I am not claiming to be an expert on the pros and cons of outcome-based contracts! However, I am interested in exploring the ways that risk and compliance are managed in this alternate landscape.
Before I sat down to write, I read some views of others who are experts in this field, in particular Professor Irene Ng at the University of Essex, and a number of key success factors really stood out as being relevant to risk management:
It’s a partnership
Both the client and service provider need to buy into and have a common definition of the desired outcome. This also means both parties sharing the same goal and having a committed stake – for the client it will be the delivery of business objectives that add value to the organisation, for the service provider there may well be an incentive for achievement of the outcome.
One case study I read was of an airline ticket website. The airline wanted to sell tickets, so agreed to pay the web developer a small percentage of each sale. The end result – a focus by the web developer on encouraging the customer to book, rather than on delivering a site that met the technical spec.
But not at arm’s length
I think there may be some perception that outcome based contracts mean that the client has little or no say in the process of achieving the outcome. And whilst it is true that the service provider is the expert in the area outsourced and will specify the “how”, the client as a partner has much to add as the expert in their business sector and the needs of their organisation. This may be best delivered by setting clearly defined KPI’s and SLA’s so that the business objectives are met.
A simple handover of responsibility that only requires the delivery of the desired outcome without involvement on an ongoing basis, is, to my mind, high risk. If emergencies arise, business requirements change, key personnel leave, an arms-length relationship will cause real challenges. It may also impact the client’s statutory compliance requirements, which cannot be delegated.
To reduce and manage the “arm’s length” approach in respect of statutory compliance, the outsourced expert must provide a fully transparent process that gives the client full visibility of all programme dates and subsequent reports and closure documents to enable the client to demonstrate to internal audit that the process is robust. A simple assurance in a monthly report that “all is fine” is, to my mind, inadequate.
Governed by agreement
If both parties are not in agreement about the outcomes – and the definition of what success looks like – the contract must surely be doomed to fail.
Governance will also cover accountability and responsibility, not just in terms of the outcomes, but also remedying defaults. In my mind, this should also cover risk and compliance.
Part of the governance should include a contractual risk register, so as to enable both parties to mitigate and control the levels of risk. It may help if a third party is used to audit and advise independently where greater resilience can be added. Going beyond that, I would also suggest a systematic process for horizon scanning and scenario planning for potential external risks would be of great benefit.
Which is measurable
I have heard some suggest that outcome based contracts require “arms-length” management by the client. I would suggest this is a very high risk strategy – for both parties!
Progress and performance need to be stated in terms that can be measured, and then tracked on an ongoing basis. When defaults happen, both parties need to be able to identify and address them quickly. Of course, measurement and analysis will also point out what is working well and can be expanded.
And is clear on the difference between outputs and outcomes
Outputs are intermediary steps that lead to the achievement of the outcome. They are important stages but are more likely to be functional and therefore not to be confused with the desired outcome.
From a risk perspective, I believe that both parties should be clear about how and where outputs can place the outcome at risk, as well as clarity over other external factors that may place the outcome at risk.
Going back to the airline ticket website, outputs may have included a functioning website, security of user data and server uptime. All are important and each has risk management requirements. However, while each output contributed to the outcome, none actually delivered it.
Because the service is co-created
It is often not possible for the service provider to deliver the service without a degree of co-creation by the customer. For example, the way equipment is used by the client will impact the service. This usage also impacts strongly on risk management.
When services are co-created, both parties will need transparent visibility of delivery and progress at any point. However arms-length the client may be, they still need visibility of performance and management information, especially risk factors.
Whilst an outcome-based contract will place the means of delivery in the hands of the service provider, the specification and achievement of outcomes is definitely a joint activity.
If, in the unfortunate event of a failure, the liability may sit with the service provider, but the damage to reputation and business continuity will largely affect the client.
In my view, outcome-based contracts do not remove from the client the need to measure the service delivery and manage their risk and compliance. If both parties are working in partnership and sharing information, I think that it is less important who is monitoring and managing risk, as long as it is being done.
The management of risk and compliance is just as vital as in any other form of contractual relationship.