ISACA Journal Author Blog

Governance Model and Process Controls in Outsourcing Vendor Engagements

Published: 4/4/2013 7:46 AM | Category: COBIT-Governance of Enterprise IT
Rajesh Bhatia, CISA, CGEIT, PMP, MDP
Governance models need to be implemented in most outsourcing vendor engagements to gain value, efficiency, effectiveness, productivity and return on investment (ROI). This is because when working with a vendor, strategic alignment, value delivery, risk management, resource management and performance measurement need to be ensured (Board Briefing on IT Governance, 2nd Edition and COBIT 5). Operating in silos with a vendor is akin to walking into a deathbed. In other words, productivity, value and ROI will not be attained from the engagement.
In this regard, recently, I was asked to design a statement of work (SOW) for a vendor engagement for a transformation project at my company. I looked at the standard SOW templates and noted the presence of common requirements like project scope, timeline and milestones, high-level schedule, and acceptance criteria. Surprisingly, what I did not find in any template were the details on the implementation of the governance models and control processes.
The Global Status Report on the Governance of Enterprise IT (GEIT)—2011 clearly states that optimal governance enablers need to be in place to ensure direction and monitoring of vendor performance, procurement of services, definition of service level agreements (SLAs), and the review of demand and supply decisions on sourcing models. This is due to the fact that 93 percent of the responding companies had fully or partially outsourced some activities. Also, the report mentions that although the consulting companies had high capability of implementing governance solutions, they had also received scores from respondents placing them on the poor end of the spectrum.
This leads me to believe that with such a high rate of outsourcing, governance models and control processes need to be designed into the vendor engagements. A lack of design of governance models and control processes will probably lead to failure of the engagement and frustration on both sides.
So, I took it upon myself to modify the SOW template and include a section for governance models and processes. I started thinking about the things that will be required, like the alignment of goals, ensuring value is obtained from the engagement, monitoring and tracking vendor performance, risk management, typical governance structures (i.e., decision-making structures), processes, controls, and communications. In this case, since we are dealing with a vendor, the presence of adequate controls is essential to ensure appropriate project performance, vendor performance, vendor compliance with standards, and processes for escalation management, change control, etc. Thus, I came up with an essential list of controls that must be present, including phase gate reviews, peer reviews, SLA reviews, daily project management meetings and business sign-off. Now we have a comprehensive vendor SOW.
Read Rajesh Bhatia’s recent JOnline article:
“Improving Governance Models,” ISACA Journal, volume 2, 2013.

