IT Governance and Outsourcing

The question of whether to outsource IT has become part of the strategic thinking process for a growing number of companies across a wide range of industries. Companies are increasingly evaluating what is core to their business and weighing the benefits of turning non-core, but often critical functions, such as IT over to outside partners. The benefits are compelling. Through outsourcing, organizations can benefit from greater expertise, lower costs and higher quality, as well as free up management to focus on more strategic endeavors.

While the case can be made that outsourcing, at least in the area of IT, is potentially a higher value alternative to internal delivery, its success rate, viewed from the perspective of broad customer satisfaction, has not been equally overwhelming. The absence of good IT governance leading up to the decision to outsource and perpetuating thereafter is often cited as a key reason for failure of the relationship.

Role of IT governance

IT governance exists within the context of corporate governance, and the principles are essentially the same. IT governance is an accountability framework and management process that helps to define and communicate what must be done and provides the rigorous oversight to ensure that it is. It drives interactions and provides feedback mechanisms that encourage communication and desirable behaviors.

The accountability framework is typically made up of well-defined roles and responsibilities reflecting decision rights among the participants in the IT management process and is reinforced by effective reporting.1 Making sure decision rights are clearly defined is critical to resolving a myriad of issues around strategy, standards, monitoring and change introduction.

In an outsourced environment, clarity and communication of decision rights is fundamental. Left un-addressed, both parties are likely to make assumptions that can lead to conflict and unmet expectations. Typically, the outsourcer will want decision rights around the mechanics of service delivery and will defend its authority regarding how services are delivered. Dissatisfaction and conflict arise when the client does not give up decision rights around key components of service delivery.

The flip side of this problem can occur when the client assumes that the outsourcer has all decision rights and abdicates its role in managing an effective IT environment. The outsourcer runs a great risk in trying to fill this void. As much as the outsourcer needs to defend its decision rights around service delivery, the client needs to maintain authority over critical components of IT strategy. Decisions around architecture, security, standards, project priorities and communication are areas where the outsourcer's role is advisory at best.

Decision rights, once defined, are executed through a management structure and the results are monitored through reporting. In an outsourced environment, both components are critical. Not being a part of the client's organization per se, the outsourcer needs to ensure that an effective management and reporting framework is put in place to gain visibility into the client's evolving needs and to continually ensure that it is in step with the client's expectations.

IT governance and the outsourcing contract

Because good IT governance is so essential to establishing an effective IT environment and even more essential to a successful outsourcing relationship, it should receive priority attention during the negotiation and contracting phase of an outsourcing deal. By focusing on governance in the negotiation stage of the relationship, both parties can clarify their respective roles and responsibilities to ensure the relationship's success. Incorporating an IT governance structure, responsibilities and reporting mechanisms into the contract increases the likelihood that the IT governance model will be implemented with the required discipline and rigor. Indeed, good IT governance should be viewed as a principle value of outsourcing.

Contracted IT governance should cover three areas in particular:

  1. Roles and responsibilities
  2. Management structure
  3. Reporting

Roles & Responsibilities

At a high level, four stakeholders are involved in a good IT governance model and their decision rights should be clarified in the contract:

  1. Business unit or functional leadership
  2. Business executive leadership
  3. Senior IT leadership
  4. IT delivery leadership

Business unit or functional leadership typically defines what IT deliverables are essential for meeting the organization's business requirements. The outsourcer will typically not want to undertake initiatives without clear business ownership and clarity around deliverables. The contract should go so far as to state that all projects will require a business owner and that the realization of business benefits from each project is the business owner's responsibility. Otherwise, the outsourcer often ends up being held accountable for non-realized project value when its responsibility was only the technology component.

The role of business executive leadership is likewise important to contract. As in all areas of an organization, business executive leadership sanctions and funds IT activities. Within the contract it must be clear what activity can and cannot happen without executive approval. Typical items contracted as requiring executive approval include:

  • All major projects
  • Changes to critical service levels
  • Major pricing changes or changes to contracted terms and conditions
  • Major IT directional changes

By contracting the requirement for executive ownership of key decisions, the outsourcer ensures that it is brought to the table in critical areas of IT management.

The role of senior IT leadership must be clearly defined to prevent conflict between the outsourcer and the "stay-back" team. This definition should be included in the Statement of Work, which should look very much like an RACI (Responsible, Accountable, Consulted, Informed) chart for outsourced processes. At a higher level, the contract should define the expectations and deliverables of senior IT leadership in the area of IT plan definition, as well as the role of senior IT leadership in the execution of approved plans and in the monitoring of the outsourcing relationship. This clarity ensures that senior IT leadership understands the role they play in ensuring a successful relationship.

The role of IT delivery leadership in an outsourcing contract is generally the best defined as deliverables are articulated in terms of service levels around key processes. What should also be contracted, however, are the management responsibilities of IT delivery leadership, such as their responsibility to provide guidance on evolving technologies, to monitor performance and to perform capacity planning, etc.

Management Structure

Equally important to defining roles and responsibilities is contracting a management structure to support the execution of those roles and responsibilities. A forum must exist wherein requirements can be reviewed and approved and where execution can be monitored. Ideally, this type of structure would already exist within an organization. Too often, however, this is not the case and the contract is an ideal opportunity to create the necessary structure.

A three-level structure made up of the following committees can be built into the contract, ensuring that stakeholders participate and execute their roles and responsibilities:

  1. User committees
  2. Operation committee
  3. Executive committee

User committees formed around business units, technology groupings or business processes are ideal forums in which to review emerging business needs and service delivery. By articulating the need for and the structure of such committees in the contract, the outsourcer establishes a forum for interaction with the client's user community.

The operation committee is generally composed of senior IT leadership and IT delivery leadership. Bringing together the IT leadership of the outsourcer and the client, the operation committee is charged with overseeing approved initiatives and service delivery. It is critical that the composition, agenda, frequency of meetings and deliverables of such a committee be contracted, as it is an essential factor for a successful outsourcing relationship.

The executive committee is the forum for approval of IT directions and initiatives, and the contract should specify the composition, agenda, frequency of meetings and deliverables of this committee as well.


While outsourcing contracts typically require service level reporting to some extent, outsourcers are in an ideal position to introduce a broader scope of IT reporting and support the roles and responsibilities articulated in the contract. User committees would generally require progress reporting on approved projects, enhancement backlog reporting to monitor request status, and of course service level reports on critical processes. The operating committee would require similar reporting and, based on its responsibility for the execution of all IT services, supplemental financial information.

The executive committee reporting requirement would be highly summarized and may take the form of a balanced score card report, touching on four or five critical dimensions, such as business contribution, service quality, budget, user/client satisfaction and strategic direction.

The outsourcing contract should specify the reporting required to manage the relationship and services and, indeed, examples of required reporting should be included within the contract.


While companies are now treating IT as a key element of their business, they often fall short in the area of IT governance, especially when outsourcing their IT functions. By making good governance an essential part of the contract, outsourcers and clients can do a better job of setting expectations and increase significantly their chances of creating a win-win situation for all.


1Peter Weill & Jeanne Ross, IT Governance: How Top Performers Manage IT Decision Rights for Superior Results, HBS Press 2004.

About the Author

Warren White joined CGI in August 2002 as vice president of business engineering. A professional accountant with an MBA, Warren has held senior IT leadership positions as well as functional leadership positions (procurement; strategic planning and finance) in a number of global organizations, including Alcan, Dominion Textile, Johnson & Johnson and Lafarge.

Copyright © 2004 IDG Communications, Inc.

Make your voice heard. Share your experience in CSO's Security Priorities Study.