This column was prompted by an article in the Toronto Globe and Mail's Report on Business during that post-Christmas period of year-end retrospectives. In "Earthquake. Tsunami. Floods. Here is how a battered industry is getting back on its feet" (Globe and Mail, December 27, 2011), Greg Keenan analyzed how Japanese automakers were affected by recent natural disasters: last March's powerful earthquake and tsunami and the Thailand floods. The devastating impact was aggravated by problems with the automakers' suppliers: the automakers suffered severe parts shortages but were unable to adjust to these problems because of their inability to obtain critical information from the suppliers. Interestingly, in the longer term, the automakers have responded by: (i) developing a more extensive and intricate knowledge of their supply base, one that now extends down to third and fourth-tier suppliers; and (ii) requiring more flexibility from their suppliers, including that the suppliers retain more inventory on hand and have the capacity to shift production between factories.

The issues that confronted the automakers are potential problems for any business that outsources. Outsourcing customers should be thinking about the consequences of disasters, both those affecting themselves and those affecting their service providers, and including appropriate provisions in the outsourcing agreement to deal with these impacts. In this blog, I want to discuss some thoughts about these disaster recovery provisions.

1. Disaster Recovery Services are not "Included" Services

During one set of negotiations, just after the customer discovered that disaster recovery services were not automatically included as part of the base service offering, the customer's lawyer said, with some dismay, words to the effect that:

Your client has data centres all across North America and you have described to us your extraordinary depth of information technology experience. Surely, if a disaster were to occur, you have the expertise, ability and capacity to migrate our systems to one of these other sites.

Respectfully, in these circumstances, the customer's lawyer missed the point. Certainly, the service provider will have the expertise to respond. And, at the moment the disaster occurs, the service provider may indeed have personnel and infrastructure not otherwise occupied that are available to assist. But all that is serendipity which is not a very strong foundation for the customer's disaster recovery plans.

Nor can an obligation for the service provider to provide the expertise, ability and capacity to respond to a disaster be inferred because the outsourcing contract happens to contain a "sweeps" provision such as the following:

The Services shall be deemed to include all other services, duties, functions or responsibilities that, while not specifically described herein, are reasonably and directly required for the proper performance and provision of the Services.

Even if it were possible to make this argument, it would be defeated by the force majeure provisions of the outsourcing agreement that excuse a party's non-performance resulting from events beyond its reasonable control.

In thinking about disasters, the customer should document its requirements for disaster recovery services in the outsourcing agreement so that it has firm commitments to which it can hold the service provider accountable.

2. Disaster Recovery Planning vs. Business Continuity Planning

A disaster recovery plan is not the same thing as a business continuity plan. The disaster recovery plan is a tactical plan, describing the process by which a business recovers from the disruption of a disaster. A business continuity plan, on the other hand, is more comprehensive. It describes how a business can continue to operate, and to make money, not just in the event of a disaster, but also following smaller disruptions, e.g. the departure of key employees such as the CEO, problems with suppliers, fraud or criminal activity, negative publicity or cyber-attacks. One definition of a business continuity plan I have seen is:

"Business Continuity Plan" means a description of procedures, information and advance arrangements that will guide the timely recovery and ongoing provision of services, programs and operations within a predefined period of time, following the occurrence of an event, including a Disaster, that interrupts operations or disrupts the delivery of the Services and includes a disaster recovery plan which details the back-up and recovery procedures to be followed by the Service Provider, in the event of a Disaster, for systems supporting essential services.

The disaster recovery plan will be a component of the business continuity plan and needs to be developed as part of the business continuity planning process. But it is not the same thing as a business continuity plan.

This means it is inappropriate for a customer to transfer the responsibility for developing, maintaining or updating the customer's business continuity plan to its outsourcing service provider. That responsibility should remain with the customer: it is the customer who needs to determine the level of interruption the business can sustain, the amount the customer is willing to pay for business continuity services and the role of insurance. The service provider's responsibility, within this context and using its technical expertise, is to develop the disaster recovery plan in conjunction with the customer and to provide the disaster recovery services according to this plan.

Still, there is one sense in which business continuity plays into development of the disaster recovery plan. Consider the new attitude of the Japanese automakers to their suppliers: the automakers are demanding more information about their supplier base including about the suppliers of their suppliers. In the same vein, as part of a customer's disaster recovery planning, and given the material adverse impact that a disaster affecting the service provider can have on the customer, the customer should be seeking information about the service provider's business continuity plan and perhaps about the business continuity plans of the service provider's material subcontractors.

3. Disaster Recovery Statement of Work

Although international standards exist (e.g. ISO/IEC 24762:2008: Guidelines for information and communications technology disaster recovery services), there is no well-defined level of disaster recovery services that can be incorporated into an outsourcing agreement simply by referring to "industry-standard levels of service". Instead, each outsourcing agreement should provide for a detailed description of the disaster recovery services to be provided to the customer including the steps to be taken before, during and after a disaster. This detailed description of services is normally set out in a separate statement of work and becomes, in effect, the disaster recovery plan.

The disaster recovery services statement of work should, for example:

(a) deal with the transition of responsibility for disaster recovery services from the customer to the service provider following signing of the outsourcing agreement;

(b) establish recovery point and recovery time objectives for the respective services;

(c) set out the obligations of the service provider to retain redundant resources or, if redundant resources are not to be provided, the steps to be taken following the occurrence of a disaster to replace resources impacted by the disaster;

(d) describe the services to be provided in response to different types of disasters;

(e) document the responsibilities for declaring that a disaster has occurred and the process to be followed;

(f) specify how frequently and in what manner (paper test versus simulation) the disaster recovery plan is to be tested and any rights of the customer to participate in the testing or to review the test results;

(g) require the service provider to remedy any deficiencies identified in the testing within a specified period;

(h) require the disaster recovery plan to be updated on a periodic basis and, in any event, following implementation of any material change in the services; and

(i) require the service provider to provide, within a specified period of time after declaration of the disaster, a report detailing the root cause of the disaster, the steps taken by the service provider in response to the disaster and any recommendations the service provider may have with respect to improving the disaster recovery plan for the services;

4. Force Majeure

One final point. Most outsourcing agreements will include a provision excusing a party's non-performance where the non-performance is the result of a Force Majeure Event:

"Force Majeure Event" means an event which is beyond the applicable party's reasonable control, and that interferes with, delays or prevents performance of the obligations of such party, provided that the non-performing party is without fault in causing or failing to prevent such occurrence, and such occurrence cannot be circumvented through the use of reasonable alternative sources, workaround plans or other similar means

The definition of Force Majeure Event should be subject to the service's provider disaster recovery obligations: the service provider should not be excused from performance of the services following the occurrence of a disaster to the extent that the disaster is within the purview of the agreed to disaster recovery plan.

Twenty-five years ago, outsourcing contracts discussed disaster recovery in the same breath as back-up and archiving of data. The agreements included provisions describing the frequency with which customer systems, information and data were required to be backed up, the applicable retention periods and storage locations and, occasionally, the service provider's obligations to verify its ability to retrieve data from tape. The agreements did not usually say much more about the services to be provided in the event of a disaster. But times have changed. Outsourcing agreement will now set out expressly how the parties are to deal with disasters and other interruptions of service. It is important however for the customer and the service provider to take a thoughtful look at these provisions to ensure that the parties' obligations in the event a disaster occurs correspond with their expectations.

Third party assurance reports have become an integral part of outsourcing transactions: they represent an auditor's report on the controls in place at a service provider that impact a customer's financial reporting. In this posting, I want to look at the new Canadian standard, CSAE 3416. Before doing so however, I want to consider third party assurance reporting in more detail.

Third Party Assurance Reporting

Third party assurance reports relate to the control objectives and controls established by a service provider, i.e. it is the service provider that is responsible for the control objectives relating to its business, the specific controls that are implemented and for the completeness, accuracy and presentation of its policies and procedures. In the third party assurance report, an auditor retained by the service provider audits the controls and expresses an opinion about the controls based on the results of its audit.

For example, a service provider may establish control objectives in respect of its business that relate to its procedures to ensure the confidentiality of information, the effectiveness of its change control procedures or its facilities being protected against unauthorized access. The service provider will also establish, for each of these control objectives, a series of controls that are designed to achieve the objective. For the control objective, the service provider's controls provide reasonable assurance that its facilities are protected against unauthorized access, the service provider's controls in support of this objective might well include the following:

1. the service provider's resources are subject to site access controls in the service provider's data centres;
2. the service provider's data centres are protected by a video surveillance system; and
3. the security and guard services at the service provider's data centres follow physical security procedures.

In preparing the third party assurance report, the auditor retained by the service provider will audit the controls in place at the service provider to obtain reasonable assurance about whether: (1) the description of the controls presents fairly, in all material respects, the aspects of the service provider's controls that may be relevant to a customer's internal control as it relates to an audit of the customer's financial statements; (2) the controls included in the description were suitably designed to achieve the control objectives specified in the description, if those controls were complied with satisfactorily; and (3) the controls were in operation at a specified date.

Since 2006, in Canada, the standard to be applied by auditors in performing third party assurance reports has been the Canadian Institute of Chartered Accountants, Section 5970, Auditor's Report on Controls at a Service Organization, commonly referred to as a Section 5970 Audit or a Section 5970 Report. But that is now changing. The Canadian Auditing and Assurance Standards Board, the body responsible for developing and establishing standards and guidance governing auditing and assurance in Canada, has issued a new standard, Canadian Standard on Assurance Engagements, Reporting on Controls at a Service Organization ("CSAE 3416") that will become the standard for third party assurance reports issued for periods ending after December 15, 2011 (although earlier implementation is permitted).

ISAE 3402

The new Canadian standard was a response to developments internationally and in the United States. For many years, in the absence of an international standard for assurance engagements, service providers were forced to offer international customers reports done according to the U.S. standard or to undertake multiple audits according to varying local standards. To deal with this and other issues affecting third party assurance reporting, the International Auditing and Assurance Standards Board ("IAASB") developed and issued an international standard, International Standard on Assurance Engagements 3402, Assurance Reports on Controls at a Service Organization (ISAE 3402). The standard was published in December 2009, to be effective for periods ending after June 15, 2011 (earlier implementation was permitted). It was not the intention of the IAASB to replace national standards for assurance engagements. Instead, it wanted to provide service providers with an alternative to issuing multiple reports under varying local standards.

SSAE 16

The American standard, Statement on Auditing Standards No. 70, or SAS 70, had been issued by the American Institute of Certified Public Accountants ("AICPA") in 1992. In the intervening years, it had arguably become the gold standard for audits of internal controls at a service provider. As the IAASB was developing the new international standard however, the United States was reviewing its standards with a view to bringing them in line with the international ones. The Auditing Standards Board of the AICPA also used the review as an opportunity to re-consider service provider audits and whether the standards that applied should be considered "audit standards" as opposed to "attestation standards" (Statement on Auditing Standards (SAS) versus Statement on Standards for Attestation Engagements (SSAE)). In April, 2010 the Auditing Standards Board issued Statement on Standards for Attestation Engagements No. 16, Reporting on Controls at a Services Organization (SSAE 16). As with the international standard, SSAE 16 was effective for periods ending on or after June 15, 2011 with earlier implementation being permitted.

CSAE 3416

In the "Basis for Conclusions" document prepared by staff of the Auditing and Assurance Standards Board relating to CSAE 3416 (available at http://www.aasbcanada.ca/basis-for-conclusions/item40880.pdf), the AASB's objectives in developing CSAE 3416 were identified:

The AASB's objective was to develop a Canadian Standard on Assurance Engagements equivalent to SSAE 16, making only minimal amendments to the wording of the SSAE to:

(a) avoid any inconsistency with Other Canadian Standards; or

(b) address circumstances particular to the Canadian environment where amendments are required to serve the Canadian public interest and maintain the quality of auditing and reporting in Canada.

Since SSAE 16 was developed on the basis of ISAE 3402 but amended to respond to U.S. requirements, in aligning the new Canadian standard with the U.S. standard, the Canadian standard would also be aligned with the international standard. Although the Basis for Conclusions document identified three areas where amendments were made to SSAE 16 in finalizing the Canadian standard, e.g. in respect of cross-references to auditing standards, it concluded that CSAE 3416 was aligned with the U.S. standard in all material respects.

CSAE 3416 does not represent a radical overhaul of the standards for third party attestation engagements. In many ways, the new standard is similar to CICA, Section 5970, for example:

• The scope of the attestation engagements under CSAE 3416 continues to be focussed on controls likely to be relevant to customers' internal controls over financial reporting;
• Two types of reports may be issued: a Type 1 report attesting to the fair presentation and design of the service provider's controls and a Type 2 report attesting to the fair presentation, design and operating effectiveness of the controls; and
• Use of the report is limited to management of the service provider, existing customers and their auditors. The CSAE 3416 report is not intended to be used by service providers in marketing their services to potential customers.

There are differences however that will impact service providers. These differences include:

• Management of the service provider is now required to provide a written assertion about the service provider's controls. This requires management to state, in the case of a Type 1 report, that the controls are fairly presented and suitably designed and in the case of a Type 2 report, that the controls are fairly presented, suitably designed and operating effectively to achieve the identified control objectives. It is not intended however, that the auditor report on the written assertion provided by service provider's management.

• If the auditor relies on the work of the service provider's internal audit in the engagement, this fact needs to be disclosed in the report.

Neither the similarities between CICA, Section 5970 and CSAE 3416 nor the differences between the standards that are identified above are intended to be comprehensive. However, as December 15, 2011 approaches, there has been an outpouring of information about CSAE 3416. It is important for outsourcing counsel to spend the time reviewing the material and getting an understanding of the new standard, if only to be able to appreciate the benefits and the limitations of third party assurance reports prepared in accordance with the new standard.

My last column focussed on customer and service provider concerns that arise with various aspects of long term outsourcing relationships. I now want to discuss structuring specific provisions to take those concerns into account. This week’s posting will look at price adjustment provisions and the one to follow will discuss change management.

The price adjustment provisions of long term outsourcing arrangements need to respond to the concerns of the customer and the service provider. For the customer, these concerns are based on the worry that, after a few years, the customer will be paying too much for its outsourcing services: perhaps because of the cumulative impact of year-over-year declines in market price, after a few years the pricing of the services it is purchasing will be uncompetitive. The service provider, on the other hand, is concerned that any price adjustment provisions that are designed to ensure the customer receives market competitive pricing will skew the pricing, eliminating deliberate back-end loading or the intentional cross-subsidization of low margin services by the higher margin ones. In either case, the impact of any price adjustment provisions will be to erode the service provider’s profit margins or, in extreme cases, force the service provider to provide services at a loss.

In designing the price adjustment provisions that will respond to these concerns, the customer and the service provider should consider:

(i) how the pricing is structured under the outsourcing relationship;

(ii) the information that will inform their decisions; and

(iii) the price adjustment process.

The Pricing Structure

For the price adjustment provisions to be successful, the customer and the service provider must have a clear picture of both the services being provided and the prices being charged for those services. In a recent ten year transaction, the monthly price for services was flat lined over the entire ten year term, with the customer paying the same aggregate fee each month of the term for all of the services it received. This meant that, on a daily basis, the customer and the service provider did not have a good sense of what the services were costing and whether someone’s pocket was being picked. Not surprisingly, neither party was happy with this pricing structure and it ended up being a source of irritation to both and ultimately of conflict. It is preferable if the services provided by the service provider are individually priced and accurately reflect the parties’ estimates of the costs of providing the services. This means, for example:

• Infrastructure and application services should be disaggregated to identify separately the individual components of the services;
• Transition and transformation services should be separately priced or, if blended into other pricing components, the amount being charged and for how long should be clearly identified;
• There should be a separate charge for the service provider’s account management services, i.e. for the general administration and relationship management services including change management provided by the services provider;
• Termination transition charges should be paid for on a time and materials basis, not blended into and recovered from ongoing services’ costs;
• For each service, there should be base charges that apply to a baseline level of resources with Additional Resource Charges (ARCs) and Reduced Resource Credits (RRCs) for variations from the baseline; and
• Inflation should be specifically dealt with, by geography.

Information

If the price adjustment process is to be successful, the customer and the service provider require information about the service provider’s charges and about market pricing.

Customers frequently refer to their requirement for information about the service provider’s pricing as the need for “transparency”: the service provider should be transparent about what its pricing includes. For example, if the service provider is providing the services using dedicated equipment, how frequently will that equipment be refreshed? If security services are not separately priced but, rather, included in the charges levied for the infrastructure services, what is included within the purview of those services? In the case of services that are charged on a fixed price basis, e.g. application maintenance or support services, what level of contingency has the service provider included to take account of risks including unforeseen circumstances and increased demand?

The need for information goes beyond just having details of the service provider’s current pricing. The customer and the service provider need information about the market pricing of the services that are currently being provided. Here, the customer may be at a significant disadvantage. The service provider should have insight into current market prices from being in the market and competing for new business or from any price adjustments it is forced to make to retain its existing customers. The customer lacks these insights.

For the customer, the best source of information about the market pricing of the services being provided is, of course, for the customer to re-compete the services and find out at exactly what prices competitors are willing to provide the services. But issuing an RFP is a costly exercise and the costs to transition to a new service provider, if that is the result, can be significant and outweigh any cost savings. Still, for the customer to have leverage in any price discussions, the customer needs reliable market information: this usually entails the customer having the ability to use third party benchmarkers such as Everest to obtain data about the market prices of similar services and to indicate how the service provider’s pricing compares to market, e.g. is it in the top decile? The top quartile? About the fiftieth percentile? This does not mean that the customer needs to actually carry out the benchmarking – often the threat will motivate the services provider to “sharpen its pencil” sufficiently and provide significantly reduced pricing that will be acceptable to the customer. However it is important for the customer to have the ability to invoke benchmarking.

There are other sources of information about services pricing that the customer should not ignore, although taking advantage of them will require effort, planning and dedication. The customer may be able to use freedom on information legislation for example to obtain the pricing from government outsourcing contracts. The customer may also be able to compile estimates of market price reductions by using publicly available information such as indices of hardware, software or labour prices.

Process

The customer and service provider should define in the outsourcing contract the price adjustment process that will be followed. This process will need to allow for exploratory discussions, the benchmarking, joint review of the results of the benchmarking and implementation of the results.

The price adjustment provisions in outsourcing contracts are frequently drafted to entitle the customer to invoke the price adjustment process at any time after, say, the second anniversary of the effective date but perhaps not more frequently than once per year. This ignores the reality that many outsourcing relationships take some time to stabilize. Two years may be too early in the relationship and too short a time there to have been significant adjustments in the market price, so that the price adjustment provisions will not be effective. Moreover, after a price adjustment has been implemented, both the customer and the service provider should be entitled to a stabilization period during which prices should not be subject to change and this period should be longer than twelve months. It may be preferable therefore for the customer and the service provider to agree on periodic price adjustments using a cycle that is aligned to the service provider’s likely hardware and software amortization cycles (or designed to take them into account), e.g. every four or five years, perhaps based on anniversaries of the effective date. This will introduce some certainty into the process as well as providing the customer with the benefit that the service provider may seek to pre-empt the price adjustment process by making unsolicited price reduction proposals just in advance of each price adjustment process.

Perhaps the most difficult issue to resolve in connection with the price adjustment process, and the one that cuts to the heart of the customer and service provider concerns, is how to use the results of any benchmarkings that may take place. There are a variety of options including:

• Using the benchmark results as input and information for negotiated price adjustments, without allowing them to be determinative
• Using the benchmark results to support the price negotiations and as the basis for an appeal to expedited arbitration if the negotiations are not successful
• Implementing phased reductions of the service provider’s prices based on the results of the benchmarking
• Implementing immediate reductions of the service provider’s prices to the benchmark standard, possibly with retroactive effect to the commencement of the price adjustment process
• Reducing the service provider’s prices to the benchmark standard, with immediate effect but subject to a maximum reduction in any price of (say) ten percent
• Causing immediate reductions of the service provider’s prices to the benchmark standard, with the service provider having a right to terminate any service towers (often with reduced termination transition fees) in respect of which the service provider is not able to provide the services on a profitable basis.
• Allowing the customer to terminate any service tower for which the service provider does not agree to reduce the price to the benchmark standard.

Which of these options is the right one in the circumstances will depend on more than just the parties’ objectives for the price reduction. It will also depend on the options available to them. For example, if it would require significant time or impose significant costs on the customer to transition services to another service provider, it may put the customer at a disadvantage to allow the service provider to terminate the arrangement if it disputes a reduction in prices based on the results of the benchmarking. In these circumstances, it may be a better option for the customer to specify phased reductions or to limit the magnitude of the price reductions that can be implemented in any one process.

If the customer and the service provider approach the price adjustment provisions having regard to the concerns of each party, it will be possible for them to draft provisions that accommodate the interests of both. In our next posting, we will take a similar look at change management.

The Clock for the Long Now, a project of the Long Now Foundation, is intended to keep time accurately for 10,000 years. It was conceived by Danny Hillis in 1986 as a way of connecting us with future generations. Unable to predict what the world would look like in 10,000 years, but faced with the challenge of developing an object that would last that long, keep time accurately over the duration and be useful, the designers were forced to abandon short term thinking in favour of the long term. They had to deal with the most fundamental issues such as the problem that no one has any idea what measure of time the human race will use in the year 12000. They began, not by trying to make existing time pieces last for longer and longer periods of time, but, rather, by identifying the basic design principles that such a clock would need to satisfy; things like longevity, maintainability, transparency and scalability. (For more information on the 10,000 year clock, see http://electronics.howstuffworks.com/gadgets/clocks-watches/10000-year-clock.htm or http://en.wikipedia.org/wiki/Clock_of_the_Long_Now.)

There is a connection between the Long Now Foundation and the outsourcing industry. And no, notwithstanding the secret wishes of service providers, the lesson is not that now is the time to start thinking about 10,000 year contracts. Instead, it is their approach to developing an object that would last, continue to function, and be useful for 10,000 years can act as a guide to the outsourcing industry as it grapples with how to design and implement long term outsourcing relationships. As the Long Now Foundation began by identifying the basic design principles of the 10,000 year clock, the right way to tackle the problem of long term outsourcing is to first identify the “design principles” that long term outsourcing relationships need to address, i.e. what are the concerns of the customer and the service provider with long term arrangements? Once the concerns have been identified, it will be possible to talk about the provisions that should be included in the outsourcing contract to deal with them.

This week’s posting and the one to follow will look at long term outsourcing relationships and will follow the approach suggested above. We will begin by identifying, in this week’s posting, some of the different customer and service provider concerns that arise from the long term nature of the relationship. The next posting will examine how to address these concerns in structuring the outsourcing relationship and in drafting the contract terms. 

One preliminary point is in order. For the purposes of this posting, a long term outsourcing relationship will be considered as anything with a term of six years or longer. Although the six year term is not critical for what follows, it does separate these contracts from those that typify the current trend to shorter term transactions. The webinar, The Canadian Outsourcing Market: At A Crossroads, presented by the Centre for Outsourcing Research and Education (CORE) on June 23, 2011, noted that the term of outsourcing agreements has gone from an average of 7 years in 2002 to 4.58 years in 2010. CORE did recognize however that some customers are resisting the trend to short term transactions by consolidating service providers and moving to longer term relationships.

The concerns that long term outsourcing agreements need to deal with include the following:

Pricing: This is one of the biggest issues, for both the customer and the service provider. Customers are concerned that, regardless of how competitive the pricing may have been initially, by the time six or more years have elapsed, they will be paying far too much. And the available price adjustment mechanisms do not appear to be particularly effective at responding to these concerns. Most favoured nation clauses are difficult to negotiate, hard to enforce and of limited value in keeping the service provider’s prices at market levels. Benchmarking provisions may be easier to negotiate into the outsourcing contract, but they are time-consuming and costly to exercise and implementation of the results can be contentious. Even where the customer anticipates that it will be able to use other mechanisms to encourage or compel the service provider to have discussions about pricing, e.g. the threat of re-sourcing, in-sourcing or terminating services, the customer will frequently be hamstrung in any resulting negotiations by the lack of meaningful information about the components of the service provider’s pricing. Often, for customers, the best guarantee of obtaining market competitive pricing appears to be a re-compete.

The service provider’s pricing issues are at the other end of the teeter-totter. In multi-tower transactions, the service provider may be concerned that when any price adjustment mechanisms in the outsourcing agreement are invoked, they will allow the customer to reduce the prices of the profitable services, without taking account of the fact that that pricing is cross-subsidizing the lower margin, less profitable services or that part of the reason for the higher price of these services is amortization of the costs of the account infrastructure that are not separately charged for. In back-end loaded deals where, frequently, the higher profit in the out years compensates for lower margins during the early, more costly years of the transaction, the service provider worries that the customer will quickly forget these trade-offs once the customer has reaped their benefit: the customer will push for market pricing in the later years of the outsourcing arrangement that never allows the service provider to recoup postponed profits from the early years.

Coping with Change: For both customers and services providers, the ability of long term outsourcing relationships to deal adequately with change is a serious concern. The change order processes that are customary in outsourcing contracts usually categorize the changes that are likely to occur, e.g. material changes, contract changes, operational changes and emergency changes, and define specific procedures to deal with each type of change. The change order processes can be well suited to dealing with these sorts of discrete changes and can do it very well over the entire term of the outsourcing agreement. What they are not as well suited to dealing with is the external events that, while they may affect the customer or the service provider, do not impact the services directly. Nor are the change order processes appropriate for dealing with the changes that occur gradually over the term of the contract but where the cumulative effect can be great.

The issues that these types of changes can create, and that need to be confronted in contracting for a long term relationship, touch all aspects of the outsourcing. They raise business, financial and technology concerns:

(i) Business Issues: The potential business changes that the customer should be considering are those relating to its business, the business of the service provider and the market place in general. On the one hand, the customer needs to recognize that its business will evolve over the term of the outsourcing relationship, whether as a result of Mergers and Acquisitions or changes in its production processes, locations, clientele, products or services: the customer should ensure that the outsourcing relationship is sufficiently flexible to accommodate these changes. But the customer also needs to worry about whether the service provider’s business will evolve to keep up with the market, changes in the financial condition of the service provider and even the possibility that the service provider ceases to do business. And, at a “macro” level, the customer should be anticipating changes in the vendor market place such as the disappearance of existing service providers and the emergence of new competitors, product offerings and solutions.

For each of the potential business changes that the customer should be anticipating, there are reciprocal service provider issues. The service provider needs to consider how its business will evolve – what happens if the market evolves away the specific services being purchased by the customer but the customer refuses to move with the market and insists on staying with the same services? The ability to leverage costs across multiple customers that enable the service provider to provide cost effective services may evaporate in the future, leaving the service provider supporting a costly, dead-end service. Or changes in the customer’s business may undermine the outsourcing by removing, from the scope of the outsourcing, services that were fundamental to the service provider’s solution. And, again at the macro level, changes across an entire industry segment can fundamentally alter the nature of the outsourcing transaction and create challenges for the service provider such as occurred in the financial and automobile manufacturing sectors following the recent recession. 

(ii) Financial Concerns: We touched on some of the financial issues in the discussion on pricing above. One specific aspect of the customer concerns that, over the term of the outsourcing relationship, its pricing will become uncompetitive, is the cumulative impact of gradual year-over-year declines in market price: although initially the customer’s pricing may have been ahead of the market, after six or more years of small declines in the market price, the customer’s pricing may be significantly above market. Correspondingly, the service provider may be worried that, in the absence of appropriate Cost of Living Adjustment (COLA) provisions in the outsourcing agreement, increases in its costs of providing the services will not be properly accounted for and its profit margins will gradually be eroded over the term.

(iii) Technology Change: The technology changes that the customer needs to anticipate relate to the specific services that are being provided to the customer as well more general technology change. The customer will want to ensure that the hardware and software being used to provide the services are refreshed every three to five years and that the service provider does not continue to operate using outdated or end-of-life systems that barely scrape by. How to build these technology refreshes into an outsourcing agreement and to properly account for the costs in a market where equipment costs are declining and labour costs are stable or increasing is a challenge. But the technology issue encompasses more than just contracting for periodic technology refreshes. The customer will also want to know that the service provider has kept up with changes in technology, both gradual evolutionary change and “the next big thing”, and that the functionality of the solution the service provider is offering is at market. The customer does not want to find itself locked into a technology solution under a long term outsourcing that it would not accept if the services were being re-competed.

Equally, however, the service provider has to deal with customers who are, for whatever reason, reluctant to embrace new technologies. For the service provider, it will be important that any technology currency obligation that, say, requires the service provider to remain at “n-1”, apply equally to the customer and that the customer be responsible for the costs the customer incurs in so doing. If the customer does not remain current, in a long term outsourcing relationship, the service provider may well find itself forced to provide costly support on a dedicated basis (because no other customer is using the technology) for outdated technology.

Qualified Personnel: In contemplating a long term relationship, the customer may be concerned because, over the term of the relationship, the representatives of both the customer and the service provider who were involved in the initial negotiations will move on to other activities, taking with them both their understanding of contract terms and their appreciation of the trade-offs that were involved in negotiating the contract. Their replacements may not have the history of the transaction or a good understanding of the contract terms. The customer needs to anticipate how it will maintain the perspective and knowledge of the transaction that it requires to manage the outsourcing transaction in future in the face of these challenges.

Lack of Attention: As the customer considers entering into a long term outsourcing relationship, the customer will be concerned that it not be taken for granted over the term of the relationship. Early on in the term, the service provider will willingly dedicate its “A team” to addressing customer requirements, will provide new technology and will propose innovative ideas. But outsourcing relationships frequently coast into middle age where the services and the technology become stale and outdated and whatever proposals the service provider delivers no longer address customer concerns or delight the customer. The challenge for the customer, at the time it enters into the outsourcing agreement, is how to maintain the initial, high level of intensity throughout the term.

Conclusion: This list of concerns set out above is not intended to be comprehensive. However it is intended to identify some of the issues that the customer and service provider will need to consider if they are to structure long term outsourcing agreements for success. In the next posting, we will look at some sample contract provisions that respond to these concerns.

As service provider’s counsel, I watched it happen many times. After the Service Provider worked diligently to prepare a response to a Customer RFP and was down-selected based on the Service Provider’s proposed solution, the scope of services was reduced. The reasons varied. Sometimes they were financial: the Customer was not able to afford particular aspects of the solution or the benefits arising from parts of the solution no longer justified the expense. In other cases the reasons were operational or delivery-based: the Customer lacked the necessary infrastructure to implement components of the solution or it would have taken the Service Provider too long to develop certain parts. Regardless of the reason for which the Customer was seeking to remove scope, the Service Provider usually concluded that, in the circumstances, it had little option but to agree with the Customer that the work was “off the table”.

But that was never the end of the story. Just because some part of the work was no longer in scope, that did not mean that it could not be referred to in the outsourcing agreement. Indeed, the Service Provider was usually anxious to ensure there was some reference to the omitted scope in the contract. These contractual references were referred to, colloquially, as a way to “protect the Service Provider’s birthright” or to “preserve the Service Provider’s inheritance”.

In this posting, I want to discuss three ways that the Customer and Service Provider can deal, in the outsourcing agreement, with committed scope that ceases to be committed or that evaporates during the negotiating process (referred to below as the “Potential Scope”). The focus will be on how to deal with the Potential Scope in the outsourcing agreement. Clearly, the Customer will also need to ensure that it is able to do so under its procurement regime, but that is a separate issue.

There are benefits to both the Customer and the Service Provider from doing so. For the Customer, dealing with the Potential Scope explicitly can provide it with contracting flexibility to incorporate the work into the agreement in the future quickly, efficiently and without having to comply with procrustean procurement processes. For the Service Provider, while these approaches do not guarantee that the Customer will award the Potential Scope to the Service Provider, they can provide the Service Provider with a leg up and a reference point in the contract from which it can argue that the parties contemplated the work might be awarded to it.

The avenues open to the Customer and the Service Provider to deal with the Potential Scope include the following:

1. Right of First Proposal: In recognition of the fact that the Potential Scope formed part of the Service Provider’s original RFP response but was subsequently removed, the Customer and the Service Provider can agree to include a Right of First Proposal in the outsourcing agreement. The Right of First Proposal requires the Customer to invite the Service Provider to make a proposal for the implementation of the Potential Scope before the Customer is entitled to solicit or accept proposals from third parties relating to such implementation. This right does not require the Customer to accept the Service Provider’s proposal, only to invite the Service Provider to submit one.

The Right of First Proposal can be included in the outsourcing agreement in the following terms:

“(a) If the Customer intends to implement the Potential Scope or a material part thereof (the “Proposed Additional Scope”) at any time or from time to time during the term of the Agreement, the Customer shall provide notice thereof (each, a “Potential Scope Notice”) to the Service Provider. The Potential Scope Notice will describe the Proposed Additional Scope the Customer intends to implement and include reasonable details of any specific requirements, conditions or terms of the Customer affecting its implementation, e.g. scheduling constraints or geographic restrictions affecting the solution. The Potential Scope Notice will be considered to be a Change Request delivered by the Customer and will be subject to the Change Order Procedures, provided that:

(i) the Customer shall not solicit third party proposals for the implementation of the Proposed Additional Scope until such time as the Service Provider shall have had a reasonable opportunity to submit a Change Proposal therefor in accordance with the Change Order Procedures or the Service Provider shall have informed the Customer that it will not be submitting such a Change Proposal; and 

(ii) the Customer shall review any Change Proposal in respect of the Proposed Additional Scope submitted by the Service Provider in good faith in accordance with this Section but nothing in this Section shall require the Customer to accept any Change Proposal in respect of the Proposed Additional Scope that is submitted by the Service Provider.

The Customer shall not be required to deliver a Potential Scope Notice to the Service Provider if the Customer implements the Proposed Additional Scope internally without the use of subcontractors or third party personnel

(b) This paragraph shall apply if the Customer receives an unsolicited proposal from a third party (including another service provider or supplier of the Customer) for implementation of the Potential Scope or any material part thereof which the Customer wishes to accept or to discuss with the third party or any other person. Before accepting the third party proposal or discussing the third party proposal with the third party or any other person, the Customer shall provide the Service Provider with a Potential Scope Notice. The Potential Scope Notice shall relate to any part of the Potential Scope that the Customer will consider implementing including any part that is included in the third party proposal that the Customer wishes to accept or discuss with the third party or other person and the provisions of paragraph (a) shall apply, with necessary changes, to such Potential Scope Notice.”

The Right of First Proposal is not the same thing as a right of first refusal. A right of first refusal may well be problematic for Customers: any third party proposal that would be subject to the right of first refusal would also likely include confidentiality obligations in favour of a third party that would prevent the Customer from sharing the contents of the proposal with the Service Provider.

2. Option: If the parties can define the Potential Scope precisely and the Service Provider is able to determine both the resources it requires to deliver the services and the price of performance, then the parties can accommodate the Potential Scope in the outsourcing agreement by way of an Option. The Option entitles the Customer to require the Potential Scope to be implemented for a specified period of time on notice to the Service Provider. The Option can be phrased in the following terms (where the Service Provider resources required to implement the Potential Scope are referred to as the “Potential Scope Resources” and the price of performance is the “Potential Scope Charges”):

“(a) The Customer shall have the option (the “Option”) to require the Service Provider to implement the Potential Scope using the Potential Scope Resources for the Potential Scope Charges. The Option shall be exercisable for a period of 180 days after the Effective Date on written notice (the “Notice of Exercise of Option”) from the Customer to the Service Provider referring to this Section but may not be exercised thereafter. Upon the Service Provider’s receipt of the Notice of Exercise of Option, the Service Provider and the Customer shall cooperate in good faith to implement the Potential Scope as set out above pursuant to the Change Order Procedures.

(b) The Customer acknowledges that the Potential Scope Charges do not include the Service Provider’s charges:

(i) to re-work any Services that will already have been performed for the Customer by the Service Provider prior to the time at which the Option is exercised by the Customer pursuant to paragraph (a) and the Potential Scope is implemented pursuant to the Change Order Procedures; and

(ii) for additional testing, acceptance and project management effort necessary if the Services for the implementation of the Potential Scope are not integrated with other services being provided by the Service Provider.” 

Unlike the Right of First Proposal which can endure for the term of the outsourcing agreement, the Option normally survives for only a limited period of time. This is because the longer the option period, the more difficult it will be for the Service Provider to be confident about its costs. There will come a point at which the risks to the Service Provider associated with lengthening the option period will outweigh whatever benefit the Option provides to the Service Provider in terms of preserving its birthright. 

3. Acknowledgement of the Potential Scope: The Customer may be unwilling or unable to provide the Service Provider with a Right of First Proposal and the nature of the Potential Scope may be such that it is not practical to include an Option for the Customer to implement the Potential Scope in the outsourcing agreement. In these circumstances, the Customer and the Service Provider have the option of including an express acknowledgement in the outsourcing agreement that the Potential Scope continues to be “potentially in scope”. This acknowledgement can be phrased as follows:

“The potential scope of the Services to be provided by the Service Provider during the term of this Agreement includes the following, subject to the implementation of such Services at the discretion of Customer in accordance with the Change Order Procedures and other applicable terms of this Agreement:

1. the Services that are described in the Statements of Work as being in-scope for this Agreement; 
2. the Potential Scope; and
3. any other potential scope for the project described in the RFP issued by the Customer.”

It is easy to question the value of such an Acknowledgement. Regardless of whether it is included, the Service Provider can always make a proposal to the Customer to bring the Potential Scope into the outsourcing agreement. And the Acknowledgement does not compel the Customer to award the Potential Scope to the Service Provider. So what, ultimately, is the point of including the Acknowledgement in the agreement?

The point, for the Customer, is about having options to deal with scope in the future without assuming obligations to do so. And, for the Service Provider, the Acknowledgment provides a vehicle to award the work to it. Including the Acknowledgement in the outsourcing agreement removes possible roadblocks. It prevents the Customer from forgetting that the Potential Scope was ever part of the agreement. It eliminates claims that a separate procurement process with open bidding is necessary. And, if the Service Provider is fortunate, it changes the nature of the discussion from “should the work be awarded to the Service Provider” to “under what terms and conditions should the work be awarded?” Wayne Gretzky captured the Service Provider’s perspective well when, in a different context, he said “I miss 100% of the shots I don’t take.” 

My previous posting examined three issues relating to confidentiality obligations in an outsourcing agreement where care and attention may be needed to ensure that the parties achieve the results they are intending. I want to continue along the same path in today’s posting, looking at four more issues relating to confidentiality obligations in outsourcing agreements that the customer or the service provider do not always get right. 

4. Restrictions on the disclosure and use of Confidential Information

Confidentiality obligations frequently limit the ability of a party to use or disclose the confidential information of the other party in terms similar to the following:

“A party may use, disclose or make available relevant aspects of the other party’s Confidential Information:

(a) only to its personnel and subcontractors to the extent that: (i) the use, disclosure and making available thereof is necessary for the performance of the receiving party’s rights or obligations under this Agreement; and (ii) such persons have an actual need to know such information and have signed non-disclosure agreements as required by this Agreement;”

However there are many reasons for which a party may wish to use the confidential information of the other party that involve disclosure to persons other than its personnel or subcontractors or that transcend performance of the party’s rights or obligations under the outsourcing agreement including:

(i) to permit disclosures required under applicable law;

(ii) in connection with audits, reviews, investigations or disputes under the outsourcing agreement;

(iii) to its legal counsel, auditors or other professional advisors in order to obtain their advice;

(iv) internally or to its parent or affiliated entities as part of the party’s internal approval processes;

(v) to banks or other financial institutions in connection with the party’s financial arrangements;

(vi) in the event of an amalgamation, merger or acquisition or proposed amalgamation, merger or acquisition affecting a party;

(vii) to other service providers where the customer has adopted a multi-sourcing strategy; and

(viii) as part of a re-procurement where the customer is not renewing the outsourcing agreement.

Some of these situations are likely to be covered by express provisions of the outsourcing agreement, e.g. outsourcing agreements normally provide that it is not a breach of the confidentiality obligations for a party to disclose confidential information to the extent required by applicable law. Other circumstances, such as disclosure in connection with a party’s internal approval processes, may arguably be shoehorned into agreement provisions relating to “performance of the receiving party’s rights or obligations” (so long as the reviewers or approvers fall into the permitted class of individuals to whom information may be disclosed under the agreement).

This does not mean though that all uses or disclosures of confidential information can be justified on the basis that they are necessary for performance of a party’s rights or obligations. To avoid having to seek consent in the future, each of the customer and service provider should identify, before the outsourcing agreement is signed, the various circumstances in which it may wish to use or disclose the confidential information of the other party. It should then review the outsourcing agreement to ensure that such use and disclosure of the other’s confidential information is permitted.

5. Including Personal Information within the definition of Confidential Information

Customer Confidential Information is sometimes defined in outsourcing agreements along the following lines: 

 “Customer Confidential Information” means any technical, business, financial, personal, employee, operational, scientific, research or other information or data of the Customer … and including any Personal Information … .

Unfortunately, without more, the confidentiality obligations of the outsourcing agreement may provide poor protection for any personal Information that the customer entrusts to the service provider. This is not just because traditional exceptions to the scope of information required to be retained in confidence (e.g. information that is in or subsequently becomes part of the public domain) may serve to exclude personal information from the protective cloak of the confidentiality obligations. There are also issues uniquely associated with the service provider’s possession of personal information that should be identified, discussed by the customer and service provider and, if appropriate, dealt with in the outsourcing agreement. These issues include:

(i) restrictions on the transfer of personal information outside Canada or the access to such information from a location outside Canada;

(ii) requests received by the service provider directly from individuals for access to personal information about them collected by the service provider in performing the services;

(iii) data breach notification;

(iv) in the context of business process outsourcing, limitations on the service provider’s ability to develop “consolidated views” of individuals, i.e. to link personal information about the individuals from different sources that may well have been collected by or on behalf of the customer for other or restricted purposes; and

(v) responsibility for compliance with existing statutory obligations relating to privacy, personal information and personal health information and for dealing with any changes to such laws.

The inclusion of personal information within the definition of Customer Confidential Information in an agreement does provide a short hand way of addressing certain of the customer’s personal information obligations. However the Customer also needs to review the confidentiality obligations to ensure that standard exceptions do not vitiate whatever protection is provided and to identify any additional obligations relating to the types of personal information to be made available that should be flowed down to the service provider.

6. Including Proprietary Materials and/or Intellectual Property Rights within the definition of Confidential Information

Very often, one of the thorniest issues in negotiating an outsourcing agreement (after limits of liability) involves the ownership of and rights to use work product, e.g. systems, IT and business processes and related materials developed during the performance of the outsourcing agreement. From the customer’s perspective, it is paying the service provider for the services including for development of the work product: therefore, it should have the ownership of and the exclusive rights to exploit anything that may be developed in performance of the outsourcing agreement. The service provider sees the issue through a different proprietary lens: in developing the work product, the service provider is leveraging its existing expertise and knowledge and the amount the customer is paying does not compensate it fully for this expertise and knowledge, nor for the risks of non-performance being assumed. The customer’s rights to the work product are not pre-ordained but, rather, need to be agreed to by the parties. In all events, at least according to the service provider, it should not be precluded from using the work product in its business.

One of the ways that the ownership of work product issue can be resolved is to provide that: (i) the customer owns work product developed under the outsourcing agreement; and (ii) the service provider has the right to use in its business any residual knowledge (ideas, concepts, know-how, skills and experience) retained by it in intangible form. Regardless of the exact basis on which the ownership issue is resolved however, the customer and the service provider should take care to ensure that their intended resolution survives the intersection of the intellectual property provisions and the confidentiality obligations of the outsourcing agreement. Often, the definition of Confidential Information will include wording similar to: 

“Confidential Information shall also include, whether or not designated as “Confidential Information” … the Proprietary Materials of either party.”

If this is the case and the definition of Proprietary Materials includes work product developed under the agreement, there may be a conflict between: (i) restrictions on the service provider’s ability to use customer confidential information imposed by the confidentiality obligations; and (ii) the residual rights or other ownership provisions of the outsourcing agreement. The customer and the service provider should trace the residual rights and ownership provisions through the confidentiality obligations to confirm that the result reflects their intended agreement.

7. Third Party Beneficiaries

As indicated in item 4 above, there are many different situations in which one party may wish to disclose the confidential information of the other to a third party, e.g. the service provider may wish to disclose confidential information of the customer to its subcontractors or the customer may need to disclose confidential information of the service provider to other entities providing services to it in order for the various services to inter-operate. The outsourcing agreements will normally allow for such disclosures (sometimes with prior approval), so long as: (i) the receiving party has a need to know such information; (ii) the receiving party agrees to terms and conditions substantially the same as or equally protective as the confidentiality provisions of the outsourcing agreement; and (iii) the party disclosing the information remains responsible for the performance of the receiving party. 

These provisions may provide the customer or the service provider with some comfort concerning the disclosure to third parties of its confidential information. This comes from the expectation that the other party to the outsourcing agreement will be exercising diligence in selecting and monitoring the entities to which confidential information is disclosed because the other party is responsible for any breaches by the third party.

These provisions do not however provide the customer or service provider with the ability to enforce the third party’s compliance with the confidentiality obligations flowed down to it or a direct right of action against any third party for the third party’s breach of such confidentiality obligations. To achieve this result, it will be necessary to specify in the outsourcing agreement that the customer or service provider is a third party beneficiary of any agreement entered into by the other under which the customer or service provider’s confidential information is disclosed, e.g.:

“All agreements entered into by the customer or service provider under which the Confidential Information of the other party (the “Owner”) is disclosed or made available to a third party in accordance with this Agreement shall … include the following:

(i) provisions under which the third party agrees to and is bound by the confidentiality obligations set forth in this Agreement in respect of the Confidential Information of the Owner; and

(ii) provisions naming the Owner as an intended third party beneficiary of such confidentiality obligations set forth in the agreement with the third party, with the right to enforce such confidentiality obligations in respect of its Confidential Information directly against the third party and providing for the delivery by the third party of a certificate to such effect to the Owner on request from the Owner.”

It should not be taken for granted however that each party will automatically agree to include such a third party beneficiary provision in the outsourcing agreement. Either the customer or the service provider may not agree, as a matter of business philosophy, to allowing the other to have a direct right of action against its subcontractors or other service providers, or the arrangements it has implemented with the subcontractors or other service providers may not provide for such arrangements. If the inclusion of a third party beneficiary provision is important to a party, the issue should be raised early in the negotiations.

There is one additional item with respect to confidentiality obligations in outsourcing agreements that is worthy of comment: the standard of care that the parties must meet in protecting the confidential information of the other. That concern will be the subject of a future post. 

Confidentiality obligations are a fundamental part of all outsourcing agreements. As part of an outsourcing transaction, the customer and the service provider each agree to make Confidential Information available to the other but subject, in each case, to the limitations on use, disclosure and retention that are agreed to in the contract. Unfortunately, customers and service providers don’t always get it right and the parties sometimes find, after signing the agreement, that information intended to be kept confidential need not be or that information intended to be freely available is subject to unwelcome restrictions that limit its usability. In this posting and the one to follow, I want to discuss a potpourri of issues relating to confidentiality obligations where care and attention may be needed to ensure that the parties achieve the results they are intending.

1. Return or destruction of Confidential Information on expiration or termination

The confidentiality obligations of many outsourcing agreements require each party to return or destroy the Confidential Information of the other party on expiration or termination of the Agreement, in words similar to the following:

Upon the expiration or termination of the Agreement or on completion of a party’s obligations under the Agreement, the party shall return or destroy, as the other party may direct, all material in any medium that contains, refers to or relates to the Confidential Information of the other party.

Such provisions are problematic. First, in the digital age in which we now live, it will be economically impractical if not virtually impossible for a party to return or destroy all copies of the Confidential Information of the other party made during the term of a multi-year outsourcing agreement. Copies of the information will be located across the enterprise in storage systems, on backup or archival tapes, in the email systems, on individual laptops, on flash drives and in hard copy form. It is not clear that the customer or the service provider could ever locate and expunge all copies of the other’s Confidential Information. Nor is it clear that, so long as the information continues to be subject to the confidentiality obligations of the outsourcing agreement, there is any significant benefit to be gained from so doing. This is the reality of the digital age.

Second, and this has long been the case, there may well be legitimate reasons for a party or its advisors to retain a copy of the other’s Confidential Information after expiration or termination of the Agreement. Either party may be subject to statutory obligations requiring it to keep copies of the Confidential Information for a specified period of time or, in the course of performance of the agreement, need to provide the information to professional advisors such as auditors whose professional obligations will require them to retain copies. The customer may require use of Confidential Information of the service provider in connection with its re-procurement activities. And the service provider could potentially be involved in disputes with its subcontractors that survive the term of the outsourcing agreement and for which it requires copies of the customer’s Confidential Information.

The real issue is how to treat Confidential Information at expiration or termination and this is not being properly addressed in outsourcing agreements: many contracts still require the return or destruction of all Confidential Information at end of term. However there are ways of dealing with the issue that recognize the parties’ interests in protecting the confidentiality of their information including, perhaps, through the following two-pronged approach. As a first step, the parties should agree to the obligations that will apply generally on expiration or termination of the outsourcing agreement. (A sample provision is set out below.) Next, the parties should identify any Confidential Information for which the general provision is not adequate and that must absolutely be returned or destroyed at end of term. For any such information, once it has been identified, the parties should discuss: (i) how such information will be collected, used, processed and stored during the life of the agreement so that it is capable of being returned or destroyed at end of term; and (ii) their respective responsibility for the costs thereof. If the customer and the service provider are realistic and reasonable in negotiating the general provisions, there may well not be any Confidential Information that requires such special treatment.

This approach to the return or destruction of Confidential Information may be based on a general provision such as the following: 

 Upon the expiration or termination of the Agreement or on completion of a party’s obligations under the Agreement, the party (the “Expunging Party”) shall use all commercially reasonable efforts to return or destroy or cause to be returned or destroyed, in a prompt manner, all materials in any medium that contain, refer to or relate to the Confidential Information of the other party which are in the Expunging Party’s possession or control or in the possession or control of any of the Expunging Party’s permitted representatives. The Expunging Party’s obligations under this section include the obligation to use all commercially reasonable efforts to expunge all Confidential Information of the other party from any systems or equipment in the possession or under the control of the Expunging Party or into which the Confidential Information of the other party was programmed or inserted by or on behalf of the Expunging Party or its permitted representatives. Notwithstanding the foregoing, each of the Expunging Party and any of its permitted representatives shall be permitted: 

1. to retain and use one copy of the Confidential Information of the other party for the sole purpose of compliance with and to the extent and for so long as required by: (1) any law applicable to it; (2) any court, regulatory agency or authority to which it is subject; or (3) the professional standards of its professional governing body (to the extent in possession of the Confidential Information in a professional capacity); and
2. to retain any electronic records and files containing Confidential Information of the other party which have been created pursuant to the automatic or normal course archiving and back-up procedures of the Expunging Party or its permitted representatives.

Any Confidential Information of a party that is not returned or destroyed pursuant to this section shall continue to be subject to the confidentiality and non-disclosure provisions of this Agreement notwithstanding any expiration or termination of this Agreement.

2. Including Agreement terms and conditions within the definition of Confidential Information

It is not uncommon to see a provision equivalent to the following in an outsourcing agreement:

Confidential Information shall also include, whether or not designated as ‘Confidential Information’: 

(a) the terms and conditions of this Agreement, any schedules or exhibits thereto or any Statement of Work;

This provision leaves me feeling a little confused. While the provision confirms that the terms and conditions of the outsourcing agreement are confidential, it does not spell out precisely whose Confidential Information it is. Presumably we are to infer that the terms and conditions of the Agreement are the Confidential Information of both parties.

Presumably we are also to infer that, just because the Agreement is the Confidential Information of a party, that does not entitle the party to use or disclose the information as it sees fit. Since the Agreement is also the Confidential Information of the other party, the consent of the other party is required for any disclosure of its terms. If, for example, the customer or the service provider wanted to disclose the outsourcing agreement in connection with an M and A transaction or to disclose pricing to a third party, it would require the consent of the other party to do so.

Even so, the consequences of declaring the terms and conditions of the outsourcing agreement to be confidential may still be unclear. In particular, precisely which terms and conditions are confidential? Are the “boiler plate” provisions? Or is it only the provisions describing the fundamentals of the deal? What if the outsourcing agreement were to have been developed based on the template of one of the parties? Do the confidentiality obligations applicable to the outsourcing agreement now trump any proprietary rights the drafter may have in its template agreement? Or can the party rely on the exceptions to the confidentiality obligations for information previously known to it to claim that anything developed by it independently of the other is not the confidential information of the other party?

There are other ways of dealing with the Confidential Information in an outsourcing agreement than by simply specifying that the entire agreement (terms and conditions, schedules, exhibits and statements of work) is confidential. It is open to the parties to identify the specific components of the agreement that are confidential, whose confidential information it is and any special circumstances under which the information may be disclosed. While this may appear to be an extraordinary amount of work, it will avoid the situation in which the customer or service provider discovers, after the fact, that it requires the consent of the other to the use or disclosure of the outsourcing agreement (which consent may not always be forthcoming or be given subject to restrictions that make it unworkable). 

There is one other further aspect of this issue – declaring the outsourcing agreement to be confidential – that private sector service providers entering into outsourcing transactions with government entities should be aware of: it usually doesn’t work, at least with respect to the government entity. Regardless of what the outsourcing agreement says about the confidentiality of the Agreement terms and conditions, it will be extraordinarily difficult for the service provider to prevent the terms and conditions of the agreement being disclosed in response to third party access to information requests. Moreover, such disclosure is unlikely to be a breach of the agreement because most outsourcing agreements with government entities will carve out of the confidentiality obligations any disclosures required by freedom of information legislation or applicable law.

By way of example, in Ontario, under section 17(1) of the Freedom of Information and Protection of Privacy Act, R.S.O. 1990, c. F.31, the head of a government institution is required to refuse to disclose scientific, technical, commercial, financial or labour relations information supplied in confidence if the disclosure could reasonably be expected to have one of the consequences set out in paragraphs (a) – (d) of the section. However, as service providers have discovered in attempting to prevent the disclosure of their agreements, the question of whether disclosure will engender one of the consequences set out in paragraphs (a) – (d) is largely academic. The investigation usually never gets beyond the petard of “information supplied in confidence”. Because outsourcing agreements are negotiated by the parties, they can almost never satisfy the condition of having been supplied in confidence. Order PO-2018 (2002) of the Office of the Information and Privacy Commissioner (Ontario) (available at http://www.ipc.on.ca/images/Findings/Attached_PDF/PO-2018.pdf) indicated:

Because the information in a contract is typically the product of a negotiation process between two parties, the content of contracts involving an institution and an affected party will not normally qualify as having been “supplied” for the purposes of section 17(1) of the Act. Records of this nature have been the subject of a number of past orders of this office. In general, the conclusions reached in these orders is that for such information to have been “supplied”, it must be the same as that originally provided by the affected party, not information that has resulted from negotiations between the institution and the affected party.

The fact, however, that a contract is preceded by little negotiation, or that the contract substantially reflects terms proposed by a third party, does not lead to a conclusion that the information in the contract was “supplied” within the meaning of section 17(1). The terms of a contract have been found not to meet the criterion of having been “supplied” by a third party, even where they were proposed by the third party and agreed to with little discussion (see Order P-1545). 

(See also, by way of example: (i) Office of the Information and Privacy Commissioner (BC), Order F09-04, available at www.oipc.bc.ca/orders/2009/OrderF09-04.pdf; (ii) Office of the Information and Privacy Commissioner (BC), Order F08-22, available at www.llbc.leg.bc.ca/public/pubdocs/bcdocs/156693/2008/orderf08_22.pdf ; and (iii) Office of the Information and Privacy Commission (British Columbia), Order F10-39, available at www.oipc.bc.ca/orders/2010/OrderF10-39.pdf.) 

3. Definition of Confidential Information

Confidential Information is sometimes defined in an outsourcing agreement as:

any technical, business, financial, personal, employee, operational, scientific, research or other information or data in whatsoever form or media, whether in writing, electronic form or communicated orally or visually that, at the time of disclosure or within thirty days thereafter is designated as confidential (or like designation).
(emphasis added)

The provision entitling a party to designate information, for a period of thirty days after its disclosure, as Confidential Information is a hangover from the world of standalone NDAs and is of dubious value. It leaves open the question of what the impact of this ex post facto designation of information as confidential is in respect of any pre-designation disclosures. Is a party prohibited from disclosing confidential information for a period of thirty days lest it subsequently be determined to be confidential? Are the third parties to whom such information has been disclosed free to use the information without restriction but the party to the agreement (who now realizes the information is confidential) is prohibited from doing so?

There is a serious issue here, namely how to deal with the disclosure of information that, while confidential, is not specifically identified as such at the time of disclosure. In these circumstances, it may be preferable to address the issue by resorting to an objective standard, e.g.:

Confidential Information” shall mean all information provided or made available, whether directly or indirectly, by one party to the other that: (i) is marked confidential, limited distribution or with a similar designation; or (ii) if unmarked, which the receiving party should reasonably know is confidential.

In my next posting, I will continue to look at issues relating to confidentiality obligations in outsourcing transactions where special attention may be needed including with respect to designating personal information and intellectual property as confidential and in respect of third party beneficiaries.

In his July 30, 2010 posting, Plus Ça Change, Dan Logan of Torys talked about the difficulty of addressing the implications of change as part of a long term outsourcing arrangement. Dan referred to the results of a recent Gartner Group survey that indicated:

• 55% of organizations have renegotiated their outsourcing agreement terms within the lifetime of the contract;
• 15% of the renegotiations occurred within the first year;
• 23% of the organizations did not expect to enter into the renegotiations; and
• nearly 8 in 10 outsourcings will go through renegotiations.

The Gartner Group survey identified one of the major issues leading to this level of contract renegotiation as a lack of sufficient flexibility in the outsourcing contract to accommodate the unforeseen changes. Dan’s July posting, and his follow-on posting on October 13, 2010, Managing Change in Contracts, used this point from the Gartner Group survey (the absence of the flexibility necessary to accommodate change) as the launch pad for an examination about anticipating and accommodating change in an outsourcing. They are worth the time to read and I don’t want to repeat or disagree with his analysis.

It is not just ineffective change processes or unanticipated issues that give rise to the necessity to renegotiate an outsourcing agreement. At least as frequently, the requirement to renegotiate an agreement stems from the failure to resolve issues at the operational level on a regular basis: the issues then fester, or the consequences of the failure to resolve an issue expand to infect the relationship, reaching the point where the unresolved issues overwhelm the ability of the normal governance processes to accommodate them. What I want to look at, in this posting, are three sets of circumstances that inhibit the ability of the parties to resolve issues effectively at the operational level and that, in my experience, have been significant factors leading to the renegotiation of an outsourcing agreement.

I. Lack of Continuity of Key Personnel

The lack of continuity of the key personnel of the service provider and customer can set up the conditions leading to a renegotiation. In an outsourcing transaction, relationship history and an ongoing commitment to the arrangement can be as much a factor in resolving issues as the contract wording itself. If the representatives of both parties have the same history, understand the compromises that were made on contentious issues and appreciate the points that were left unresolved, they have the opportunity to resolve issues more quickly, if for no other reason than that there will be a shorter learning curve. And if the key personnel are also committed to working on the transaction for an extended period of time, they are more likely to take a longer term view of the outsourcing relationship. The shorter learning curve and longer term perspective may more easily allow the two parties to resolve issues in the best interests of the outsourcing. 

Conversely, when the parties’ representatives do not have the history of the outsourcing relationship and are there only for the short term, they are more likely to approach issues on a standalone basis and seek a “win-lose” solution. As in a gun fight, there isn’t much motivation or inclination to compromise. Minor irritants that should be resolved as part of normal day-to-day operating or governance procedures quickly evolve to become major problems that are not easily dealt with as part of regular governance procedures and that can require a renegotiation or contract restructuring to resolve. 

There are clear benefits to the outsourcing transaction, therefore, if both the service provider and the customer commit to maintaining continuity in their key personnel. Unfortunately however, in most outsourcings, the commitments around key personnel are one-sided. Customers will typically include “Key Supplier Personnel” clauses in their agreements that require the service provider to identify its key management, technical and perhaps business personnel and that restrict the service provider’s ability to replace these personnel. Yet the outsourcing agreements that include any corresponding commitment on the part of the customer appear to be few and far between. This is to the detriment of the parties’ ability to resolve issues in the relationship.

II. Misalignment of Interests

Outsourcing relationships almost always impact more than just the customer and the service provider. For each party, there will be a coterie of other persons who are interested in or impacted by the outsourcing, e.g. for the customer, its stakeholders may include other business units within the customer, affiliated entities, clients or other contractors. If the parties do not deal with the interests of these stakeholders in the outsourcing agreement in an appropriate manner, they may be creating circumstances in which normal operational procedures are unable to deal with day-to-day issues and a renegotiation is the only option. 

 These circumstances are best illustrated by an example. Consider an application development agreement between a government entity and a private sector service provider. While one government ministry is the contracting party and responsible for the costs of the development, the resulting application will be used by, say, three other government ministries. In recognition of the critical interest that the three other government ministries have in the functionality of the application, the service provider agrees with its government ministry customer to establish an Executive Committee comprised of representatives of the three other government ministries and that the Executive Committee’s approval will be required at critical junctures in the application development, e.g. for approval of the functional and technical specifications.

In these circumstances, it may be extraordinarily difficult for the government customer and the service provider to resolve the issues that inevitably arise in an application development. The principal interest of the Executive Committee is the functionality of the application and this interest is not tempered by the practical concerns around costs that often motivate the parties to reach an equitable resolution.

While this is a hypothetical example, the underlying problem it is meant to illustrate is not. The customer and the service provider have created a situation in which the interests of the parties are misaligned and where the normal governance procedures may not be adequate or able to resolve the resulting issues.

III. The Dangling Change Process

It is customary for outsourcing contracts to include comprehensive change processes dealing with all varieties of change from minor production changes right up to mandatory changes that allow the customer, in urgent situations, to mandate implementation of a change. One of the purposes of the change processes is to allow the parties to deal with unanticipated change and avoid the necessity of renegotiating the agreement. In at least one respect however, most change processes fall short of this objective. 

The change processes normally require the service provider to submit a change proposal for the customer’s review and consideration within a specified period of time of the customer’s request or on the service provider’s own initiative. The customer then has a defined review period within which to accept the service provider’s change proposal, to reject it or to request that the change proposal be amended. It now appears to be the norm (arguably unlike the 1990’s) that where the customer does not accept the service provider’s change proposal within the applicable review period, the change proposal is deemed to be rejected.

That is usually the end of the matter as far as the change processes are concerned. They do not deal with the consequences of the customer’s failure to accept the service provider’s change proposal. And those consequences can be very severe, e.g. the idling of teams of software developers, significant delays in development or the failure to implement new systems in a timely fashion. These are just the sort of consequences that can easily lead to the necessity to renegotiate aspects of the outsourcing agreement.

The outsourcing agreement should include, as part of the change processes, specific procedures for dealing with change requests that are not accepted by the customer. It should no longer be sufficient just to say that the change proposal is deemed to be rejected. Instead, in the interests of dealing with issues as part of normal governance, the change processes should require immediate escalation within governance of: (i) any change proposal that is not addressed by the customer during the applicable review period; and (ii) change proposals that are identified by the service provider as “Essential” that are not accepted by the customer.

IV. Conclusion

The three sets of circumstances identified above were not suggested by any proper survey so they may lack the statistical validity of the Gartner Group results. Still, they identify issues, in addition to inadequate change management processes, that drive the parties into renegotiating their outsourcing and that should, therefore, be dealt with as part of the agreement.

The provisions of outsourcing agreements relating to employees have grown more complicated. There was time, in the early 1990s, when the obligations of the service provider under the Outsourcing Agreement focussed almost exclusively on describing in detail the services to be performed. There was little mention of the service provider employees used to perform the services (or privacy, software or subcontractors for that matter). The times have changed however: in my experience at least, it is now customary for outsourcing agreements to include extensive provisions relating to the personnel used by the service provider to perform the services.

In this blog posting, I want to consider the different perspectives with which customers and service providers approach the employee provisions of an Outsourcing Agreement. If each party understands the interests and objectives of the other, it may be easier to reach an agreement that will support the long term health of the outsourcing arrangement and avoid creating a standard that the service provider will never be able to satisfy or that will leave the customer unprotected. I have also included, as part III and for completeness, some provisions from a sample outsourcing agreement.

One preliminary point is in order. The provisions being discussed here deal with the service provider’s employees who will be providing services after signing. In that sense, these provisions are concerned with the future relationship. Many outsourcing agreements also involve a transition of employees from the customer to the service provider. There is a separate set of issues around employee transitions, e.g. pre-and post-transition liabilities, the service provider’s concerns about the ability and experience of the transitioning employees and the customer’s obligations to disclose past misconduct, that also need to be considered but that are beyond the scope of today’s posting.

I. The Customer Perspective

The customer’s objectives in negotiating the employee provisions of the Outsourcing Agreement depend of course on the circumstances of the specific outsourcing. It is not uncommon for the customer’s concerns to include the following:

(1) Avoid a bait and switch: The customer may be looking for certainty around the employees who will be providing the services to it. The customer does not want to contract with the service provider on the basis that the services will be provided by the “A team” indentified in the service provider’s RFP response only to discover, some months later, that the A team is now working on the next pursuit and it is the candidates for the service provider’s C team who are actually attempting to deliver the services to the customer. To avoid this outcome, the customer is likely to require that key service provider personnel be identified in the Outsourcing Agreement and that such personnel not be replaced (except in circumstances beyond the service provider’s control) without the customer’s consent.

(2) Risk mitigation: The customer may attempt, through the employee provisions in the Outsourcing Agreement, to mitigate the risk that the service provider will be in breach of the agreement or, even if not in breach, that the services will be sub-standard or only barely rise to the level of acceptability. This interest involves the customer trying to impose an additional set of obligations on the service provider that, if complied with, will increase the likelihood that the services will be satisfactory and will achieve the customer’s objectives. This is equivalent to focusing on a building’s foundation, on the basis that, if the foundation is solid, the building is less likely to fall down. These obligations may include provisions that: (i) the personnel performing the services will have the knowledge, skills and experience necessary to perform their responsibilities under the agreement or even that such employees have specific certifications; (ii) the personnel will comply with customer’s policies; (iii) the employees will perform the services to the standards set out in the agreement; and (iv) the service provider will provide the employees with regular training on critical issues to ensure the employees’ knowledge and skills remain current.

(3) Maintenance of control: Notwithstanding that the services have been outsourced, the customer may continue to want significant control over how the services are to be performed. In effect, the customer is demonstrating a concern about whether the service provider will be sufficiently proactive in identifying issues or, if an issue is identified, whether the service provider will respond appropriately and in a timely fashion. And, in the customer’s mind, if the service provider cannot be relied upon to take the appropriate action, then the customer needs to retain the ability to do so. I have heard this expressed by one counsel as wanting the ability “to have the train track repaired without having to wait for the train wreck to happen”.

The desire to maintain control can manifest itself, in the employee context, by requests for control over employee screening, the number or location of the employees used to perform the services or the training to be received by them. It can show up in the customer’s insistence on the right to require that individual employees be prohibited from providing services to the customer. It can even be translated into requirements for input on employee base or bonus compensation (which may or may not be funded by the customer). In the government context, this emphasis on maintaining control can reveal itself in the establishment of whistleblower hotlines and requests that the employees provide direct confidentiality or other covenants in favour of the government customer.

(4) Competitive Concerns: The customer may well understand that the service provider delivers services to other customers in the same industry segment. Indeed, one of the critical factors in the customer’s selection of the service provider may well have been the service provider’s deep industry knowledge and experience. That does not mean that the customer is willing to have the service provider use the knowledge and experience it gains in delivering services to the customer for the benefit of other clients of the service provider, whether in the same or different industry segments. Nor does it mean that the customer will be satisfied with the standard confidentiality and non-disclosure provisions of the Outsourcing Agreement. The customer will focus on the service provider employees who are performing the services for the customer and try to limit their ability to perform work for the customer’s competitors. These limitations may take the form of restrictions on the service provider’s ability to transfer its employees. In some cases however, the customer’s competitive concerns may be such that the customer requires that the limitations be flowed down to and accepted by the employees who are providing the services.

The customer will certainly have other interests and concerns that it will attempt to address through the employee provisions of the Outsourcing Agreement, e.g. ensuring that any commitments or employment guarantees made by the customer are honoured by service provider. Rather than attempting to enumerate all of customer’s issues however, I now want to consider the some of the countervailing interests of the service provider. 

II. The Service Provider Perspective

The customer tries, through the employee provisions in the Outsourcing Agreement, to restrict the service provider’s freedom and flexibility in order to prevent the service provider acting in a manner detrimental to the customer. In contradistinction, the service provider is generally attempting to minimize the customer’s control over the service provider’s employees and to preserve as much freedom as possible to determine how and by whom the services are provided. The service provider’s objectives may be based on the following interests:

 (1) Limiting Control over how the Services are provided: The service provider’s fundamental responsibility to the customer is to deliver the “Services” and the service provider wants the freedom to direct and manage its resources – the ability to re-align, rationalize, replenish or even reduce resources as it deems appropriate – to achieve this objective. From the service provider’s perspective, it has the knowledge, experience and expertise to know how best to deliver the services, at least as compared to the customer, and it will bear the financial or other consequences under the Outsourcing Agreement for any failures to comply. Therefore, the service provider will be focused on preserving its ability to manage the services and minimizing the control of the customer. Employee provisions that the customer sees as necessary or beneficial to its interests will be viewed through the service provider lens of whether they restrict the service provider’s ability to manage the services and fulfill its responsibilities under the Outsourcing Agreement. If they do, the service provider may well object to the employee provisions on the basis that they constitute “micro-management” by the customer. For example, if the customer’s interest in having dedicated service provider employees who are focused on providing services to the customer restricts the service provider’s ability to develop a planned leveraged service offering, the service provider will object on this basis. Accommodating any controls requested by the customer is problematic for the service provider because, in evaluating any such limitations, the service provider needs to consider both the immediate impact and how such controls will play out in the future when the employees, technology, environment and business will have changed.

(2) Maintain control over costs: Under most Outsourcing Agreements, the service provider is delivering cost savings to the customer: there are very few customers who are really interested in entering into an agreement with a service provider where the cost of the services will be greater than the amount the customer is currently spending. If the service provider is going to turn a profit on an outsourcing transaction, the service provider will need to manage its costs. As personnel costs will be a significant component, if not the most significant component, of the service provider’s costs, it will be important for the service provider to retain the ability to manage these costs. This means that the service provider is likely to resist any employee provisions requested by the customer that will impose additional costs on the service provider (e.g. the costs of additional employee screening) or limit the service provider’s ability to manage its costs (e.g. limitations on the personnel reductions), unless such costs have been explicitly included as part of the service provider’s cost model or can be passed through to the customer. 

(3) Manage the Work Force: The service provider will be fundamentally concerned to maintain the ability to manage its workforce and will view many of the employee provisions requested by the customer as unreasonable or counter-productive attempts to restrict its ability to do so. For example, the service provider wants the ability to promote or provide new challenges to high-potential employees and to allow its employees to seek new opportunities without the employees having to terminate their employment relationship and go elsewhere. (Some service providers have even established personnel policies that allow employees to request a transfer to a new account or to a different position after a certain period of time.) The service provider is likely to resist provisions that require employees to be dedicated to a customer indefinitely or for more than some reasonable period of time. From the service provider’s perspective, these provisions will make it difficult to attract qualified employees and will not likely achieve their objective of retaining skilled resources on the customer account: such employees, faced with what they perceive to be a life sentence to a specific account, will look elsewhere to the detriment of both the customer and the service provider.

In a similar vein, it is important for the service provider that its employees be focussed on the service provider’s business objectives and that they understand that their career and compensation depend on their level of performance at the service provider. But it is exactly this principle that the customer is seeking to counteract when it asks for input on employees’ base or bonus compensation: the customer is seeking to undermine the employment relationship and to motivate the service provider employees to act in the best interests of the customer, not the service provider. It is analogous to the situation in which a bank is asked to determine the compensation of a bank loan officer based on how pleased borrowers are with their borrowing experience and not with the loan officer’s adherence to prudent lending practices. Not surprisingly, it may be problematic for the service provider to allow the customer to provide input into any employee assessment programs or to impact the employee’s base or bonus compensation.

(4) Grow the Business: The service provider wants to be able to grow its business. This requires the flexibility to respond to new situations and to pursue new opportunities using its available resources including those employees who are currently providing services to the customer. Employee provisions such as those requiring the customer’s consent before key service provider personnel can be transferred or that impose a “cooling off period” before the employees can provide services to a competitor of the customer undermine the service provider’s ability to grow. The service provider can also argue, not completely disingenuously, that such restrictions are not in the interests of the customer. This is because the larger the service provider’s customer base in a specific industry segment, the more likely the service provider is to be able to develop leveraged tools or leveraged service offerings or make investments in providing the services.

III. Sample Provisions  

Without attempting to define what the appropriate balance between the interests of the customer and service provider is (something that is impossible to do in the abstract), the employee provisions in an Outsourcing Agreement may be similar to the following:

IV. Conclusion

Reaching agreement on the employee provisions of an outsourcing agreement involves reconciling the customer’s desire for control over the employees providing services to it and the service provider’s insistence on having the flexibility to manage how and by whom the services are provided. This reconciliation can best be accomplished if each of the customer and the service provider understand the interests and objectives of the other. While the customer and service provider interests that are identified above can in no sense be regarded as a complete list, they provide an indication of the nature of the interests that need to be taken into account to reach agreement.

On more than one occasion, clients have complained to me about what happens after the outsourcing contract is negotiated. The customer or service provider is sobering up from the euphoria brought on by signing the contract, often after months of intense, complicated discussions. They are starting to grapple with the overpowering reality of managing a complex outsourcing relationship on a day-to-day basis. That is exactly the moment when large components of the negotiating team disappear, usually including the lawyers who have supported the delivery organization throughout the contract negotiations. Members of the delivery team aren’t lawyers, but they are left with the responsibilities of digesting, managing and delivering to a complicated contract that often runs to hundreds of pages.

These complaints are not really focussed on the disappearance of the lawyers but, rather, on the loss of the knowledge, insight and expertise accumulated over the months of negotiations. It is an ironic point. As a lawyer, during the contract negotiations, I would have focussed on a “Key Personnel” provision to ensure that critical members of the pre-contract delivery team did not evaporate on contract signing. I would also have worried about the “Transition Out” clauses, reviewing them closely to confirm that they mandated, on termination of the outsourcing contract, the appropriate transfer of knowledge from the service provider to the customer or new service provider. However, the transition of knowledge, from the legal team that negotiated the deal to the “Stay Behind” organization, often did not get the same attention as the negotiations of these clauses did.

I want to focus on that transition – the transition of knowledge from the Legal team – by discussing the contents of a sample Transition Memo. There are many other activities that should be completed as part of shutting down negotiations and starting-up the outsourcing, e.g. the collection and archiving of documents in accordance with an organization’s Record Retention and Destruction Policies or presentations on the new outsourcing contract, but they are beyond the scope of today`s comment. 

The content of the Transition Memo will be influenced by the reasons for which it is being done. These reasons may include:

(i) Education: to provide an introduction to the outsourcing relationship for new personnel;

(ii) Contract Management: to assist with the day-to-day management of the outsourcing relationship by identifying the rights and obligations of the parties; and

(iii) Knowledge Retention: to maintain a record of issues, agreements, compromises, trade-offs and open points as background to future questions about the interpretation of specific clauses or in case of a renegotiation of the outsourcing agreement. 

Because the contents of the Transition Memo will depend on the reasons for which it is being prepared and the specific circumstances of the outsourcing, it is not possible to define any universally applicable template. The information that is identified below is a sample only, prepared in the abstract, and it will need to be adapted to reflect the individual outsourcing transaction. Before looking at it however, two preliminary points are in order. First, the contents of the Transition Memo should not be dictated by any “Entire Agreements” clause that may be included in the outsourcing contract. The tests to apply to determine if information should be included in the Transition Memo are: (i) whether the information will facilitate a smooth handoff from the Legal team; or (ii) will the information be useful in future?; and not whether the document may be produced as part of a subsequent dispute. Second, some of the material proposed to be included in the Transition Memo may raise questions of legal privilege that are beyond the scope of this comment but that should certainly be considered by counsel in the course of preparing the memo.

The Transition Memo may include the following parts:

I. Introduction:

The focus of this part is to provide an introduction to the Transition Memo and a roadmap to the key documents. It should:

(i) set out the purpose of the Transition Memo;

(ii) specify who is the audience for the memo or at least for specific parts;

(iii) identify key players in the outsourcing negotiation and the role they played. This will be helpful in the years after signing, when the deal team is no longer present and memories have faded, in locating the individuals involved in the different aspects of the pursuit; and

(iv) provide an index to and the location of the pursuit documents. The Transition Memo is not intended to be a Closing Book for the outsourcing. Instead, it should identify the RFP, its various amendments, the RFP response, any related contracts such as non-disclosure agreements or (in the case of the service provider) teaming agreements, meeting minutes, cost models and due diligence information as well as stating where copies of the information can be found. 

II. Outsourcing Overview

The purpose of this part is to provide a general overview of the business deal and the structure of the contract. It should include:

(i) a history of the transaction. It can be especially important, where the outsourcing has evolved perhaps by additions to or deletions from scope or extensions or reductions in the term, to document the changes while the details and circumstances are still fresh in the participants’ minds;

(ii) an overview of the business relationship. This should include information about the structure of the transaction, the parties’ objectives in entering into the contract and high level information about the contract itself, e.g. the term of the agreement. This is the “executive summary” and it should establish the context for the detailed contract information identified below.

III. Contract Terms

The part of the Transition Memo is intended to summarize key aspects of the contract. As set out above, this will depend on the contract. However, a sample of the issues that this part may cover includes:

(i) scope of the outsourcing relationship. This section should describe the current scope of the outsourcing relationship and the impact of any “sweeps” clause. It should also refer to any scope that was originally part of the outsourcing relationship but was subsequently removed and what rights, if any, the service provider has to perform this scope in future;

(ii) service commitments and services levels. Service quality issues are likely key to the customer and it is worth summarizing the parties’ obligations in this area very carefully. What are the service provider`s obligations with respect to the services including with respect to service levels? How do any service level credit or earnback regimes operate? What rights does the customer have to adjust the services levels, whether as part of an annual planning process or otherwise? 

(iii) financial matters. The Transition Memo should describe the financial aspects of the outsourcing relationship including: (1) invoicing and payment provisions; (2) interest obligations; (3) rights of hold back, set-off and dispute; and (4) benchmarking or most favoured customer clauses; and

(iv) contract timeline and the timing of deliverables. This is an opportunity to provide a calendar of the outsourcing obligations and deliverables that takes account of the time required by the parties to perform their obligations. Such a calendar will be very helpful in the day-to-day management of the outsourcing. This may also be the right section in which to summarize any activities designated as follow up matters in the outsourcing agreement.

In addition to the four sample items identified above, it may also be appropriate to include sections in the Transition Memo dealing with items such as confidential and personal information, personnel and assets, unusual or contentious provisions and open points.

Properly prepared, the Transition Memo should provide information to the Stay Behind team that will be useful on a daily basis. Regardless of whether the contract “ends up in a drawer”, the Transition Memo should not.

These days, service levels are an integral part of outsourcing relationships. Reflecting the principle that “What gets measured, gets managed.” , the parties to an outsourcing relationship will establish specific metrics to be achieved by the supplier in performing services under the agreement, e.g. 99.99% server uptime in an infrastructure outsourcing or a call abandonment rate of less than 6% for help desk services. The service levels will be linked to penalties for failure to perform and termination rights in the event of consistent under-achievement. Suppliers may not love the idea of committing to service levels, but they recognize the benefits that come, to both parties, from having objective measure of performance and exact information on a regular basis about the level of performance actually provided. The result is that the customer and supplier no longer argue about whether the service levels ought to part of an outsourcing relationship. Instead they focus on “getting it right”: (i) selecting service levels that measure what is important in the relationship for the customer (outcomes, not interim measures of performance); (ii) defining appropriate targets and measurement methodologies; (iii) stating precisely how penalties will be calculated (100/225?); (iv) documenting the availability, if any, of earnbacks; and (v) specifying any concomitant rights of termination available to the customer.

The parties do not usually spend a lot of time talking about establishing service levels for the customer. The response to any suggestions that customer service levels be included is normally either that: (i) the customer’s only material responsibilities are to pay the supplier’s invoices; or (ii) the customer’s obligations cannot be quantified and objectively measured in the same manner as the obligations of the supplier can. This is regrettable, because there is a role for customer service levels in outsourcing relationships, especially in areas where the customer’s performance can have a significant impact on the supplier’s ability to fulfill its commitments under the contract. 

Let’s consider a couple of examples of how customer service levels might be used in an outsourcing transaction. First, consider a transformational outsourcing arrangement with a government based on the implementation of a new technology solution across all government departments. In these circumstances, during the term of the agreement, the supplier may need to coordinate multiple site visits to hundreds or thousands of government offices to survey the premises, remove existing equipment, install the new solution, provide training and perform maintenance. To avoid disputes during the term about whether the technology was rolled out and maintained in a timely fashion or why the supplier did not obtain the timely and sufficient access to government premises originally contemplated, the customer and the supplier might establish a customer service level at the time they enter into the agreement. The service level would measure the service provider’s ability to gain access to government offices in accordance with the contract schedule with specific targets to be achieved, e.g. each month, the supplier will gain timely access to 95% of the premises according to a schedule for the month agreed to with the customer sixty days in advance. If performance against this service level were reported on a monthly basis, access issues could be identified early on in the relationship, providing the customer and the supplier with the opportunity to take remedial action at an early stage.

The second example is based on the fact that, in most outsourcing relationships, there are numerous areas where the supplier requires input, advice or direction from the customer. Under system development agreements, for example, there will be many items such as functional or technical specifications, document formats and test results produced by the supplier that require a response from the customer and in respect of which the supplier cannot proceed until that response is received. In these circumstances, the parties should think about establishing a customer service level that measures the responses received from the customer within specified review periods. The customer service level could be calculated, on a monthly basis, as the total days provided for review according to the contract divided by the total review days (with anything less than 100% indicating the customer is not responding within the required periods). Establishing such a service level will not solve any “deemed approval” issues but it will ensure that, when the parties come to discuss delay issues at governance during contract performance, they will have both well-defined expectations and concrete evidence of performance on which to base their discussions. 

These examples illustrate that customer service levels can be used in an outsourcing relationship as a management tool for areas where the supplier’s ability to fulfill its obligations depends upon customer performance. The process of defining the service level will compel the parties to identify these interdependencies and to agree on what level of customer performance is acceptable. The implementation of the customer service level will focus the customer on fulfilling its obligations (remember the adage above about “what gets measured, gets managed”) and provide objective information during the course of the relationship about the level of performance actually achieved.

For this idea to work however, the parties will need to think about the same issues in respect of customer service levels as arise with respect to supplier service levels. This includes defining service levels that measure what is important in the relationship to the supplier’s ability to perform, selecting appropriate targets and ensuring the customer has the ability to measure its performance. It should also include a penalty mechanism that establishes consequences for the customer’s failure to perform. This may be a monetary amount, e.g. a quantification of the additional costs incurred by the supplier as a result of the customer’s substandard performance, but it need not be. The parties might agree, for example, that the customer’s failure to achieve a service level creates an earn back that can be used by supplier to excuse its failure to achieve a supplier service level or, alternatively, that, each time the customer fails to perform, the due date for payment of invoices is reduced by five days. The objective of the penalty mechanism is to establish consequences to substandard performance and it is open to the parties to agree as to what those consequences are.

The idea of customer service levels is not just “tit-for-tat”. Rather, they are and should be seen as a governance tool that can be used to improve the overall health of an outsourcing relationship. With that idea in mind, it is time to focus on defining the appropriate customer service levels, not reject the idea out of hand on the basis that however far partnership goes, it does not go that far.