United States: Does "Risk & Reward" Really Work in IT Services and Outsourcing Relationships?

Companies often talk about implementing risk & reward mechanisms in their IT services or outsourcing relationships, but what does "risk & reward" really mean in practice and is there really such a thing as a genuine, balanced "risk & reward" mechanism? Maybe there’s no single magic bullet, but what structures can be combined in a fair and balanced way?

Customers tend to focus on the risk element – in terms of shifting risk on to a service provider; whilst service providers are obviously more interested in the reward element and less interested in accepting risks over and above their standard model. This article looks at a number of risk & reward mechanisms and considers the pros and cons of those various mechanisms.

Risk & reward can mean different things to many people. Broadly speaking, the mechanisms fall into three categories:

• at the "conventional" level, the risks include a "penalty" payment for underperforming and the rewards include a cash bonus for over performing;
• at the "collaborative" level, the incentive involves a share of the improvement achieved or a percentage of the revenue achieved by the business; and
• at the "transformational" level, the incentive could be a share of a new business venture or the establishment of a new product line.

At the simplest level, risk & reward can mean introducing a system of service performance bonuses that is the mirror image of service credits in relation to service over-performance. So, for example, a service provider may receive a bonus payment if it consistently exceeds service performance over a defined period of time. The "bonus" for over-performance could, alternatively, be the ability to off-set or earn-back previously incurred service credits.

The most obvious way of measuring performance for the purposes of service bonuses is against defined service levels. Incentive mechanisms could also be linked to overall industry performance. The service provider could, for example, be rewarded with extra incentive if its performance in certain key measures over a defined period of time puts it in the top quartile of industry performance in that particular set of metrics. Or a customer may prefer to tie risk & reward less to monthly SLA measurements and more to key business events or overall customer satisfaction measures.

It’s important to realise, however, that a critical success factor in even conventional risk & reward mechanisms is that the mechanism should be aligned with the business needs of the customer. The mechanism should be focussed on what gives true value or benefit to the customer. There is little point in penalising a service provider for failing to meet a response time service level in a non-critical area of the business or, conversely, rewarding a service provider for meeting an availability target of 99.9% if a target of 98% has no material impact on the end-user’s ability to function effectively.

For this reason, as a general rule, the more successful risk & reward mechanisms tend to involve a reduced number of metrics albeit each with a higher stake associated to that metric. In particular, service providers often suggest that risk & reward involves ditching metrics that are too difficult and time consuming to measure (on a cost benefit analysis) and focussing at the metrics that have a real and meaningful benefit on the customer’s business. This may or may not be right for a particular customer: it depends whether one sees risk & reward operating as an integral part of service levels/credits, or as a separate overlying regime – i.e., is the customer comfortable with disregarding traditional service level metrics that measure all aspects of the supplier’s performance to concentrate on fewer, more critical metrics?

The more successful risk & reward mechanisms tend to focus on output metrics rather than input metrics. So, instead of focusing on traditional input service levels such as system uptime, it may be more appropriate to measure the number of orders or processes handled by the system in a particular measurement period. Output metrics tend not to be within the end-to-end control of the service provider – the number of customer orders processed by a system, for example, will depend on customer demand as well as the effectiveness and efficiency of the system. Output metrics, therefore, require a more collaborative approach between the parties.

Collaborative risk & reward mechanisms focus on business outcomes rather than measuring individual service lines. Gainsharing is one of the most commonly discussed methods of implementing risk/reward. Under a collaborative gainsharing, the customer may agree to make a bonus payment if the outsourcing helps the customer to achieve pre-defined cost savings. Alternatively, the parties may agree to share any increased revenue or profit generated by the improved outsourced services.

At a softer level, we have seen clients regard "end-user satisfaction" as a proxy for determining overall success in an outsourcing arrangement. So, for example, it is possible to construct bonus schemes that directly tie-in the performance and rewards for individual key personnel within a service provider to the levels of end-user satisfaction (e.g., at the simplest level, those key personnel get paid an annual bonus if the customer’s end-users express high levels of satisfaction over the course of the year; whereas no annual bonus is paid if pre-defined satisfaction levels are not met).

By their vary nature, collaborative measures cannot be purely within the control of the service provider. Accordingly, it is often very difficult to get the service provider to accept a significant element of the "risk" associated with failure. So whilst service providers are keen to discuss incentives such as sharing profits or bonus payments for positive business outcomes, they are very resistant to accepting effective "penalties" for failure to achieve an outcome which is not entirely within their control. In reality, the only risk that a service provider is often willing to take in these circumstances is the "risk" of not being paid a bonus. If a customer is able to persuade a service provider to accept a penalty for failure to meet business outcomes, it must, if possible, look carefully at the service provider’s risk pricing to ensure that any potential benefit to be derived from the penalty regime is not outweighed by the service provider’s conservative risk premium.

Transformational risk & reward mechanisms take the collaborative approach to the next level. They measure the success of major transformational projects and align incentives with enterprise-level outcomes such as market share or return on capital. The transformation might include the development of a new IT platform to support a new line of business or product. If a transformational project includes a significant new software development, as well as sharing in any increased revenue or cost savings associated with such transformational project, the parties may agree a mechanism to exploit jointly the intellectual property created as part of the project.

Gainsharing in this context can only be effective if both parties understand their responsibilities for realising the benefits of an IT services implementation. It also needs to be possible to quantify the benefits that might derive from a particular implementation. This can be done either by agreeing the extent of the cost reduction up-front at the preliminary design stage; identifying the cost that the project will affect; or using agreed mechanisms to quantify the benefits. Thereafter, it is necessary to agree the basis on which gains will be shared, likely using some form of banding arrangement.

Risk & reward mechanisms vary greatly and have different results. Whilst basic service credit and bonus mechanisms are simple to operate, they can be a rather blunt tool. Mechanisms that incentivise behaviour at a business outcome level can be more difficult to agree and manage but, ultimately, may encourage better performance in the areas that count. Either way, the customer must consider risk & reward very carefully and must construct a mechanism that is tailored to its business need. Good risk/reward contracts tend to be highly specialised and require careful and creative management.

Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Morrison & Foerster LLP. All rights reserved