Risk transfer in outsourcing contracts

Practical Law UK Articles 2-518-7949 (Approx. 12 pages)

Risk transfer in outsourcing contracts

by Dan Burge, Catherine Bingham and Amanda Lewis, SNR Denton

Retained risks

It is easy to assume that outsourcing will transfer all risks and responsibilities to the supplier and fully protect the customer from the consequences of failure. However, whatever the business area and whatever the terms of the contract, it is almost impossible for a customer to fully insulate itself and the practical remedies available may not be sufficient to recompense the customer. The primary remedies for a supplier's failure to deliver outsourced services are payments (whether in the form of indemnity claims, general damages, service credits or liquidated damages) and termination. Although other remedies may be specified under the contract (for example step in) or generally available as a matter of law (such as specific performance), in practice these additional remedies are rarely practical or used.

However, even before considering the questions of exclusion of liability and recoverability of compensation, most outsourcing customers find that neither termination nor payments eliminate the risks to their business. For example, a business which depends on a critical outsourced supply may be fatally compromised if that supply fails. Even if the supply is restored in due course, an interruption may prove terminal to the customer's enterprise. In such circumstances, the available remedies of termination and compensation after the fact cannot place the customer back in the position it should have been in.

A customer should therefore consider whether it can ensure that there is no single point of failure for its business. In some markets this might be achieved by ensuring that only ancillary (rather than critical) supplies are outsourced and in others ensuring a resilience of supply by dividing between multiple suppliers. These types of risks may be regarded as structural since mitigation strategies may dilute or even inhibit the primary objectives for the outsourcing project. In all such cases, it is important to balance the risks (both in severity and probability) against the opportunity and other costs of the mitigation strategy.

Limits on liability

Limitation of liability clauses are probably the most extensively negotiated element of risk retention by customers. To the extent that a cap on liability prevents the customer from recovering financial compensation, the customer carries the excess responsibility. The most common forms of limitation structure:

Cap the supplier's liability to a sum determined by reference to annual revenue. From the supplier's side this is driven by a desire to align its risks under the contract with its rewards. However, it does nothing to ensure that the supplier shares proportionately in the customer's risks, even where those risks flow directly from the supplier's failures.
Categorise the potential supplier liabilities so that some fall outside any cap (for example claims relating to death or personal injury caused by negligence or intellectual property claims) or receive more generous treatment (for example losses relating to damage to tangible property).

Customers negotiating a higher limit on liability and expanding the classes of uncapped liability therefore reduce the retained financial risks. In most cases, liability issues are non-structural in the sense that there is no correlation between the operational effectiveness of the outsourcing arrangements and an increased limit of liability. At any given price point a higher limit will always be better for the customer. However, a proper mitigation strategy should include a consideration of the risks of different types of potential losses and the relative positioning of the contract relative to the supplier's other arrangements. In particular:

Limits of liability must be considered in the context of the types of claim which could arise and the appetite and ability to terminate and switch suppliers. For example, if the nature of the outsourced supplies is such that a limit of liability can only be met by continuous breach over an extended period of time then termination can form an effective part of the risk mitigation strategy. If the nature of the supplies is such that there is a risk a single cataclysmic event would very rapidly cause losses which exceed the cap then a higher cap may be appropriate (a non-structural solution). Alternatively, the customer may need to invest in a more effective means to move supplies to another provider quickly (whether through a "warm backup" arrangement or structuring the services and solution to ensure that the outsourced operations can quickly resume).
If the nature of the outsourcing means that a systemic problem can arise (for example an outage of a shared data centre) a customer must ensure that the supplier prioritises a remedy for it over the supplier's other customers. A limit of liability which is likely to be exhausted by a single outage has the potential to expose the customer not only to inadequate financial remedies but could also place the customer at the back of the supplier's queue relative to other customers which have ongoing recoverable losses. If systemic problems are a possibility the customer should also make a realistic assessment of the impact on the supplier's solvency if all of the supplier's customers assert similar claims at the same time.
Liability limits must be focused where they are most useful. Suppliers often have relatively arbitrary rules linking the level of liability they will accept for a deal according to the revenue or profit which they anticipate. While it would be wrong for a customer to accept those rules as being completely immutable for any given deal, they should ensure that the aggregate liability "budget" which it can negotiate in any case is deployed in relation to those elements of the project where it will serve the greatest good both as a potential source of compensation and a driver of supplier behaviour. In particular, it is important to look at the limits of liability in the context of types of compensation which can actually be legally recovered both as a matter of general legal principle and after considering the specific exclusions of liability which may apply in any given case. These two elements form an important part of the matrix of retained risk for a customer.
The customer should ensure that the retention of risk implicit in the limitation of liability provisions dovetails with the customer's own insurance cover.

Exclusions of liability

On the same principles as above, exclusions of liability by a supplier (for example in relation to consequential loss) represent risks retained by the supplier. Again, a customer should give careful consideration to the types of risks inherent in the specifics of a project against the proposed exclusions in the contract. For example, while it is relatively common to see exclusions of liability for loss of data on many outsourcing projects, an attempt to include such a provision in a cloud data storage services contract may be met with considerably less enthusiasm. Exclusions of liability have a different effect on the retained risk profile than limits on liability in that they apply from the start of the relevant breach rather than requiring thought about the cumulative effect of breaches based on the likely frequency and distribution of different severities of incidents.

For obvious reasons suppliers are usually more flexible in relation to accepting additional categories of loss which will fall within any cap on liability than they are in accepting any additional uncapped liabilities. Customers should be wary of taking a "one size fits all" approach to exclusions as the precedent set by one project may be completely inappropriate to another set of outsourced services.

Ensuring a co-ordinated approach between the exclusions of liability and the customer's insurance cover is important. However, there is often a significant mismatch between the term of the outsourcing arrangement and the term for which insurance is readily available on fixed terms, so this should not be regarded as a complete solution.

Legally irrecoverable losses

It is also vital for a buyer of outsourcing services to understand what will and will not be recoverable as a matter of general law. Particularly common misconceptions about the extent of retained risks often arise from:

Assumptions about the recoverability of compensation for wasted management and internal time spent dealing with problems. In practice, such sums are difficult to recover and may represent a significant element of retained risk for the customer.
Misconceptions about what is recoverable in the event of termination for fault. In particular, many customers (and even suppliers) think that if the contract is terminated for fault (for example because service credits have exceeded a specified threshold) that costs of replacing the failed outsourced solution with a new solution will invariably be borne by the supplier in all cases.

Therefore, if a customer identifies a risk that it wishes to give the supplier financial responsibility for, but which would be difficult or impossible to establish at common law (whether as a source or compensation or simply as a driver for supplier behaviour), it should consider an appropriate indemnity and the relationship of that indemnity to the limitations and exclusions of liability.

Reputational issues

Even if the probable worst-case scenario for a failure of the outsourced services will not result in a complete failure of the customer's business, a customer will almost always potentially suffer damage to its reputation. The fact that the supplier's brand may suffer alongside the customer's may drive the supplier's behaviour to avoid failures but will do nothing to protect the value of the customer's brand in the event that something does go wrong. Given the value of reputation and brand to many business activities, it is arguably surprising that one of the most common types of loss to see excluded are those relating to loss of reputation and goodwill. The question of liability for reputational damage is likely to have an increasing profile in outsourcing negotiations following the case of GB Gas Holdings Limited v Accenture (UK) Limited [2010] EWCA Civ 912, which concerned the development of new billing systems that were intended to improve customer relations and customer service. When the systems failed the court was willing to accept that the supplier should be responsible for the ex gratia compensation paid to clients of the customer in an attempt to restore goodwill.

The impact of an outsourcing failure on a customer's brand is generally a structural issue. The more direct, extensive and externally visible the impact of an outsourcing failure on the customer's external operations, the more serious the brand damage is likely to be. Many organisations have shied away from outsourcing directly consumer-facing elements of their business in recognition of their retained risks of reputational damage. However, such a restrictive strategy also has the potential to significantly limit the potential benefits which outsourcing can bring to an organisation, particularly where there may be good commercial reasons to believe that the customer-facing functions would perform better if they were outsourced.

Supplier solvency

Whatever deal a customer can negotiate in relation to compensation provisions will always be subject to the supplier's ability to fund that compensation. Supplier solvency can have a major impact on the ability of the supplier to provide the services at all but the retained risks are worthy of consideration in their own right (see below, New risks; Supplier solvency). Indeed, from a customer perspective one of the few consolations about the traditional negotiated showdown to secure an adequate limit of liability is that it shows a level of supplier prudence about exposure and solvency across its business. A glance of the volatility of credit ratings for major suppliers will clearly demonstrate how difficult it can be to confidently predict the financial strength of any organisation over the full term of a major project.

Mitigation strategies for solvency concerns have probably been the subject of more consideration in recent times than any other topic in the field. It is beyond the scope of this article to examine all of them in detail but consideration should be given to:

Seeking financial security from a bank or group company. However, such security will never be perfect and is becoming increasingly expensive. In particular, there has been a dramatic rise in parent companies seeking to make an explicit charge for providing a guarantee which is in turn inevitably and transparently passed through to the customer to discourage them asking for the commitment in the first place.
Seeking termination rights for a decline in the supplier's credit rating. It is becoming increasingly common to see customers seeking a right to terminate contracts on the basis of a declining credit score. Suppliers are highly resistant to such an approach on the basis of the perceived subjectivity of the credit scores and the momentum which such clauses can build to convert a loss of confidence into a real business crisis.
Shorter term contracts. A shorter term contract may provide a higher level of certainty as to the direction of the supplier's business. However, this needs to be balanced against the adverse pricing and strategic impacts of a shorter term.
More effective exit strategies. In appropriate cases, customers may conclude that it is better to accept possible operational inefficiencies to ensure that the customer's services can be safely excised from the supplier's general operations.

Adequacy of service descriptions

Perhaps the most obvious form of retained risk arises from service descriptions which describe only the process to be followed rather than the end result to be achieved (for example, a reasonable or best endeavours obligation to seek to attain a particular goal). Such service descriptions obviously have their place and almost always represent the conscious and considered choice of the parties as to where to draw the service boundary. However, it is all too frequent to see insufficient investment being placed in the service descriptions such that items are inadvertently missed.

It can be tempting for customers to avoid omissions by using "sweepers" of part of the statements of work, for example requiring that the supplier undertake:

Any activities and provide all services which should reasonably be implied from the express service descriptions.
Activities which have historically been undertaken by the outsourced function (whether or not documented) to the same standard as was the case during a pre-outsource reference period.

Such constructs can have their place in an arrangement to ensure that a full service is provided but in practice this can come at a high price of creating uncertainty, perpetuating redundant business process steps and stifling innovation. A proper investment in the statement of work is always preferable, despite the fact that this can sometimes be a time consuming and tedious task. If the timescales and resources of the project really do not allow this then in some cases it may be possible to include a process for the ancillary activities to be documented and reviewed after the contract award with appropriate revisions to the resourcing and payment models.

Regulatory compliance

Generally, obligations to comply with regulations cannot be outsourced but the activities which underlie them can be. For example, in relation to the financial services sector, the FSA requires regulated firms to notify it before entering into material outsourcing arrangements (FSA Handbook, Supervisory Provision 15.3.8g(1)(e)) and stresses that firms cannot contract out of their regulatory obligations (FSA Handbook, Senior Management Arrangements, Systems and Controls (SYSC) 3.2.4G(1)).

Since the customer necessarily retains certain regulatory compliance risks, mitigation strategies must focus on structuring any outsourcing in a way that provides the customer with maximum assurance that any relevant regulations will be complied with by the supplier. In particular this may involve:

Careful consideration of which areas of operations to outsource.
The customer specifying or retaining some control over the technical and organisational measures to be taken by the supplier to protect against regulatory breach. Usually this is coupled with appropriate monitoring provisions (and this is an FSA requirement under SYSC 13.9.4G).
Incentive mechanisms to guide the behaviour of the supplier towards investing sufficient resources to ensure that there is no breach.

New risks

An outsourcing may also create a new set of risks which are not present in the in-house model (such as, the additional risks flowing from any supplier insolvency). From the customer's perspective it is important to recognise that outsourcing is not just a question of dividing up the risks it has when undertaking the outsourced function in-house. The outsourcing arrangement itself may give rise to the creation of a new category of risks for the customer which needs to be identified and either mitigated or accepted.

Risk arising from loss of control

If the customer insists on controlling the way in which services are delivered as well as the ends which they are to be attained, the supplier is unlikely to be able to deliver much in the way of enhanced value (whether that is measured in price, better delivery capability, improved output service capability or quality, or otherwise). However there are two distinct strands of risk which may follow from a transfer of control:

The risks flowing from the ability of the supplier to effect change. A supplier with the power to alter services and operations may use those powers to make both benign and adverse changes. In many cases, the short term benefits of changes may accrue to both parties. For example, an elimination of redundant capacity may result in costs savings which are shared under a gainshare arrangement. However, the longer term risks will tend to reside unevenly with the customer (for example if the redundant capacity transpires to be required to provide resilience).
The risks flow from the refusal of the supplier to effect changes. The customer's control of an in-house function ensures that it is able (within its skill and resource constraints) to keep the services relevant to its evolving business needs. However, a supplier acting in the short term may not be willing to make the kinds of investment and expose itself to the operational risks that change would require, except to the extent that this creates savings in which the supplier shares (for example, by streamlining the operation or moving it onto the supplier's common platform).

The transfer of control to a supplier should not be treated as an all or nothing proposition. An appropriate mix of freedoms and safeguards can be designed for each project based on the stability of the operations which are outsourced and the need and likelihood for major change. A detailed discussion of those checks and balances is beyond the scope of this article but may include:

An understanding of the supplier's target operating model as at the date of contract award.
An appropriate level of definition of the solution which the supplier is required to use to allow customer review of major changes or matters which may significantly affect the overarching approach to exit.
An appropriate change control procedure that does not leave the customer vulnerable to the superior negotiating position and inertia of the supplier (particularly in relation to types of change where the customer will effectively have not a choice, such as those driven by change in the law).
Requirements for market review, benchmarking and continuous improvement.
A contract term that is commensurate with the planning horizon for the outsourcing project under consideration.
Reasonable rights of termination for convenience, balancing the investments and commitment expected of the supplier with the ultimate need for customer to have flexibility in running its business.

Loss of capabilities

In entering into an outsourcing arrangement the customer will transfer or otherwise lose its in-house capabilities. A customer must consider whether this exposes it to the risk of being unable to re-acquire that capability within a required timescale. In particular:

Will there continue to be an identifiable "unit" within the outsourcer dedicated to servicing the customer? A supplier which intends to provide a leveraged solution where its staff and assets will be dynamically shared amongst multiple clients will often be able to provide dramatic savings but it is likely to be significantly more difficult to extract an operating unit from the shared resources on exit.
Will the services be provided onshore or in a territory where staff will transfer to a new provider of services? An onshore unit dedicated to providing the customer with services will usually be subject to the Transfer of Undertakings (Protection of Employment) Regulations 2006 (SI 2006/246) on termination and this might mitigate some concerns about losing strategic knowledge and skills. However, a unit which has a high turnover or which is based in a territory where the staff are as a matter of law or practice unlikely to transfer to a new supplier will have greater issues about service continuity.
Do the services require proprietary infrastructure which will not be freely available to the customer or a new supplier on termination or expiry? Some forms of outsourcings are susceptible to technical lock by choices made when the provider seeks to use its own solutions. In appropriate cases it may be important to examine whether the lock-in is acceptable if the work product is free from restrictions.
Are the services of a commodity nature (and will they remain so) so that it is reasonable to take a view that the general market will be able to provide them in the future? A service such as office cleaning which is entirely generic, requires no specialist infrastructure and carries no work in progress presents very little risk to the customer. Conversely, an outsourced maintenance service for mission critical bespoke software is likely to merit a carefully designed structure to ensure its availability.
What would the lead time be to re-procure the outsourced services or take them back in house (if that is available)? While a customer should ensure that its exit plan will work in the context of a planned re-procurement exercise on expiry of its first generation contract it should also consider whether it could secure replacement capability on an unscheduled event such as supplier insolvency.
For how long can the customer cope without the outsourced services?

There is no substitute for a well-designed exit plan that takes account of the specific characteristics and circumstances of the services and the means by which the supplier will deliver them. The operational detail of the plan is highly likely to evolve gradually alongside the services but the broad assumptions underlying the design of the exit plan (for example whether the services may be provided using shared facilities) must themselves be protected from unilateral change by the supplier. Arrangements where the workload can be rapidly switched between completely independent suppliers (as might be the case for a retailer's payment card acquisition function for example) provide excellent protection but often the nature of the outsourced services means that a parallel supply arrangement is not viable or cost effective.

Supplier solvency

In addition to the impact of supplier solvency on the customer's retention of risk (see above, Retained risks; Supplier solvency) solvency concerns represent an additional risk as an insolvent supplier is unlikely to be able to provide the service. The administrator of an insolvent company also has the power to escape from onerous contractual commitments. However, an administrator will usually try to sell an outsourcing business as a going concern and so such powers would not be used against a customer lightly. Nonetheless, customers should consider where they would stand if the administrator exercised its power to disclaim responsibilities in relation to the exit provisions of a contract.

The additional delivery risks which would arise from a supplier insolvency are substantially the same as those discussed above, that is, providing assurance of continuity of supply and due performance (for example a parent company guarantee) and ensuring that the services can readily be moved elsewhere. Where possible within the context of an exit strategy, customers should consider where exposure to contract disclaimer by an administrator can be reduced. For example, there is all the difference in the world between a contract which:

Requires daily transfers of data to the customer (a practical remedy not vulnerable to disclaimer).
Requires the transfer on termination of title and possession of the server holding the customer's data (an additional contractual obligation which might be disclaimed).
Transfers title to the server on contract commencement (giving the customer property rights which cannot subsequently be reversed on insolvency).

Loss of competitive advantage

Outsourcing a function can be extremely useful to bring a customer up to the then applicable market standard in a shorter time than they would have been able to manage themselves. However, it is also likely to sacrifice any element of market leadership in relation to that function. Clearly the risk is most acute where the supplier will provide the outsourced services on a leveraged basis since, by definition, the same solution will be made available to others to the same quality and, often, for the same price. Where the solution is not provided on a leveraged basis, there is nonetheless a risk that any competitive advantages which the customer enjoys on day one will be:

Made available to competitors in the future. Often the protections offered by general intellectual property rights are inadequate to prevent this.
Eroded if the supplier invests less aggressively than the customer or its competitors going forward.

The best protection against loss of competitive advantage in this way is to outsource only "commodity" functions rather than those which are of strategic importance to the customer or those which (while not necessarily central) provide a competitive advantage. However, failing this, customers may consider including provisions in the outsourcing arrangement, such as:

Intellectual property right protections to prevent or limit the use of the core technologies and knowledge contributed (or paid for) by the customer other than for its own benefit. However, we are aware of a number of projects in which customers solely relying on intellectual property rights protection have found suppliers competing more directly than they expected. The difference between prohibited copying and legitimate learning from experience can be difficult to prove. The reputation of the supplier is therefore likely to be of paramount importance.
Non-competition provisions to keep the supplier out of defined markets. Clearly the supplier may strongly resist restrictions on its ability to expand its business, particularly if it has developed its own proprietary solution for a particular function. While strongly resisted by the supplier community in most cases, non-competition covenants which meet the necessary constraints of public policy and competition law have the attraction of removing the need to prove the intellectual property infringement.
Pricing protections and gainshare provisions to ensure that even if the customer has to accept the risk of equivalent services being provided to its competitors, it may have a financial advantage or, at the least, will not be subsidising them.

Liabilities to suppliers and third parties

By entering into an outsourcing arrangement the customer may expose itself to a new set of potential contractual and legal liabilities. In particular:

For many types of supply, the contract will require the customer to take full responsibility for all actions undertaken using the log in details it provides (regardless of whether they are actually used by its staff). Arguably there is no theoretical difference between the outcome of such a requirement and the position in-house if there is no outsourcing arrangement. However, the difference in the profile of the supplier (they may be a bigger target for hackers for example) and lack of control over the security infrastructure may create a significant practical distinction.
Customers may be required to indemnify the supplier against any damage which their use of the system causes to shared facilities.
Customers are often required to indemnify the supplier against third party liabilities, for example in relation to the content of information or (in perceived high risk industries) in relation to third party claims against the supplier which exceed the cap.
The customer may be exposed to third party claims in relation to any intellectual property embedded within the services or deliverables by the supplier. Although the supplier will typically offer an indemnity in relation to such claims, the value of that indemnity will be limited by any applicable contractual provision.

Apart from those arising in relation to intellectual property, the customer's liabilities to the supplier and third parties tend to be ones created by the contract and therefore can be mitigated by appropriate negotiation and risk management.

Conclusion

As will be apparent, the risk profile of a customer in an outsourcing arrangement can be highly complex. This article covers the most significant common elements of retained and project-created risk. However, in reality each project carries its own risk profile and many may include unique and specific risks. It is often said that the role of commercial lawyers is to ensure that the risks of a project are properly allocated. However, in the case of outsourcing there are a number of risks which are essentially structural. There is therefore a symbiosis between the design and specification of the project and the design of the accompanying legal and procurement terms and neither should be unilaterally imposed on the other. The sheer variety of the possible approaches to the scope and procurement terms of an outsourcing project can appear daunting at first sight. However, in most cases an early strategic assessment of the high level risks involved allows the rapid identification of a cohesive and practical solution to the design of both the project and the procurement.

Contributor details

Dan Burge

SNR Denton

Image 1 within Risk transfer in outsourcing contracts

T +44 20 7320 6896
E [email protected]
W www.snrdenton.com

Qualified. England and Wales, 1990

Areas of practice. Strategic sourcing and outsourcing; technology procurement, development and licensing transactions, particularly in the energy and financial services sectors.

Recent transactions

Projects in relation to software development, systems integration, cloud, data centres, smart metering, trading platforms, payment systems and technologies.

Catherine Bingham

SNR Denton

Image 2 within Risk transfer in outsourcing contracts

T +44 20 7320 6367
E [email protected]
W www.snrdenton.com

Qualified. England and Wales, 1988

Areas of practice. Strategic sourcing and outsourcing; technology procurement, development and licensing transactions, with particular focus on public sector, infrastructure and the energy sector.

Recent transactions

Leading teams advising on several complex long-term public sector partnering deals; technology transfer and R&D focused transactions; and a number of high profile technology PPP deals.

Amanda Lewis

SNR Denton

Image 3 within Risk transfer in outsourcing contracts

T +44 20 7320 6680
E [email protected]
W www.snrdenton.com

Qualified. England and Wales, 1992

Areas of practice. Strategic sourcing and outsourcing; technology procurement; development and licensing transactions (particularly in the financial services, transport, infrastructure, retail and public sectors); commercial and IT disputes.

Recent transactions

Amanda has negotiated over 210 major outsourcing agreements over 25 years, covering the outsourcing of IT, telecommunications, disaster recovery, printing, mailing, training, call centre services, customer services, human resources, pensions administration, finance and accounting, audit, fleet management, vehicle supply and vehicle servicing, revenues and benefits, insurance claims processing, credit card processing, lease payments processing, custody, fund administration, derivative processing, transfer agency, underwriting support, claims management, cash pool, trade finance processing, engineering consultancy, logistics, research, catering, cleaning and various other facilities management services.

Risk transfer in outsourcing contracts | Practical Law