Outsourcing Best Best Practices: The Sourcing Model for Clients from Carnegie Mellon


Best practices in IT outsourcing tend to be a dime a dozen. Advisory and consulting firms offer them. Professional organizations preach them. Service providers write them up into white papers. Magazines and web sites (like this one) proclaim them in headlines. Plug the terms into Google and you’ll get 22 million results.

So how do you separate out the outsourcing best practices you should really care about from the two-bit ones?

Carnegie Mellon, the same university that introduced the Capability Maturity Model (CMM) and its derivatives to the world, takes a more methodical approach. Several years ago, a team of researchers and academicians in the IT Services Qualifications Center invited a consortium of service providers and client organizations to meet together in a room with the promise of complete non-disclosure to hash out all of the issues, needs and problems they’ve experienced with their sourcing work. The list was considerable. Then, while doing a comprehensive review of literature published on the topic as well as interviews with people doing or providing sourcing, the school invited participants back over the course of several more years to develop that roster into a model upon which to build a list of practices that could truly be called “best.”

Eventually, in late 2001, the Center published the eSourcing Capability Model for Service Providers, which gives outsourcing vendors a standard by which to measure their existing capabilities in delivering IT outsourcing and other services. They can even be certified by the Center in a rather arduous and expensive process to prove their expertise.

But that was just the start.

In February 2006, the Center published part one of a two-part document intended to provide a comparable set of standards by which client organizations could gauge their abilities in sourcing. It includes 95 practices (many that match best practices in the service provider model) that define a world-class operation in sourcing. Likewise, a certification program is being set up.

Why Certify That You’re Good at Sourcing?

Why bother? Isn’t it the service provider that’s supposed to understand how to do this stuff?

Bill Hefley, PhD, Associate Director of ITSqc“There are clients who would like to go for certification because they believe they can use that measure to go back to the service providers and say, ÔLook, we’re about to enter into a new relationship. I am less risk. I am better performing at managing my sourcing activities, and I’m a better customer to you than [company] X-Y-Z down the street,'” said Bill Hefley, Associate Director for ITSqc. “ÔSo we should be able to come up with a better set of terms and conditions, a better relationship than you would find by just picking any customer at random.'”

Although service providers don’t often admit it, the best known are actually quite selective about the clients they’ll work with. Responding to requests for proposals, for example, is a time-consuming activity. So they’ll limit the number of proposals they bid on to those that have the best potential payoff, whether monetary or otherwise (such as signing up a high-profile client that will make for a good reference).

“[Certification] is a way of signaling to service providers, “Hey! Come look at me. I’m actually pretty good,” explained Hefley.

Another reason for client firms to certify their practices, he said, is to give people who are doing sourcing-related work a “standard to compare themselves against and prove what they’re doing is actually a real benefit to…the organization. So there is some pride and professionalism here. We’re really not a profession yet, but this is going to help drive that.”

A major goal for developing the models, said Hefley, is to establish, “the critical best practices you should have in place to be successful and ensure relationships and efficient operations.”

It’s common, he said, for an organization to take somebody who is good at a technical job and turn them into the outsourcing manager, practically overnight, without having the skills and capabilities they need for the new work they’ll be doing. He laid out how the scenario looks to the individual affected by the outsourcing decision: “Last week, I ran a data center. I had all these people working for me. I had all this hardware. I had all these facilities. I was king of everything. Next week, I’m going to hand all of that to X-Y-Zed, and all I’m doing is managing a contract.”

Dr. Jane Siegel, Director of ITSqcITSqc Director Jane Siegel pointed out that poor sourcing practices have a price tag most companies don’t acknowledge. “When we started looking at the situation in 2000, there were multiples cases in the news where companies were spending on the order of $10 million just on the litigation [involved in canceling outsourcing contracts],” she said. “And that didn’t take into account that they had personnel who were employees of corporation X who then were rebadged over to service provider Y and then ended up on the street with no place to go when things fell apart — not to mention the loss of control over intellectual property, which they might be at risk of losing when things got transferred back and forth.”

An Overview of the Model

The best practices, while focused on information technology, are just as applicable to business process outsourcing. They’re organized into 15 “capability” areas, equating to the major areas of effort involved in sourcing activities (whether outsourcing, offshoring or even insourcing — using in-house services in lieu of third-party vendors):

  • Strategy management, such as developing, aligning and documenting the sourcing objectives of the client organization.
  • Governance management, such as setting up and implementing procedures to manage internal stakeholders or service providers.
  • Relationship management, such as establishing and implementing procedures to manage issues and their resolution.
  • Value management, such as benchmarking processes by comparing performance to other organizations in similar sourcing relationships.
  • Organizational change management, such establishing and implementing HR plans to support the sourcing activities.
  • People management, such as making sure the people with sourcing responsibilities have the competencies they need to do their jobs.
  • Knowledge management, such as analyzing and using knowledge gained from sourcing activities.
  • Technology management, such as ensuring that product licenses are managed according to documented procedures.
  • Threat management, such as establishing and implementing procedures to ensure business continuity of sourced services.
  • Sourcing opportunity analysis, such as defining the criteria by which to identify sourcing opportunities.
  • Sourcing approach, such as performing impact and risk analyses of proposed sourcing actions.
  • Sourcing planning, such as defining and documenting service conditions.
  • Service provider evaluation, such as evaluating potential providers using documented criteria and procedures.
  • Sourcing agreements, such as defining the formal SLAs and performance measures for services.
  • Service transfer, such as planning and tracking the transition of the service.

The structure of the model, known as eSCM-CL, is to define each of the best practices in three dimensions: lifecycle, capability area and capability level. For example, the very first best practice cited, “Establish executive leadership for the client organization’s sourcing activities,” is part of the “ongoing” lifecycle phase, resides in the capability area of sourcing strategy management, and appears at level 2 of capability levels.

As with the CMM model, this one also has five levels. Originally, said Siegel, “when we started to do the work, we did not have the five levels.” But participants told the Center, “if you don’t do that, it will create a challenge for executives. It will make it difficult for them to be able to make sense of this… Giving them a profile on a sheet [of paper] that shows that an organization satisfies 84 out of 85 practices was not viewed as being as easy for them to digest as just saying, ÔYou’re at level X.'”

At level 1, a company is performing sourcing — for better or worse. There are no specific best practices that apply to this level.

At level 2, the company is not only doing sourcing, but it’s consistently managing it and following a set of procedures. But it may not have consistent practices across the whole organization; HR may be much more effective than IT in its sourcing practices, for instance.

At level 3, said Hefley, “We have a kind of standard defined across the organization. IT might have had a sourcing objective and HR might have had a sourcing objective. But now at [level] 3 we start talking about the organization putting together a sourcing strategy.”

At level 4, the focus is on adding value. As Hefley put it, “Are we doing the best we possibly can? Are we really adding value, being effective, looking at our capability baselines, benchmarking our performance, looking at whether the organization’s sourcing activities are really adding business value?”

Level 5 — the highest — is “unique,” Hefley said. “It has no practices associated with it.” Once an organization is certified at level 4, it can return in two years for its recertification. If it’s still implementing all practices from level 4, then it can be certified at level 5.

Getting Educated

Besides building the capability model described in the article to help cross the chasm between the services offered by outsourcing vendors and expectations of client organizations, Carnegie Mellon recently added a “service management” specialization to its Masters of Information Systems Management program. The first class, offered in Fall 2005, attracted 28 students.

Said ITSqc Director Jane Siegel, “If you look at where the world is moving and the growth of service areas as a place of employment, a lot of young people are starting to look at needing more [education].”

Eventually, she said, classes would also be available through distance learning.

The Evaluation Process

Becoming certified — whether as a service provider or client company — is anything but easy. According to Siegel, the people performing the evaluations must come in with “at least 10 years of prior experience doing quality audits or assessments to be one of our lead evaluators.” The Center observes them doing practice runs in pilot diagnostics, she said, before they’re authorized to go out and do this. Then when they constitute a team and do an evaluation for certification, it’s specifically a team of five to seven, each of whom has been “trained rigorously and observed by Carnegie Mellon.”

That team goes out onsite to the company being evaluated to collect data, interview staff members and observe demonstrations — all of which is also observed by a senior member of the Center.

Then the evaluation team submits its report to the Center, which has a three-person team review the material. The Center may decide to contact the applicant for additional information and then it makes a judgment call about the certification. After a period when the client company can dispute the findings, the certification is issued.

It’s valid for two years and is specific to a distinct part of the organization, not the entire company. For example, in the case of service provider certifications, it might be for a specific facility and a specific market segment within that facility. For example, in March 2006, the Center certified two IBM delivery centers in India at capability level 4, both for their business transformation outsourcing services in finance and accounting, customer relationship management, HR and procurement processes.

On average, said Siegel, the process from the time the evaluation is begun onsite to the time the decision is issued can run from 65 to 75 days. The Carnegie Mellon fees are $25,000 for the certification (with an additional $10,000 fee for expenses if international travel is involved). The evaluation process is an additional expense, set by the company doing it, such as Underwriters Laboratories, Deloitte Consulting or HP.

And lest you think an organization can buy its way into certification, the Center has set a rule that a client company can’t hire an audit firm from which it has received any consulting in the previous 36 months. “If somebody comes in and help s you write wonderful procedures, they can’t turn around and in six months and evaluate you and say, ÔGee. Aren’t those wonderful procedures?'” said Siegel.

In May 2006, the ITSqc site listed only six service providers that have been certified in the program. Hefley said he expects the first client organization to be certified within a year of publication of the new client model.

Part 2 of the model is expected to be issued, said Hefley, in the late part of 2Q06. It may even be out by the time this article is published. That’s where each of the 95 best practices are described in detail. Part 1 only lists them, along with some summary information about each.

Capability Model as Bridge

Getting to this point in the process of laying out the model has exposed the disconnect that exists between the two groups — client companies and service providers — that, at a micro level, points to the challenges faced by every organization involved in a sourcing effort.

In one workshop, participants were asked to rank the impact and relevance of a set of issues. Then the Center analyzed results, separating client data from service provider data.

“There were some telling results,” said Hefley. “We all talk about SLAs. The service providers look at making their numbers: ÔDid I hit my numbers?’ The clients are looking at it not for, did [the service provider] make [its] number, but did they do the right thing for the business? ÔDid they give me the business value I need?’ So this is really an interesting explanation for why we have these disconnects when we bring these two groups together.”

Said Siegel, “Sometimes it’s a bit of tightrope walk. The clients would rather have a set of processes where they can look at performance of their provider and be critical of them and place blame… The providers are clearly interested in trying to hold the clients responsible for some of the things that happen that aren’t always the ideal occurrences.”

Useful Links

The Carnegie Mellon IT Services Qualification Center

The eSourcing Capability Model for Client Organizations (eSCM-CL) Model Overview

The eSourcing Capability Model for Service Provider Organizations (eSCM-SP) v 2

The Carnegie Mellon Masters in IS Management Service Management program