Every year, we survey Morrison & Foerster's Global Sourcing Group lawyers around the world to create a snapshot of the current state of the global outsourcing market and to identify emerging trends that are likely to shape that market over the next 12 months. This year our lawyers comment on the challenges of cloud-based outsourcing, driving long-term value in engagements, and vendor profitability, as well as the impact of such factors as the recent U.S. presidential election, cross-border deals, growing regulation, and the proliferation of employee-owned technology in the workplace.

Costs and Flexibility

Finding Clarity in the Cloud

Cloud computing has rapidly become a key part of the outsourcing landscape. But companies need to anticipate the risks as well as the opportunities that it brings.

As cloud computing changes the economics of the entire IT industry, it is also becoming more prominent in the outsourcing sector. According to ISG, a leading sourcing advisory firm, some 300 IT outsourcing contracts included cloud platforms in 2012, up from 220 in 2011 and 110 in 2010. In addition, ISG reports that the majority of surveyed vendors expect cloud services to grow faster than traditional IT outsourcing.

The potential benefits of cloud-based outsourcing are clear and appealing, but there are a number of issues that complicate this shift. While continued growth is inevitable, the potential scale of that growth will be tempered as vendors and customers work through the issues.

In the past few years, a great deal of attention has been paid to the growth of public cloud vendors. Public clouds offer economies of scale by providing services to a broad range of customers on the same infrastructure, as opposed to private cloud platforms, where a company has internal or external cloud resources dedicated to its needs. In the last year or so, more organizations have overcome their initial reservations about public cloud services and moved portions of their data and functions to such providers. The reason: public cloud providers offer low costs and relative ease in getting started.

Private or hybrid cloud solutions offer a potential alternative, and for non-commodity solutions, such approaches are being constructed by providers and taken up by customers with some regularity. Often, however, adopting organizations need to team with an experienced partner in order to integrate cloud solutions into their environment.

Many companies struggle with the tactical complexities of moving from their current sourcing arrangements to new cloud-based arrangements. "A big question for many is how to adopt cloud and even Big Data solutions into their existing outsourcing contracts," says Spencer Izard, a research manager at IDC, a market intelligence and advisory firm. "A company may have its Information and Communication Technologies (ICT) handled by five different outsourcers, with each contract in a different stage and with different nuances regarding services and the ability to move to new technologies." Aligning those agreements to enable a coordinated shift to the cloud "is a major challenge for a lot of people," he adds.

The strategic shift in the outsourcing market, therefore, has been to commingle cloud- and non-cloud- based sourcing options. The challenge has been to create a successful cloud/non-cloud cocktail while avoiding the inherent pitfalls.

Commodity vs. Customization

More broadly, companies are starting to run into some fundamental realities that make public cloud services more problematic than traditional arrangements. Public cloud outsourcing works because it is a commodity offering, which allows the provider to offer a very economical service, but typically allows for little or no customization of contract terms. Factors such as security, access to data, availability, business continuity, and so forth are usually not negotiable. Or, if they are, the customizations drive up the price, which cuts into cost advantages. Companies need to consider the trade-off between costs and the flexibility of the terms that govern the public cloud service.

We have found that some of these click-wrap terms can be surprisingly stringent, with conditions that companies would probably not accept in a traditional contract. Under the Amazon Web Services customer agreement, for example, a company essentially agrees not to sue AWS, its affiliates, customers, vendors, business partners, or licensors for IP infringement in connection with web services made available by AWS and its affiliates. The agreement also prohibits AWS customers from helping or encouraging any other party to pursue IP claims against AWS, its affililiates, customers, vendors, business partners, or licensors. That obligation continues even after a company stops using AWS services. Thus, companies with patents or trade secrets covering Internet or cloud-related technologies might want to think carefully before entering into such an agreement.

There are other areas where these types of cloud-based outsourcing arrangements can increase a company's risk profile. For example, cloud providers might store data in various locations in different countries and, over time, move it to new locations to get the most cost-effective service—often, without the customer company knowing where its data is kept. This can have significant data privacy implications, and could cause companies to inadvertently run afoul of laws that require them to know where their data is and restrict the movement of personal data across borders.

Protecting the Data

The issue of data privacy in the cloud is serious enough that in early 2012 the European Union published an opinion paper noting that "the wide-scale deployment of cloud computing services can trigger a number of data protection risks, mainly a lack of control over personal data as well as insufficient information with regard to how, where, and by whom the data is being processed/sub-processed." Such concerns have been echoed in the U.S. Last year a group of federal agencies expressed concern over security and data integrity in cloud environments, noting that "a financial institution's ability to assess compliance may be more complex and difficult in an environment where the cloud computing service provider processes and stores data overseas or commingles the financial institution's data with data from other customers...."

In general, many cloud agreements provide little in the way of assurances about data privacy. The customer may have almost no control over how its outsourced data is managed, but because it collected the information in the first place it is still legally responsible for that data. None of this is to say that such issues will stop the move to cloud-based outsourcing or that companies should avoid the practice. But outsourcing customers need to recognize not only what the cloud can do for them, but what it cannot do in terms of reducing risk and addressing compliance issues. Companies can consider strategies such as hybrid clouds, maintaining backups in-house, and encrypting data sent to the cloud. They need to perform thorough due diligence, carefully weigh the legal risks and business benefits involved, and determine how best to take advantage of the cloud.

Those decisions may become easier as the marketplace evolves and adapts. We now see some cloud outsourcing providers recognizing that large corporate customers—and especially companies in regulated sectors with heightened security concerns—will ultimately need more than the basic, one-size-fits-all agreement. These providers are exploring ways to set up their infrastructure and design their services to meet the needs of corporate customers and proactively offer more flexibility while still keeping costs down.

Similarly, we expect to see more vendors working to address data privacy issues in order to appeal to the corporate market. For example, rather than leaving it up to the customer to worry about legal compliance an approach typical of public cloud providers—a vendor could offer assurances that its operations will keep personal information in certain countries and be in compliance with European Union data protection laws. This approach may be especially effective for less prominent providers that are trying to compete with the Amazons of the world.

Still, the upside of cloud-based outsourcing is too powerful to ignore. Fortune 500 companies are interested in these services, and vendors want to tap into that interest. We believe that marketplace realities will drive vendors to find new flexibility and data protection solutions—and the cloud will be a core ingredient in the outsourcing formula.

Questions for the Cloud

With cloud-based outsourcing in general, and public clouds in particular, due diligence is more important than ever. Companies considering a public cloud vendor should ask such questions as:

  • Where are the servers housing our data located?
  • Will our data be moved during the life of the agreement?
  • Will the vendor use third-party providers to store our data?
  • Will our data be sharing computing resources with data from other companies/competitors?
  • Has the vendor been sued for service/data protection issues?
  • What security and data protection practices does the vendor use?
  • How will the vendor handle service disruptions and business continuity issues?
  • Will our data be used by the provider for other analytics-driven commercial purposes?
  • Can we get our data back at the end of the agreement—in a usable format?
  • Can we easily access/search our data for discovery in the event we are sued?
  • Will our confidential data be deleted from the provider's servers at the end of the agreement?

Measurement

The New Focus on Sustaining Value

Companies and outsourcers are looking for ways to conduct smaller, more frequent performance measurements that allow them to make incremental adjustments as needs change.

With two decades of outsourcing experience, vendors and client companies have become adept at forging agreements that focus on value for money being spent. They have learned to create contracts that balance cost benefits with broader business benefits such as innovation, transformation, and entry into new markets. But, too often, the focus is on initial value for money. Organizations have been less effective when it comes to establishing the kind of oversight and follow-through needed to ensure that the expected deal value is delivered and sustained over time.

Over the past year, however, we have been seeing more contract discussions where companies and vendors are taking steps to drive and sustain results over time, throughout the life of the engagement. The issue of sustained value is not new, of course, but perhaps as a legacy of the wave of outsourcing deal realignments during the recent global recession, organizations appear to be more conscious of looking for ways to continue the value-for-money promise.

Traditionally, signing a contract has been considered an endpoint. Now there is growing interest in establishing mechanisms to monitor performance, make mid-course corrections, and continue to drive the delivery of value, even as conditions change.

Previously, organizations might have put all their eggs in the benchmarking basket as a way to realign deals. But benchmarking can be costly and cumbersome, and too often requires agreement on results before implementation. Our experience is that "little and often" corrections offer a better approach to securing ongoing value than infrequent "big stick"-type mechanisms.

Underlying the "little and often" approach is the need to establish governance processes that include regular discussions about performance gaps, changes in the business or technology environment, and improvements and innovations to enable the continued delivery of business value. This means formally putting the tracking and pursuit of value on the governance agenda, rather than relying on the trajectory of the original agreement to achieve results.

With that in mind, some companies are rethinking the use of benchmarking in assessing results. Traditionally, contracts might call for a benchmarking exercise every two or three years to see how performance measures against the company's peers. The problem is that many things can change in a few years, and such assessments may come too late for a meaningful response to new conditions. And benchmarking can lead to lengthy discussions about data validity, rather than taking the actions needed to keep the operation on track to value.

As a result, companies and outsourcers are seeking ways to conduct smaller, more frequent performance measurements that allow them to make incremental adjustments as needs change. Gain-sharing agreements—in which vendors and customers alike benefit from productivity improvements, cost reductions, increased revenue, etc.—are being used to keep both parties focused on value. Some agreements spell out how technology upgrades or process improvements will be triggered, or establish processes that incentivize the vendor to keep bringing best practices to the company's operations.

We are seeing this renewed emphasis on sustaining value across various industries—and in both IT and business process outsourcing deals. It is especially prominent in complex, transformation/ innovation focused engagements where business value extends beyond cost reductions and the ability to adapt and exploit new opportunities is especially key.

Looking for Flexibility

The search for sustained value is also prompting companies to look for greater flexibility in contract terms. These might cover how often and quickly personnel adjustments can be made, the frequency of technology improvements, or even the ability to bring in another provider midway through a contract if performance is falling short. "In many of the deals I've worked with in the last year or 18 months, companies are trying to be immensely more flexible in terms of being able to switch on and switch off costs and services, with limited penalties," says Julian Hamilton, the EMEA sourcing lead, IT & Telecoms, at Procurian.

Companies have long been interested in such flexibility, but that interest is now heightened by economic uncertainty and the need to deal with rapid change, as well as concerns over being locked into a vendor's processes and technologies and being left behind. There's a mind-set change at work, Hamilton says. As on-demand cloud computing becomes more practical, "that kind of thinking about the cloud is spreading into perceptions of other outsourcing services," he says.

Of course, not all vendors have come to such conclusions. "I am seeing that clients want flexibility, but suppliers don't want them to have it," Hamilton says. "So there are some struggles going on." But there is a potential carrot for vendors in that picture. Recent years have seen a trend toward smaller, more narrowly focused outsourcing engagements. But if there is more flexibility in contract terms, customer companies might be more willing to sign up for longer-term deals.

Finally, the pursuit of value for money is leading some companies to reassess what they need from an outsourcing engagement. In the wake of the economic crash and the scramble to find cost savings, some companies have decided they did not need "gold-plated" service. That perspective seems to be sticking as the economic recovery moves forward, and it may be part of the value-for-money equation for the foreseeable future.

The Struggle for Profitability

Like so many companies, large outsourcing vendors found themselves under a great deal of pressure during the economic downturn. Some of them continue to face financial challenges due to a number of structural factors in the industry. Vendors today have to deal with the commoditization of some forms of outsourcing via cloud and as-a-service offerings; the increasing strength and growing market share of what were once "tier 2" providers, particularly companies from India; and relentless pressure from customers to bring prices down. The result, often, has been little or no top-line growth, thin margins, and elusive profitability. In addition, the past few years have seen a number of mergers and acquisitions of large technology companies and service providers, such as HP and EDS, Xerox and ACS, and Dell and Perot Systems. Some of these matchups have struggled to find the right business model and build the integrated cultures needed to provide outsourcing services profitably.

As a result of these challenges, we have been seeing vendors declining to renew low-profit deals and more discussion of "firing" customers and aggressively ending deals. In at least one case, a vendor took the highly unusual step of simply terminating an engagement midway through the contract: essentially walking away from the business and its obligations and risking litigation because of its difficulties in making the deal financially viable. At this point, that may be an extreme example, but if it ends up being an approach adopted by other struggling vendors, it could signal a significant paradigm shift in the industry.

Vendors aren't holding still, of course, and many are trying to streamline operations to boost margins, for example, by relying more on offshore operations, automating more work, and reducing layers of management. Such moves could, in fact, increase vendor responsiveness and agility from the customer perspective, as well as help shore up vendor profitability.

Nevertheless, companies need to keep a close eye on vendor financials, and due diligence on that front is perhaps more important than ever. They should also consider the inclusion of contract provisions that will allow them to terminate an agreement if there are early signs of vendor financial instability—if, for example, the vendor's credit rating falls below a certain point. This approach will at least give the company some control over timing and the ability to transition to a new vendor, rather than be abruptly left in the lurch by a vendor's bankruptcy. And finally, companies in contract negotiations should balance their interest in low costs with the realistic need for a vendor to make a profit—that is, look for a deal that works for both parties.

Outsourcing Without Borders

As business becomes more global, companies are looking to manage across borders in a more integrated fashion—and outsourcing is playing a part in those efforts, resulting in more deals that encompass operations in several countries.

Traditionally, multinational business operations have tended to be siloed by country to accommodate differences in regulations, language, and culture. Increasingly, we are seeing companies looking to consolidate management functions across regions and even globally, and some are turning to outsourcing vendors. For example, Morrison & Foerster recently helped set up an arrangement in which the vendor provides centralized facilities-management services for a pharmaceutical company's 22 sites in four European countries.

Such cross-border deals can be complex to work out and operate because they require a balance of local flexibility and central control, as well as an understanding of which local practices can be standardized and which can't. But the payoff can be significant in terms of economies of scale, increased efficiency, and the use of consistent performance metrics to drive continuous improvement. In some cases, companies view reliance on an outsourcer as a way to drive change and the standardization of global processes, which can be difficult to achieve as internal initiatives.

The vendor community is building the frameworks and sophistication needed for this type of deal. And with the ongoing globalization of business, we expect more of these arrangements to emerge.

Workforce

Outsourcing and the BYOD Challenge

While the "bring your own device" trend may help reduce technology costs and improve productivity, companies need to factor the challenges it creates into their IT outsourcing arrangements.

Companies today are seeing an influx of employee-owned smartphones, tablets, and laptops being used for work, in and out of the office. In response, many are embracing this "bring your own device" (BYOD) trend and encouraging employees to use their devices for company business. Others, however, view the risks as outweighing the benefits. (For more on the pros and cons on BYOD see http://bit.ly/17aJDnO.) Advocates see BYOD as a positive development that can help reduce technology costs and improve productivity. But the advent of BYOD is creating some significant challenges for IT—and companies and vendors should factor this reality into their IT outsourcing agreements.

In this environment, companies need to develop policies covering areas such as the privacy of employee communications and the ownership of IP developed on employee devices. There is considerable room for improvement here: according to the Ovum analyst firm, only about 20 percent of employees using their own devices at work have signed a company BYOD policy. Once a policy is in place, companies need to make sure that their outsourcing vendor can support it from a process and technology standpoint.

Data security typically requires special attention. Protecting against data breaches in a secure data center is difficult enough, and the challenge is vastly more complex in an environment where mobile, far-flung employees are using and sending company information. What tools and technologies will the vendor use to ensure security? This is especially important for companies in regulated industries. However, the guidance from regulators on ensuring compliance with BYOD technology has not been clear to date (if, indeed, such guidance exists at all). As a result, companies and vendors need to be prepared to act quickly when firmer rules are eventually put in place.

Contracts also need to spell out how a vendor will address IT support in a BYOD era, where IT has less control over technology. How will it provide assistance for a variety of different devices, with new ones appearing all the time? How will it handle the various kinds and versions of software on employee devices?

Finally, companies need to determine how a vendor will support the need for discovery in the event of litigation. How will it track and access relevant information that is spread across many non-company devices?

The BYOD era brings complex challenges to IT. Managing information and technology in a this environment will require new tools—and with IT as their core business, outsourcing vendors may be in better position to find the best fit and apply those tools.

The guidance from regulators on ensuring compliance with BYOD technology has not been very clear.

Politics

The U.S. Presidential Election: Beyond the Rhetoric

While outsourcing was hotly debated during last fall's election, it remains both an effective business practice and a competitive necessity for global businesses.

For several election cycles now, outsourcing has been a prominent political issue, and, in the 2012 presidential election, it was a hotter topic than ever. This is not surprising, perhaps, given the ongoing concerns about job security and the economy. And as always, the politics were undoubtedly complicated by the fact that the public often fails to distinguish between the outsourcing of work from a company and the offshoring of work to another country. Many people, says a Deloitte survey report, "confuse outsourcing with offshoring. Many respondents still see the two processes as inseparable—even though many times outsourced work never leaves the originating country."

What is surprising is how little impact the anti-outsourcing rhetoric has actually had in the real world of business. Outsourcing is an effective business practice that is almost a competitive necessity in a global business environment, and even months of high profile speeches and debate haven't changed that fact.

More specifically, many large companies today take advantage of offshoring relationships, and that is likely to continue. Yes, some companies have "reshored" manufacturing back to the U.S. from overseas, but there appear to be limits to how extensive that trend will be. For one thing, labor arbitrage is still a significant factor; although wages have increased in places such as India, labor in those markets is still cheaper than in the U.S.—and in a global marketplace, many companies are hard-pressed to give up those lower costs.

The most important factor, however, is the availability of the right talent—and a shortage of technical skills in the United States.

The most important factor, however, is the availability of the right talent—and a shortage of technical skills in the U.S. As many have noted, the U.S. education system hasn't been producing enough technical graduates to keep up with demand. At the same time, the current administration has been tightening H-1B visa requirements, making it more difficult to bring technically skilled people from overseas to work in the U.S. Morrison & Foerster has worked with at least one U.S. client that has reshored some overseas manufacturing operations to the U.S., and then found itself struggling to make it all work because it couldn't find enough people with the skills it needed.

One company that is interested in doing more in the United States is Apple, which is expected to start building a line of computers in the U.S. in the near future. But Apple is not likely to completely reshore its manufacturing. When a reporter asked Apple CEO Tim Cook about moving even more production to the U.S., he pointed out that "It's not so much about price, it's about the skills...." And when the skills aren't available, companies have no choice but to look overseas in order to get work done—a fact that transcends the campaign rhetoric.

Asia: Growing Capacity, New Markets

Global companies are consolidating data centers into regional hubs for efficiency. In Asia, service providers are responding with increased capacity, driving a data-center building boom in high-bandwidth regional hubs such as Hong Kong and Singapore. This trend will likely be reflected in mainland China, in part because the new government is expected to revise local regulations to encourage investment in cloud computing services.

At the same time, government outsourcing is set to grow as Asian countries look to modernize a wide spectrum of public sector service— particularly healthcare delivery—and turn to outsourcers to streamline back-office and user-information systems. Many governments still prefer local providers, but global vendors with deep healthcare skills are increasingly able to participate via joint ventures with local providers. However, some caution is in order because the IP and technology transfer regimes in many developing Asian jurisdictions are idiosyncratic and typically favor local companies and employees.

That points to a fundamental change: Asia's emergence as a major outsourcing market and a source of services. With the low cost of capital and slow economic growth in Europe and the U.S., much investment has flowed into countries such as Malaysia and Indonesia. Businesses there are now struggling to keep up with demand. Many are looking for software, platform, and infrastructure as-a-service providers to help them get up to speed— further fueling outsourcing growth.

Regulation

The Privacy Bar Gets Higher

As the amount of data being stored increases, so too do concerns about the safeguarding of personal information—and that is having a direct impact on outsourcing.

Data privacy laws have been around for some time—most notably in Europe, where EU-wide regulations cover the protection of personal data and its movement across national borders. Such regulations are familiar to most companies that have business relating to EU countries.

But less familiar, perhaps, are some of the privacy regimes now taking shape in Asia and Latin America. In 2012, many countries in those regions created or significantly updated their laws governing the protection of personal information.

In Asia, for example, the Philippines and Singapore each passed comprehensive new data privacy laws for the first time, and Australia, Hong Kong, and Taiwan amended their existing privacy laws. In 2013, Malaysia is poised to implement its privacy law, which was adopted two years ago.

Latin America, Colombia, Costa Rica, Nicaragua, and Peru have broad new omnibus privacy laws. Eleven countries in the region now have such laws, and Brazil is considering one.

Unlike EU law, which provides some consistency across the continent, these laws often differ significantly from place to place, creating a complex patchwork of regulation for outsourcing arrangements that extend across borders.

Some countries' laws are creating particularly daunting challenges. For example, South Korean law was the first to require that personal data be encrypted when "at rest" in a database, not just when it is in transit—which is likely to lead to cost and performance problems for outsourcers. And in Costa Rica and some other countries, new laws require a company to get consent from each customer before sharing his or her information with an outsourcing vendor, which poses some obvious and huge practical problems.

Unlike in the EU, where there is some consistency across the continent, laws in other regions differ from place to place, creating a complex regulatory patchwork.

Dealing with Breaches

Evolving technologies are also creating regulatory complications. In the U.S., 46 states have laws requiring companies to notify their customers when there is a data breach involving personal information. But under some public cloud outsourcing agreements, the outsourcer is not required to let customer companies know when there is such a breach. Thus, a company might find itself out of compliance when it is not even aware that there has been a problem.

We expect data privacy regulations to continue to create challenges for outsourcers and their customers. In this environment, all parties need to think carefully about what data is kept where— and allow time in deal negotiations to work through these issues.

Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Morrison & Foerster LLP. All rights reserved