework of due diligence, the suitability of the contractual partners is checked and additional information is provided. The data is made available in a closed data room.

Which providers are longlisted?

  • Rough coverage of the requirements according to the providers' own presentation
  • Company profile (locations, owners and participations, number of employees, customer structure, turnover, market share and development)
  • Suitability as a strategic partner (not active in competition)
  • Comparable in company size and culture
  • Reference customers and projects, industry focus
  • Certifications (e.g. TIER level, ISO/ITIL, SAS70], etc.);
  • Governance and Compliance Management and Experience
  • Existing contacts and personal experience!

Read also the nc360° article: "Outsourcing" ISO standard helps on more than just provider selection

Read also the nc360° article: Cultural Fit – matchmaking for providers in IT outsourcing projects?

Read also the nc360° article: noventum supports provider check in India


Planning the transition / transformation

Also part of the preparation for implementation is the planning of the actual change, whereby both organisational and technical changes have to be taken into account.

In the example of outsourcing the IT infrastructure to a service provider, there is detailed information to be collected before a change project can be requested in a tender.

In addition to the number, equipment, location and accounting valuation of the assets, the function in the IT landscape must also be described in the as-is inventory of the IT infrastructure. In practice, all relevant applications are assigned to the respective systems and network components in an application matrix. Through a data flow analysis, dependent systems, data flows and associated bandwidth requirements are assigned to the applications.

On the basis of this data, a sensible tranche planning can then be created for a transition project. The basis for reliable planning is detailed documentation and the implementation of surveys or measurements.


Planning the organisation

One of the prerequisites for outsourcing IT infrastructure or even entire functional areas to an outsourcing provider is integration into the company.

In addition to outsourcing tasks and infrastructure to an external company, joint work must be organised.

The outsourcing provider offers standardised processes and interfaces on his side, which are of course first of all due to his own interests. Process integration is thus usually on the client side.

For example, if the IT user service is outsourced, all support processes must be adapted to the new structure.

Figure 4: Example service organisation

In this example, there is joint responsibility for the operation of the applications. The client remains responsible for all activities above system support, including functional monitoring of the entire IT. The service provider is responsible for system operation, housing, hosting and third party supplies.

This construct describes a common PLAN-BUILD-RUN separation. Project development and implementation remain with the customer, the service provider takes over all tasks that arise in daily operation. This also includes the standardised services in user service, the operation of the telephony infrastructure and desktop service. Of course, the provider is also obliged to provide the necessary support processes such as emergency management, IT security, procurement, capacity planning and change management.

This is where the need for strict contractual regulation and advance planning of service levels becomes particularly apparent. Does the provider also have to work on projects? At what cost, with what capabilities and availability? Is a database update now system operation or application change? Is a virus attack on the workstations now a network malfunction, does the desktop service or the server operation have to cooperate?

Here are a number of typical roles that need to be agreed in the relationship between client and provider, depending on the units to be outsourced.

  • Overall responsible manager provider <> Overall responsible manager client
  • Contract Manager Provider <> Contract Manager Client
  • Change Manager Provider <> Change Manager Client
  • Incident Manager Provider <> Incident Manager Customer
  • Problem Manager Provider <> Problem Manager Customer
  • Technology Manager Provider <> Technology Manager Customer
  • Release Manager Provider <> Release Manager Customer
  • Demand Manager Provider <> Demand Manager Customer
  • Financial Manager Provider <> Financial Manager Client

For each role, responsibility, communication, staffing, authority, representation and escalation path must be defined.

The tender

In the tender documents, the results from project 2 (preparation for implementation) are formulated as a performance requirement.

It is advisable to keep to the following sequence

1. Creation of a longlist of potential providers. The list is compiled after conducting a Request For Information (RfI). This informal request to typical service providers provides a shortlist

2. Dispatch of the framework agreement with a rough description of the trades and agreement on a confidentiality arrangement with interested suppliers

3. Dispatch of performance certificates (lot) and technical as well as organisational requirements for the outsourcing and transition project

4. Offer of information meetings to explain the tender to potential providers, distribution of responses to all providers

5. If necessary, agree on a Letter Of Intent (LoI) and conduct a review phase with extended information (due diligence).

6. Internal evaluation of incoming offers from an announced deadline and selection of suitable offers

7. Invitation to the bidder presentation

8. Renegotiation of inconsistent contents and pricing

9. Decision for a provider

10.Initiation of contract negotiation, conclusion of contract

In order to facilitate the later selection of a suitable offer, potential providers are sent a binding template for answering. Pre-formulated questions are used to query the coverage of the requirements per service certificate.

The offers received are evaluated, e.g. by school grades, and compared with each other according to the weighting of the individual requirements, see table Example Evaluation Provider.


Read also the nc360° article When IT tenders become a stumbling block

Figure 5: Example provider rating

Project 3: Implementation

The actual change for the company starts in the implementation phase. Depending on the agreed outsourcing objects, the detailed implementation planning now follows on the basis of the contract concluded with the outsourcing provider(s).

This is the first time a project structure has to be set up with an external company. Care must be taken that there are no "loose ends" or undefined tasks and roles.

A steering committee to be jointly appointed with the provider controls the day-to-day implementation of the project. Now two project organisations (on the client and provider side) have to be established. Reasonable results can only be achieved together.

Figure 6: Project structure during implementation

Specification of the delivery items

The contract specifies the service agreements or the framework conditions. Now, however, the conditions must be created in detail so that these services can also be called upon. The provider provides process interfaces, documentation as well as specialists for the implementation.

The proposed solutions for the fulfilment of the agreed services are developed as specifications of the deliverables (scope documents) by the Provider and bindingly agreed with the Client.

Based on the scope documents, detailed project plans are now developed, described in implementation projects and started in parallel. In the process, the dependencies of the deliverables and milestones must be synchronised within the framework of multi-project management. Using the example of a data centre relocation, the following sub-steps are to be considered:


Read also the nc360° article: Challenge: Data centre relocation


1. Rough planning

Goal: Transfer information from client to provider, complete data collection, develop phase plan, decide on transition method.

Provisions by the customer:

  • As-is recording of network, cabling, racks, storage
  • Quantity structures, requirements for the data centre
  • Creation of an application matrix
  • Provision of high level data flow analysis
  • WAN planning, commissioning and provisioning

2. Detailed planning

Goal: tranche planning, test planning, fallback scenarios, release security

  • Work out relocation details
  • Create tranche planning
  • Risk assessment per tranche
  • Coordination with the customer

3. Transition

Goal: Dismantling, moving, setting up according to transition planning

  • Monitoring transition
  • Installation / relocation WAN by the provider
  • Functional tests and acceptance per tranche
  • Documentation, measurement protocols

4. Closing

Goal: Completion of the transition and handover to operations

  • Handover to regular operation
  • Handover documentation
  • Project completion


Read also the nc360° article: Provider change at ISTA INTERNATIONAL. Successful transition with perfect timing


Risk management

With the potentially large number of simultaneous activities in the implementation phase, risk management has a special position. All sub-project managers must conduct a regular risk assessment for their sub-project and report these risks across their own sub-project boundaries to the central project management. A recurring series of meetings in which the risks are compiled on both the client and the provider side has proven to be effective. The responsibility for this process lies on the provider side, even if the risks themselves may arise on the client side. The assessment and initialisation of countermeasures is decided jointly, progress is monitored centrally and the risk analysis is constantly updated.

A constant companion in a risk analysis is the time delay of operations on the critical path that affect other operations without buffer time. For example, the completion of a network concept is a prerequisite for ordering a wide area connection (WAN line), which in turn will affect the go-live date of a data centre. Once this risk has been identified, the creation of the network concept can be tackled with high priority, or at least the WAN planning can be decoupled. In order not to waste energy and time unnecessarily, a probability of occurrence must be determined for all identified risks.

An earthquake is certainly a risk for a project of this size, but the probability of occurrence depends very much on the planned operating locations and must be assessed in context.


Read also the nc360° article: Guideline for outsourcing practices


IT service management and operational processes

During the transition, all relevant operating processes on the customer side are checked to see to what extent the upcoming changes will have an impact on service quality.

Certain roles will be filled by the provider in the future, but during the project phase they will also be (still) partly taken over by own employees or even by the previous service provider. Since a transition phase can last several months, a secure and stable operation must also be guaranteed for this transition phase. Especially in projects with a large number of IT systems to be outsourced and a high level of vertical integration, an unstable interim situation will otherwise arise.

For this intermediate state, detailed planning and clearly delineated transitions of responsibility must be defined. In the so-called mixed mode concept, the increased risks and often also lower performance possibilities are recognised before the final state is reached and thus made controllable.

An example: a company has handed over the desktop service to a new operator, i.e. the PC workstations are already provided by a new provider. This means that the logon service (Active Directory Service) is also the responsibility of the new service provider. The application servers, which also have a connection to the logon service, are still operated by the previous service provider. Who is now responsible if a central application no longer allows any user to access its data? How do the technicians find out what changes have been made? Is the logon service even the cause of the error if the workstations can log on to the network? Who can do any troubleshooting at all?

The processing of faults is certainly carried out in some way in the interaction between the customer, the old service provider and the new service provider - but no responsibility in the sense of a service level agreement (SLA) is assumed by any service provider.


Business Continuity Management

Emergency management is a special case of an IT service management process. BCM is not an end in itself, but fulfils various legal requirements that a large number of companies have to meet

The emergency management tasks can be handed over to an outsourcing provider - but the responsibility for them cannot. And with the responsibility, auditing and reporting obligations remain on the side of the outsourcing company.

Legal obligations arise, for example, from the German Stock Corporation Act (Gesetz zur Kontrolle und Transparenz im Unternehmensbereich), the US Securities and Exchange Commission (SOX Compliance) or the requirements of BaFin (Bundesanstalt für Finanzdienstleistungsaufsicht).


Read also the nc360° article: Cloud computing in banking - overview of regulatory requirements


Acceptance and transfer of responsibility

The implementation phase is concluded by a formal, contractually agreed acceptance. Usually, however, responsibility for encapsulated parts is already transferred to the provider at partial results. At this change of control (CoC), the provider enters into operational responsibility with all agreed obligations. At this point, the respective agreed term for the outsourcing project also begins.

Project 4: Regular operation and control

Let's assume that all implementation projects have been completed; entire company divisions, IT infrastructures or individual services have been outsourced to an external operator.
How do you organise the daily joint work? And how does the company get out of this connection in one piece if necessary? How do I manage my service provider? How do I achieve ever-increasing quality?

This is the task for the project Regular Operation and Control.

This project is again internal to the outsourcing company.


Reporting and monitoring

Basically, there is only one way to manage something (or someone). You have to measure performance and compare it with historical data and the performance promise. This is the only way to identify improvements and deviations, to recognise trends in time and to counter them with measures.

Reporting obligations were defined in the service level agreements. For example, the service provider must provide monthly evidence of the achievement of defined targets, which are described by key performance indicators (KPI). Service discussions are held between the service manager provider and the service manager customer on a monthly basis, whereby all agreed KPIs are compared with the actual performance values achieved, possible deviations are identified and optimisations are planned.


Performance monitoring

The service talks based on the service level reports have one disadvantage - they are based on the provider's data. If you as a customer want to have your own database, you cannot avoid your own performance monitoring. An example of performance monitoring is the end-to-end monitoring of the availability of a central application in a third-party data centre. Here, predefined, automated routines are used to test the processing of content in an application, check the result and measure the processing time.

Even if the performance values were not absolutely guaranteed by the contract, trends, conspicuous load curves or recurring failures can still be documented - as a basis for the next service discussion.



In many long-term outsourcing contracts, an annual price review is agreed in order to react flexibly to changed situations, capacity fluctuations, price developments or business requirements. In order not to be at the mercy of a service provider's arbitrary pricing, an upper limit can be defined through corresponding corridors depending on quantity structures. However, we are also happy to agree on a price review through benchmarking.

In this process, an independent benchmarking service provider determines an industry-dependent price for standardised services, which is the basis for the price adjustment. These service providers use their own databases with comparative values for a service or a trade (usually in the form of a managed service).


Read also the nc360° article: Weighing all cost aspects using the noventum IT outsourcing strategy

Read also the nc360° article: How to successfully switch IT outsourcing providers

Read also the nc360° article: IT provider changes need a compelling concept


Continuous improvement

During the course of the project, both the client and the provider repeatedly identify potential for optimisation, the implementation of which, however, may not be covered by the original contract. In order to be able to discover and implement these potentials, a regularly recurring initiative is agreed with the outsourcing provider. At least once a year, these findings are collected together, evaluated and a decision is brought about.

The measures can be implemented as independent projects; the changes with a direct influence on the contract are incorporated into the existing services through a change procedure. The total term or overarching regulations from the framework agreement are not changed in the process.


IT outsourcing projects are heterogeneous; strategic planning, organisational change, technology project and classic change management all in one. And the results of the individual phases build directly on each other; successful implementation is business-critical and at the same time a project with maximum external impact.

And - last but not least - IT outsourcing is a special situation that a company really only wants to face every few years.

To make matters worse, the outsourcing provider has its own interests:

  • The customer wants to save costs - the provider wants to optimise his turnover
  • The customer expects individual solutions - the provider offers standardisation
  • The customer expects high flexibility - the provider has cross-customer plans
  • The customer expects constant improvement - the provider wants stability
  • The customer wants to hand over responsibility - the provider wants to minimise his own risks

In order to establish an eye-to-eye relationship between client and provider, the use of a specialist in the role of "client advocate" is advisable.

At this point, project management stands for methodological competence in particular. And project management training is not necessarily enough.

"Failure is not an option" - this is especially true for IT outsourcing projects.

noventum consulting

Holger Bredenkötter


Go back