Risk Management Strategies for Offshore Application and Systems Development

Rudy Bakalov

During the past decade, offshore application and systems development has steadily gained credibility and acceptance among many US and European enterprises as a cost-effective alternative to traditional development options. The top 15 US financial institutions spent about US $1 billion on IT offshore outsourcing in 2003, a figure expected to grow to US $2.5 billion by 2008, according to Tower Group.

The enticement to IT departments and enterprises to use a developer who earns US $6-10 per hour in India—or even less in China—compared to five or ten times that amount for a similarly skilled programmer in the US is fairly obvious. McKinsey & Co. estimates that for software developers, the wage difference between the US and India is about 8:1.¹

Offshore application and systems development offers several advantages:

Lower labor and overhead costs
Faster time-to-market
High quality of final deliverables
Just-in-time access to relevant skill sets and overall manpower needs
"Follow the sun" support model

While experienced companies such as Citigroup and American Express have been outsourcing IT development and business back office functions for many years, inexperienced organizations may be rushing to jump on the offshore outsourcing bandwagon prematurely. Over the last year problems have surfaced, including security breaches, error-prone software development, and a high number of service quality complaints. Some high-profile examples include:

In March, Capital One cancelled its telemarketing contract with India's largest call center, Wipro Spectramind, after an Indian worker was accused of misleading US credit card company customers with unauthorized offers. The offers were uncovered during a routine internal inspection in January. Nearly 30 Indian employees were dismissed and another 65 resigned after being accused of offering incentives such as free gifts or membership discounts.
In December, Lehman Brothers cancelled its contract with Wipro for an employee computer help desk, saying it was dissatisfied with staffers' poor training. The deal was part of a US $70 million to $100 million contract signed in November 2002 with Wipro and rival Tata.
A disgruntled employee in Pakistan who transcribed medical files dictated by doctors at the University of California San Francisco Medical Center threatened to expose all voice files and patient records on the Internet if she wasn't paid the hundreds of dollars in back pay she was owed by her employer, the original contractor's subcontractor's subcontractor. A center spokeswoman could not confirm whether the woman was fired or is being prosecuted for the threat.

DiamondCluster, a Chicago-based global management consulting firm, surveyed 182 buyers of outsourcing services and found that 21 percent had prematurely ended their contracts, and 26 percent said they were dissatisfied with their outsourcing efforts. Outsourcing providers included companies from around the world. Reasons for ending a project ranged from the provider failing to deliver on promises to the buyer deciding to consolidate its outsourcing vendors.

To evaluate the risks and effectiveness of offshore development projects, enterprises should apply a risk assessment framework that includes quantitative and qualitative variables and considerations. Such a framework can minimize the risks of offshore projects and build a solid foundation for future success.

Understand the Business Case

Merely replicating application development processes in other countries will rarely realize the full potential of offshore outsourcing to deliver significant value. When evaluating the case for offshore outsourcing, enterprises should consider the total business impact, not just the reduction in labor cost. Wages represent a significant cost in the US, for instance, and operations are therefore designed to minimize labor while increasing productivity by deploying technology. However, this is not the case in India, where this strategy offers little value as wages represent only a minor fraction of the total costs; capital equipment, such as bandwidth, is often more expensive than it is in the US.

McKinsey & Co. suggests that the way to fully maximize the effect and reduce the cost of offshore operations even further is to reorganize and reengineer operations to take full advantage of these differences. In a low-wage country, the capital infrastructure—including office space, telecommunications lines, and computer hardware and software—should be used as intensively as possible.²

The cost advantage must be quantified in the context of the entire life cycle of the project, from concept to production. The billing rate for an offshore Java developer typically ranges from US $20-$40 per hour, compared with $150 per hour or more for a US-based developer. Gartner offers a useful guideline stating that significant cost savings will not be achieved unless at least 70 percent of the total labor hours can be executed remotely at an offshore location.³

In addition to cost savings, offshore arrangements are associated with certain costs. In general, they follow in the following categories:

Setup costs related to expenses for establishing the offshore base include logistics, recruiting, tools acquisition and training. In the case of service providers, examples of setup costs include vendor selection, internal processes and infrastructure redesign, transition and pilot testing. A recent study by the Boston Consulting Group (BCG) estimates that one-time costs can be anywhere between 25 and 75 percent of the first year's cost of operation.
Costs due to scaling down home country development include layoffs, writeoffs, new facilities, etc. These costs can be significant if a large percentage of company's development teams is offshored. In addition, enterprises should consider the bad will associated with sending high-paying IT jobs offshore. The media have been unforgiving in the past few months and have taken every opportunity to attack such efforts. A recent example includes Accenture's US $10 billion bid for work for the Department of Homeland Security where the US Congress and the media launched attacks against Accenture because the company is headquartered in Bermuda. The public outcry about offshoring has engendered so much corporate guilt that very few companies are keen to go on record publicly in this arena.
Offshore risk management costs are associated with monitoring the quality and speed of the offshore development team. BCG estimates these costs between 2 and 5 percent.

Productivity is another factor that should be considered when contemplating offshore development arrangements. In a New York Times article, Dev Ittycheria, CEO of Bladelogic, offered this assessment of his offshore experience: "The cost savings in India were three to one. But the difference in productivity was six to one," compared to programmers in the US. Once this became clear, he brought the work back to the US.

A recent Gartner study of 219 clients that outsource projects offshore noted that half the projects undertaken in 2003 did not deliver anticipated savings.

Enterprises should also understand the reality that not all application development efforts can or should be outsourced to offshore partners. For example, projects with clearly defined requirements that lend themselves to modular software development methodologies or remote development and QA, rather than highly iterative development processes, are more suitable for offshore development. Similarly, projects that do not require a high degree of face-to-face user interaction are more likely to succeed in an offshore development environment. Complex applications, on the other hand, that require significant integration with other applications and systems are the least likely to be successful in an offshore environment as it is difficult or often impossible to create a fully functional test environment that duplicates the onshore one.

Finally, organizations should take into consideration how offshore outsourcing projects could impact existing relationships and dependencies with vendors and customers. In November, Web.com and Dell Computer cancelled call center contracts in India after customer complaints of cultural misunderstandings and inadequately trained tech staffers. A Dell Computer company spokesman, Jon Weisblatt, confirmed reports that call center employees were no longer handling calls from corporate clients because of performance lapses. "Customers were not satisfied with the level of support they were receiving, so we're moving some calls around to make sure they don't feel that way anymore," he told the Associated Press.

Surveys released in February showed that, while Dell's market share has continued to grow, customer satisfaction has declined. Corporate customers account for about 85 percent of Dell's business, with only 15 percent coming from the consumer market.

Understand and Address Cultural Differences

Offshore development initiatives naturally involve managing multicultural teams across international and cultural borders and continents. Cultural differences are often at the root of many of the risks discussed (e.g., protection of intellectual capital and communications) and can create significant stress in offshore project team members. Different cultures have different value systems, different approaches to problem solving and different management styles. This can have a direct impact on the bottom line and success of offshore projects.

Unfortunately, project teams in the US often underestimate cultural differences and the associated risks due to the lack of experience in and appreciation for these cultural differences. Differences in culture and business practices can jeopardize offshore development initiatives, particularly for enterprises that have limited experience managing global projects with culturally diverse teams.

Development team members must be aware of major cultural differences and national characteristics such as expressions, habits, physical actions and corporate characteristics. Cultural sensitivity training may be a valuable investment at the start of an offshore development initiative. Enterprises in the US and other nations should follow the example of many Indian vendors that provide formal training on cultural sensitivity and communication styles for their staff.

Another alternative to bridging the culture gap is ensuring that a project leverages the multicultural talents of expatriates. A recent Gartner research note suggests that by deploying the right mix of expatriates and internal controls, enterprises can sidestep the common pitfalls associated with shifting operations to unfamiliar territory and better support successful offshore initiatives.⁴

Communicate, Communicate, Communicate

Distance, languages and different time zones add significant complexity to the offshore application development process. To accommodate this additional complexity and resulting risk, enterprises must develop and adhere to a well-defined set of communication rules as part of the application development project plan.

It is essential for the onshore staff to effectively communicate application and integration requirements and changes to their offshore management and development staff. Onsite team members have the benefit of additional knowledge of the project office, overall enterprise architecture, application support, infrastructure and operations. The offshore staff is unlikely to understand all of the issues or even to know when to ask the right questions. Worse, this technical knowledge is often shared through informal discussions, but the physical distance precludes those vital informal meetings.

To minimize the risk of project failure due to poor communication, enterprises should actively manage the communication process. The organization should develop communication protocols that clearly define roles, responsibilities and skills and then map the protocols to critical offshore communication channels. In addition, the project plan and budget should include regular face-to-face meetings to build team cohesion and understanding. Finally, as discussed previously, communication processes should acknowledge and manage cultural diversity.

Security, Privacy and Intellectual Property Rights

Among the main risks to consider are the risks to the security of physical assets and intellectual capital, including intellectual property rights, source code and data. SolidWorks Corp., a Concord, Massachusetts, USA-based software maker, prosecuted a programmer at its offshore outsourcing partner, Geometric Software Solutions Co., after he allegedly stole SolidWorks' intellectual property and tried to sell it to company competitors in his home country. The FBI helped local authorities arrest the employee, who is now awaiting trial.

Security issues get amplified in the offshore development model because the points of failure increase dramatically, and control over those points frequently rests outside the security policies of the enterprise. Enterprises should require their auditors or independent third parties to be allowed to perform physical and security audits at regular intervals, ensuring that the security policies of the offshore service providers are in line with the policies of the enterprise. Requiring large service providers to undergo a SAS70 attestation review can be a viable alternative as well.

US laws such as Health Insurance Portability and Accountability Act (HIPAA) require that companies safeguard patient data no matter where they are stored and processed. That also affects third-party vendors. There are similar laws governing privacy in the European Union. However, it is more difficult to protect information if it leaves the home country, especially if it goes to a developing offshore nation, which may not have the same safeguards or enforce them as readily.

Intellectual property risk is a unique risk in offshore development, primarily because of cultural differences. A good strategy to reduce the risk of intellectual property violations may include restricting access to the entire source code to a single team if the project has high intellectual property value. The offshore team can be required to use an onshore version control system for checking in and out portions of the source code.

To avoid disclosure of key intellectual property to competitors, teams working on competing products should be physically and virtually separated—but this is more difficult to enforce. For highly sensitive projects, each team member must sign confidentiality and nondisclosure agreements that are binding beyond the duration of the project. Bear in mind, however, that competitive information can "leak" through private conversations and "best practice sharing" or training sessions.

It is also a matter of legal differences, and therefore it is important to understand how local laws treat and assign intellectual property rights. Contracts should have a clear assignment of ownership for work product and inventions developed under the contract to ensure that the customer, regardless of the applicable local law, owns the developed source code or other products. The contract could mandate that the vendor has each of its employees, agents and contractors execute a similar assignment of rights.

Another area that requires consideration is the use of open source software (OSS). While attractive, the use of open source software has presented legal challenges to potential users, especially in the areas of copyright, patents and trade secrets. The recent high-profile SCO Group vs. IBM lawsuit in US court challenging the use of some open source code illuminates the need for companies to be even more vigilant about understanding the origin of their code, what restrictions it may bring, and the resulting potential liabilities and risks.⁵

To manage the risk associated with open source code, enterprises should identify and document all uses of such code. In addition, they must develop internal guidelines for the use of open source software, and train domestic and offshore developers to follow the guidelines. It is important to disclose and acknowledge the use of open source code, especially in any type of commercial application development that includes a software license.

Legal Considerations

It is known that Indian courts are severely backlogged and it can take years to settle a legal dispute related to contracts. For example, in India such cases can take 10-20 years. This illustrates the importance of considering the legal ramifications of offshore development before entering into such arrangements.

In the event the offshore developer fails to deliver and is in significant breach of contract, the organization may have to sue for damages. For this and other reasons the parties must agree under which legal system the contract will be governed.

For example, enterprises should make their best effort to ensure that contracts are within the jurisdiction of their own local court of law, the contracting parties are locally-based corporations and the offshore vendor is adequately capitalized in the home area, such that any assessed damages can be claimed against domestic assets. Enterprises should ensure that they do not have to sue in an offshore court or across national boundaries to try to get the developer to court and claim foreign assets.

Offshore outsourcing deals bring risks above and beyond those found in domestic arrangements. As enterprises evaluate their options for leveraging offshore development and integration resources, understanding the associated risks and developing mitigation strategies is of a significant importance to the long-term success of the outsourcing process.

Endnotes

¹ "Offshoring goes on the offensive," The McKinsey Quarterly, Number 2, 2004
² "Offshoring and beyond," The McKinsey Quarterly, Number 4, 2003
³ "Identifying Projects that are Suitable for Offshore Delivery," Gartner, DF-18-9521, 28 January 2003
⁴ "Expatriates Help Reduce Risks in Offshore Outsourcing," Gartner, TU-21-2151, 23 October 2003
⁵ "Solutions for Software IP Risk Management," Black Duck Software

Rudy Bakalov
is with Ernst & Young and has more than 10 years of information security experience, providing strategy, risk management and security consulting services to Fortune 100 companies. Bakalov is a frequent speaker at various conferences, including ISACA's Computer Audit Control and Security (CACS) Conference, Vanguard, MIS Training Institute as well as industry forums, such as the Pharma IT Summit and the Drug Information Association annual meetings.


What is CISA	What is CISM	What is CGEIT	What is CRISC
Benefits of CISA	Benefits of CISM	Benefits of CGEIT	Benefits of CRISC
How to Become Certified	How to Become Certified	How to Become Certified	How to Become Certified
Register for the Exam	Register for the Exam	Register for the Exam	Register for the Exam
Prepare for the Exam	Prepare for the Exam	Prepare for the Exam	Prepare for the Exam
Taking the Exam	Taking the Exam	Taking the Exam	Taking the Exam
Apply for Certification	Apply for Certification	Apply for Certification	Apply for Certification
Maintain Your CISA	Maintain Your CISM	Maintain Your CGEIT	Maintain Your CRISC

World Congress: INSIGHTS	Training Week	Webinars
North America CACS	eLearning Campus	Virtual Conferences
EuroCACS / ISRM	On-Site Training
Governance, Risk and Control	Exam Review Courses	COBIT EDUCATION
North America ISRM
Latin America CACS / ISRM
Oceania CACS
Asia-Pacific CACS / ISRM


COBIT 5 Home
Product Family
Training & Accreditation
Licensing
Join the Conversation
News
Recognition
FAQs