Final Report SA/CEN/ENTR/371/2006-27 Project 2006/27.9 IT-Outsourcing

Final report SA/CEN/ENTR/371/2006-27 project 2006/27.9 IT-Outsourcing

1 NEN Vlinderweg 6, 2623 AX Delft, NL – PO Box 5059, 2600 GB Delft, NL Telephone +31 (0)15 2 690 390, Fax +31 (0)15 2 690 190, Internet: www.nen.nl

Table of contents Executive Summary ...... 3 1 Introduction ...... 4 1.1 Scope ...... 4 1.2 Objective ...... 5 1.3 Methodology ...... 5 2 Findings ...... 6 2.1 Desk research ...... 6 2.1.1 IT outsourcing ...... 6 2.1.2 Barriers in IT outsourcing ...... 6 2.2 Field results ...... 7 2.2.1 Stakeholders ...... 7 2.2.2 Current situation ...... 9 2.2.3 Current standards ...... 10 2.3 Stakeholder needs ...... 12 2.4 Potential for standards ...... 13 2.4.1 Standards reference framework ...... 13 2.4.2 Terminology standard for IT outsourcing ...... 14 2.4.3 Guideline for IT outsourcing ...... 15 3 Validation workshop ...... 16 4 Conclusions on the research ...... 17 5 Recommendations ...... 19 5 Next steps ...... 19 Annex A : Literature list ...... 21 Annex B : Desk research ...... 24 B.1 Standardization ...... 24 B.1.1 Standardization in general ...... 24 B.1.2 Economic principles behind standardization ...... 26 B.1.3 Characteristics of standards ...... 29 B.1.4 Characteristics ...... 31 B.2 IT outsourcing...... 32 B.2.1 IT outsourcing in general ...... 32 B.2.2 Advantages of IT outsourcing ...... 36 B.2.3 Economic principles on IT outsourcing ...... 36 B.3 List of 'standards'...... 40 B.3.1 ITIL ...... 40 B.3.2 ISO 20000 ...... 41 B.3.3 ISO 17799 ...... 41 B.3.4 PAS 77 ...... 42 B.3.5 ISPL ...... 42 B.3.6 CMM variants ...... 42 B.3.7 COBIT ...... 43 B.3.8 SAS 70 ...... 43 B.3.9 ASL ...... 43 B.3.10 BiSL ...... 44 B.3.11 eSCM ...... 44 B.3.12 Prince2 ...... 44 B.3.13 MoSCoW ...... 45 B.3.14 Software development standards – SDM, DSDM, XP, RAD...... 45 B.3.15 Overview ...... 45 Annex C : Questionnaire ...... 47

2 NEN Vlinderweg 6, 2623 AX Delft, NL – PO Box 5059, 2600 GB Delft, NL Telephone +31 (0)15 2 690 390, Fax +31 (0)15 2 690 190, Internet: www.nen.nl

Executive Summary The organizations of today are no longer asking themselves whether they should outsource, but rather how they should outsource their IT. The size of the global Information Technology (IT) outsourcing market was estimated to be between $200 and $500 billion in 2003 and continues to grow.

While IT outsourcing can provide large benefits to organizations, it is not a process without problems. The problems that are apparent in the general IT sector in the form of failed projects are also evident in the outsourcing of IT. Half of the IT projects still fail to meet their requirements. Outsourcing is a relatively new phenomenon that brings its own problems to the situation.

Standardization has proven itself over the course of years to be able to solve matching problems between parties. IT outsourcing can benefit from standardization by explaining relevant standards, providing guidance to involved parties and stimulating a common understanding. Latest research indicates that standards provide a real value for businesses when implemented. For instance production costs of software and risks to company IT have been significantly reduced because of standards. By verifying the list of problems and noting the needs of organizations in the interviews, a list of requirements for (a) standard(s) is created. Suggestions from the stakeholders are collected and taken into account when formulating opportunities for standards that can fulfill the listed requirements. The opportunities for standards result in three concrete suggestions for standards for IT outsourcing.

Therefore it is recommended to:

— Develop a standard for IT outsourcing: many respondents indicated they have trouble finding the right standard for the right situation in IT outsourcing. It is recommended to develop a standard for IT outsourcing as many respondents indicated it can benefit their organization. Such a standard can encompass the following elements:

I. Reference framework. Describing when which standard is suitable enables users to make an informed decision on the usage of standards. Implementing the standards for the right purpose will benefit the involved parties.

II. General processes. This can provide the guideline for all types of organizations and mainly for reference purposes of the framework.

— Standardization of terminology for IT outsourcing: notions are to be defined for better consistency and understanding. Such a standard language is seen by stakeholders as a useful tool, but is lacking at the moment.

— Develop a guideline for IT outsourcing processes: a process map and list of good practices will enable organizations to perform better. Organizations should be able to refer to the document, enabling a better understanding and a clear division of responsibilities between the involved parties.

If standards can bring change to the IT outsourcing situation by reducing the risk of failure, the impact on the European economy would be very large. As IT outsourcing projects make up billions of the European economy, any small reduction on the chance of failure of such IT outsourcing projects would have large positive consequences.

3 NEN Vlinderweg 6, 2623 AX Delft, NL – PO Box 5059, 2600 GB Delft, NL Telephone +31 (0)15 2 690 390, Fax +31 (0)15 2 690 190, Internet: www.nen.nl

1 Introduction

1.1 Scope

The size of the global Information Technology (IT) outsourcing market was estimated to be $ 99 billion in 1998, $ 120 billion in 2002 and between $200 and $500 billion in 2003 (Willcocks et al. 1999, Lancellotti et al. 2003). Previous research shows that 50% of IT companies will outsource part of their company in 2006, which is up from 20% in 2003 (Hefley and Loesche, 2006). The IT outsourcing market in the European countries is growing rapidly as well (Forrester, 2007). The organizations of today are no longer asking themselves whether they should outsource, but rather how they should outsource their IT.

The three main reasons for the growing importance of outsourcing are (Lee, 2006): Cost and efficiency: Specialized service providers are often able to provide the service at lower costs while offering a wider choice of innovative products. This reflects the positive effects of competition – services provided in-house are likely to be shielded from competition, a condition which lowers the incentives to be efficient and innovative;

Competence: The increasing sophistication and the rapid evolution make it difficult for organizations to maintain competitive competence based on the services provided in-house. Maintaining competitive advantage requires the accumulation and maintenance of a knowledge base in diverse disciplines that in most instances firms would be hard-pressed to justify;

Specialization: The trend in recent years has been towards consolidation and concentration on core competencies, a development which has provides new opportunities for specialized suppliers of both goods and services.

The subject of IT brings in new dimensions over the outsourcing of other services. The following IT characteristics make the process of IT outsourcing increasingly complex compared to other business services: Pervasiveness of IT: IT permeates the entire organization/business processes;

Technological obsolescence: IT evolves rapidly;

Financial obsolescence: The underlying economics of IT changes rapidly;

High switching cost: technological lock-in.

The problems in the IT sector have been described in multiple researches. These show that in the past, half of the IT projects do not live up to expectations (Standish Group, 1995, Beenker, 2004). More resent research has proved that the current situation has not improved (van Heur, 2007, Ernst & Young, 2007). This implies that worldwide, around 300 billion per year is being spent on unsuccessful IT projects. The conclusion from these researches can be that there are many problems in the IT sector and they influence the performance of organizations.

Outsourcing the IT comes with risks such as high costs and ineffective IT as described above. Research (Allen, Kern and Mattison, 2002) shows that these risks are large for organizations. This is because the chances of failure are large while the effects of such failures are large as well. Minimizing the risks of failure should be an objective for the IT outsourcing industry.

4 NEN Vlinderweg 6, 2623 AX Delft, NL – PO Box 5059, 2600 GB Delft, NL Telephone +31 (0)15 2 690 390, Fax +31 (0)15 2 690 190, Internet: www.nen.nl

1.2 Objective

The objective of project 2006/27.9 IT outsourcing is to investigate how standards can support the quality of the service of various components of Information Technology that can be outsourced: maintenance of the technical infrastructure, contract management, software development, IT-service management, and helpdesk activities. Therefore the study shall examine the needs of various stakeholders in the outsourcing process: European companies that are outsourcing their IT-services;

European IT-service providers;

IT-personnel.

1.3 Methodology

The main research question of this project is:

"What are the standardization possibilities for IT outsourcing?"

In order to answer this main question the following questions need to be answered: a) What is IT outsourcing? b) What are the barriers in the IT outsourcing process? c) What are the needs of the stakeholders involved in IT outsourcing? d) What are potential standards for IT-outsourcing?

The desk research provides a basis for the field research by answering the questions a) and b) above. By defining IT outsourcing and by listing the problems organizations face when outsourcing IT, the main topics are described and the scope for the rest of the research is set. The desk research forms the basis for drafting the questionnaire for the field research. In the field research Key terms, economics underlying IT outsourcing and current standards related to IT outsourcing are defined. These findings are described in Annex B. The questionnaire for the field research (Annex C) is built around the model for outsourcing following five phases. Problems are assigned to specific phases of outsourcing and are verified for relevance in the field research.

The field research aims to answer questions c) and d) above. A total of forty five interviews are conducted in The Netherlands, Denmark, France, Spain, and The United Kingdom. 21 Clients participated, 16 suppliers and 8 consultancy organizations. A full list of participating organizations can be found in Annex D. Respondents in the organizations are selected on the basis that they should have experience and an overview of the process when outsourcing IT. The results from the field research are condensed in to the essential needs and standardization possibilities. Based on this condensed information the research question can be answered and conclusions drawn. A final workshop is held to validate the conclusions and recommendations by engaging in a discussion with stakeholders.

5 NEN Vlinderweg 6, 2623 AX Delft, NL – PO Box 5059, 2600 GB Delft, NL Telephone +31 (0)15 2 690 390, Fax +31 (0)15 2 690 190, Internet: www.nen.nl

2 Findings

2.1 Desk research

2.1.1 IT outsourcing First the foundation of the research is laid down by defining the key concepts in this research. In this clause first the main findings of the desk research are presented. The detailed desk research which describes Standardization and IT Outsourcing can be found in Annex B. Second, the findings of the desk research, are put forward to respondents. The aim is to have more information on what respondents think of the current situation, and what their needs are to improve the situation.

The desk research provides the following definition of IT outsourcing:

“1) The one time transfer of resources (human and/or material) to an external party; 2) after which the IT services, the management of resources and the activities required for producing these services are obtained from this external party for a period of time.” (Lee, 2006)

A model is adapted from literature to identify the phases in outsourcing. Beulen et al (2006) analyze the wide variety of phasing models for outsourcing and constructed the model accordingly (Figure 1).

Feedback loop

Decision making

Supplier selection Transition

Transfer

Transformation

Service provision

Contract termination

Figure 1: Outsourcing life cycle of the PON (Beulen et al, 2006)

The following clauses in this chapter make use of this outsourcing life cycle. The five phases of decision making, supplier selection, transition, service provision and contract termination are used to describe problems, needs and opportunities. The information from the field research interviews has been consolidated and is presented in clause 2.2 through 2.4.

2.1.2 Barriers in IT outsourcing These problems have been taken from a variety of sources, knowingly: Delen (2005), Dessing (2006), Egyedi and Verwater (2004), Huibers and Kooper (2005), Joha (2003), Lee (2006), Pol (2006) and de Vries and IJmker (2006). A complete list of problems distilled from this literature would have considerable overlap. In order to keep the list to a proportional size the notions that in their essence address the same issue are eliminated. For the resulting list of problems, categories are created to increase readability of the problems. This list of problems is used during the interviews to stimulate discussion.

6 NEN Vlinderweg 6, 2623 AX Delft, NL – PO Box 5059, 2600 GB Delft, NL Telephone +31 (0)15 2 690 390, Fax +31 (0)15 2 690 190, Internet: www.nen.nl

Category Problems in the process of IT outsourcing

Decision making 1. No cost saving achieved 2. Different local needs in an organization 3. Mismatching strategies between organization and IT 4. Unsustainable software design Selection 5. SLA is unclear 6. SLA is incomplete 7. SLA is inadequately enforcement 8. SLA is seen as a guarantee for success 9. Ambiguous agreements between parties

Transition 10. Short life cycle of ICT product: same roll-out time as life-span 11. Resistance to organizational change is not overcome 12. Unexpected interaction between handed over software 13. Complexity of the software is handed over Service provision 14. Supplier proves less competent than expected 15. Incorrect management from direction-organization (matching demand & supply) 16. Dependency on one party 17. Lack of innovative options in contracts 18. Distrust between parties 19. Insufficient communication between parties 20. Information-asymmetry between parties 21. Insufficient relationship management Contract termination 22. General lack of flexibility options in contracts

Table 1: Problems from literature

The first problem in the list in Table 1 houses a well-documented problem many companies face: No cost saving achieved. This single problem houses many causes why it occurs such as the high transaction costs and a long transition period discussed by Delen. Other issues such as the constraints in the current outsourcing contract as discussed by Huibers and Kooper can be found in the 16th problem in the list, the dependency on one party. This way, many causes for problems that are discussed in literature are still represented in this list, only as a cause to a listed problem.

Some problems that are indicated by organizations can also be nuanced. These problems are not so much a problem specific for the process of IT outsourcing but more a problem that is independent of the process. For example: “Often, interviewees fear that outsourcing leads to losing control over the processes. That fear appears to be unfounded as this already is the case for many processes in a company.” For instance, for many companies the salary administration already is a black box. Whether that black box is then situated internally or externally in a supplier‟s organization does no longer matter (Huibers and Kooper 2005).

2.2 Field results

2.2.1 Stakeholders Many categories of stakeholders are involved in the IT outsourcing processes. Generally speaking, three types of stakeholders can be identified:

7 NEN Vlinderweg 6, 2623 AX Delft, NL – PO Box 5059, 2600 GB Delft, NL Telephone +31 (0)15 2 690 390, Fax +31 (0)15 2 690 190, Internet: www.nen.nl

Type of stakeholders Characteristics 1) The party outsourcing its IT The party often has limited knowledge on IT, as this is not its core business. The party has limited knowledge on outsourcing as such processes are not frequent. 2) The party supplying the IT The party often has ample knowledge on IT, as this is its core business. The party has reasonable knowledge on outsourcing as such processes are not infrequent. 3) The party consulting on the process The party has varying knowledge on IT, depending on its specialization. The party has high knowlegde on outsourcing.

This study has taken into account all types of stakeholders. However, because of the knowledge asymmetry between these parties, having respondents from the client type is of high value to the research.

Table 2Error! Reference source not found. indicates the name of the organization, role and country of the respondent. French respondents indicated they wished to remain anonymous in the report. The names of the organizations are known to the author of this report.

Organization Role Country NEN Client The Netherlands ADIF Client Spain Amsterdam Client The Netherlands ARSYS Supplier Spain Axa Client The Netherlands Blinklane Consultancy The Netherlands Byggestyrelsen Client Denmark Capgemini Supplier The Netherlands Dansk Standard Client Denmark DHL Client United Kingdom Dimension Data Supplier United Kingdom FrontMedia Supplier United Kingdom GetronicsPinkroccade Supplier The Netherlands Hogeschool van Amsterdam Consultancy The Netherlands Hot ITem Supplier The Netherlands IBM Supplier The Netherlands IBM Consultancy The Netherlands IBM Supplier Denmark IECISA Client Spain ING Client The Netherlands InterWorld Supplier The Netherlands Kirkman Consultancy The Netherlands KLM Client The Netherlands Koncern IT Supplier Denmark KPMG Consultancy The Netherlands LaMark Supplier The Netherlands Large Software Services company Supplier France Large supermarket distribution company Client France Logica CMG Supplier The Netherlands Major IT Services Company Supplier France Major TV company Client France Min V&W Client The Netherlands Mitopics Consultancy The Netherlands NHS Client United Kingdom Port of Rotterdam Client The Netherlands Professional trade union Client France 8 NEN Vlinderweg 6, 2623 AX Delft, NL – PO Box 5059, 2600 GB Delft, NL Telephone +31 (0)15 2 690 390, Fax +31 (0)15 2 690 190, Internet: www.nen.nl

RENFE Client Spain RTL Nederland Client The Netherlands Schiphol Client The Netherlands Selskabsstyrelsen Client Denmark SERVO Supplier United Kingdom Sogyo Supplier The Netherlands Telefonica Client Spain TU Delft Consultancy The Netherlands Twynstra Gudde Consultancy The Netherlands Table 2: Interviewed Organizations

2.2.2 Current situation Respondents were asked to indicate whether they recognize the problems listed from literature. This step is done to check whether problems in IT outsorucing are still apparent today. As can be seen in Figure 2, all of the problems found in the field research are recognized by a majority of the respondents. Recognition implies that the respondent faces the problem or has faced the problem recently. Ranging from 60 to 85% the problems found in literature are still apparent today among the respondents. The problems that are recognized the most are problems with contracting and SLA‟s and with distrust and insufficient communication.

Figure 2: Recognized problems

If the respondent recognized the problem, he was asked to indicate in which phase of the outsourcing phase it occurred. In Figure 3 one can see that most of the problems occur (38%) during the service provision phase. After this, the transition phase houses the most problems (26%), followed by the decision making (12%) and the selection phase (17%). The least problems occurred during the contract termination phase (7%).

9 NEN Vlinderweg 6, 2623 AX Delft, NL – PO Box 5059, 2600 GB Delft, NL Telephone +31 (0)15 2 690 390, Fax +31 (0)15 2 690 190, Internet: www.nen.nl

Figure 3: Problems by outsourcing phase

When confronted with the list of problems found in literature, respondents indicate that they face additional problems during IT outsourcing. This is addressed in the following clause where the organizations' needs are presented. Annex E provides more insight into the interviews, including some insight into the remarks made by respondents.

2.2.3 Current standards In this clause the usage of the described standards is presented, and relevant comments made by respondents during the interviews are noted.

In this section it will be described what standards are known, whether they are used and how they are valued. Figure 4 displays the acceptance of the standards and Figure 5Error! Reference source not found. shows the appreciation of the standards. Respondents could indicate whether they know a standard or not. This was put into a graph for all the standards that are described in this report.

Figure 4: Knowledge on and usage of standards

10 NEN Vlinderweg 6, 2623 AX Delft, NL – PO Box 5059, 2600 GB Delft, NL Telephone +31 (0)15 2 690 390, Fax +31 (0)15 2 690 190, Internet: www.nen.nl

Figure 4 shows that while some standards are very well known, others are relatively unknown. ITIL and Prince2 for instance are known to nearly all respondents, while PAS 77, eSCM and SA-CMM are unknown to many respondents. The percentage of respondents that currently use a standard has the same pattern as the knowledge on the standards. The difference is that its percentage drops from half to two thirds: for instance only 35% of the respondents use ISO 20000, while 70% know the standard. An important remark is that the age of the standards varies. SA-CMM, eSCM and ISPL for instance are relatively young standards. ITIL and SDM on the other hand have been around for a longer period of time. Figure 5Error! Reference source not found. Error! Reference source not found. displays what percentage respondents that know the standard found it valuable or even of high value. Only the respondents that know a standard are allowed to value it. Therefore, the percentages displaying unknown standards in this figure (such as the SA-CMM) cannot be regarded as representative.

Figure 5: Appreciation of standards

. Some key remarks that multiple respondents throughout Europe made are listed below. This list below is only summary of the remarks that led to the formulation of stakeholder needs in the following clause.

— "Good expectations-management is needed"; — "A common language and a Total Cost of Ownership model is needed for transparency and understanding"; — "The whole process of outsourcing needs to be mapped and essential aspects (legal, procurement, management involvement, complicance and HRM) for each phase needs to be indicated"; — "Simple and modular standards are needed"; — "The market comformity of (in-house) IT service delivery needs to be tested"; — "Does the strategy of IT outsourcing matches the vision of how IT services the business?"; — "A business case for non-core IT needs to be made"; — "How can procurement be structured in a way that it is comprehensible for all parties involved?"; — "Straightforward SLA's and contracts that leave room for innovation, flexibility and scale advantages are needed"; — "Managing expectations is key in IT outsourcing"; — "We are using standards increasingly to differentiate suppliers on a qualitative level"; — "Define success together. For instance, let the supplier have part of the benefits that are realised thanks to an improved and more efficient IT delivery"; — "Clearly define the roles of client and supplier. Competencies should be mapped to what each party can offer in the relationship"; — "A standard process for SLA's and RFP's is missing and companies are experiencing this lack of information and common understanding"; — "A standard should not be developed at a national level: an international focus is needed and for gaining the necessary support".

11 NEN Vlinderweg 6, 2623 AX Delft, NL – PO Box 5059, 2600 GB Delft, NL Telephone +31 (0)15 2 690 390, Fax +31 (0)15 2 690 190, Internet: www.nen.nl

2.3 Stakeholder needs In this clause the needs for an improved situation in IT outsourcing are mentioned. These are based on data from the interviews with respondents. Respondents have been very open about their needs from a standard. Given the fact that this research is exploratory, a wide variety of responses were allowed in the research. However, to come to clear recommendations, responses have to be grouped into more general needs. Such general needs as listed below are however based on remarks made by respondents in the research.

The objective of the list in this clause is to present what organizations need from standards to help them improve the process of IT outsourcing. The list is constructed using the problems from the previous clauses and the input from respondents from the field research. A number of respondents had clear suggestions on what a standard requires to solve problems in IT outsourcing.

If a standard can fulfill a requirement from the list below successfully, it will solve (a) problem(s) in IT outsourcing. Some of the requirements in Table 3 address multiple problems. A single standard cannot fulfill all of the requirements as some of the requirements are mutually exclusive. The list of requirements should be used as a 'menu' from which a selection can be made to create a potential standard for IT outsourcing.

(A) Standard(s) for IT outsourcing should:

Quality 1. Be modular 2. Be compact 3. Be simple 4. Be interoperable 5. Be complete 6. Be adaptive to the situation (Constructed for specific aspects as client/supplier, profit/non-profit, geography, maturity and the scope and sourcing strategy of an organization) 7. Have a clients, suppliers, consultants and knowledge institutes involved in its development 8. Not be intensive to develop Focus 9. Facilitate clients as well as suppliers 10. Cover the IT aspects of functional management, application management and technical management. Relationship 11. Facilitate a win-win situation for clients and suppliers 12. Facilitate optimal relationship between parties (Establish a trust relationship between parties) 13. Facilitate understanding between parties (Facilitate better agreement on requirements & prioritize them, Prevent endless change in requirements) 14. Keep the client connected to the process 15. Cover procurement procedures 16. Aid in the creation of RFX‟s, SLA‟s and contracts. 17. Cover contract management 18. Cover expectations management 19. Cover the transfer of IT knowledge between parties Information 20. Provide a frame of reference to relevant standards gathering 21. Cover common terms and language 22. Facilitate gaining insight into the client‟s IT processes (alignment to the business as well as the supplier) 23. Aid in determining the core business of the client 24. Aid in determining the scope (people and assets) 25. Aid in finding out the exact requirements and their respective owners Decision 26. Explain which steps in outsourcing have to be taken making 27. Explain what aspects (legal, procurement, line manager, business, compliance, HRM) are important for each step 28. List essential issues to look into before determining a strategy 29. Provide a basis for certification or readiness for outsourcing 30. Aid in writing a business case 12 NEN Vlinderweg 6, 2623 AX Delft, NL – PO Box 5059, 2600 GB Delft, NL Telephone +31 (0)15 2 690 390, Fax +31 (0)15 2 690 190, Internet: www.nen.nl

31. Aid in reorganizing IT processes before outsourcing Control 32. Aid in the control of the process (Facilitate process monitoring, Addressing Governance aspects) 33. Provide the user with tools to overcome resistances to change 34. Provide advice on transition management and reorganizations 35. Provide a method for project management 36. Provide means for the control of suppliers (Check market conformity, Provide ability to weigh quality and costs) 37. Provide means to organize the direction-organization 38. Provide means for continuous innovation Table 3: Requirements

2.4 Potential for standards In general, the requirements stated in the previous clause address the need for a common ground of communication between parties. Based on the requirements that are formulated, opportunities for standards can be found that can help solve problems in the IT outsourcing process, by fulfilling the requirements list that was generated using the data from respondents. Respondents provided valuable suggestions on which type of standard can provide benefits. Each of the standardization possibilities below is suggested by multiple respondents as a solution to problems listed in section 2.2 and can fulfill requirements as listed in section 2.3 of this report.

2.4.1 Standards reference framework A reference framework is suggested by multiple respondents as helpful in their situation. The framework is based on the matrices (Annex B, section 3.15) and is constructed using standards from Annex B. The framework‟s main purpose is to provide organizations guidance in selecting and combining standards for IT outsourcing.

For the guidance in selecting a standard, such a framework is useful according to multiple respondents. Two important functionalities should be incorporated into the framework. First, the basic processes of IT outsourcing should be described. This can be done on the basis of a general outsourcing standard for services as described in the Final report for project 10 "Outsourcing of services" (NEN, 2008). This standard can refer to such a general standard for the processes of outsourcing. Second, the framework should describe how the referred standards can be used in IT outsourcing situations. Practical advice should be available in the form of best practices on how to use the standard for this purpose. Guidelines on what terms are used in which standard should help the users of this framework to understand the interconnections between the standards in the framework.

An example of such a framework in makes use of two dimensions, knowingly the sourcing phases (decision making, selection, transition, service delivery and contract termination) and the IT aspects (functional, application and technical management, see Figure 6). Standards are appointed to these dimensions, and can, if necessary, span various sourcing phases and IT aspects. The standards are appointed according to their most important function in the IT outsourcing process. Depending on whether in the development is chosen for stability and compatibility or for user base, either de facto or formal standards can be referred to. In the final workshop the participants indicated a dynamic framework would be most useful to them. A dynamic framework would be able to cope with changing standards that are referred to. Dynamism can be obtained by deviating from the usual form of standards buy instead delivering a website that explains the reference framework.

Users are guided by the framework to a specific standard depending on what phase of outsourcing, what type of IT they are discussing and how they want to use the standard. For instance if a client is looking for standards while he is in the selection phase of outsourcing applications, according to the framework the client should use CMM and ISO 17799 in this case.

13 NEN Vlinderweg 6, 2623 AX Delft, NL – PO Box 5059, 2600 GB Delft, NL Telephone +31 (0)15 2 690 390, Fax +31 (0)15 2 690 190, Internet: www.nen.nl

Figure 6: Standards framework

In addition to selection of standards appropriate for the situation, the standard will explain the relations with other standards relevant for the situation. In the above example, the standard will describe that ISPL should be used for managing the current selection phase. Also, the framework will explain that Prince2 should be used for management purposes in the transition phase of outsourcing.

Respondents during the final workshop noted that it is important prior or during the decision making to measure how mature the client's IT is. Then during the supplier selection this can be matched to the suppliers' IT maturity.

This type of standard would primarily solve problems by:

— Providing a frame of reference to relevant standards;

— Providing an overarching terminology;

— Facilitating both clients and suppliers;

— Covering expectations management.

2.4.2 Terminology standard for IT outsourcing Multiple respondents in the research indicated a need for standardized terminology. A remark that was repeated by many respondents was that a common language is the basis of any relationship. Such a language is lacking at the moment. Miscommunication is seen by respondents as a major source of problems in IT outsourcing relationships. Complex notions on topics such as HRM, hardware, software, procurement, finances and service level agreements can be described in a terminology standard.

By referring to such a standard, organizations involved in IT outsourcing can benefit from a better shared understanding. Documents describing the relationship between organizations can benefit from a single source of terminology. Contracts and related documents would use less organization-specific terminology and more common terminology. Existing standards mentioned by the workshop participants are ISO Guide 2 on terminology and ISO 9126 which explains terminology in the IT field. Workshop participants indicated that such a terminology standard would be helpful in IT outsourcing as it would for instance enable better measurement of SLA's.

14 NEN Vlinderweg 6, 2623 AX Delft, NL – PO Box 5059, 2600 GB Delft, NL Telephone +31 (0)15 2 690 390, Fax +31 (0)15 2 690 190, Internet: www.nen.nl

This type of standard would primarily solve problems by:

— Covering common terms and language;

— Facilitating understanding between parties;

— Aid in the creation of RFX‟s, SLA‟s and contracts.

2.4.3 Guideline for IT outsourcing The goal of this proposed standard is to guide its user(s) through the IT outsourcing process by providing a process map, good practices and common pitfalls. Organizations should be able to refer to the document, enabling a better understanding and a clear division of responsibilities between the involved parties. Taking lessons from literature as well as field research, the issues can be discussed step by step following the sourcing life cycle of Decision making, Selection, Transition, Service Delivery and Contract termination. Sub-processes can be appointed to each of these main processes, thus creating a process-map for the outsourcing cycle. Where applicable, specific processes for the three areas of functional, application and technical management can be assigned.

Best practices and common pitfalls should guide a user of the guideline to perform activities optimally. Such practices enable organizations to anticipate expected problems. The practices also suggest the actions that are to be taken by outsourcing partners. Examples of best practices are:

— In the decision making phase it is considered wise to test the market conformity of one‟s own IT services before making outsourcing the primary goal. Perhaps the company‟s own IT is performing quite up to market standards, but is the business simply not connected properly leading to a distorted view of the IT‟s performance. This forces the company to formulate the reasons why they want to start outsourcing. Testing the maturity is also wise because this provides valuable input in the selection phase. The potential suppliers will be able to consider more accurately what the best solutions are for the situation.

— In this selection phase it is important for the client to set up a proper business case for the supplier. Why would they want to be our partner? What is in it for them? Perhaps the business case is not very strong for a company‟s specialized systems, which may force the supplier to cut corners later on in the process.

— In the transition phase it is important for the supplier to keep the client involved in the process. Stimulating the client‟s IT staff to share all the knowledge on the context and the history of the IT systems is essential for smooth transition as well as future service delivery.

— An important aspect in the service delivery phase for both client and supplier is the construction of a good direction organization. The direction organization matches the demand of IT from the business with the supply of IT from the supplier. The client has to realize that while it does no longer have to directly manage its IT department, he does have to put effort into directing the supplier on what the client's business needs are.

— In the contract termination phase, it is important as a client to have the duration of as many contracts as possible lined up. This will enable the client more options what supplier to select for his IT: he can choose one supplier for all IT, use many different vendors or other sourcing solutions.

Workshop participants indicated that such a guideline would be very helpful to the market as clients for instance do not have clear indications how to decide, plan and take common pitfalls into account. Supplier have both similar issues as well as specific issues to deal with. Emphasis was placed not to start such a guideline from scratch but to use what is available in company and formal standards. It should be defined what the goals are for each party and what they are required to do.

This type of standard would primarily solve problems by:

— Facilitating understanding between parties; 15 NEN Vlinderweg 6, 2623 AX Delft, NL – PO Box 5059, 2600 GB Delft, NL Telephone +31 (0)15 2 690 390, Fax +31 (0)15 2 690 190, Internet: www.nen.nl

— Covering all the common processes and explaining what is important in each process;

— Providing means for managing suppliers;

— Keeping the client connected to the process;

— Being modular (can be adapted to the user's needs).

3 Validation workshop A one-day workshop was organized on 27 May 2008 in order to validate the findings from this research by presenting them to stakeholders. The workshop was by twenty four participants1. A full list of participants is available upon request. In the morning the research data from this report was presented to the workshop. Specific attention was paid to how the standardisation proposals can address the needs of stakeholder in IT outsourcing. In addition, the workshop included a speaker from ABN-AMRO explaining the impact of IT standards on company policy and results.

The afternoon included a discussion session on the findings from the research. The workshop confirmed the findings of the research: feedback ranged from generally positive on the conclusions, to creative on additional standardization topics and types of standards to address IT outsourcing standardization needs. The workshop participants indicated that the needs correctly cover what is required by the IT outsourcing stakeholders. The participants indicated that a standardization reference framework can be useful, but which standards are portrayed to in which area of the matrix can be discussed. In general terms, the participants indicated that the conclusions and recommendations would be beneficial to the market. The participants were eager to find out on possible future programs of CEN on standardization of IT outsourcing.

1 The workshop was attended by: 7 service providers 2 client organizations 2 representatives of the European Commission 1 academic 6 consultants 6 standardisation professionals

16 NEN Vlinderweg 6, 2623 AX Delft, NL – PO Box 5059, 2600 GB Delft, NL Telephone +31 (0)15 2 690 390, Fax +31 (0)15 2 690 190, Internet: www.nen.nl

4 Conclusions on the research While IT outsourcing can provide large benefits to organizations, it is not a process without problems. The problems that are also apparent in the general IT sector in the form of failed projects are evident in the outsourcing of IT. Outsourcing is a relatively new phenomenon that brings its own problems to the situation.

By verifying the list of problems and noting the needs of organizations in the interviews, a list of requirements for (a) standard(s) is created. Suggestions from the stakeholders are collected and taken into account when formulating opportunities for standards that can fulfill the listed requirements.

Both clients and suppliers that were approached in this research indicated that standardisation for IT outsourcing can be a benefit to the market as it can:

— Facilitate clients as well as suppliers by having a approach that describes the processes for both parties; — Cover the IT aspects of functional management, application management and technical management, building on the work of other standards; — Facilitate optimal relationship between parties (Establish a trust relationship between parties) by emphasizing the common gains that are possible; — Facilitate understanding between parties (Facilitate better agreement on requirements & prioritize them, Prevent endless change in requirements); — Keep the client connected to the process by defining when the client needs to be actively involved in the process; — Benefit procurement procedures by standardising the basis of the process and providing flexible additions; — Aid in the creation of RFX‟s, SLA‟s and contracts by providing a common ground to start from and by providing flexible additions; — Benefit contract management by standardising the basis of contracts, providing flexible extras with which to construct contracts recognizable by all parties; — Cover the transfer of IT knowledge between parties; — Provide a frame of reference to relevant standards; — Define common terms and language; — Facilitate gaining insight into the client‟s IT processes (alignment to the business as well as the supplier); — Aid in determining the scope (people and assets) of the IT outsourcing; — Aid in finding out the exact requirements and their respective owners; — Defines the processes of IT outsorucing; — Explain what aspects (such as legal, procurement, line manager, business, compliance, HRM) are important for each step, thus facilitating transition management and reorganizations; — List essential issues to look into before determining a strategy and the corresponding business case, facilitating a good foundation for a decision to start outsourcing, thus preventing the process from starting if it is done so on the wrong grounds; — Provide a basis for certification or readiness for outsourcing, allowing suppliers to know when a client is a good partner; — Aid in reorganizing IT processes before outsourcing by offering a series of structures based on other standards; — Aid in the control of the process (Facilitate process monitoring, Addressing Governance aspects) — Provide a method for project management by using standards for project management and adapting them to IT outsourcing needs; — Provide means for the control of suppliers (Check market conformity, Provide ability to weigh quality and costs); — Provide means to organize the direction-organization by standardising how to translate business needs to IT needs;

17 NEN Vlinderweg 6, 2623 AX Delft, NL – PO Box 5059, 2600 GB Delft, NL Telephone +31 (0)15 2 690 390, Fax +31 (0)15 2 690 190, Internet: www.nen.nl

The opportunities for standards as indicated by the respondents result in three concrete suggestions for standards for IT outsourcing.

The first opportunity is a standards reference framework for IT outsourcing. A reference framework is suggested by multiple respondents as helpful in their situation. Its main purpose is to provide organizations guidance in selecting and combining standards for IT outsourcing. First, the general processes of IT outsourcing should be described. Second, the framework should describe how relevant standards can be used in IT outsourcing situations.

The second opportunity is a terminology standard for IT outsourcing. Complex notions can be described which enables documents such as contracts, SLA's and RFX's to be more consistent. Such a language is seen by stakeholders as a useful tool, but is lacking at the moment.

The third opportunity is a guideline for IT outsourcing. The goal of this proposed standard is to guide its user(s) through the IT outsourcing process by providing a process map, good practices and common pitfalls. Organizations should be able to refer to the document, enabling a better understanding and a clear division of responsibilities between the involved parties. Best practices and common pitfalls should guide a user to perform activities optimally.

18 NEN Vlinderweg 6, 2623 AX Delft, NL – PO Box 5059, 2600 GB Delft, NL Telephone +31 (0)15 2 690 390, Fax +31 (0)15 2 690 190, Internet: www.nen.nl

5 Recommendations On the basis of the performed research, the following recommendations can be made in the field of outsourcing:

II. General processes. This can provide the guideline for all types of organizations and mainly for reference purposes of the framework.

IT service providers and IT clients have both indicated that they would be interested to participate in the development of a standard on IT Outsourcing. However, given the feedback received during the research, it seems unlikely that any of these stakeholders would take the initiative and allocate resources to start the development of the standard. Therefore it is recommended that CEN would initiate the creation of a Technical Committee to develop the standard(s) on IT Outsourcing. 5 Next steps

A CEN Technical Committee should be established to implement the recommendations that are mentioned above.

Because it is unlikely that sufficient funding will be found from stakeholders to establish a Technical Committee (i.e. funding of the technical management of the Technical Committee), it is recommended that CEN request the European Commission for financial support to the technical management of the Technical Committee.

In order to ensure the quick availability of a working document to enter the consensus building and validation process, it is recommended to establish a small project team with paid experts in the field of IT Outsourcing.

19 NEN Vlinderweg 6, 2623 AX Delft, NL – PO Box 5059, 2600 GB Delft, NL Telephone +31 (0)15 2 690 390, Fax +31 (0)15 2 690 190, Internet: www.nen.nl

Summary of next steps

Recommendation Next steps Responsibility Creation of a standard for IT- CEN requests European CEN Outsourcing, creation of a Commission for financial European Commission terminology standard for IT- support to the technical Outsourcing and creation of a management of the Technical guideline for IT outsourcing Committee on IT-Outsourcing processes

CEN requests European CEN Commission for financial European Commission support to establish a small project team with paid experts to draft a working document on IT- Outsourcing CEN establishes Technical CEN Committee on IT-Outsourcing

20 NEN Vlinderweg 6, 2623 AX Delft, NL – PO Box 5059, 2600 GB Delft, NL Telephone +31 (0)15 2 690 390, Fax +31 (0)15 2 690 190, Internet: www.nen.nl

Annex A: Literature list

Allen D., Kern, T. and Mattison, D., (2002) “Culture, power and politics in ICT outsourcing in higher education institutions” European Journal of Information Systems, 11. pp. 159-173

Aubert, B.A., Michel P., Rivard, R., (2003) “A tale of two outsourcing contracts, An agency-theoretical perspective.” Wirtschaftsinformatik 45, 2, P. 181–190

Bayens, G., (2007) “NORA: de Nederlandse Overheid Referentie Architectuur“ http://www.xml- holland.nl/HTML/frame_artikel/frame_element/artikelen/toepassing/nora/nora.html visited 09-05- 2007

Beenker, N. (2004) "Studie naar succes- en faalfactoren van complexeICT-projecten", Ordina (Dutch)

Beulen E., Delen, G., Heisteeg, van de, R., Wijers, G., (2006) ”Outsourcing van IT.” Platform Outsourcing Nederland, van Haren Publishing.

BSI (2007) “PAS 77:2006” http://www.bsi-global.com/en/Shop/Publication- Detail/?pid=000000000030141858, visited 07-05-2006

David, P.A. (1985), “Clio and the Economics of QWERTY” American Economic Review, 75, pp. 332- 336.

Delen, G., (2005) “Decision- en controlfactoren voor IT-sourcing” Van Haren Publishing, Zaltbommel

Dessing, R., (2006) “ICT uitbesteden: tijd investeren en prioriteiten stellen.” Outsourcing Magazine vol 6, DeltaHage, Den Haag, p. 23

DIN (2000) “Economic Benefits of Standardization” Summary of Results Final Report and Practical Examples, Berlin: Beuth

DTI (2005) “The Emperical Economics of Standards” DTI Economics Paper No. 12, June 2005

Egyedi, T.M. & Z. Verwater-Lukszo (2004) “Coping with Flexibility: Standards in IT and the Batch Processing Industry” in Francoise Bousquet, Yves Buntzly, Heide Coenen, Kai Jakobs (Eds.), EURAS Proceedings 2004, Vol. 36, pp. 105-120.

Egyedi, T.M., (2007), “Economic value of standards.” IEC Lecture Series, IEC, Geneva, Switserland.

Ernst & Young, Juni 2007, "ICT Barometer", www.ictbarometer.nl (Dutch)

Farrell, J. and G. Saloner (1988) “Coordination Through Committees and Markets”, RAND Journal of Economics, 19, pp. 235-252.

Goodin, R.E., (1998) “The theory of institutional design.” Cambridge University Press, New York

Hancox, M. and Hackney, R. (2000) “IT outsourcing: frameworks for conceptualizing practice and perception.” Information Systems Journal, Vol. 10 No. 3, pp. 217-37.

Hefley, W.E. and Loesche, E.A. (2006) “The eSourcing Capability Model for Client organizations v1.1” Carnegie Mellon University, Pennsylvania, USA

Heur, van, R. (2007) "Meer dan helft ICT-projecten mislukt" Computable (Dutch)

Holmstrom, B.R., Tirole, J., (1989) "The theory of the firm." Handbook of Industrial Organization, in: R. Schmalensee & R. Willig (ed.) “Handbook of Industrial Organization” edition 1, volume 1, chapter 2, pages 61-133, Elsevier.

21 NEN Vlinderweg 6, 2623 AX Delft, NL – PO Box 5059, 2600 GB Delft, NL Telephone +31 (0)15 2 690 390, Fax +31 (0)15 2 690 190, Internet: www.nen.nl

Huibers, T. and Kooper, M., (2005), “Nieuwe ronde, nieuwe kansen.”, KPMG, Amstelveen

ISACA (2007) “COBIT Frequently Asked Questions” http://www.isaca.org/Content/NavigationMenu/Members_and_Leaders/COBIT6/FAQ6/COBIT_F AQ.htm#1, visited 07-05-2007

ITIL & ITSM World (2007) “ISO 20000, BS15000 and ITIL” http://www.itil-itsm-world.com/itsm-kit.htm, visited 07-05-2007

Jacobs, K., (2005) “Advanced Topics in Information Technology Standards And Standardization Research.” Idea Group Publishing, New York

Joha, A.S.J.R. (2003) “The Retained Organization after IT Outsourcing” Delft University of Technology, Delft

Koppenjan and Klijn (2004) “Uncertainty and Institutions: Pattern, Rules and Trust.” TU Delft and Erasmus University Rotterdam, Institutional design in a Global economy, SPM 4410, Faculty of Technology, Policy and Management

Lacity, M. and Willcocks, L., (2003) “IT sourcing reflections Lessons for customers and suppliers.” Wirtschaftsinformatik 45 (2), pp. 115-125

Lee, J., (2006) “Sustainable IT outsourcing arrangements” Delft University of Technology, Delft

Leenslag, W., (2006) “Werkwijze ter beoordeling van IT Governance”. University of Twente, Twente.

LINFO (2006) “Economies of Scale definition.” http://www.bellevuelinux.org/linfo.html, visited 04-05- 2007

Looff, LA de (1996) “A model for information systems outsourcing decision making.” Doctoral Dissertation, Delft University of Technology, 1996.

McCain, R.A. (2005) “Essential Principles of Economics: A Hypermedia Text” http://william- king.www.drexel.edu/top/directory.html, visited 26-04-2007

Morgenstern, O., von Neumann, J., (1947) “The Theory of Games and Economic Behavior” Princeton University Press

NEN, 2008 "Outsourcing of services" Nederlands Normalisatie-Instituut

NEN-ISO/IEC (2005) “Information technology - Security techniques” NEN, Delft

NEN-ISO/IEC (2006) “Information technology – Service Managment 20000-1&2:2005.” NEN, Delft

Pol, M., (2006) “Uitbesteden van testen groot risico” Automatisering gids vol 48, p. 13.

Sante, van T., (2005) “Wegwijzer voor het gebruik van IT standaarden” Getronics PinkRoccade/Van Haren Publishing

SEI (2007) “CMMI coverage.” http://www.sei.cmu.edu/cmmi/faq/cov-faq.html visited 11-05-2007

Spool, J.M. (1997) "Market Maturity", UIE, www.uie.com, visited 2008-04-14

Standish Group, 1995, "The CHAOS Report into Project Failure", The Standish Group International

Viner, J. (1932) cited by: Holmstrom, B.R., Tirole, J., (1989) "The theory of the firm." Handbook of Industrial Organization, in: R. Schmalensee & R. Willig (ed.), Handbook of Industrial Organization, edition 1, volume 1, chapter 2, pages 61-133, Elsevier.

22 NEN Vlinderweg 6, 2623 AX Delft, NL – PO Box 5059, 2600 GB Delft, NL Telephone +31 (0)15 2 690 390, Fax +31 (0)15 2 690 190, Internet: www.nen.nl

Vries, de, H.J., (1999) “Stadards for the Nation” Kluwer academic Publishers, Boston / Dordrecht / London

Vries, de, F., IJmker, A., (2006) “Uitbestedingscontract ideale kans om te innoveren.” Automatisering gids vol 51/52, p. 17.

WTO (2005) “World Trade Report 2005: Exploring the Links between Trade, Standards and the WTO.” WTO, Geneva.

23 NEN Vlinderweg 6, 2623 AX Delft, NL – PO Box 5059, 2600 GB Delft, NL Telephone +31 (0)15 2 690 390, Fax +31 (0)15 2 690 190, Internet: www.nen.nl

Annex B: Desk research

B.1 Standardization

In this chapter the concept of standardization is introduced. Before any research can be done on the topic of standards for IT outsourcing, it is necessary to clarify what standardization exactly is and what the context of this concept is. Furthermore, the purpose of this chapter is twofold. First it is discussed whether it is viable to combine IT outsourcing and standardization. Second, characteristics will be used to typify existing standards, creating requirements for standards and constructing solutions in the form of standards that can improve the IT outsourcing process.

B.1.1 Standardization in general

In this section the notion of standardization will be presented. First it is important to clarify the definition on standardization. Standards and the standardization process are extensively described by De Vries (1999). In his work, classifications, definitions and the creation of standards are discussed. After consideration of various definitions presented by standardization bodies, dictionaries and other authors, de Vries comes to the following definition for standardization:

“Standardization is the activity of establishing and recording a limited set of solutions to actual or potential matching problems, directed at benefits for the party or parties involved, balancing their needs and intending and expecting that these solutions will be repeatedly or continuously used, during a certain period, by a substantial number of the parties for whom they are meant.”

In order to allow the definition to be well understood, the following terms have to be noted:

“1. matching problem Problem of interrelated entities that do not harmonize with one other. Solving it means determining one or more features of these entities in a way that they harmonize with one other, or of determining one or more features of an entity because of its relations(s) with one or more other entities. 2. entity Any concrete or abstract thing that exists, did exist or might exist, including associations among these things. Example: a person, object, event, idea, process, etc.” (De Vries, 1999, pp 19-20, bold writing from original text)

In the field of IT outsourcing, a wide variety of terms are used for solutions to matching problems. Terms such as frameworks, methods, frames of reference, best practices, libraries, norms and standards are common terms used in literature today. In this research all these types will be addressed by the notion of „standard‟, because all the above terms are essentially referring to solutions to matching problems. In this way, when something is addressed as a standard in this research it does not immediately imply that it is a standard practice accepted by many users. It does, however imply that it has the pretension to have a standardized approach for a certain domain.

B.1.1.1 Importance of standardization

A few examples can portray the importance of standards. Safety standards allow consumers to be confident about the safety of their purchase, whereas internet standards can allow software to communicate which allows us to send an email all over the world to any computer. Computer software as well as hardware has interchangeable parts because they all use common standards from which they operate. An unfortunate example of how the lack of a standard can be a problem was that during the great Baltimore fire of 1904 the firefighters from neighboring cities were unable to help fight the blaze effectively because their hoses would not fit the hydrants in Baltimore (WTO, 2005).

The fact is that companies can no longer be regarded as isolated organizations, especially in IT they are connected to other companies. Also the tendency to contract out activities means it is important to agree with suppliers on the specifications. The role of globalization makes the need for standards even larger as they can bridge international differences. The requirement of management to comply with 24 NEN Vlinderweg 6, 2623 AX Delft, NL – PO Box 5059, 2600 GB Delft, NL Telephone +31 (0)15 2 690 390, Fax +31 (0)15 2 690 190, Internet: www.nen.nl

stricter regulations means they have to show they use a widely accepted standard that proves that they are in control (De Vries, 1999).

It should not be underestimated that the actual standardization process can also be valuable to companies. Participating in the standardization process means they can influence the outcome which will be used by a significant part of the industry. A survey held by DIN (2005) showed “that businesses which are actively involved in standards work more frequently reap short- and long-term benefits with regard to costs and competitive status than those which do not participate. Participating companies have more of a say in the adoption of a national standard as a European or International Standard. In this case, the company gains a competitive edge because it will not need to make extensive modifications in order to conform to a European or International Standard.”

B.1.1.2 Advantages of standardization

In this section the advantages of standardization will be presented. The intrinsic functions of standards can be concluded to be to: describe a set of agreed solutions to a matching problem, recording these, freezing them during a certain period, and providing elucidation to them (Bouma, 1989 as cited in Jacobs, 2005). The advantages of standardization range from strategic to practical. Below a general overview of the advantages of standardization is presented. This overview is created from a list from de Vries (1999) and matches other sources such as Huibers and Kooper (2005), Jacobs (2005), NEN- ISO/IEC (2006) and DTI (2006). The advantages are clustered into seven main areas.

1. The ability to make regulation work Official regulation or laws often refer to standards where many organizations have to comply to. This way not so many details have to be added or changes have to be made into the official legal system. This is a advantage as changes in regulations or laws take a considerable amount of time and effort. Especially in outsourcing, there is a need for confidence that the outsourced processes are in good hands. Under the influence of regulations such as Sarbanes Oxley Act and the Dutch Code Tabaksblad, it is compulsory for many organizations to show this confidence (Huibers and Kooper, 2005). Standards can be advantageous by providing transparency, laying down unambiguous descriptions and serve as a benchmark to base decisions on (Jacobs, 2005). In this way, standards make the legal system more adaptable for the regulators and more usable for the subjects.

2. The ability to provide attention to quality and environmental management With the help of standards, it is easier to pay attention to quality issues in other to improve the safety and health of employees. Also the quality of products can be guaranteed when standard procedures are used. Environmentally speaking an industry can have a level playing field when all companies agree to use an environmental standard, thus stimulating competition while protecting the environment (de Vries, 1999).

3. The ability to provide transparency Organizations spend a lot of effort on managing the organizations around them in the supply chain. Standards can reduce ambiguity in terms used and thus prevent misunderstanding. Standards can also aid in requesting and submitting and offer and provide consistent approaches for all parties in the supply chain. Suppliers who aim to apply a bench-mark on their performance or an audit on another organization can use standards to aid in this process (NEN-ISO/IEC, 2006).

4. The ability to reorganize the organization Standards can aid in practical issues such as raising awareness of employee‟s tasks and responsibilities such as security. They can aid in management tasks such as the redesign of the processes that are present in an organization. Strategically, they can aid in the standardization of part of the company, for either alignment with the company goals or preparing it to be outsourced (Huibers and Kooper, 2005).

5. The ability to benefit from IT Technical specifications chosen by the company have to fit the specifications of the company‟s environment. Without these standards, the exchange of information would be very problematic. IT as we know it today would not exist without standards. It is necessary to agree with suppliers on product specifications, product data communication protocols, and the quality of production and delivery processes. Because organizations usually have several suppliers each with several customers, the 25 NEN Vlinderweg 6, 2623 AX Delft, NL – PO Box 5059, 2600 GB Delft, NL Telephone +31 (0)15 2 690 390, Fax +31 (0)15 2 690 190, Internet: www.nen.nl

most profitable way to solve these matching problems is by using widely accepted standards. (de Vries, 1999)

6. The ability to be objective Standards produced by a National Standardization Body (NSB) have two characteristics that are advantageous to the market. First, openness means the standards are available for all organizations. This characteristic is particularly important to small firms who otherwise would not get such easy access to standards. Second, credibility is guaranteed by government sponsorship and a wide variety of regulations on the NSB‟s that help to create confidence that a standard may achieve widespread use (DTI, 2005).

7. The ability to benefit on a macro-economic scale Standardization reduces the costs of products and services by economies of scale, reduces the growing variety of products and procedures for everybody, enables communication, contributes to safety, health and protection of life, protects consumer and community interests, eliminates trade barriers and reduces transaction costs (de Vries, 1999). The economic principles underlying this ability will be presented in section B.1.2.

B.1.1.3 Disadvantages of standardization

There are problems today with standards and the standardization process. These disadvantages of standardization have been taken from de Vries (1999, pp 4-6). As was the same case in the previous section, the list showed quite some overlap and is therefore clustered into three main disadvantages.

1. The complexity of standards For instance, users point out that it is difficult to study and understand hundreds of pages and to deduct the risks from it and to conclude what has to be done. Standards are often accused of being poorly written, being too detailed or lacking clear definitions of their scope. In addition, standards mix levels; instead of just describing a solution to one issue, they often present solutions to different issues. Another conclusion is that there are too many as well as too few standards in some parts of the IT sector, so standardization has not been serving the IT community as well as it should.

2. The power game of standardization Standardization is often criticized for its political or economical power game, although the topics discussed are mostly of a purely technical nature. As a result, standards often favor certain companies over others. However, even consensus is no guarantee for success as this means that not an optimal solution is chosen, for example resulting in less explicit standards. Consensus may also be political rather than technical, which results in weak standards.

3. The dialectics of progress If standardization begins too soon, it can damage innovation for the organization that standardized, or for an external party. For certain technologies and policies once a trajectory has been chosen it will be hard to adjust the course. This lock-in effect can hamper flexibility and thus innovation. From an external perspective, standards that set unusual or high level performance criteria can raise barriers for new competitors, especially for those from less developed countries. The economic theories underlying these issues will be discussed in the next section.

B.1.2 Economic principles behind standardization

In this section the main economic principles that are applicable to standardization will be described in brief. By doing so, a better understanding of the economic drivers behind standardization can be attained. Economic drivers behind standardization can justify assumptions about how standards can contribute to IT outsourcing processes. By discussing some common theories it is aimed to identify areas where standardization and IT outsourcing reinforce or resist the other‟s effects. After identifying these cumulative effects it can be justified to further research the topics and to take such effects into account.

This section will discuss the theories of economies of scale, free rider problem and bandwagon effect, information asymmetry, network externalities, transaction costs, switching costs, excess inertia and

26 NEN Vlinderweg 6, 2623 AX Delft, NL – PO Box 5059, 2600 GB Delft, NL Telephone +31 (0)15 2 690 390, Fax +31 (0)15 2 690 190, Internet: www.nen.nl

lock-in. This list has been created by making use of a lecture on the “Economic value of standards” by Egyedi (2007). This list has been selected because this list corresponds to the common economic theories presented by Koppenjan and Klijn (2004). As some theories are closely related to each other, it is chosen to discuss these in the same section. For instance, the bandwagon effect is based on the same main discussed in the free rider problem.

B.1.2.1 Economies of scale

The theory of the economies of scale stem from the very first theories of the economy. The high abstraction level of the theory from neoclassical era means it holds true to the idealized notions of “free markets”. So called free agents move according to orderly patterns and the results can easily be calculated from them (Goodin, 1998). Theories on firm sizes by Viner (1932) analyze the long-run average cost curves. The term Economies of scale, or increasing returns on scale is used to refer to the situation where the cost of producing an additional unit of a product decreases as the volume of output increases. In economic terms the marginal costs will go down when the scale of production goes up. There are several reasons for this mechanism to occur, one of them is that larger production volumes allow fixed costs to be spread over more units of output. Large fixed costs, and hence large economies of scale, are prevalent in highly capital intensive industries (Linfo, 2007).

In the case of standards, economies of scale are essential, because standards reduce variety, thereby lowering the cost associated with the production of one unit thus creating economies of scale. Economies of scale are essential to take into consideration when choosing which standard to adopt; a critical mass representing the amount of products will have to be acquired in the market by participating organizations for the marginal costs to be as low where the organizations will start to make profit. Scale economies explain concentrated production while minimum average costs determine the optimal size. More substance can be added by specifying particular cost structures, more in-debt information on this matter can be found in Holmstrom and Tirole (1989).

B.1.2.2 Free rider problem and Bandwagon effect

The free rider problem is part of the larger game theory that is based on the work of Morgenstern and von Neumann (1944). There are other theories closely related to the free rider problem, one of them being the bandwagon effect. These two theories are explained in this section.

In short, the free rider problem is based on the fact that while some organizations do not contribute to the process, they can still get the same profit from it as others. Holmstrom and Tirole (1989) explain the free rider problem as follows: “Suppose it takes two workers to perform a given task and assume initially that the workers form a partnership. The design problem amounts to choosing a reward structure for each of the partners. How should the partners divide the proceeds from the joint output? If the inputs can be observed and contracted upon, the answer is simple. Pay one the cost of his input and let the other receive the residual. Then it will be in each partner's interest to set input levels in a way that is socially efficient. But what if inputs cannot be verified so that rewards must be based on joint output alone? This leads to a free-rider problem.”

The free rider problem can take two forms, one due to limited transparency of the situation, or due to the openness. In the case of limited transparency, where cheating cannot be detected, then there is no way of dividing the joint output in such a way that each worker receives his social marginal product in equilibrium. With even more players, the more anonymous each member tends to feel. Hence, self interest is likely to lead each individual in a large group to shirk the duty of contributing a fair share to the group effort. If the situation is open, as is the case with many standards, one person‟s use of the standard does not preclude others from using it. Public goods tend to be underprovided because of the free-rider problem. In the case of standards, the creation of standards involves certain costs, while the gains are not exclusively for the contributing parties. (Egyedi, 2007).

The bandwagon effect follows the same principle, only the organizations benefiting from another‟s effort are this time not pretending to be involved in the process. As Farrell and Saloner (1988) describe it, the “bandwagon effect occurs when an important agent makes a unilateral public commitment to one standard; if others follow the lead they will be compatible at least with the first mover, and

27 NEN Vlinderweg 6, 2623 AX Delft, NL – PO Box 5059, 2600 GB Delft, NL Telephone +31 (0)15 2 690 390, Fax +31 (0)15 2 690 190, Internet: www.nen.nl

potentially with the followers.” Related terms to these economic theories are first adopters; those who take the highest risk, but also have the benefit of developing competence early on (David, 1987).

B.1.2.3 Information asymmetry

Information asymmetry is a market imperfection that implies that information about e.g. a product is available to one party (the producer) but not to the other (the consumer). It also implies that one party has the ability to use this information to his advantage when interacting with the other party. In the presence of information asymmetry, if buyers cannot differentiate between high and low quality goods, lower quality products can eventually drive out higher quality products. This is called adverse selection (Akerlof, 1970) and is also known as „Gresham‟s Law‟ (DTI, 2005).

It has been proven that the information provided by standards can reduce the problem of information asymmetry and thus market failure due to this. Standards can provide a minimum quality or quality discrimination which indicate a minimum level of quality in terms of functioning or safety of products, and signal the quality of products and services to customers (Leland, 1979). Another report concurs with these findings: “Standards therefore reduce the possibility that imperfect information creates market failures […]” (DTI, 2005, p23). If customers have information about the quality of products, good products have a better chance of survival.

B.1.2.4 Network externalities

The widespread adoption of a technology depends upon the existence of complementary products. Standards enable the compatibility for products, especially in the communications industry. Being compatible has effects on the entire network of which a product makes use. The theory of network externalities describes the effect a product and its connected network have on one another.

Katz and Shapiro (1985) define network externalities as “positive external consumption benefits” or “The benefit that a consumer derives from the use of a good [which] depends on the number of other consumers purchasing compatible items”. Positive network externalities are that a product might become more valuable because the amount of compatible products increases. In this way, suppliers can make their product more attractive when they conform to the existing standard, allowing their customers to exploit the existing economies of scale (Farrel and Saloner, 1985).

A distinction can be made between direct and indirect network externalities. Direct network externalities are of direct influence to the benefit of the product: every new fax machine increases the reach of the network. Indirect network externalities have indirect influence to the benefit of the product: more sold cars of the same brand means more dealers and spare parts will be available (Egyedi, 2007).

B.1.2.5 Transaction costs economics

Transaction Cost Economics (TCE) discusses issues about the actors and their environment in economical terms. In this way it is complementary to the neoclassical economics such as the previously discussed economy of scale. The theory of transaction costs economics is part of the New Institutional Economics. Herein, transaction costs are defined as “the costs involved in coordinating economic transactions.” In this way, it can be explained as costs that are not directly related to an economic exchange, but the time and resources required establishing a common understanding between parties.

TCE describes a number of factors that influence the resulting transaction costs. It starts off with assuming the bounded rationality of the involved actors, who all aim to minimize their transaction costs. Thereafter it discusses the various types of transaction costs such as search costs, information costs, negotiation costs, organization costs and more. Furthermore it describes the various governance structures for coordination.

Standards reduce the transaction costs for negotiation as they increase the understanding between producers and consumers as well as between producers alone. By improving recognition of technical characteristics, avoidance of buyer dissatisfaction and reducing search costs they reduce transaction 28 NEN Vlinderweg 6, 2623 AX Delft, NL – PO Box 5059, 2600 GB Delft, NL Telephone +31 (0)15 2 690 390, Fax +31 (0)15 2 690 190, Internet: www.nen.nl

costs between producers and consumers. (Egyedi, 2007) Between producers it is important to trust the compatibility of their joint production (WTO, 2005).

B.1.2.6 Switching costs, Excess inertia and lock-in

The previous section of TCE forms the economic theory on which theories as switching costs, excess inertia and lock-in are based. They are discussed in the same section as they are all closely related to one another.

Switching costs refer to the costs associated with switching from one standard to another (Egyedi, 2007). The costs can be all types of costs; the economy of scale may suffer from it, there will surely be transaction costs involved and the network externalities of the product will also shift. The whole environment such as People and material will have to (be) adapted to the new situation.

Because switching costs play an important role in any strategy, excess inertia or eventually a lock-in can occur. Excess inertia occurs when users are reluctant to switch to another standard (Farrell and Saloner, 1986). Users are reluctant because from their point of view the benefits such as network externalities and the bandwagon effect are outweighed by uncertainty and switching costs. If there is no prospect for improvement for the benefits that they might outweigh the costs in the future, a lock in will occur, meaning that switching has become too difficult (Farrell, 1990). A good example of such a lock in is the continuous use of the QWERTY keyboard layout standard still in use today, because of the path dependency of its development (David, 1985).

B.1.3 Characteristics of standards

In this section the characteristics of standards will be described in more detail. By explaining the various characteristics of standards, differences between standards can be made. Also, standardization characteristics can aid in identifying requirements for the design of a new standard. There are many distinctions that can be made among standards as is described by de Vries (1999). However, as the large amount of and the terminology used to define these characteristics would only make the distinctions more complex where clarity is needed instead. Even by presenting these five characteristics the picture will be complex. As van Sante (2005) and Egyedi and Verwater (2004) discuss characteristics of standards more generally, their conclusions and the main findings of de Vries are used to provide an overview.

B.1.3.1 Openness

A distinction that can be made for many standards is the distinction between open and proprietary standards. Well known example is the difference between Linux and Windows in the computer operating system market. In the case of an open standard parties can openly influence the maintenance and development of a standard and its contents are publicly available. Such standards are usually controlled by organizations such as foundations, for a, groups or consortia. Linux is good example of an open standard. A proprietary standard is owned by one organization which can implement changes to the standard and set terms for its use (van Sante, 2005, adapted). A good example of such a standard is the Windows operating system. Microsoft is however under increasing pressure of the European Commission to open up its standards on the windows operating system in order to enable software developers to be compatible with the operating system. Microsoft‟s response focuses primarily on the core need to protect and promote the intellectual property covered by the standards.

B.1.3.2 Process

The development of standards can be the result of a conscious or an unconscious process. The latter can be the result of a historical trail as one man‟s choice gradually finds broader application, or it can be the result of factual standardization in which the circumstances determine the standard as there is no process of balancing the needs.

Within the former process of conscious standardization, a distinction can be made between formal, governmental and de facto standardization. Formal standardization is carried out in committees of 29 NEN Vlinderweg 6, 2623 AX Delft, NL – PO Box 5059, 2600 GB Delft, NL Telephone +31 (0)15 2 690 390, Fax +31 (0)15 2 690 190, Internet: www.nen.nl

formal standardization organizations. These organizations can be internationally, regionally or nationally oriented, and can be specialized on a specific sector. Governmental standardization is performed by non-formal standardization organizations as described above. De facto standards are carried out by other parties than the two described above, for instance companies and consortia. Examples of such standards are the ITIL and CMM standards.

The term „formal‟ is dependent on the standardization organization‟s recognition. These recognized bodies also have a procedure on how to approach the process of standardization. Formal standardization organizations meet common interests, have and open standardization procedure in which all interested parties can participate, and the resulting standards are public, meaning they are accessible to all third parties (de Vries, 1999). Examples of such organizations are NEN at national level and ISO at international level. Accordingly, NEN and ISO standards such as the ISO 20000 are considered to be formal standards.

Formal standards can be the results of a new standard that is developed from scratch by a standardization committee. This is often the case when there is no de facto standard available or the responsible company denies the use of such a de facto standard. If a de facto standard is (made) available to the standardization committee, it can be used to base the formal standard on. This does require adaptation of the old standard into the family of formal standard as issues such notions and scope should be adapted. Finally, some standards come into existence to provide guidance for the usage of other standards. These merely facilitate its users on how to wield other standards. (de Vries, 1999) Such reference standards are currently being developed for technical IT standards at NEN.

B.1.3.3 Time

There are two time-dependent characteristics of standards: the aim and the acceptance. For the aim, de Vries (1999) identifies three time-dependent situations where standards have a different aims on the problems at hand. Anticipatory standardization tries to solve an expected matching problem, whereas concurrent standardization solves problems as soon as they occur. Finally, retrospective standardization aims to solve existing problems. An example of anticipatory standardization is the OSI reference model for computer networking design.

The impact of a standard depends on its acceptance. There have been many standards which have disappeared before they could have their influence on the problems because the required amount of mass was not attained. Successful standards however do have this mass. According to van Sante (2005), the infrastructure which successful standards need is made up of three elements. First, the more interested parties there are to support the standard, the more successful it will become. Second, a managing organization that has to carry out changes has to be in place, and has to keep adjusting the standard to the demands of the interested parties. Third, the users of the standard should support it on the long run for the standard to have impact. Betamax is a classic example of such a standard, which saw a diminishing user base as a prelude for the decreasing influence on the home video market.

B.1.3.4 Functionality

This degree of specificity mentioned can vary in a standard. While some standards only specify the required performance, others go into detail of how to implement specific products or services. Because specification standards do restrict implementation possibilities, performance standards are increasingly preferred over the former. Meek (1996, cited in Egyedi and Verwater, 2004) points out that options “come into two forms: take-it-or-leave-it, and this-way-or-that. They look like a form of over specification, but take-it-or-leave-it can mean under specification if one must “take it” to achieve the aims of the standard. This-way-or-that can mean under specification if the difference between the alternatives harms the aim of the standard and the standard fails to take a position on the matter.”

Functional inclusiveness is a way to cope with unforeseen demands. It advocates the inclusion of options in standards, sometimes providing similar or overlapping functionalities, sometimes complementary functionalities. Increasing functionality comes at a cost however, as it is a trade off with compatibility (Egyedi and Verwater, 2004). Finally, the same type of standards can still vary in

30 NEN Vlinderweg 6, 2623 AX Delft, NL – PO Box 5059, 2600 GB Delft, NL Telephone +31 (0)15 2 690 390, Fax +31 (0)15 2 690 190, Internet: www.nen.nl

functionality from country to country. Because each country has its own processes and rules, the content of a standard can vary.

B.1.3.5 Purpose

In the history of standards, the nature of them has evolved substantially. Their purpose has extended from only quality standards and evolving to project, process and competence standards. The purpose of quality standards has always been very broad, as they describe general characteristics and properties of entities. Quality standards are an ongoing process that organizations can continue to use. Next, standards evolved into the project area where there was a need to manage time, money and generally the investments the right way. These standards are usually used one time, from the start until the end of the project. Following, the process standards ensure that no steps are left out of a process, address the efficiency, input and output which enable the user to improve the entire process. These standards are used occasionally when it is necessary to improve the process of for other reasons to check or alter the process. Finally, the latest development in the purpose of standards is the competence standards. These standards ensure that the users following the standards have the skills that are required by law, regulation or the client of the user. These standards are again used continuously as the requirements are laid down in contracts or regulations. The fact that standards have various purposes for their existence and vary in times when they are used (continuously, occasionally, one-time) means for an outsider the characteristics of standards are complex.

B.1.4 Characteristics

Based on the previous sections, Figure 7 can be drawn up which displays the characteristics of standards. The figure shows the five main topics of the standard‟s characteristics. The characteristics are worked out into more detail in order to clarify each characteristic.

Figure 7: Standard's characteristics 31 NEN Vlinderweg 6, 2623 AX Delft, NL – PO Box 5059, 2600 GB Delft, NL Telephone +31 (0)15 2 690 390, Fax +31 (0)15 2 690 190, Internet: www.nen.nl

B.2 IT outsourcing

In this section the concept of IT outsourcing is defined and parallels will be drawn with standardization. Before any research can be done on the main topic of standards for IT outsourcing, it is necessary to clarify what IT outsourcing is and what the context of this concept is. Furthermore the purpose of this section is twofold. First it is researched whether it is viable to combine IT outsourcing and standardization. Second, problems that occur when companies engage in outsourcing are listed. These problems will be used to construct requirements to improve the IT outsourcing process. In this section the following research question will be answered:

2. What is IT outsourcing?

B.2.1 IT outsourcing in general

B.2.1.1 Background on IT outsourcing

Until the mid-seventies the IT service provision was mainly done by the internal service providers. During this period companies had their applications developed in-house. From the mid-seventies on capacity problems and a shift to distributed infrastructure led to a shift in the IT world. The hiring in of IT personnel by clients led to a structural relationship with IT suppliers. Gradually the IT suppliers started to carry out entire projects for their clients. These projects were however still initiated by the internal IT department of the client. Fast technological developments and the large numbers of external IT specialists hired in leads to information problems. Detailed descriptions of the business units‟ needs that are not in line with the company‟s IT strategy results in a suboptimal solution. Rising costs and low performance led into a new era: IT outsourcing (Beulen, 2002, adapted).

From the time on when Kodak decided to outsource its IT in 1989, an enormous stream of publications started of on the subject. Even though Business Process Outsourcing (BPO) has been around for quite some time at that moment, it did not create such turmoil as IT outsourcing did. Delen (2005) names several explanations for this contrast: 1. Information provision is of increasing importance for organizations and is developing in some branches from supporting to primary and even governing process. 2. The increasing importance means that the cost of IT services are rising. High debit items stimulate management to search for alternatives. 3. Information provision is increasingly interwoven with the processes that support it. This makes it increasingly risky for companies to outplace their information provision. 4. With the ongoing developments on IT hardware and software the knowledge on the latest developments are scarce. In order to retain access to such knowledge, external specialized suppliers are great sources for this, but dependency is a large risk.

In retrospect the development of system management in the early nineties enabled the establishment of the conditions that made IT outsourcing possible. According to Delen (2005), there are three mayor conditions: First, the separation between the demand and supplier side of the IT function. Second, the steering is done on the basis of results. Third, the control was centralized without any consequences for decentralized use. These three conditions were important as IT outsourcing is different from conventional outsourcing.

Lee (2006) names four key characteristics that support this statement. These IT characteristics make the process of IT outsourcing increasingly complex over conventional business functions. He names the following four characteristics: 1. Pervasiveness of IT: IT permeates the entire organization/business processes 2. Technological obsolescence: IT evolves rapidly 3. Financial obsolescence: The underlying economics of IT changes rapidly 4. High switching cost: technological lock-in

A fifth complexity that can be added to this list is that most of the services will be provided from a location other than the client‟s. Thanks to the modern communication means of internet the service

32 NEN Vlinderweg 6, 2623 AX Delft, NL – PO Box 5059, 2600 GB Delft, NL Telephone +31 (0)15 2 690 390, Fax +31 (0)15 2 690 190, Internet: www.nen.nl

location can even be on the other end of the world. This off-shoring phenomenon has received increased attention in recent years, as clients increasingly use off-shoring to achieve more efficiency gains. This does come at a price however, as off-shoring requires around 50% more effort to coordinate the supplier (Beulen, 2004, in Delen, 2005). This research does not aim to go specifically into the dilemmas of off-shoring decisions.

B.2.1.2 What is IT outsourcing?

IT outsourcing has been discussed by many authors such as Beulen et al (2006), Delen (2005), Joha (2003), Lacity and Willcocks (2003) and Lee (2006) and thus many definitions are in use. Lee provides a clear definition after combining several definitions from other authors. Therefore his findings are used as a basis for the definition in this research. He defines two states in outsourcing; the dynamic and the static states, by using two definitions. Furthermore, the scope of both the activities and resources (human and material) are incorporated in the scope of the IT outsourcing definition. This last notion is important as this is what differentiates IT outsourcing from conventional IT services where only activities or resources are subject in the arrangement.

IT outsourcing is therefore defined as:

This first definition refers to the dynamic part of outsourcing. At the end of this dynamic transition, the IT outsourcing arrangement facilitates and guides all necessary transactions to obtain IT services from the provider. The term IT outsourcing arrangement refers to the static state of external provisioning. The following definition for IT outsourcing arrangement is used:

“An organisational arrangement instituted for the obtaining IT services, the management of resources and the IT activities required for producing these services, from one or more external IT provider.”(Lee, 2006)

These definitions are used in order to provide a consistent approach throughout the report. In this report the client will be referred to as the party that is transferring its resources to an external party, whereas the supplier will be referred to as the party that receives the resources and delivers the services to the client. Key concepts of these definitions comprise:

1) Information Technology (IT) refers to hardware, systems software and ready-made software packages that perform data processing tasks (generation, manipulation and distribution). The Information System (IS) is a system to support or perform a specific business function, by providing the information required to perform this function. The preferred term depends on the scope of the service defined in the contract. In this research the more common used and general term IT outsourcing is applied to cover both terms (De Looff 1996); 2) Organizational arrangement refers to the formal structure of responsibility and delegations of tasks within the IT management function (Lee, 2006); 3) IT service is defined as the application of business and technical expertise to enable organizations in the creation, management, optimization or access to information and business processes. (Lee, 2006, adapted); 4) “IT activities are activities needed to establish and sustain information systems. IS activities are: planning, development, implementation, maintenance and operation.” (De Looff, 1996).

According to the above definition, one-time software development performed by an external party is not considered to be IT outsourcing by us. Only when a client chooses to outsource all of its software development as one package, then it is considered to be IT outsourcing. In this the distinction made by Delen (2005, p.29) is followed.

33 NEN Vlinderweg 6, 2623 AX Delft, NL – PO Box 5059, 2600 GB Delft, NL Telephone +31 (0)15 2 690 390, Fax +31 (0)15 2 690 190, Internet: www.nen.nl

B.2.1.3 Phases of outsourcing

There are several phases into which outsourcing can be broken up. Beulen et al (2006) analyze the wide variety of phasing models for outsourcing. Their findings on the sourcing life cycle are displayed in Figure 8 which displays the essential phases in outsourcing. The decision making phase is used to decide whether to outsource and whether this matches the strategy of the entire company. Also a thorough sourcing strategy will have to be set up, consisting of knowing what to outsource, why and for what purpose.

Feedback loop

Decision making

Supplier selection Transition

Transfer

Transformation

Service provision

Contract termination

Figure 8: Outsourcing life cycle of the PON (Beulen et al, 2006)

In the supplier selection phase the client makes a selection from a pool of possible suppliers. Usually this phase incorporates multiple rounds of information exchange between the client and each supplier. After each round, the number of suppliers is reduced and more detailed information is exchanged. Finally, this leads to the supplier(s) with which the client wants to start an outsourcing relation. The next phase can be started when a letter of intention has been signed, and the detailed contract can take shape when the transition is in progress. This allows parties to construct a fully detailed contract with company-specific information.

The transition phase that follows is made up of two steps; the transfer of resources and the transformation of these resources to fit the organization of the supplier. The transfer is an optional process that requires attention to be paid to the personnel, financial and customer relationship management. After the transfer, the resources will have to adjust them and the services they deliver to the suppliers‟ organization. It has two goals in a sense that integration has to be achieved while safeguarding continuity.

The phase of service delivery is an ongoing process that can continue for years. The communication structure, reporting obligations, change management and monitoring are all things that have to be arranged. Regular meetings should be held to communicate these topics.

The final phase is the contract termination. As these contracts usually have a time limit, a time comes when a decision has to be made what to do next. The contract can be renewed and might have to be adjusted according to the new situation, or the contract can be terminated after which some steps have to be taken. The contract will have to be evaluated and a re-transition plan will have to be constructed (Beulen, 2005, adapted).

B.2.1.4 Subdivisions in IT

When studying literature on IT, it becomes clear that many authors subdivide IT differently. This variety of subdivisions adds to the complexity of the notion of IT. In this section these differences will

34 NEN Vlinderweg 6, 2623 AX Delft, NL – PO Box 5059, 2600 GB Delft, NL Telephone +31 (0)15 2 690 390, Fax +31 (0)15 2 690 190, Internet: www.nen.nl

be clarified and one clear breakdown structure of IT will be chosen that will aid us in achieving the objective of this research.

Most subdivisions on IT in literature span from business to technology with three divisions. In Table 4 the subdivisions found in the literature are presented. It is chosen not to follow Huibers and Kooper (2005) and de Looff (1996) for two reasons. First, they focus on outsourcing in general, including Business Process Outsourcing which is excluded from this research. Second, the distinction between the subdivisions such as primary and secondary is not clearly described. As this could lead to a lack of clarity in the research it is chosen not to adapt this subdivision. This leaves us with two possible options, following Bayens (2007) and Delen (2005) or van Sante (2005) and Leenslag (2006). It is chosen to follow van Sante and Leenslag for two reasons. First, Leenslag uses two dimensions in his model to make distinctions between IT and the activities associated with it. Because these activities (they range from planning, to acquisition, to implementation, to delivery & support) correspond well with our outsourcing phases, Leenslag and van Sante‟s subdivision of IT is preferred over that of Bayens and Delen. Second, van Sante has made his distinctions in order to classify standards. This means that the distinction is made in order to facilitate standards. Therefore, the subdivision can easily accommodate standards, and because some standards that are described are also described by van Sante, it is logical to select this subdivision over another.

Author(s) Subdivisions Huibers and Kooper Primary processes Secondary processes IT-processes (2005) De Looff (1996) Primary systems Primary support Secondary systems systems Bayens (2007) Business Information Technique Delen (2005) Business Information & Technology Communication Van Sante(2005) Functional Application Technical management management management Leenslag (2006) Functional Application Technical management management management Table 4: Subdivisions in IT literature

In general, the distinction between the types of IT in the selected subdivision is put by Leenslag (2006) as follows: “The objects that are managed vary, and with that the perspective with which a person looks at those objects vary. A functional manager manages functionality and looks at the organization from a business perspective; for him the alignment with the business processes and costs are important issues. Application managers mainly look at the maintainability, innovation and quality of the applications. Technical managers primarily manage hardware and networks, thus looking at availability and performance of the entire service.”

Objects that fall under functional management are SLA‟s, contracts, working instructions and general manuals for the organization. Common activities in this field are the strategical alignment of the IT with the business, providing support for the business processes and the users that are dependent on IT. Objects related to application management are system documentations and facilities that enable the production of information systems. Processes that relate to application management are service and future-oriented processes guiding the management and maintenance of applications. The objects that fall under technical management are for instance mainframes, data center support, desktops, telecommunication networks and system software. Managing and operating these technical systems and providing support for them are common activities in this field. IT outsourcing can cover all these areas. This provides us with the following picture portrayed in Figure 9.

35 NEN Vlinderweg 6, 2623 AX Delft, NL – PO Box 5059, 2600 GB Delft, NL Telephone +31 (0)15 2 690 390, Fax +31 (0)15 2 690 190, Internet: www.nen.nl

Figure 9: IT functions

B.2.2 Advantages of IT outsourcing

There are a variety of reasons why IT outsourcing is beneficial for a company. In this section the advantages will be listed, dividing them into three main types of advantages, knowingly organizational, technical and financial. In Table 5 the advantages of IT outsourcing are presented. This table has been created using Beulen (2002), Delen (2005), Huibers and Kooper (2005) and Joha (2003). The list emphasizes why organizations think it will be beneficial for them to start outsourcing their IT.

Organizational Technological Financial Improve business focus Provides access to expert Cost savings on IT can focus on new areas of knowledge in old and new equipment and development, core processes technology areas staffing and adding distinct value Can be leveraged to respond Access to technology Improve the return on IT quickly to regulations, new without capital investment by generating new technologies and business investment revenue by offsetting costs needs. Direct cash infusion Supplier brings better capabilities Complex, in-house projects can for resources to facilitate organizational be finished Eliminate needs for change No restrictions on the IT investments The supplier can guarantee the availability of qualified Cost containment quality and quantity of staffing employees Fixed costs are Faster time to market Stimulation of innovation changed into variable Redefine the business Quality of IT services is costs Free up resources, less improved Restructure of IT managers Technological improvements budgets Increase flexibility thanks to a Quality improvement Shared financial risk lean business Access to leading edge Improved turnover Transferal of risks to supplier technologies Challenge the business with Business IT alignment outsourcing to develop new Operational excellence ideas and methods Commercial exploitation Increased standardization of Improved security processes Replacing legacy systems Facilitate mergers and Be challenged by new ideas acquisitions and methods Able to confirm to regulation Table 5: Advantages of IT outsourcing

B.2.3 Economic principles on IT outsourcing

In this section the economic principles on IT outsourcing will be discussed. Economic drivers behind IT outsourcing can justify assumptions about how the IT outsourcing process works and why problems 36 NEN Vlinderweg 6, 2623 AX Delft, NL – PO Box 5059, 2600 GB Delft, NL Telephone +31 (0)15 2 690 390, Fax +31 (0)15 2 690 190, Internet: www.nen.nl

occur. In this section the topics of the Rational expectations, Market maturity, Game theory, Agency theory and Trust are explained. Where applicable, it will be explained how standards‟ economics influence the economics of IT outsourcing at the end of each section. These interactions can justify that standards can influence the IT outsourcing process, thus making further research on this topic appropriate.

Some of the previous economic theories on standardization that were covered previously are also relevant to IT outsourcing. Primarily the economies of scale, information asymmetry and transaction costs are useful for explaining IT outsourcing. However, as they have already been explained, it is not necessary to discuss them thoroughly again.

B.2.3.1 Rational expectations

The theory of rational expectations states that expectations are rational if they make efficient use of all available information, allowing for the cost of the information. Because information can be costly, expectations can be rational and nevertheless still be inaccurate (McCain, 2007). This trade off between the price of acquiring information and the price for not having the information is made in the process of IT outsourcing. It would be priceless to have full knowledge of one‟s IT, as wielding this knowledge can mitigate mistakes made during the outsourcing process. On the other hand, acquiring this full knowledge is a costly process as IT has a complex nature.

B.2.3.2 Market maturity

“Users‟ expectations of a product depend on the maturity of its market. Markets for software products go through some predictable stages, each with a different emphasis” (Spool, 1997). This statement also holds for the market of IT outsourcing. Spool defines market maturity in four steps, knowingly: Raw Iron, Checklist Battles, Productivity Wars and Transparency.

Raw Iron is the phase where the user wants basic capability, the product works and the suppliers focuses on technical issues and delivery. At this stage it takes the first users and suppliers considerable effort to make the product work. However, as competitors quickly see opportunities, they join in to take market share from the pioneering organization. The phase of checklist battles is where the users want the product with the best set of features, and the suppliers focus on adding features and fixing bugs. The new entrants are adding feature to distinguish themselves from competitors. This stage ends when vendors run out of new features for the product that make a difference in the market. The Productivity Wars phase is where the users want to get their work done better and faster and the suppliers focus on performance support and reducing technical support costs. Suppliers aim to add low-cost support that keeps the customer satisfied. The next phase starts when the products in the genre have become a commodity. The final phase is Transparency where users focus on the lowest cost and the suppliers seek to reduce costs or to invest in new markets. At this stage, the product has essentially become invisible to its users and where these products become part of a bigger whole.

According to Huibers and Kooper (2005), the IT sector is only for 50% mature; “They have to mature; for the services that they offer as well as the customer relationship. For the latter we expect them to become transparent, pro-active and willing to carry risks.” IT outsourcing must be somewhere in phase two of Spool‟s scale. IT outsourcing has passed phase one as it has certainly proven to work, and competition is flourishing. The final phase of transparency has not been reached yet. As vendors are still seeking new ways how to perform outsourcing one can argue that also phase three has not been reached. Therefore, IT outsourcing is a not fully mature market.

Market maturity is affected by two economic principles behind standardization, knowingly the free rider problem and the bandwagon effect. The maturity of the IT outsourcing market can increase when organizations make use of standards that are developed by other companies. By looking at the standards which the most mature organizations use to arrange their IT outsourcing arrangements, the lower end of the market can raise their performance. Many standards published by organizations are available for organizations that wish to improve their performance. In this way the standardization‟s economics of the free rider problem and the bandwagon effect influence the IT outsourcing‟s economics of market maturity, and softens its bad influence on market performance.

37 NEN Vlinderweg 6, 2623 AX Delft, NL – PO Box 5059, 2600 GB Delft, NL Telephone +31 (0)15 2 690 390, Fax +31 (0)15 2 690 190, Internet: www.nen.nl

B.2.3.3 Core competencies

In this section the theoretical background of the theory and its relevance for IT outsourcing will be discussed. A core competence can be defined “that part of the primary process in which the organization can distinguish itself from the competition by knowledge and skill” (Delen, 2003).

Core competencies theory suggests activities should be performed either in house or by suppliers. Activities, which are not core competencies, should be considered for outsourcing with best-in-the- world suppliers. Some non-core activities may have to be retained in house if they are part of a defensive posture to protect competitive advantage (Hancox and Hackney, 2000). Delen (2003) visualizes core competencies by using two dimensions as is displayed in Figure 10. Vertically are the various management levels of strategical, tactical and operational. Horizontally is the knowledge- dimension: varying from pure branch of trade knowledge (left) to pure IT-knowledge (right). He also explains which activities should be retained in house and which can be outsourced.

Figure 10: Core competences (Delen, 2003, p.13)

IT can be considered core at the corporate level, but some of its aspects, at lower levels, might be commodities. The ability to define IT requirements and to monitor their delivery by third parties may be some of the core IT competencies that any organization must have if it is to outsource IT successfully. It can be argued that the acts of specifying and managing supply contracts can give competitive advantage.

B.2.3.4 Agency theory

Agency theory is essentially about the delegation of work by one party (the principal) to another (the agent) via a contract (Aubert, Michel, Rivard, 2003). Agency models posit that parties are rational, although only limitedly so. Parties know that they cannot reasonably foresee every contingency that might be relevant to them. The theory also assumes that the contracting parties behave in their own interests, which are potentially conflicting. This is not to say that they do not have common goals, but that the interests of each are bound to clash in some circumstances. The focus of the agency theory is, unlike transaction costs economics, not on organizational boundaries. The choice of contract type depends on the agency costs, which include the principal‟s effort in assessing the agent‟s performance and the agent‟s efforts in assuring the principal of his commitment. An important aspect of the theory is that both principal and agent wish to avoid risk when dealing with each other. The principal may prefer to place risk with the agent via an outcome-based contract, whereas the agent may prefer to avoid risk by having a behavior-based contract.

Outcome-based contracts are claimed to reduce agent opportunism because the rewards of both agent and principal depend on the same actions. Clients in outsourcing arrangements (the principals) are increasingly steering towards outcome-based contracts, as the nature of IT is so complex that they do not have sufficient information to steer the suppliers (the agents) using behavior-based contracts. If

38 NEN Vlinderweg 6, 2623 AX Delft, NL – PO Box 5059, 2600 GB Delft, NL Telephone +31 (0)15 2 690 390, Fax +31 (0)15 2 690 190, Internet: www.nen.nl

the clients opt for a behavior-based contract there is, among others, the risk of adverse selection (Hancox and Hackney, 2000).

Adverse selection will develop when the client cannot observe the characteristics of the supplier and cannot be certain of the validity of the supplier‟s claims. Failure to deal with adverse selection will make it difficult for the client to choose the right supplier and thus engage in risky contracts. In outsourcing contracts, the client will have limited information to select its supplier, while all potential suppliers will likely claim superior expertise. Information gathering and increasing the competition on an outsourcing arrangement are ways to protect the client from the risks of adverse selection.

Another risk in an outsourcing arrangement is the risk of imperfect commitment. Imperfect commitment is the limited capacity of both clients and suppliers to commit themselves. Clients or suppliers can break promises because of external influences or because the profits to do so are higher than the costs. In outsourcing arrangements it is seen that organizations are trying to make the perfect commitment by generating ever larger contracts and more extensive SLA‟s. However, no contract is immune from such behavior In addition, there are the tensions between client and supplier. The supplier wants freedom and loose contracts which leads to uncertainty for the client. The client in his turn wants certainty by means of strict contracting, which leads to restraints for the supplier. This makes agreeing on the right commitment for both parties problematic (Aubert, Michel, Rivard, 2003).

Agency theory is directly affected by two economic principles behind standardization knowingly information asymmetry and Transaction costs economics. As has been stated above, clients need information to properly steer their suppliers. In return, suppliers need information to properly supply their clients. Standards‟ economic theory of information asymmetry states that information asymmetry between parties is reduced and a minimum quality of the product can be guaranteed. The theory of transaction costs economics states that standards can reduce search costs, help avoid buyer dissatisfaction and improves recognition of technical characteristics between parties. Therefore, one can conclude that the economics behind standardization mitigate the problems foreseen in the IT outsourcing‟s economic theory of Agency theory.

B.2.3.5 Trust

Trust is defined as „a psychological state comprising the intention to accept vulnerability based upon positive expectations of the intentions or behavior of another‟. Trust is made up from three parts.

First, the stable perception of an actor about the intentions of another actor; trust is the perception of an actor and not an action or a choice by an actor. Second, trust is the expectation of an actor that another actor will abstain from opportunistic behavior even when an opportunity for it emerges. This concerns that the latter actor takes the interests of the former actor into account. Third, trust is related to uncertainty: in the case of trust, there must be some uncertainty about the behavior of a partner in future situations and advantages/benefits concerning how a problem will be resolved. If such uncertainty does not exist, trust is not necessary (Koppenjan and Klijn, 2004).

As the process of IT outsourcing has elements of uncertainty in it due to its complexity, trust is an aspect in the process to take into account. Because opportunistic behavior tends to lead to mutual disadvantages, both parties can benefit from a good relationship (Aubert, Michel, Rivard, 2003). Trust can lead to a reduction in transaction costs as it reduces risks, it stimulates learning, exchange of knowledge and innovation. Relationship management in order to build trust is therefore beneficial to the process of IT outsourcing. Trust can be build by past interactions, reputations, expectations of benefits and the nature of networks (Koppenjan and Klijn, 2004).

The theory of trust is directly affected by the economic theory of transaction costs. Gaining trust is essentially a transaction cost that has to be made, and by using standards one can reduce transaction costs. Therefore, situations with trust issues in IT outsourcing relationships can be improved with the help of standards.

39 NEN Vlinderweg 6, 2623 AX Delft, NL – PO Box 5059, 2600 GB Delft, NL Telephone +31 (0)15 2 690 390, Fax +31 (0)15 2 690 190, Internet: www.nen.nl

B.2.3.6 Standardization and IT outsourcing

The importance of discussing the economics behind both standardization and IT outsourcing is not only to gain insight into both concepts, but to see where they reinforce each other. Such reinforcement has been noticed behind the principles of market maturity, agency theories and trust. It can also be seen that the economic powers behind standardization such as the free rider problem and the bandwagon effect can negatively influence the market maturity of IT outsourcing.

The economies of scale, information asymmetry and transaction costs have all been previously discussed. It is emphasized that these theories are also of importance to IT outsourcing. IT outsourcing benefits from economies of scale because suppliers are able to specialize and thus provide production efficiency (de Looff, 1996). In the standardization section on economies of scale it is found that standards enable larger efficiency by reducing marginal costs. Because parties engaged in IT outsourcing suffer from information asymmetry, an instrument that mitigates this asymmetry can improve the situation. Standardization reduces information asymmetry and therefore mitigates this problem in IT outsourcing. Finally, in the same way transaction costs are an important issue in IT outsourcing: bounded rationality and opportunism can increase the costs of IT outsourcing. By improving recognition of technical characteristics, avoidance of buyer dissatisfaction and reducing search costs standards reduce the overall transaction costs.

It can be stated that there is considerable overlap in economic principles when the concepts of standardization and IT outsourcing are discussed. Furthermore, the economic theories behind both concepts seem to complement each other. Therefore it can be concluded that the combination of the two concepts is a viable one. In other research, standardization is also seen as an important catalyst for the process of IT outsourcing (de Looff, 1996).

B.3 List of 'standards'

In this section the list of standards that are relevant for IT outsourcing are presented. For general information purposes, the following topics for each standard will be discussed:

General Description. What is the objective and benefits of the standard? Characteristics. What are the characteristics of the standard according to the set presented? Characteristics of the standard in the field of the process, the functionality and the purpose of the standard are described. Origin. Where did the standard come from? Who designed it and when? Relevance to IT outsourcing. Why is this standard specifically relevant to IT outsourcing? Links. What connections does this standard have to other standards listed here?

The following standards that will are discussed: ITIL, ISO 20000, ISO 17799, PAS 77, ISPL, CMM, COBIT, SAS 70, ASL, BISL, eSCM PRINCE2, MoSCoW, SDM, DSDM, XP and RAD.

In the field of IT outsourcing, a wide variety of terms are used for solutions to matching problems. Terms such as frameworks, methods, frames of reference, best practices, libraries, norms and standards are common terms used in literature today. In this Annex all these types will be addressed by the notion of „standard‟, because all the above terms are essentially referring to solutions to matching problems. In this way, when something is addressed as a standard in this research it does not immediately imply that it is a standard practice accepted by many users. It does, however imply that it has the pretension to have a standardized approach for a certain domain.

B.3.1 ITIL

ITIL (Information Technology Infrastructure Library) is a set of best practices for IT service management. It is published by the British Office of Government Commerce (OGC) in a series of books. At present, ITIL consists of seven books: Service Support, Service Delivery, Business Perspective, Application Management, IT Infrastructure Management, Security Management and Planning to Implement Service Management. ITIL is primarily known for its Service Support and Service Delivery books, which form the core of ITIL. The Business Perspective is also a key part in the 40 NEN Vlinderweg 6, 2623 AX Delft, NL – PO Box 5059, 2600 GB Delft, NL Telephone +31 (0)15 2 690 390, Fax +31 (0)15 2 690 190, Internet: www.nen.nl

series as it describes how to link the issues to the value chain of a company. Understanding how infrastructure, people, technology can contribute to the value chains is the main objective of this book. Organizations can use ITIL to improve their IT-service processes and to improve cooperation. By acquiring knowledge on the IT processes, organizations can make better arrangements, less mistakes and correct problems faster. This results in financial value and quality in the IT organization.

In the nineteen eighties ITIL was developed by the British government to improve the control over the costs and the quality of the IT service provision. This was needed because after privatizations in the public sector the need for quality in system management was needed. Until that moment, most of the attention was paid to the development process and less to managing and exploitation of the information systems. The growing dependency on the systems and the awareness that most of the costs are made after the development, contributed to the need for best practices in management and exploitation of IT systems. Trainings and exams were set up in the Netherlands in a similar to the way in Britain. The IT service Management Forum (ITSMF) in the Netherlands functions as an independent body where companies can cooperate to improve the best practices. ITIL has grown into a de facto standard used worldwide in the private and the public sector.

ITIL is considered as a prerequisite for how companies function today. It is often a request by the client in outsourcing that the supplier should have ITIL procedures installed. The supplier uses ITIL to standardize his processes, thus enabling economies of scale. Because ITIL is so widespread in the IT world, it should be incorporated in a list that describes IT subjects. The ITIL standard is related to the ISO 20000 and ASL standards (Delen, 2005 and van Sante, 2005). The standard has the following characteristics: informal, specific, functional and competence.

B.3.2 ISO 20000

The international standard ISO 20000 for IT service management consists of two parts. Part one is the Service management specification which “promotes the adoption of an integrated process approach to effectively deliver managed services to meet the business and customer requirements.” (NEN- ISO/IEC, 2006) Put simply, part one of the ISO 20000 standard that documents the requirements for an IT Service Management System. A company can be certified based on this first part. This is the main difference between ITIL and ISO 20000: ITIL best practices should be followed by companies using ITIL, whereas ISO 20000 shall be followed, otherwise companies cannot be certified for it.

The second part is the code of practice for service management, which is designed to work with the specification of part one. “These two parts specify service management processes and form a basis for the assessment of a managed IT service. Part 1 may typically be used by: organizations seeking tenders for outsourced services; organizations that require a consistent approach by all service providers in a supply chain; existing providers to benchmark their IT service management; as the basis for formal certification; and so on. Part 2 provides guidance to auditors, implementation staff and others.” (ITIL & ITSM World, 2007)

The ISO 20000 standard is intended to supersede the BS15000 which is based on ITIL. It is published by the ISO organization which is represented by national standardization organizations. This applies for all ISO standards. The ISO 20000 standard comprises ten sections: Scope, Terms & Definitions, Planning and Implementing Service Management, Requirements for a Management System, Planning & Implementing New or Changed Services, Service Delivery Process, Relationship Processes, Control Processes, Resolution Processes and Release Process. The ISO 20000 standard is related to the ITIL and ISO 17799 standards. The standard has the following characteristics: formal, general, compatibility and competence.

B.3.3 ISO 17799

The ISO 17799 standard provides a set of guidelines for information security management. It offers a common language and understanding which can aid in the development, implementation and measurement of security practices. By using this standard, an organization can improve the confidentiality, integrity and availability of information systems for their authorized users. The standard can be used for the certification of organizations, thus providing confidence in inter-company trading. Many suppliers of IT services use 17799 certifications to ensure the clients that they have a good

41 NEN Vlinderweg 6, 2623 AX Delft, NL – PO Box 5059, 2600 GB Delft, NL Telephone +31 (0)15 2 690 390, Fax +31 (0)15 2 690 190, Internet: www.nen.nl

security practice in place. In any outsource deal the client would demand such a security practice for its service delivery.

The ISO 17799 standard consists of twelve sections: Risk assessment and treatment, Security policy, Organization of information security, Asset management, Human resources security, Physical and environmental security, Communications and operations management, Access control, Information systems acquisition, development and maintenance, Information security incident management, Business continuity management and Compliance. The standard has the following characteristics: formal, specific, compatibility and quality.

The current standard of 2005 is a revision of the version published in 2000 which was copied from the British BS 7799 standard. The standard is related to the ITIL and SAS 70 standards (NEN-ISO/IEC, 2005).

B.3.4 PAS 77

The British Standardization Institute (BSI) has published the PAS 77 standard for IT Service Continuity Management. This Publicly Available Specification (PAS) explains the principles and some recommended techniques for IT Service Continuity Management. Such a system can safeguard the performance of IT services both before and after an incident. By investigating, developing and implementing preventative and recovery options, an organization can be prepared and equipped to minimize and manage the threat. This can be useful for service providers seeking to live up to their SLA‟s. However, not only in a static state the systems are have to perform, but in the transition process of outsourcing the continuity of the systems must be safeguarded.

PAS 77 is an open standard, publicly available and developed by a group of companies interested in exchanging information on improving their continuity management. In partnership with these companies PAS 77 was developed, the latest version of this standards stems from 2006. The standard incorporates items such as assessments, planning, rehearsing, solutions and acquisition. It complements other existing and international standards such as ISO 17799 and ISO 20000 (BSI, 2007). The standard has the following characteristics: formal, specific, functionality and competence.

B.3.5 ISPL

Information Services and Procurement Library (ISPL) is a library of best practices for the contracting and realization of IT services by an external or internal supplier. In general ISPL allows for good arrangements between client and supplier which are based on a risk analysis for both parties. It describes the acquisition process in detail, from defining, strategy, proposal, contracting, monitoring and contract completion. By defining deliverables for each phase, ISPL supports client and supplier in the entire process (Beulen et. al., 2006). The fundamentals of the method are Situation driven planning, Emphasis on decision points and Emphasis on deliverables. For specific situations several „plug-ins‟ have been written that make ISPL adaptive to the situation. At the moment there are plug-ins for IT-services, website services and large migrations. ISPL allows future plug-ins to be written and incorporated in its library.

ISPL started out as part of the development of Euromethod in 1989. The development of this method started because in EU member states there was the need for clear procurement techniques. In 1999 a consortium of five European companies developed and published the new ISPL which would become the successor to Euromethod. The standard relates to eSCM, ITIL and Prince2 (Leenslag, 2006). The standard has the following characteristics: informal, specific, compatibility and project.

B.3.6 CMM variants

The Capability Maturity Model (CMM) is used to determine the maturity level of an organization which can be translated into improvement projects for an organization. There are many areas in the CMM standard, covering activities such as software engineering, systems engineering, project management, risk management, system acquisition, IT services and personnel management. The latest framework is the CMMI (CMM Integration) version where there are six levels that rank the organization according to its standardization of processes in the subject area being assessed. Improvement processes can 42 NEN Vlinderweg 6, 2623 AX Delft, NL – PO Box 5059, 2600 GB Delft, NL Telephone +31 (0)15 2 690 390, Fax +31 (0)15 2 690 190, Internet: www.nen.nl

help management set goals, priorities and bring guidance to take their processes up to higher quality levels (SEI, 2007).

The CMMI framework leans upon the success of its predecessor, the Software CMM which developments were halted in 1997 in support for CMMI. The CMMI framework offers more activities and process areas to determine the maturity level of. Determining the maturity can be of interest in an outsourcing process at times before and after outsourcing. Before the process of outsourcing, an organization can look at its IT services and judge if it is in accordance with the market. It can also be used to improve its acquisition processes. Also after outsourcing an IT service the level of maturity can be determined to see how well the supplier performs (SEI, 2007). The CMM standard is closely related to COBIT and eSCM (Leenslag, 2006). The standard has the following characteristics: informal, general, compatibility and competence.

B.3.7 COBIT

The COBIT (Control Objectives for Information and related Technology) standard is an IT governance model that can aid in delivering value and understanding and managing the risks associated with IT. IT governance is concerned about two things: IT‟s delivery of value to the business and mitigation of IT risks. The first is driven by strategic alignment of IT with the business. The second is driven by embedding accountability into the enterprise. Both need to be supported by adequate resources and measured to ensure that the results are obtained. The COBIT standard focuses on processes rather than functions or applications. This is because it is oriented towards results, which are more permanent in nature compared to functions or applications. The COBIT focus on processes is also because IT cannot be confined to a particular department and involves users, management and IT specialists.

The first edition of COBIT was published by ISACA in 1996 as an extension to their Control Objectives. More recently in 2005 they published version 4.0 which incorporated more components. The framework consists of six components: Executive Summary, Framework, Control Objectives, Audit Guidelines, Implementation Tool Set, and Management Guidelines. COBIT is related to CMM, ITIL, ASL and BISL (ISACA, 2007). The standard has the following characteristics: informal, general, functionality and process.

B.3.8 SAS 70

SAS (Statement on Auditing Standard) 70 is a standard by American Institute of Certified Public Accountants (AICPA), titled “Reports on the Processing of Transactions by Service Organizations”. Certifying against this standard indicates that a supplier has undergone a thorough audit on the control activities. The standard is related to the Sarbanes-Oxley (SOX) act. Under this law, suppliers in outsourcing arrangements are obliged to show that certain company processes are well managed. There are two types of Service Auditor's Reports: Type I and Type II. A Type I report describes the service organization's description of controls at a specific point in time. A Type II report not only includes the service organization's description of controls, but also includes detailed testing of the service organization's controls over a minimum six month period.

The SAS 70 standard originates from 1992. With the passage of the SOX act in 2002 the SAS 70 standard has grown in importance as it allows companies to live up to the regulations. This standard is related to the ISO 17799 standard. The standard has the following characteristics: informal, specific, functionality and quality.

B.3.9 ASL

The ASL (Application Services Library) standard describes the management, maintenance and renewal of applications. This results in better service and deliverance on applications, less disruptions and the continuous adaptation of applications to the demands of the client. It does this by describing the responsibilities for parts of the applications and the services they deliver. ASL also provides a possibility to benchmark the organization, enabling comparisons and improvements. Finally, ASL provides insight in the activities and their costs. The ASL standard has several clusters: Management, maintenance and renewal, connecting processes, guiding processes, applications cycle management 43 NEN Vlinderweg 6, 2623 AX Delft, NL – PO Box 5059, 2600 GB Delft, NL Telephone +31 (0)15 2 690 390, Fax +31 (0)15 2 690 190, Internet: www.nen.nl

and organizational cycle management. ASL can be valuable when outsourcing applications: IT service levels, product quality levels and the related costs can be agreed upon based on the ASL logic.

ASL was developed in the nineteen nineties by GetronicsPinkRoccade in order to manage the complexity of application management. By using parts of ITIL and CMM and making them application specific, a new management model was developed. By creating the ASL foundation in 2002, GetronicsPinkRoccade made ASL publicly available. The ASL standard is related to the ITIL, CMM, COBIT en BiSL standards (van Sante, 2005). The standard has the following characteristics: informal, general, functionality and process.

B.3.10 BiSL

As business units are increasingly dependent on information provision, the functional management of this information becomes more important. BISL (Business Information Service Library) is a standard that give a practical solution to the harmonization of the user organization and the IT organization. BiSL describes processes that are needed at the user‟s side and connects these to the application and technical side. Especially in the field of outsourcing, where these two sides become two different companies, managing the connection is important. By using BiSL organizations can improve their information support for business processes, steer their IT suppliers, improve the price-quality ratio and anticipate to changes in the user organization. The main processes are Planning and control, financial management, demand management and contract management.

BiSL is developed on the basis of FBM which was used in the Netherlands for functional management. In the same way as ASL, BiSL was made publicly available in 2005. The BiSL standard relates primarily to ITIL, COBIT and ASL. The standard has the following characteristics: informal, general, functionality and process.

B.3.11 eSCM

The eSCM-SP (eSourcing Capability Model for Service Providers) standard is a “best practices” capability model with three purposes: (1) to give service providers guidance that will help them improve their capability across the sourcing-cycle, (2) to provide clients with an objective means of evaluating the capability of service providers, and (3) to offer service providers a standard to use when differentiating themselves from competitors. In this way, the standard can be used for all the outsourcing phases, and be used for a variety of IT aspects.

The eSCM-SP was developed in 2001 by a consortium led by Carnegie Mellon University's Information Technology Services Qualification Center (ITsqc). The current version, the eSCM-SP v2, is composed of 84 Practices that address the critical capabilities needed by IT-enabled service providers. This document provides valuable information about the eSCM-SP, its implementation, and methods to evaluate and certify service providers (Hyder, Heston and Paulk, 2004a, page iv). The eSCM-CL (eSourcing Capability Model for Clients) has recently been published. This standard enables client organizations to "appraise and improve their capability to foster the development of more effective relationships, better manage these relationships, and experience fewer failures in their client-service provider relationship”. The eSCM standards are related to the CMM and ISPL standards. The standard has the following characteristics: informal, general, compatibility and competence.

B.3.12 Prince2

The Projects In Controlled Environment (Prince2) standard is a project management method that is generally applicable to all types of projects. It offers the project manager a method to better control projects resulting in projects that reduce the chance for late delivery, excess spending and not meeting specifications. Projects distinguish themselves from other processes in their unique and temporary character. Outsourcing projects have their impact on aspects of the organization that are otherwise very static. A static organization is generally not designed for handling dynamic risks (time, money, quality, information and organization) that come with projects. Prince2 aims to control the dynamic risks that come with a project such as outsourcing. The uniform working methods and terminology aims to make projects comparable, transferable and transparent.

44 NEN Vlinderweg 6, 2623 AX Delft, NL – PO Box 5059, 2600 GB Delft, NL Telephone +31 (0)15 2 690 390, Fax +31 (0)15 2 690 190, Internet: www.nen.nl

Prince2 has eight main processes: starting up a project, project planning, initiating a project, directing a project, controlling a stage, managing product delivery, managing stage boundaries and closing a project. In order to safeguard the added value of a project (and its various stages) the main starting point for a Prince2 project is a business case.

The method was published by the British Office of Government Commerce in 1989, and in 1996 Prince2 was published as a generic standard for all types of projects. In recent years Prince2 has grown to a de facto standard in the public and private sector in Europe. The standard is related to the MoSCoW, Software development and ISPL standards (van Sante, 2005). The standard has the following characteristics: informal, specific, functionality and project.

B.3.13 MoSCoW

The MoSCoW standard is a way to prioritize requirements for a project. The abbreviation MoSCoW stands for Must have (this requirement must return in the result), Should have (this requirement is highly desired), Could have (this requirement can only return in the result if time allows it) and Would have (this requirement will not be incorporated in the result but can be interesting in the future).

The MoSCoW standard is derived from DSDM and as such it is well suited for ICT projects. Its aims are to make IT-systems more flexible when it comes to investments of time and resources. In this same way MoSCoW can be helpful in IT outsourcing projects because it can make costs manageable. The standard is related to the Prince2 and the Software development standards (Dessing, 2006). The standard has the following characteristics: informal, specific, functionality and project.

B.3.14 Software development standards – SDM, DSDM, XP, RAD

In the sixties programming standards were developed to grow from one-of-a-kind systems to an industrialized way of systems engineering. A first standard (Pandata) for the planning the engineering process was developed in 1970 by PTT, Akzo and Nationale Nederlanden. From this standard the SDM (System Development Methodology) emerged, which would grow into the de facto standard for system development in the Netherlands. The standard is split into seven phases which are approached as a waterfall. This means that the next process can only start when the previous phase has been closed. A strong point of SDM is that it brings forward the conceptualization, after which the programming could be done in one go. Downsides to the method are that information could be lost between phases and that SDM could not cope with changing requirements during the development.

In reaction to this last problem the RAD (Rapid Application Development) standard was developed in 1980. RAD focuses on delivering early prototypes, decreasing complexity by reducing functionalities and focusing on usability. Related programming standards such as XP (eXtreme Programming) and DSDM (Dynamic Systems Development Method) also belong to the Agile software development family. XP prescribes a series of best practices for software development managers. DSDM focuses on facilitating projects that are characterized by tight budgets and schedules. It has nine main areas that can also be used in disciplines other than software development. The requirement of continuous communication between all stakeholders is one aspect that can be used in project management. This enables DSMD to grow from a software development standard to a project standard. In this way it can not only be valuable to IT outsourcing (because it was originally developed for IT) but also be valuable to a process as outsourcing (Delen, 2005). These standards relate to the Prince2 and MoSCoW standards. The standards have the following characteristics: informal, general, functionality and project.

B.3.15 Overview

By combining the phases of outsourcing and the subdivisions of IT an overview can be created using a framework. The standards that have been presented previously can be mapped to the framework. This mapping is done based on their descriptions in this section (Figure 11).

45 NEN Vlinderweg 6, 2623 AX Delft, NL – PO Box 5059, 2600 GB Delft, NL Telephone +31 (0)15 2 690 390, Fax +31 (0)15 2 690 190, Internet: www.nen.nl

Figure 11: Standards framework

This framework makes use of two dimensions, knowingly the sourcing phases (decision making, selection, transition, service delivery and contract termination) and the IT aspects (functional, application and technical management) Standards will be appointed to these dimensions and can, if necessary, span various sourcing phases and IT aspects. The standards are appointed on the basis of where their most important function lies in the IT outsourcing process.

It is important to realize that the standards portrayed can be used on other positions that indicated in the framework. Their positions as shown here merely indicate where they can contribute most in IT outsourcing. Users are guided by the framework to a specific standard depending on what phase of outsourcing, what type of IT they are discussing and how they want to use the standard. For instance if a client is looking for content standards while he is in the selection phase of outsourcing applications, according to the framework the client should use CMM and ISO 17799 in this case.

The purpose of the framework is not to portray reality but to sketch the general picture of the positions of standards in IT outsourcing. The goal of this picture is to make the standards presented in this section more comprehensible and to display the big picture.

46 NEN Vlinderweg 6, 2623 AX Delft, NL – PO Box 5059, 2600 GB Delft, NL Telephone +31 (0)15 2 690 390, Fax +31 (0)15 2 690 190, Internet: www.nen.nl

Annex C: Questionnaire

For suppliers, certain questions should be formulated differently.

1. General a. What is your personal background in this company? b. What is the history on IT services within this company? c. Which IT outsourcing processes have been finished or are currently running? d. What are the numbers of these projects (involved employees, budget)? e. Were these projects multi-sourcing arrangements? f. Which ICT services have been outsourced? i. Infrastructural processes (Networks, workplaces, computing centre, telecom services, data services) ii. Application processes (Software packages, application development, application management, supporting processes for operational management) iii. Company processes (Having a direct influence on the product and/or consumer, information supply, strategic IT processes)

2. Decision making a. How was decision making organized for these projects? b. Why were these IT aspects outsourced? i. Advantages? ii. Disadvantages? c. What were the reasons for good results in the decision making phase? i. No contractual limitations, were strategies aligned? d. What are problems specifically for this phase (use inverse questions 2.c.i)? e. What could contribute to the quality of this phase in outsourcing? f. Do you know any standards for IT outsourcing in this phase? If yes, which? g. How can standards contribute to the quality of this phase in outsourcing?

3. Supplier selection a. How is the selection phase organized? b. What were the causes for good results in this phase? i. Sufficient suppliers selected, proper demands, performance criteria, effective tendering strategy, adequate amount of involvement, right SLA c. What are the problems for this specific phase (use inverse of 3.b.i.) d. What could contribute to the quality of this phase in outsourcing? e. Do you know any standards for IT outsourcing in this phase? If yes, which? f. How can standards contribute to the quality of this phase in outsourcing?

4. Transition phase a. How is the transition phase organized? b. What were the causes for good results in this phase? i. Good management of employee transfer, good use of the SLA, no unspecified costs, roll-out time shorter than the life-cycle, the complexity of the project not passed on, no resistance to the organizational change, adequate cooperation and communication. c. What are the problems for this specific phase (use inverse of 4.b.i.) d. What could contribute to the quality of this phase in outsourcing? e. Do you know any standards for IT outsourcing in this phase? If yes, which? f. How can standards contribute to the quality of this phase in outsourcing?

5. Service provision phase a. How is the service provision phase organized? b. What were the causes for good results in this phase? i. Sufficient innovative and flexibility options in the contracts, no unanticipated changes, correct management from the direction-organization, competent

47 NEN Vlinderweg 6, 2623 AX Delft, NL – PO Box 5059, 2600 GB Delft, NL Telephone +31 (0)15 2 690 390, Fax +31 (0)15 2 690 190, Internet: www.nen.nl

provider, sufficient relationship management, no unexpected interaction between software, no unsustainable software design, no different local needs in the organization, roll-out time shorter than the life-cycle, clear, complete and sufficiently enforced SLA‟s, no informal steering of former employees by managers. c. What are the problems for this specific phase (use inverse of 5.b.i.) d. What could contribute to the quality of this phase in outsourcing? e. Do you know any standards for IT outsourcing in this phase? If yes, which? f. How can standards contribute to the quality of this phase in outsourcing?

6. Contract termination phase a. How is the contract termination phase organized? b. What were the causes for good results in this phase? i. No constraints in the outsourcing-contracts, trust, good relationship management, no constraints in the handover c. What are the problems for this specific phase (use inverse of 6.b.i.) d. What could contribute to the quality of this phase in outsourcing? e. Do you know any standards for IT outsourcing in this phase? If yes, which? f. How can standards contribute to the quality of this phase in outsourcing?

7. Standardization a. Which problems in IT outsourcing have the highest priority? b. Concerning IT outsourcing, are your knowledge demands fulfilled? If no, where do the available provisions fall short? Why were there no standards used? i. Unable to find, unclear, incomplete, not what I needed c. Can a new standard contribute to fulfilling your knowledge demands? d. Can a standard help to improve the mutual understanding between clients and suppliers? e. Would you be willing to cooperate as a stakeholder on the development of such a standard? f. According to you, who would have to be involved in the development of such a standard?

48 NEN Vlinderweg 6, 2623 AX Delft, NL – PO Box 5059, 2600 GB Delft, NL Telephone +31 (0)15 2 690 390, Fax +31 (0)15 2 690 190, Internet: www.nen.nl

Outsourcing phases:

ice ice

making

Serv

Contract Contract

Decision Decision

provision

Selection

Transition termination Problems: No cost saving achieved

□ □ □ □ □ Complexity of the software handed over □ □ □ □ □ SLA is unclear

□ □ □ □ □ SLA is incomplete

□ □ □ □ □ Inadequate SLA enforcement

□ □ □ □ □ SLA is no guarantee for success

□ □ □ □ □ Short life cycle of ICT product: same roll-out time as life-span □ □ □ □ □ Different local needs in an organization

□ □ □ □ □ Mismatching strategies

□ □ □ □ □ Unsustainable software design

□ □ □ □ □ Unexpected interaction between software □ □ □ □ □ Complexity of the software handed over □ □ □ □ □

Insufficient relationship management

□ □ □ □ □

49 NEN Vlinderweg 6, 2623 AX Delft, NL – PO Box 5059, 2600 GB Delft, NL Telephone +31 (0)15 2 690 390, Fax +31 (0)15 2 690 190, Internet: www.nen.nl

Outsourcing phases:

making

Service Service

Contract Contract

Decision Decision

provision

Selection

Transition termination Problems: Resistance to organizational change is not overcome □ □ □ □ □ Supplier proves less competent

□ □ □ □ □ Incorrect management from direction- organization (matching demand & supply) □ □ □ □ □ Constraints in the current outsourcing- contracts □ □ □ □ □ Lack of flexibility options in contracts

□ □ □ □ □ Distrust between parties □ □ □ □ □ Ambiguous agreements □ □ □ □ □ Insufficient communication between parties □ □ □ □ □ Information-asymmetry between parties □ □ □ □ □ Lack of innovative options in contracts

□ □ □ □ □ Other: ………………… □ □ □ □ □ Other: ………………... □ □ □ □ □

Other: ………………...

□ □ □ □ □

50 NEN Vlinderweg 6, 2623 AX Delft, NL – PO Box 5059, 2600 GB Delft, NL Telephone +31 (0)15 2 690 390, Fax +31 (0)15 2 690 190, Internet: www.nen.nl

Comment:

used

Highly Highly

Known

valuable

Valuable Is currently Is currently Standards ISO 20000: Service management

□ □ □ □ ISO 17799: Information Security Management System □ □ □ □ PAS 77: IT service continuity management □ □ □ □ ITIL: Information Technology Infrastructure Library □ □ □ □ ISPL: Information Services Procurement Library □ □ □ □ DSDM: Dynamic Systems Development Method □ □ □ □ COBIT: Control Objectives for Information and related Technology □ □ □ □ CMMI: Capability Maturity Model Integration □ □ □ □ SAS 70: Statement on Auditing Standard 70 □ □ □ □ ASL: Application Services Library

□ □ □ □ SDM: System Development Methodology □ □ □ □ DSDM: Dynamic System Development Methodology □ □ □ □ BISL: Business Information Service Library, □ □ □ □ eSCM: eSourcing Capability Model

□ □ □ □

51 NEN Vlinderweg 6, 2623 AX Delft, NL – PO Box 5059, 2600 GB Delft, NL Telephone +31 (0)15 2 690 390, Fax +31 (0)15 2 690 190, Internet: www.nen.nl

Comment:

used

Highly Highly

Known

valuable

Valuable Is currently Is currently Standards: XP: eXtreme Programming

□ □ □ □ RAD: Rapid Application Development

□ □ □ □ PRINCE2: Projects IN Controlled Environments □ □ □ □ MoSCoW: Setting priorities for development □ □ □ □ SA-CMM: The Software Acquisition Capability Maturity Model □ □ □ □ Other: ………………… □ □ □ □ Other: ………………... □ □ □ □ Other: ………………... □ □ □ □

52 NEN Vlinderweg 6, 2623 AX Delft, NL – PO Box 5059, 2600 GB Delft, NL Telephone +31 (0)15 2 690 390, Fax +31 (0)15 2 690 190, Internet: www.nen.nl