A stunning confession of fraud by the CEO of India's Satyam Computer Services sent major corporate customers into damage-control mode half a world away. State Farm Insurance, for one, was able to react quickly. In two weeks it reprioritized key outsourcing projects, redistributed work among other vendors, and severed its ties to the fourth-largest Indian IT outsourcing firm.
The Satyam scandal not only led to the arrest of CEO B. Ramalinga Raju and CFO Srinivas Vadlamani (among others), but also tarnished an outsourcing industry that seemed poised to boom as companies look for more ways to cut costs. Many offshoring firms have been working diligently to expand their offerings beyond core IT services to more-sensitive (and higher margin) work, including finance and accounting. Now many companies may question just how much they put at risk when they ship work overseas.
"The industry is built on relationships that imply some level of trust and confidence and integrity," says Peter Allen, a partner and managing director for outsourcing advisory firm TPI. Indeed, many agreements have ballooned over the years without an adequate review of risks. Modest projects that began with a handful of people routinely turn into broader arrangements that employ 1,000, with the growth propelled by little more than a handshake.
That seems likely to change. "I wouldn't want to be a CFO who tells my board that Satyam was running our accounts receivable and now it's running out of cash," says David Rutchik, a partner at outsourcing advisory firm Pace Harmon.
Cause to Pause
Indeed, nearly 200 Fortune 500 companies that did business with Satyam, including Cigna, Cisco Systems, Caterpillar, Ford, and General Electric, deny any material fallout from the vendor's troubles. But they do admit to spending more time monitoring the situation. "We have detailed contingency plans," Cigna spokesman Joe Mondy insists. "Regardless of what happens with any of our vendors, the processes we have in place are designed to ensure that customers continue to receive consistent, reliable, cost-effective service."
Experts predict that recent events will spur more-comprehensive scenario planning regarding potential offshoring vulnerabilities, including performance problems, power outages, terrorism, and fraud. "It's causing a lot of people to pause for a second and say, 'Oh my God, there are more unknowns and risk than I thought,'" says Robert E. Kennedy, executive director at the University of Michigan's William Davidson Institute, and author of a book about offshoring called The Services Shift.
Even the most rigorous due diligence may fail to detect certain kinds of problems. "If you look at the WorldCom, Enron, and Madoff scandals, there is no way to completely protect oneself against individual fraud," Rutchik admits. It can be even harder to get a look inside family-run foreign corporations (see "The Right to Remain Silent?"). But to mitigate business disruption, Rutchik cautions companies to scrutinize vendors to the best of their abilities and keep all documentation up to date. Below are some ways to balance the cost savings gained from outsourcing with the serious risks posed by moving work to distant shores.
Involve Finance. Outsourcing experts urge finance executives to get more involved in a decision-making process that is often left to their technology-minded counterparts. The information-technology department is concerned mainly with a vendor's particular skills, says Jean Cholka, CEO of China IT outsourcer Freeborders Inc. A CFO brings a more analytical, risk-management expertise to the assessment of third-party relationships. CFOs are in the best position to ask questions about a vendor's ability to attract and retain talent, manage its costs, meet its growth targets, and stay financially viable.
There was a time when failure to perform on the part of the outsourcing service provider meant that an IT project would be late. Today it may mean that a company can't pay its bills or meet its payroll. "If a service provider isn't able to manage the risk of employees not getting paid on time, that's a business risk most companies can't swallow," says TPI's Allen.
Diversify. State Farm spreads outsourcing risk among several service providers. That's how companies can, with the least amount of pain, pull projects from vendors that falter.
Even outsourcing firms themselves recommend this practice, although smaller clients may need to stick with a single vendor to get any pricing leverage at all. U.S.-based outsourcers Accenture, Hewlett-Packard, and IBM may become more popular if confidence ebbs in foreign firms. This trend is giving a lift to so-called nearsourcing, the term for vendors that set up low-cost operations outside high-wage areas, such as in Eastern Europe, Mexico, and even the United States. But always verify that nearsourcers are not offshore vendors in disguise, since some may ship the bulk of the work to distant shores.
Do More Due Diligence. One common piece of advice has been to stick with well-known brands that trade on U.S. exchanges and are subject to the U.S. securities laws. That will get you only so far: Satyam is registered with the U.S. Securities and Exchange Commission, and both Raju and Vadlamani certified the company's most recent annual report.
Talk to competing vendors to learn about the different ways a given project or workload might be handled, and to gain some pricing leverage, say experts. This way you can also have potential alternatives lined up if something goes wrong, says Nick Benvenuto, a managing director at risk advisory firm Protiviti.
Check customer references, make on-site visits, get acquainted with a vendor's management team, and kick the facilities' tires. Find out who will handle the work, and beware of dog-and-pony shows that obfuscate this aspect of a potential engagement. Frequent on-site visits can provide real insight regarding whether employees seem happy and well cared for, an item that is too often overlooked. "It's surprising how many companies will sign on to an offshoring agreement without a company visit or more than just a perfunctory, one-day visit," Kennedy says.
Have internal auditors comb vendors' financial records. CFOs should confirm that finance executives at potential contractors have similar principles, suggests Surjeet Singh, CFO of Patni Computer Systems, who regularly meets with prospective clients. He also recommends meeting a vendor's board members and reviewing its independence and governance policies.
A Statement on Auditing Standards No. 70 audit can provide insight into a service provider's controls. However, these reports are limited in scope and driven by the vendor, not its auditors. "SAS 70s are a good starting point, but they're only one of the tools of good practice," says Robert Stroud, international vice president of ISACA, a trade organization for IT-governance professionals.
Update Contracts. Review contracts at least twice a year, paying particular attention to how the corporate data that resides with the outsourcer would be retrieved if a problem should occur. Legal access to information is one thing, but if a vendor goes belly up, getting hold of the data quickly and seamlessly is a separate matter. Contracts should stipulate that data is backed up on a daily or weekly basis to a third party, or even to a site near your headquarters.
Shorter, more-flexible contracts can ease a parting of the ways and have become more common. A four-year service contract, for example, may now include yearly renewal triggers. Contracts should spell out how problems or disagreements will be resolved, and give clients a relatively hassle-free out if they're unhappy. Hard to obtain but worth exploring, says Rutchik, are surety bonds or letters of credit posted by a vendor's parent company that back the future performance of its subsidiary. Post-Satyam, he predicts they will be easier to come by.
Know the Exit Signs. Consider your company's response to various worst-case scenarios. At the top of the list: What if the vendor goes out of business? What if the service levels decline? What if you decide to change your business strategy halfway through the contract? What if confidential information is stolen?
Don't get bogged down by the endless possibilities regarding things that can go wrong, cautions Stan Lepak, managing director of global research at outsourcing advisory firm EquaTerra. Nail down the most dire risks and your potential responses. Also, keep in mind the nature of the projects and how difficult each type would be to unwind. Services limited to off-the-shelf software projects may merely be annoying to move. More painful to uproot are more-customized jobs that involve not just coding but knowledge about the company's core systems and processes.
The Satyam scandal reverberates far beyond the world of Indian offshoring. Although an isolated case, it's also a wake-up call that, in turning to service providers of all kinds, in all locations, companies can't simply take the savings and run; they have to continually monitor these business partners. Shortly after the scandal, Satyam said that 90 percent of its clients were staying with the firm. That may be so, but it seems a safe bet that a solid majority of them will take a far different attitude toward such arrangements. They certainly can't say they weren't warned.
Sarah Johnson is a senior writer at CFO.