Sourcing readiness: revival of a millennium theme

Sourcing, tendering and contracting of IT and IT-related services are more complex than ever in a highly regulated time like today.

It is still all about the best solution, the best provider and sharply calculated prices. Where 15 years ago standardization projects decided on future viability and cost-based benchmarking decided on contract extensions, today solution providers and interested customers from midsize companies, corporations and small businesses are driving each other forward through regulatory complexity. How were sourcing projects successful in 2005, what has become obsolete, what is still valid today and what needs to be done now?

Sourcing: Out, In, Multi – it doesn’t work without experts

But also not without a holistic understanding of services.

Regardless of whether we are talking about IT, accounting, services in the broadest sense or logistics: Only with the right provider do companies today become successful in areas that are not part of their core competency. When I founded my first company more than 20 years ago, shared services such as accounting, goods shipping and online services were still in the hands of just a few providers. Outsourcing was a niche term. Today, it’s perfectly normal to decide to no longer operate separate departments for certain services – which is in fact true for companies of all sizes and thus for more and more types of services. Neither a large mobile operator that wants to ship its SIM cards nor a small business with an online store needs to set up everything itself. Own structures are just as unnecessary for the operation of servers as an own mailroom or personnel accounting. Almost everything is now available as an on-demand service, app, store or cloud service. These options mean that anyone, no matter how small or large they start, can appear professional from the outset and, in the best case, scale without worry. 10 customers today, 10,000 tomorrow – no problem. No investment, no risk – really?

Almost 20 years ago, the requirements were still clearly on the side of the users. After the dot-com bubble burst, the digitalization industry was desperately looking for valid ways to build resilient business concepts and actually make money. But the market was a classic buyer’s market: the good practices came from the established departments, and advertisers had to align their services accordingly and market them in a way that could be consumed. A common project for consultants at the time was the topic of sourcing readiness: Is a department ready to outsource parts of its work? Which providers meet the requirements? Does it pay off? What options are there for the workforce and how do we ensure the transfer of know-how?

Turning the tables – welcome to 2022

Fragmented industries, thousands of providers, lots of regulation.

Almost 20 years later, the world looks very different. Large companies, SMEs and small businesses are struggling with the pull of digitization, experiencing a shortage of skilled workers and a flood of options when it comes to contracting out services. Sourcing readiness is experiencing a revival: The question is no longer which provider meets the technical requirements, but whether the requirements are even sufficiently defined for a resilient bidding process due to their complexity – or whether they can be defined at all. At the same time, service providers are confronted with so many requirements of a regulatory and economic nature that they often no longer dominate the market and must constantly adapt.

The example of data protection and compliance quickly illustrates this. It is no longer purely technical performance or the product portfolio, quantities and price frameworks that are decisive, but the fulfillment of all framework parameters around the core topic itself. Let’s assume we are talking about a medium-sized financial company – banking, insurance, transaction services or similar. As part of the group’s goals on growth and efficiency, the onboarding of service providers and providers should ensure that innovative, digital services emerge as differentiators, while at the same time onboarding more customers, maintaining the number of employees and keeping them employed. The topic of sourcing readiness first classically asks about the processes, the systems and applications, as well as the skills of the employees, in order to determine whether one is ready, ready for starting a tender – or in new German: sourcing, bidding process.

The world has become more complex – why?

What was not considered in the complexity of today are requirements, regulations and international pitfalls in data protection and compliance. In fact, security, fraud prevention, and hacker attacks were almost never discussed until around 2010. Laws and regulations were on the horizon, but received little attention via standards such as ISO27001 or QM to ISO9001. Data processing outside the EU? Not a problem. Regular security updates were more a matter of taste. An awareness of the risk of becoming the victim of a ransomware attack tomorrow by choosing an insecure solution simply sounded like the future.

Today, this leads to new aspects, which arise on the part of the bidders. The differentiation point “good service” has moved far to the back and is virtually seen as a commodity. It doesn’t matter whether it’s a cloud service, a fulfillment provider or a software provider: In purely technical terms, the solution must be perfect anyway. Due to the sameness of offerings, such a perception is also artificially created on the market. But can anyone who advertises the supposedly best product also keep up with the latest security standards that are relevant in the client’s particular industry? Is it possible for the provider to meet the requirements of the market even at the level of compliance with laws, ordinances and regulations, while still remaining flexible for upcoming changes? At the latest since the ECJ ruling “Schrems-II”, it dawned on many providers who offer their services on the basis of US cloud providers that today it can very quickly become a matter of questions that no longer focus solely on the actual product and its features. But the contracts have been concluded, technology lock-ins have occurred, in-house know-how has migrated – what now?

Sourcing readiness as the ideal test

Sourcing readiness as an ideal litmus test for business resilience, compliance and continuity

From the golden age of sourcing, companies on both sides of the service divide can now learn to position themselves for the future and allow less dependency:

1. Sourcing scoping

Business process, scope, quantities and acceptance points. What sounds banal at first, only shows its complexity in many companies during sourcing: How do we delimit what exactly is needed from the service provider to be selected? How do we ensure that he receives the tasks for which he was selected? How do we integrate his deliverables, what do dependencies mean, how do we deal with documentation obligations and third-party risks? What level of standardization have we achieved, what level do we need? What happens if the supplier is no longer able to deliver?

2. Business case and tendering

Beyond scope, a robust, monetarily meaningful business case should be developed. Again, it’s not just about the upside, as exit scenarios, penalties, liability issues, and all the things you might not think about at first are becoming increasingly important. This helps one in the preparation of the tender, the actual tender package. At this point, a healthy dose of distrust is also recommended: A high proportion of award projects experience documents being arbitrarily “adjusted” before submission – to the bidder’s advantage. Tender documents must therefore be tamper-proof and audit-proof. At the same time, the small print must be formulated in a robust manner – in the end, it is important that both parties know today how they want to deal with a termination of the contractual relationship.

3. Sourcing Compliance

GDPR, the former EU-US Privacy Shield and the upcoming e-Privacy Regulation may be stressful topics. But just as we take laws on general equal treatment (AGG), occupational health and safety, and product liability for granted, digital goods – in the broadest sense, data – are not just the new oil, but something where we have yet to learn to put on our seat belts as a matter of course. The choice of the right or wrong provider may ultimately determine whether the company is considered exemplary or negligent in the next data protection incident and pilloried accordingly. Despite all preferences for the large cloud providers, it is important to position oneself in such a way that one can quickly change the economic area of digital processing in the event of changes in the framework conditions. On the IT side, this is not a problem in itself thanks to virtualization, container technologies and a significantly changed infrastructure, which means that the readiness analysis should also think about an end to the status quo here early on.

He who buys cheap buys twice

Because quality costs and is always reflected accordingly.

Beyond these points, it is still important to align sourcing processes with established standards such as TPI/ISG, to prepare tenders and bidder discussions professionally, and to cultivate a sense of seriousness. The results must be documented in an audit-proof manner so that transparency can be ensured at an early stage and every detail can be proven in the event of a dispute. Unfortunately, many companies award existentially important services either according to the watering-can principle, gut feelings about sales people, or the classically worst criterion: the supposedly best price.

Philipp Schneidenbach ist Experte für Governance, Risk und Compliance, Enterprise Architecture und IT Service Management. Seine Rolle beinhaltet auch die interne Verantwortung für Legal und Compliance sowie Digitale Transformation. Philipp teilt seine Insights als Sprecher auf internationalen Events und hier bei MoreThanDigital.

Comments are closed.

This website uses cookies to improve your experience. We'll assume you're ok with this, but you can opt-out if you wish. Accept Read More