HelpSource Q&A 

Download Article Article in Digital Form

We invite you to send your information systems audit, control and security questions to:

HelpSource Q&A
ISACA Journal
3701 Algonquin Road, Suite 1010
Rolling Meadows, IL 60008 USA


What should be the guiding principles for determining and reaching agreement on the optimal percentage of operations that ought to be recovered in the event of a contingency by our outsourcing service provider? I am aware of business impact analysis (BIA) and risk assessments (RA) as tools and ways and means to help determine this—both of which I consider to be mere theoretical inputs. From a practical point of view, based on your experience, what should be our approach to determining and reaching agreement on the optimal percentage of business operations that must be or can be recovered in the event of a crisis? In other words, what percentage of the operations must be recovered by the service provider at notional costs, and at what point should the service provider start charging us for continuity arrangements?

A Good questions. While you have said that you are well aware of BIA and RA processes, your question is not clear on a number of things and, hence, I am compelled to make assumptions. You have not said the nature of services that you have outsourced, nor is it clear to me whether you have a single vendor from whom you source the services, or whether you have multiple vendors.

First, let us try to list the guiding principles behind the determination of the optimal percentage of operations that can be recovered at notional costs; of course, the list is not exhaustive:

  • Nature of the business—This plays an important role in the decision. If the business is something that operates round the clock, 365 days a year, like an online bank, then the need for recovery strategy can be different from that of another company that is engaged in a manufacturing business, for example, in which the production process can wait for a day or two, if circumstances demand. Another important consideration is whether the nature of the internal service includes offering some services to other entities that are dependent on the company’s continual functioning.
  • Number of service providers—Does the organisation have a single service provider that operates from a single location, or is the provider capable of offering services from multiple locations/cities within a country or many countries? Or, does the organisation procure the same services from multiple providers? There can also be scenarios in which multiple providers offer different components of the overall business services.
  • Level of automation—How people-intensive are the business operations? By people-intensiveness, I mean the quantum of people required to carry out the business processes to meet the business objectives. The more automated the business processes, the less people-intensive the operations become.
  • IT dependency—Automation and dependency on IT pose different sets of challenges. Availability of systems, applications and processes to carry out the business processes is essential.

Given all of these guiding principles, in an ideal scenario, the service provider may offer to recover approximately 10 to 15 percent of the outsourced operations within about four to six hours at notional cost as part of standard offerings. Anything over and above this may be subject to additional cost. This is the standard offering that I have come across with different service providers.

When the service provider caters to multiple clients from the same facility using a shared infrastructure, recovery operations will be a challenge in terms of prioritising clients. The outsourcing service provider cannot determine the priority for recovery based on the revenue earned from each client. This would mean that the client who has the smallest deal in terms of revenue would be accorded the lowest priority, which is never an acceptable scenario. Every client will be left worried in this scenario because no one wants to be accorded priorities on a relative basis. Buyers of the outsourcing services may always want to be dealt with on absolute terms.

It is true that some clients are more important than other clients, but in general, clients should receive specific services in the event of contingency as per the contract provisions and commitments signed with them originally. Outsourcing service providers normally offer special recovery arrangements in the event of a contingency at an extra cost.

The question in front of us is:  How much extra cost should we be prepared to pay to ensure continuity of service arrangements? One of the key benefits of outsourcing is that it results in reduction in costs of internal operations. If so, why spend money to procure services to be delivered in the event of a contingency, if they are not required from a business point of view? This is the point at which the RA and the BIA play a key role. You need to be able to make an informed decision on potential risk scenarios that can be material to your operations.

I cannot prescribe an absolute number—in terms of percentage—for you to consider while determining your recovery arrangements. The trend in the industry, based on my experience and that of my colleagues from whom I sought input, is arrangements in which the vendor realistically restores 10 to 15 percent of the operations immediately. In some instances, it could go up to as much as 25 percent, depending on the industry and the scenario. If someone is promising you 100 percent recovery immediately, there is enough scope to reduce your outsourcing cost by reducing the contingency service arrangements component of the outsourcing package.

Gan Subramaniam, CISA, CISM, CCNA, CCSA, CIA, CISSP, ISO 27001 LA, SSCP
is the global IT security lead for a management consulting, technology services and outsourcing company’s global delivery network. Previously, he served as head of IT security group compliance and monitoring at a Big Four professional services firm. With more than 16 years of experience in IT development, IS audit and information security, Subramaniam’s previous work includes heading the information security and risk functions at a top UK-based business process owner (BPO). His previous employers include Ernst & Young, UK; Thomas Cook (India); and Hindustan Petroleum Corp., India. As an international conference speaker, he has chaired and spoken at a number of conferences around the world.

Enjoying this article? To read the most current ISACA® Journal articles, become a member or subscribe to the Journal.

The ISACA Journal is published by ISACA. Membership in the association, a voluntary organization serving IT governance professionals, entitles one to receive an annual subscription to the ISACA Journal.

Opinions expressed in the ISACA Journal represent the views of the authors and advertisers. They may differ from policies and official statements of ISACA and/or the IT Governance Institute® and their committees, and from opinions endorsed by authors’ employers, or the editors of this Journal. ISACA Journal does not attest to the originality of authors’ content.

© 2011 ISACA. All rights reserved.

Instructors are permitted to photocopy isolated articles for noncommercial classroom use without fee. For other copying, reprint or republication, permission must be obtained in writing from the association. Where necessary, permission is granted by the copyright owners for those registered with the Copyright Clearance Center (CCC), 27 Congress St., Salem, MA 01970, to photocopy articles owned by ISACA, for a flat fee of US $2.50 per article plus 25¢ per page. Send payment to the CCC stating the ISSN (1526-7407), date, volume, and first and last page number of each article. Copying for other than personal use or internal reference, or of articles or columns not owned by the association without express permission of the association or the copyright owner is expressly prohibited.