Global legal firm Norton Rose has released a study that reveals a telling disconnect between how an outsourced IT provider and a customer each perceive risk.
The study asked the CIO, legal counsel or procurement manager at 70-plus large firms a series of questions around outsourcing risks, and asked some of the same questions of service providers.
The report [pdf] found that the majority of customers view damage to reputation or brand as a ‘Tier 1’ (primary) risk when entering an outsourcing contract.
This varied somewhat according to the customer's business model: organisations in retail, consumer goods, transport and energy tended to rate downtime as more crucial than financial or professional services firms, which were more concerned with data breaches and reputational risk.
Suppliers and service providers, by contrast, ranked damage to a customer's reputation or brand as a secondary risk, behind service interruption/downtime.
“In the current economic climate, suppliers should be more aware of the importance their clients place on reputation,” the report recommended.
That might even stretch to resisting the temptation to offshore customer-facing jobs, the report said.
Who is managing your data?
The report also asked some interesting questions around the extent to which large organisations conduct due diligence on service providers.
Norton Rose was concerned that customers were not paying enough attention to doing due diligence on key personnel at outsourced service providers before signing a deal.
One in three survey respondents said they did no such due diligence, a further third did basic CV checks, and a final third did full background checks on the provider’s staff, including verification of qualifications.
“Some suppliers actively sought to discourage this kind of investigation and also were unwilling to name key personnel in the contract,” the report noted.
“We were surprised at these results. A project manager who has ‘misrepresented’ his qualifications might fatally damage a project.
“In light of the fallout from rogue employees at Satyam and EDS, we think that customers should review their processes to ensure they are properly protected.”
What do you think? Should a CIO order that due diligence be conducted on the staff of an outsourced IT provider? What about a cloud computing provider?