Governanceof OutsourcingIT GOVERNANCE DOMAIN PRACTICES AND COMPETENCIESThe IT Governance Institute®The IT Governance Institute (ITGI) (www.itgi.org) was established in 1998 to advanceinternational thinking and standards in directing and controlling an enterprise’s informationtechnology. Effective IT governance helps ensure that IT supports business goals, optimisesbusiness investment in IT, and appropriately manages IT-related risks and opportunities. The ITGovernance Institute offers original research, electronic resources and case studies to assistenterprise leaders and boards of directors in their IT governance responsibilities.DisclaimerIT Governance Institute (the “Owner”) has designed and created this publication, titledGovernance of Outsourcing (the “Work”), primarily as an educational resource for chiefinformation officers, senior management and IT management. The Owner makes no claim thatuse of any of the Work will assure a successful outcome. The Work should not be consideredinclusive of any proper information, procedures and tests or exclusive of other information,procedures and tests that are reasonably directed to obtaining the same results. In determining thepropriety of any specific information, procedure or test, chief information officers, seniormanagement and IT management should apply their own professional judgement to the specificcircumstances presented by the particular systems or information technology environment.DisclosureCopyright © 2005 by the IT Governance Institute. All rights reserved. No part of this publicationmay be used, copied, reproduced, modified, distributed, displayed, stored in a retrieval system ortransmitted in any form by any means (electronic, mechanical, photocopying, recording orotherwise), without the prior written authorisation of the IT Governance Institute. Reproductionof selections of this publication, for internal and noncommercial or academic use only, ispermitted and must include full attribution of the material’s source. No other right or permissionis granted with respect to this work.IT Governance Institute3701 Algonquin Road, Suite 1010Rolling Meadows, IL 60008 USAPhone: +1.847.253.7491Fax: +1.847.253.1443E-mail: [email protected] site: www.itgi.orgISBN 1-933284-13-7Governance of OutsourcingPrinted in the United States of America2 Governance of OutsourcingIT Governance Institute 3AcknowledgementsFrom the PublisherThe IT Governance Institute wishes to recognise:The ITGI Board of TrusteesMarios Damianides, CISA, CISM, CA, CPA, Ernst & Young LLP, USA, International PresidentAbdul Hamid Bin Abdullah, CISA, CPA, Auditor General’s Office, Singapore, Vice PresidentWilliam C. Boni, CISM, Motorola, USA, Vice PresidentRicardo Bria, CISA, SAFE Consulting Group, Spain, Vice PresidentEverett C. Johnson, CPA, Deloitte & Touche (retired), USA, Vice PresidentHoward Nicholson, CISA, City of Salisbury, Australia, Vice PresidentBent Poulsen, CISA, CISM, VP Securities Services, Denmark, Vice PresidentFrank Yam, CISA, FHKCS, CIA, CCP, CFE, CFSA, FFA, Focus Strategic Group Inc., Hong Kong, Vice PresidentRobert S. Roussey, CPA, University of Southern California, USA, Past International PresidentPaul A. Williams, FCA, CITP, Paul Williams Consulting, UK, Past International PresidentEmil D’Angelo, CISA, CISM, Bank of Tokyo-Mitsubishi, USA, TrusteeRonald Saull, CSP, Great-West Life and IGM Financial, Canada, TrusteeErik Guldentops, CISA, CISM, Belgium, Advisor, IT Governance InstituteThe Authors and ResearcherAlan Simmonds, CMC, GovIndex, UKDavid Gilmour, MBIM, MICSA, MITM, GovIndex, UKLighthouse GlobalThe IT Governance Institute Steering Committee Tony Hayes, Queensland Government, Australia, ChairGeorges Ataya, CISA, CISM, CISSP, ICT Control SA/NV, BelgiumReynaldo de la Fuente, CISA, CISM, DataSec SRL, UruguayRupert Dodds, CISA, CISM, FCA, KPMG LLP, New Zealand John Ho Chi, CISA, CISM, CBCP, CFE, Ernst & Young LLP, SingaporeEverett C. Johnson, CPA, Deloitte & Touche (retired), USAJean-Louis Leignel, MAGE Conseil, FranceAkira Matsuo, CISA, CPA, ChoAoyama Audit Corp., JapanSerge Yablonsky, CISA, CPA, SYC SA, FranceTom Wong, CISA, CIA, CMA, Ernst & Young LLP, CanadaThe ReviewersSteven De Haes, University of Antwerp Management, BelgiumStacey Hamaker, CISA, Shamrock Technologies, USAGary Hardy, ITWinners, South AfricaAustin Hutton, Shamrock Technologies, USAWim Van Grembergen, Ph.D., University of Antwerp, BelgiumPaul A. Williams, FCA, CITP, Paul Williams Consulting, UK4 Governance of OutsourcingTable of ContentsACKNOWLEDGEMENTS .............................................................................31. EXECUTIVE SUMMARY ..........................................................................52. WHY IS GOVERNANCE OF OUTSOURCING IMPORTANT?.............73. CURRENT OUTSOURCING GOVERNANCE APPROACHES ...........104. BEST PRACTICES FOR GOVERNANCE OF OUTSOURCING.........145. LIKELY FUTURE TRENDS AND CONCLUSIONS .............................186. RECOMMENDED GENERIC STEPS.....................................................207. SOURCES ..................................................................................................23Note: This publication is part of the IT Governance Domain Practices andCompetencies Series from the IT Governance Institute. The titles include:Information Risks: Whose Business Are They?Optimising Value Creation From IT Investments Measuring and Demonstrating the Value of IT Governance of OutsourcingIT Alignment—IT Strategy Committees1. Executive SummaryOutsourcing is a US $180 billion-plus industry with more than 75 percent ofIT organisations using it in some form.1Outsourcing of some or all of theservices within larger companies is seen as a way to contain, if not diminish,costs and simultaneously increase control over revenue utilisation. Theincreasing costs arise, to a substantial extent, from the difficulty of retaininginternal technical expertise in a 24x7x365 global, dynamic market. A strategicorganisational response is to disaggregate the value chain and push the serviceprovision out to third parties. There is a perception that the result will be quicker, faster service that willcope more expeditiously to gain advantage from technological evolution.Another hope is that the specialist suppliers will adapt more readily in the faceof regulatory pace and evolution, especially in the global environment whereregulations with outwardly similar intent may require substantially different,and sometimes