Provider failure - critical risks in IT sourcing
by Gerold Hauer

Most large organisations have plans in place to compensate for a data centre fire and ensure continuity of IT supply, but what happens if a strategic IT provider is hit by economic turbulence? Here too, IT organisations need to be prepared.
IT risk management is essential, so every business and public sector organisation manages its IT risks - to some extent. Typically, measures are defined to minimise the likelihood of damage and to ensure continuity of IT services in the aftermath of major disruptive events. High-profile incidents such as floods, fires, plane crashes, terrorist attacks and cyber-attacks dominate the discussion.
Beyond these tangible events, however, there are other risks which customers have tended to ignore, but whose impact on IT service delivery can be just as massive. In particular, we want to look at one which has recently come to the fore: the economic difficulties of a central IT service provider.
Complex structures in IT sourcing
Particularly in the case of IT services or business process outsourcing (BPO), it is usually impossible to implement alternatives to a failed supplier at short notice due to the highly complex cooperation between two contracting parties. It is not without reason that in some sectors, such as the banking industry, the external outsourcing of IT services is only approved by the supervisory authority if a concept for the continuation of services in the event of the failure of the service provider is submitted at the same time (e.g. DORA).
Poor results under pressure
For example, the turbulence surrounding the solvency of IT provider Atos in 2024 painfully reminded many customers that an unplanned change of IT service provider is virtually impossible for a number of reasons. Customer situations have repeatedly confirmed that an RFP process without preparation and under time pressure is not successful. In addition, the systematic selection of a new service provider usually takes between six and twelve months. Even in an abbreviated process, where all usual procurement rules are disregarded, outsourcing would hardly be achieved in less than three months - a period which virtually no company can survive without a functioning IT service.
Uncertainty about a service provider's economic survival may initially affect its service quality. This may include reduced staffing levels, the cancellation of maintenance cycles and innovations, an extension of the normal life cycle of components, and the cancellation of planned and ongoing projects. Customers should expect service quality, where service is delivered at all, to sit at the lower end of the agreed service levels, and should expect every change, however small, to be charged for. Over time, the service provider will endeavour to terminate all customer contracts which generate no or low margin at the earliest possible opportunity.
Strategies to protect against the failure of an IT supplier
Bank guarantees from the service provider or insurance to cover migration costs: This solution is mainly required in the environment of international, public companies. However, it is not a solution to the problem as such, and only serves to mitigate the economic consequences of the emergency.
Close monitoring of key suppliers: The aim is to identify economic difficulties at an early stage to enable appropriate countermeasures to be taken if necessary. The challenge here is to obtain sensitive information before the worst-case scenario materialises. This is where sourcing consultancies can identify and validate emerging supplier problems and pass them on to their customers.
Implementation of a two-vendor strategy for the IT service portfolio: By connecting to two service providers, it would be possible to switch between them at short notice, as the technical and contractual groundwork has already been completed. Although this approach provides considerably more security, it also means that maximum economies of scale cannot be achieved.
Willingness and ability to insource: If an internal IT team can take over all IT operations, at least temporarily, the risk of failure of a service provider is reduced. An additional requirement is for the internal staff to have appropriate authorisations for systems (which must still be operational). The team's level of knowledge should be tested through regular emergency drills.
Change of service provider - single source process: Potential new service providers are invited through an RFI to present their transition and delivery capabilities. Experience and customer references as well as their willingness to take over all services "as is" play a central role. The decision on the future partner is then made without going through the usual stages of a sourcing process. For example, to ensure the commercial attractiveness of the offer, we check service prices from our customers' RFPs against a market price benchmark. The results form the basis for a new contract. The whole process should be completed within a few months so the transition to a new service provider can be implemented promptly.
In principle, business operations should be continued by successor companies. In such cases, however, considerable difficulties and quality losses are to be expected, not to mention the complete cessation of activities for the further development and innovation of services. A modular contractual framework for IT outsourcing services, for example, promises to ease the situation. On the basis of this framework, companies can contract binding services with the service provider at a specified quality. At the same time, it offers sufficient flexibility to avoid unwanted dependencies.