The cost of IT outages - from the legal side
- Summary:
- How tough should organisations be when it comes to negotiating those all important terms and conditions? Do you really need that all-encompassing SLA? Or is there another way forward?
In the final part of this series looking at IT outages - parts one and two here - the legal perspective comes into focus.
Risk mitigation in relation to IT outages ultimately comes back to the need for good governance, suggests David Isaac, partner and head of the Advanced Manufacturing Technology Services sector at legal giant Pinsent Masons:
"Poor governance is what we see in the contracts that go wrong - poor governance, probable bad planning and bad communications.
"Where there's an outsourcing situation it is much worse because of having to communicate with not just one supplier but usually a variety of suppliers. How to address those issues is probably more important than the technology damage.
"It is more to do with achievement than technological frailty. Why do we continue to get it wrong? There are probably always going to be outages, but what do we do to ensure that we keep those to a minimum and deal with legal and reputational risk accordingly?
"Good governance and effective communications up and down the chain is obviously incredibly important, but the majority of problem contracts that we see are that way because of poor contract arrangements, because of lack of money, because of poor governance and because of poor contract management."
Buy side organisations need to shoulder responsibility for risk mitigation, adds Isaac, and must not underestimate the complexity of what is involved:
"It is a risk-based judgement. Whether it's around SLAs or contractual risk that you're shifting to a supplier or suppliers.
"You can't actually just assume the risk has gone away and you can check the box in relation to assurance and governance. That isn't sufficient."
Don't get carried away with your expectations or assume that you don't need to plan for worst case scenarios when engaged in contract negotiations, he advises:
"Part of the problem [with outages] is that everyone demands complete continuity and doesn't imagine or plan for anything that is going to be wrong. That means you probably don't get very much attention paid in relation to how you're going to negotiate contractual terms.
"Sometimes it's difficult to negotiate them anyway because, depending on where you are in a customer or supplier supply chain, you don't necessarily always proceed to a position of strength as there is a desire to move quickly without complexity."
And make sure you devote enough attention to the contract terms once they are in place and not get caught up chasing other objectives:
While organisations make great play of the need for tough contracts, in the event they often don't pay enough heed to them once they are in place, he observes:"There is massive complexity. We probably need to slow down. We need to be stronger with those at the top of the office who want outcomes faster than the systems underpinning the business can deliver.
"We can deal with legal risk contractually, but actually it's what happens when the contract ink is dry and then what happens in practice to manage that and ensure delivery."
"Contracts are often a vehicle to camouflage major transformation projects. Typically our experience is that most people don't look at their contracts.
"The SLAs are completely and unnecessarily over the top, honoured in the breach rather than the observance. Things tick along quite nicely until there's a major outage and then things unravel."
Changed days?
On a positive note, Isaac does detect a change in the nature of contract expectations from the buy side:
"What's happening in the contractual landscape is much more focus on incentivisation and payment by results on proactive remedies, rather than a more penalistic and negative approach to entering those sorts of arrangements.
"That's all good if the rhetoric is transferred into the reality of what is contained in the contract - a genuine shift away from the old liability-based, very expensive and transferring-risk-out-of-the-business-to-vendors approach."
Not that the rhetoric does always translate to reality, he admits:
"It really does take a very significant shift in the way in which these contracts are governed and managed. We see lots of RFPs which say this is how we want to do it, we really are going to shift to a new approach.
"But the reality is that price means that some of those things are not necessarily going to be signed off, so again we see a bit of a disconnect between rhetoric and reality."
Isaac concludes with a simple assessment of what organisations really need as a starting point from which to mitigate damage from IT outages:
"Output contracts that incentivise, good governance, proper risk analysis and constant communication.
"They are not going to stop outages, but by proper planning and organisation, we can minimise their impact."