Issue 21 | Winter 2014

Business & Technology Sourcing REVIEW

Current Critical Issues in Outsourcing

Contracting for ERP Implementation Success

Considerations in Exiting Outsourcing Deals

Protecting Privacy Interests in Outsourcing

Key Considerations in Cloud Contracting

Mitigating and Managing the Impact of Inflation in IFM Engagements


About Our Practice

Mayer Brown’s Business & Technology Sourcing (BTS) practice is one of the global industry leaders for Business Process and IT Outsourcing as ranked by Chambers & Partners, The Legal500 and the International Association of Outsourcing Professionals (IAOP). With more than 50 dedicated lawyers, many having previous experience with leading outsourcing providers and technology companies, the practice has advised on nearly 300 transactions worldwide with a total value of more than $100 billion.


Welcome to the Winter 2014 edition of the Mayer Brown Business & Technology Sourcing Review.

Our goal is to bring you smart, practical solutions to your complex sourcing matters in information technology and business processes. We monitor the sourcing and technology market on an ongoing basis, and this Review is our way of keeping you informed about trends that will affect your sourcing strategies today and tomorrow.

In this issue, we cover a range of topics, including:

• Current Critical Issues in Outsourcing

• Contracting for ERP Implementation Success

• Considerations in Exiting Outsourcing Deals

• Protecting Privacy Interests in Outsourcing

• Key Considerations in Cloud Contracting

• Mitigating and Managing the Impact of Inflation in IFM Engagements

You can depend on Mayer Brown to address your sourcing matters with our global platform. We have served prominent clients in a range of sourcing and technology arrangements across multiple jurisdictions for over a decade.

We’d like to hear from you. If you have any suggestions for future articles or comments on our current compilation or if you would like to receive a printed version, please email us at [email protected].

If you would like to contact any of the authors featured in this publication with questions or comments, we welcome your interest to reach out to them directly. If you are not currently on our mailing list, or would like a colleague to receive this publication, please email [email protected] with full details.

Editors’ Note

Lei Shen, Chicago, +1 312 701 [email protected]

Kevin A. Rang, Chicago, +1 312 701 [email protected]

Derek J. Schaffner, Washington DC, +1 202 263 [email protected]

Current Critical Issues in Outsourcing

Paul J.N. Roy, Brad L. Peterson

Brad L. Peterson, Chicago, +1 312 701 [email protected]

Paul J.N. Roy, Chicago, +1 312 701 [email protected]

This article was published previously in Inside Counsel.

The critical issues in outsourcing have evolved with changes in the marketplace, the growth in second- and later-generation outsourcing, and the new technologies such as cloud and big data. Lawyers handling outsourcing deals thus deal with new challenges in a wider variety of deals.

This article will discuss those challenges and how you can mitigate the risks for your company as an outsourcing customer.

DEMAND FOR AN EFFICIENT BUT EFFECTIVE NEGOTIATION PROCESS

Early strategies of broad scale outsourcing to a single provider are giving way to strategic and specialized sourcing to multiple providers. The smaller deals still involve mission critical services, so sacrificing diligence or contractual protections can create substantial risk. Fortunately, you can get good results with the tools, processes and experience now available. These include proven contract and schedule templates, checklists, guides to help the business team gather and record needed information, a process designed to reduce the number of cycles to get to closure, and the experience both with the tools and processes as well as with the counterparties and similar transactions.

RESOURCING NOT OUTSOURCING

The traditional outsourcing model assumed that the provider was taking responsibility for an existing internal function. For example, the traditional dragnet clause requires the provider to perform all the functions previously performed by the customer at the existing service levels (unless those functions are explicitly excluded). As more customers are moving toward second-or-later-stage transactions, they need new approaches, including more robust service descriptions.

NEED TO INTEGRATE ACROSS SERVICE PROVIDERS

As customers have an increasing number of outsourcing providers, the customers increasingly need to integrate and ensure close working relationships among providers. To build a working provider ecosystem, customers need to establish rules and relationships that protect the vital interests of each provider and reward collaboration. Because this approach is different from the traditional separation between competitors, you need to address this requirement early in the sourcing process and follow through in governance.

THE DOUBLE-EDGED SWORD OF SHORT-TERM DEALS

In the face of increased uncertainty and dramatic change, customers have sought to increase flexibility with shorter terms. While customers may believe shorter term contracts protect them, the reality is that exit would be costly, time consuming and disruptive. Consequently, you would be prudent to include long-term contract protections even if the nominal term of the contract is short.

ESTABLISHING RIGHTS IN CRITICAL PROVIDER TECHNOLOGY

Customers are increasingly outsourcing to use provider technology instead of to find a lower-cost workforce to operate customer technology. For example, there is a rise in SaaS and cloud transactions. While customers still retain rights in their data, the bigger issue is what replacement system will be used to process that data. The risk can be mitigated by obtaining options to license some or all of the provider’s technology and commitments to provide replacement systems and transition support at predictable costs for substantial periods.

SECURING “BIG DATA” RIGHTS AND SERVICES

Advances in “big data” technologies have allowed companies such as Google and Amazon to create spectacular value with secondary uses of data. Traditional and even current service contracts often permit these secondary uses without compensation. For example, contracts often permit providers to retain aggregate and anonymized copies of customer data which allows the providers to benefit from data. In addition, customers often overlook opportunities to partner with their providers to gain the benefit of insights that can be generated from the provider’s broader market data.

RETAINING RIGHTS TO PROTECT BUSINESS

As providers increasingly deliver with a global service delivery model integrated with provider processes and technology, traditional “step in” rights increasingly provide false comfort. However, customers continue to face the risk of providers becoming financially, operationally or otherwise unable or unwilling to perform specific mission-critical functions. To protect their businesses, customers increasingly value options to take specific work back quickly (including rights to take over assets and license materials) and commitments to provide information on an ongoing basis to make these options effective.

MINIMIZING RISK, COST AND SURPRISES ON EXIT

With more transactions reaching end-of-life, we too often see customers surprised by their vulnerability on exit when they seek to move the services to a replacement provider. Whether due to lack of motivation by the replaced provider, a lack of governance attention by the customer or a problem relationship, common complaints include (a) exit rights designed for the technology at the signing date not fitting the technology at exit, (b) incomplete or poorly organized data, and (c) inadvertent waivers of exit rights needed to transition the services. You can mitigate these risks with flexible exit rights, including rights to key data, and by conducting regular audits of the data and using financial incentives for the provider to properly maintain that data.

GOVERNANCE AND FOLLOW-THROUGH (AND FOLLOW-THROUGH, FOLLOW-THROUGH, FOLLOW-THROUGH)

Too often, carefully drafted contracts are ignored and both parties operate without regard to the carefully considered processes and allocations of risk. Customers can, and frequently do, lose value by overlooking an important right, cost or protection for a long period. Like internal operations, outsourcing agreements must be persistently monitored to retain and build value. Adjustments to the contract should be reflected by deliberate mutual agreement and not by default.

RESOLVING DISPUTES WHILE PRESERVING (OR EVEN BUILDING) THE RELATIONSHIP

Disagreements in outsourcing agreements are inevitable, but resolving them is not. Experienced outsourcing customers have found that disputes that accumulate and remain unresolved can fester, weaken trust and destroy an otherwise productive relationship. Finding ways to quickly and efficiently force a resolution is the best way to maintain, and perhaps even build, trust and a strong working relationship. There are various strategies for accomplishing this ranging from novel governance structures to using third parties identified in advance to finally resolve disputes within specified dollar ranges.

THE OUTSOURCING MARKET IS GROWING MORE COMPLEX AND RISKS ARE INCREASING

Yesterday’s contract will not overcome today’s challenges. However, you can manage that complexity and mitigate those risks using tools, processes and best practices developed over the decades of outsourcing.

Contracting for ERP Implementation Success

Paul J.N. Roy, Paul A. Chandler

Paul A. Chandler, Chicago, +1 312 701 [email protected]

Paul J.N. Roy, Chicago, +1 312 701 [email protected]

This article was published previously in Inside Counsel.

Stories of ERP implementation disasters are numerous and stunning in scale and frequency. These failures are so common that reading the literature on the subject leads to the conclusion that successes are in the small minority. In fact, one recent study estimated that only 6.4% of ERP projects are completed on time and within budget.[1] The reported costs of abandoned projects can be enormous: $125 million in the case of Avon. But the costs of an improperly implemented system are equally high. Hershey and Nike each reported $100 million in lost sales and significant drops in stock price due to problems in their new ERP systems.[2]

While many of the risks in an ERP implementation project are beyond the control of the lawyers supporting the project, understanding why these projects often fail and what success looks like will help you guide your business clients to a contract structure that promotes success.

Why Do ERP Implementation Projects Fail?

Companies routinely underestimate the complexity and difficulty of ERP implementation projects. Among the most-cited reasons for implementation failures are (1) lack of a clear understanding of what the company wants to achieve, (2) lack of a detailed plan for achieving what the company wants, (3) underestimating the effort required by the company’s management and personnel, (4) unplanned reports, interfaces, forms and enhancements, (5) insufficient testing, (6) insufficient training of company personnel impacted by the project, (7) insufficient work done to overcome the natural resistance to the changes needed to adapt to the new systems, (8) incentives for the implementation provider to expand the project and (9) inadequate project management.

How Can the Legal Process and Contract Structure Support Success?

The contract can promote success in three important ways. First, the contract can define key project details, including deliverables, milestones and acceptance criteria. Second, the contract can provide the process for how the parties will work together, including making changes and obtaining required approvals. Third, the contract can provide incentives for the service provider to achieve the company’s desired outcome.

What is the Best Contracting Approach?

DEVELOP A PROJECT PLAN

A solid project plan would set forth a detailed list of activities, staffing, interim and final deliverables and associated milestones. The project plan should be linked to the contract through the use of defined terms and milestone dates from the contract. Each milestone should clearly identify all required completion criteria. Contentious milestone discussions often signal that the parties have not clearly defined and documented the project’s goals and scope.

ALLOCATE RESPONSIBILITIES BETWEEN THE PARTIES

This can be done using a matrix that details project activities and defines which party will be responsible for each activity. “Joint Responsibility” should not be used since that may mean neither party will be in breach if there is a failure. Likewise, assumptions should be removed unless there is a clear outcome if an assumption fails. If there is a constraint that may be exceeded, it is best to have a clear change process and default pricing in case price changes cannot be agreed.

CHOOSE A DEAL STRUCTURE

The best choice of structure depends on the project, and the company’s skills, risks and service provider. Available structures fall into three main categories: “Assist;” “Deliver;” and “Shared Risk.” Each structure has its own unique features.

In the Assist structure, the service provider works at the company’s direction and is paid on a time and materials basis. This approach allows the company to start quickly and make changes at its discretion, but the company bears the entire risk of budget overruns and schedule delays.

In the Deliver structure, the service provider commits to work according to a specified schedule for a fixed fee. This makes the service provider highly motivated to complete the project quickly and efficiently, but may result in the company having to sign change orders that increase the fixed fee and extend the schedule if the contract fails to clearly and completely define desired outcomes. These risks are heightened by the service provider’s financial incentive to understate scope and price to win the deal.

The Shared Risk structure is designed to reduce overall risk by aligning incentives and creating a spirit of partnership. It does this by establishing a target budget with shared risks and rewards if the service provider exceeds or stays within budget. For instance, the service provider’s hourly rate may be progressively discounted as it exceeds the target budget and, conversely, increased if it comes in under budget. However, like the Deliver structure, the Shared Risk structure requires an up-front investment in carefully defining desired outcomes. The Shared Risk structure also requires more sophisticated contracting to address changes in scope and direction because of their impact on the target budget and incentives. This requires, among other things, defining clear boundaries between chargeable and non-chargeable changes.

What is Legal Counsel’s Role After the Contract is Signed?

Contractual processes and protections are only valuable if understood and properly applied by the parties. Legal counsel supporting an ERP implementation project should train the company’s project team and key stakeholders on the key operational elements of the contract, including the importance of aligning project activities with the responsibility allocations in the contract, and documenting changes using contract processes and documents. Legal counsel should then periodically check in with the project team to make sure the project is staying on track and to address questions that arise from time to time that require legal interpretation and guidance. If disputes arise, legal counsel should assist in promptly resolving those disputes to help foster a productive project environment.

While the success or failure of an ERP implementation project lies primarily with the operational, technical and business teams, a well-crafted, well-managed contract can dramatically increase the opportunity for success.

Endnotes

[1] November 2013 article by Analys Evenstad of Denver IT consultant Panorama Consulting Solutions citing a Standish Group report in CFO.com.

[2] “10 Famous ERP Disasters, Dustups and Disappointment,” March 24, 2009 CIO Feature by Thomas Wailgum.


Considerations in Exiting Outsourcing Deals

Daniel A. Masur, Derek J. Schaffner

Daniel A. Masur, Washington DC, +1 202 263 [email protected]

Derek J. Schaffner, Washington DC, +1 202 263 [email protected]

This article was published previously in Inside Counsel.

Exiting an outsourcing deal requires careful planning. A well thought-out exit plan can help transitioned-out activities proceed in a more orderly manner. However, there are often problems in the customer-supplier relationship that make a successful exit difficult. For example, the customer may be unprepared at exit because it has not governed the relationship effectively. Likewise, the outgoing supplier may be unmotivated to provide adequate disengagement assistance and could even act in a hostile manner. This article will discuss items that inside counsel should consider and how to mitigate the risks of exiting an outsourcing relationship.

Exit Plan and Timing Considerations

Exiting customers should ensure that an exit plan is developed to allow adequate time to complete all activities, especially time to complete transition-out tasks. Inside counsel and impacted business stakeholders should work together to develop the exit plan to ensure that legal and operational issues are addressed. To the extent possible, the plan should be developed before termination or non-renewal notice is given to the supplier. If the services are not being moved in-house, the customer should also assess the timing required to reach agreement with a new supplier and provide adequate time for transition-in activities.

Utilize Contractual Rights

A well-crafted outsourcing agreement should contain options that can help the customer move from one supplier to another. For example, a common obligation will require the supplier to perform disengagement services for a period of time, regardless of the reason for termination. It is common for the supplier to perform disengagement services in accordance with the same standards used to perform steady-state services, including adherence to service levels.

If there are supplier personnel whom the customer believes are critical to the success of disengagement services, the supplier should retain those employees on the customer’s engagement for the required duration. However, the supplier will be motivated to pull its best employees off the engagement as quickly as possible. If your outsourcing agreement does not contain an obligation to retain such employees, consider cashing in some IOUs in exchange for assurances that critical talent and knowledge will not leave shortly after notice of termination is given.

The agreement may also specify certain rights regarding software, equipment, and other materials used to perform the services. All customer-owned materials, including materials developed by the supplier, should be delivered to the customer upon request. Despite contractual obligations to maintain an inventory of all developed materials, customers may find that these lists have not been adequately maintained. The disengagement plan should include a work stream to verify that all such materials are accounted for and delivered to the customer in a timely manner.

Certain rights to supplier intellectual property may also be documented in the agreement. However, the rise of cloud computing and other IT “as a service” offerings is diminishing the customer’s need for (and the supplier’s willingness to provide access to) supplier intellectual property.

Information and Data Considerations

There are several data items that a customer needs to plan for when exiting an outsourcing relationship. Customer data should be returned to the customer upon request in a format reasonably requested by the customer. This is a bit more challenging in a cloud environment, though. For example, determining where data resides could be more difficult in a cloud environment and the supplier may be reluctant to provide the data in a different format without additional compensation. Some cloud providers may have policies that automatically delete data a short period of time after termination, so a customer with data in the cloud will need to quickly develop a plan for return of its data.

If a customer plans to solicit proposals from other suppliers, it needs to determine what information from the current agreement can be shared with other suppliers to enable them to formulate a proposal. While suppliers have traditionally resisted sharing financial information, some suppliers have also taken the stance that operational data, such as service level performance, is confidential information and thus cannot be shared. New proposals will more closely reflect customer requirements as more information regarding the current environment can be shared via the RFP process. Ideally, it’s optimal to define these information requirements during negotiation of the agreement to avoid a “blind spot” on the RFP.

Knowledge Transfer and Cooperation

Despite the right to have critical supplier personnel retained for the engagement during the performance of disengagement services, there are other supplier personnel who are not included in this group and are most likely anxious to move to new assignments. This presents a challenge for knowledge transfer, but early planning will help identify the transfer activities that need to occur so job shadowing can be built into the disengagement plan. Customers may also consider payment of retention bonuses to ensure that supplier personnel remain in their roles. However, a well-crafted agreement can avoid this financial carrot by specifying certain activities that the supplier needs to perform as part of disengagement services, such as training customer (or new supplier) personnel, cataloging all business processes and work procedures, and assisting in parallel operations until the services have been successfully transitioned.


Ensuring cooperation between exiting and incoming suppliers is another challenge that can be mitigated by obligating the exiting supplier to cooperate with the new supplier as part of disengagement services. However, suppliers should be motivated to provide such cooperation instinctively out of fear of developing an “uncooperative” reputation.

Other Concerns

In the event that an agreement is terminated due to a material breach by the supplier, the customer needs to evaluate whether curing that material breach is necessary before exit. That may not be possible for some breaches, but perhaps there are fundamental operational issues that must be addressed before a new supplier begins to provide the services.

If the relationship between the customer and the supplier is acrimonious, problems of trust may develop. A supplier may be unwilling to provide waivers or simply refuse to perform its obligations. In such instances, involvement by senior executives of both parties may be required.

In summary, the key to successfully exiting an outsourcing agreement starts with proper planning to assess all the activities and timing necessary to transition the services to a new provider. This requires inside counsel to work closely with business stakeholders with an eye to leveraging the contractual rights in the outsourcing agreement.

Protecting Privacy Interests in Outsourcing

Rebecca S. Eisner, Lei Shen

Rebecca S. Eisner, Chicago, +1 312 701 [email protected]

Lei Shen, Chicago, +1 312 701 [email protected]

This article was published previously in Inside Counsel.

An increasing number of companies are outsourcing internal functions to provide a significant cost savings and other benefits to the company. While outsourcing can be extremely beneficial, companies must carefully manage the risks created by placing data into the hands of an outsourcing provider. Outsourcing frequently results in a company’s data being stored outside of the company’s firewalls, often in systems managed by the outsourcing provider. Outsourcing can also result in movement of the company’s data to new and different countries, particularly when the outsourcing involves cloud computing.

Placing company data into the hands of an outsourcing provider raises various risks, perhaps none more pronounced than in data privacy and security. New laws and regulations, an increase in technology solutions and providers, and increased cybersecurity threats heighten the concerns in this area. Companies must respond to these increased risks in three key ways, through: (a) security assessments that lead to a comprehensive written data security plan, (b) the careful selection and monitoring of outsourcing providers and (c) well-crafted contractual protections with those providers. This article discusses some of the key considerations for companies to evaluate in implementing privacy and security protections in outsourcing.

First, Know Thyself

Having a written information security plan has become the standard of care to establish minimum compliance with privacy and related security laws in the US. Companies that have not done so should undertake a privacy and security assessment. This should be aimed at understanding where the greatest risks and vulnerabilities lie for data protection, particularly with respect to personal data, which is more highly regulated than most other types of business data.

After the assessment, the company should update or create its written information security plan to address those material compliance gaps and risks identified with respect to data protection. Given the growth of outsourcing and use of third parties that have access to regulated data, a written information security plan must address the selection and use of third parties. These procedures for evaluating and selecting a third-party provider, as well as for ongoing monitoring and updating of requirements in the contractual relationship, must be consistently implemented with all third-party providers who will have a material role in processing and securing company data.

For particular outsourcing deals, prior to the selection of a provider, a company should understand what types of data it will be providing to the outsourcing provider, and the privacy and security laws and regulations that apply to that data. For example, certain types of personal data (e.g., name with financial account number or social security number) may trigger data breach notification laws in the US. Knowing the country of origin of the data, and the countries in or from which the outsourcing provider is likely to store, process and remotely access such data, is also important. Countries in the EU and several others have special requirements pertaining to personal data and its movement outside of their borders to other countries. Companies must understand these legal requirements so that they may incorporate the correct obligations around the collection, use, security and transfer of company data.

Carefully Select and Monitor ProvidersThe written information security plan should include policies and procedures for the company to follow in the selection and ongoing monitoring of the out-sourcing provider. Selection procedures may include use of third-party checklists and evaluation tools, on-site due diligence visits, interviews with key security personnel, review of third-party or internal auditreportsandcertificationsmaintainedbytheprovider, review of security procedures and informa-tion security plans maintained by the provider, and other similar activities. Once the provider is under contract with the company, the company should designate company representatives to monitor the provider’s ongoing privacy and security compliance. This may be done through repeating some or all of the procedures used during the initial selection process, as well as periodic meetings to assess whether changes are necessary due to legal develop-ments and new security threats.

Contract for Data Security To adequately protect its data, a company must ensure that an outsourcing provider is contractually obli-gated to have reasonable and appropriate security measures to protect regulated data. However, many lawsandregulationsdonotprovidespecificguidanceabout what constitutes “reasonable and appropriate measures.” It can be challenging and often impracti-cal to attempt to collate the company’s requirements into one comprehensive contract security schedule. As a result, company requirements may come from reference to a variety of sources. These may include: (i) laws and regulations applicable to the company (such as the Gramm-Leach-Bliley Act (GLBA), the Health Insurance Portability and Accountability Act (HIPAA) and other laws with data security require-ments), (ii) the company’s own written information security plan and implementing procedures, (iii) the audit control objectives used by the company, (iv) industry standards to which the company adheres (such as the ISO 27001 series), (v) restrictions from the company’s own customer agreements and third-party contracts, and (vi) various other sources (such astheFederalTradeCommission’scomplaintsandenforcement actions, and various government publica-tions,suchasNIST’sCybersecurityFramework).


For bespoke outsourcing arrangements, like traditional IT outsourcing, incorporation of these requirements is routine. However, for newer IT solutions, such as cloud computing, it may be more difficult to incorporate particular company requirements into the agreement. Many cloud providers offer standardized platforms with their own chosen levels of security. Because of standardization, cloud providers are often not able to customize security requirements for individual customers. In those cases, the company may need to assess the security and compliance levels offered by the provider, and determine whether the offering can satisfy the company’s own requirements.

Management of privacy and security risks in outsourcing involves three major steps for a company: an assessment leading to a written information security plan, careful selection and ongoing monitoring of outsourcing providers, and inclusion of reasonable and appropriate security measures in those contracts. By following these steps, companies can proactively manage privacy compliance and security threats, thereby reducing risk and maximizing the intended benefits of outsourcing.


The economics of cloud computing are compelling and cloud solutions offer customers the flexibility to rapidly provision and release computing elements. As a result, use of cloud services is clearly growing. However, buying cloud services is different from buying traditional outsourced services. Cloud providers are able to offer low cost, flexible solutions because they standardize their offerings for multiple customers. Accordingly, cloud providers are less likely than traditional outsource providers to adapt their solutions to the customer’s needs or negotiate contract terms to meet the customer’s requirements. The key to successful cloud computing is to find the right fit between the cloud solution and your business needs.


Approach to Cloud Services

You need to carefully select the cloud solution to meet your needs and manage the associated risks. The following are important steps in that process.

Know Your Requirements

You should start with an understanding of the attributes of the outsourced function. How critical are the outsourced services to your business? Is the data involved personal data or competitively sensitive? These attributes will drive important requirements for the cloud services.

Select the Right Cloud

You need to understand the cloud options available from your provider. Cloud solutions can be deployed in several distinct ways: private cloud, under which cloud elements are dedicated to the customer; public cloud, under which cloud elements are used for multiple customers; and hybrid solutions. Private clouds offer flexibility in terms of the solution and contract terms but come at a higher price; public clouds offer little flexibility but are available at a low cost; and hybrid clouds fall somewhere between private and public clouds in terms of cost and flexibility. A public cloud may work well where the outsourced service is not critical and the data is not sensitive, but a private cloud may be a better solution for critical services involving sensitive data.

Key Considerations in Cloud Contracting

Linda L. Rhodes

Linda L. Rhodes, Washington DC, +1 202 263 [email protected]

This article was published previously in Inside Counsel.


Good Due Diligence is Essential

Given the limited ability of the provider to customize a cloud solution (in particular, in a public or hybrid environment), you must conduct thorough due diligence on the cloud solution to determine what gaps exist between your requirements and the provider’s services and whether there are workarounds to fill the gaps. This should include an understanding of the provider’s data flows, security standards and options available to address your compliance requirements, and the provider’s change process.


Key Risks and Challenges

Criticality of the Outsourced Services. Below are some of the key risks and challenges in contracting for cloud services to be considered and managed.

Continuity of Services

Customers have more risk as to continuity of services in cloud transactions than in traditional outsourcing. For example, cloud providers demand suspension rights for non-compliance with rules of use. Customers can often negotiate some protections around such suspension rights, such as limiting the suspension to the minimal extent necessary to address the violation and prompt reinstatement of services upon cure of the violation.

Provider Rights to Change Terms

Cloud contracts typically incorporate by reference other provider terms and conditions, and the provider maintains flexibility to change those terms and conditions without the customer’s approval. Some providers will agree to compromises in this area, such as a requirement that the changes not degrade the services or ease security requirements or that notice of changes be given, with a right for the customer to terminate if the changes are unacceptable to the customer.

High Level Service Descriptions with Few Warranties

In public cloud contracts, services are often described at a high level with little detail, and providers are reluctant to give general performance warranties, which limits the customer’s ability to bring claims for damages for deficient services. Providers may agree to include core features of the services and limited performance warranties.

Service Levels

Cloud contracts may contain few service levels, typically with no methodology for allocating at-risk amounts across service levels. Service level credits are relatively small, and providers often demand that service level credits constitute a customer’s sole and exclusive remedies. If your company is considering using cloud services for critical functions, you should consider whether you need more protections than those offered by the provider. Providers of private clouds may agree to higher incentives and language permitting damages if another claim can be made under the agreement.

Data Privacy Compliance

As noted above, it is essential to consider the sensitivity of the data to be placed in the cloud. Cloud solutions are often designed to permit the provider to move data from location to location. However, movement of data is often at odds with the customer’s need to comply with data privacy laws and policies. For example, privacy laws require safeguards around the collection, processing, storing and transferring of customer data and that customers know where their data is located. In selecting a cloud solution, you need to understand how the solution will handle the flow of data.


Standard Security Offerings

Providers have a standard cloud security protocol to offer customers and typically will not customize the security safeguards to a customer’s particular needs. You need to understand whether those security protocols allow you to meet your obligations. Some providers may warrant that they will maintain certain certifications, such as ISO 27001, but you need to consider with which certification standards the provider complies.

Other Compliance Requirements

You need to consider compliance obligations beyond just data security. For example, will the provider be able to effect litigation holds on data in the cloud? You may be able to manage compliance risks by retaining the compliance obligations yourself as long as the solution provides the tools you need to meet those obligations.

You can successfully use cloud solutions if you make informed decisions about the solutions selected, understanding the needs of your business, the ability of the provider to meet those needs and the contractual terms that can be obtained.


As companies move to outsource their FM services globally, they are encountering more and more often the question of how to accommodate for inflation, especially with respect to its impact on FM suppliers’ savings commitments. The FM supplier will tell you that it’s inequitable to ask them to shoulder the risk and the burden for inflation in certain countries. They will ask that any savings commitments they make be automatically reduced to account for the amount of inflation experienced each year. While there’s no disputing the inequity in asking an FM supplier to shoulder the entire burden and risk in high inflation environments, it behooves the customer to take a closer look at the costs that are actually impacted by inflation in order to determine the most fair and equitable way to mitigate and allocate the associated risk and the burden.


Breakdown of Costs in an IFM Engagement:

To cover the provision of hard services (i.e., work often capable of being performed by skilled labor) and soft services (i.e., work often capable of being performed by unskilled labor), there are the following cost categories: (A) the supplier’s internal overhead (back-office labor, goods and services costs), (B) the supplier’s labor, (C) third party services (subcontracted services), (D) goods, and (E) software and related IT services.

In order to determine how best to deal with inflationary impact on these costs, let us examine in more detail the level of control a supplier has over such costs. The analysis below assumes a pass-through, gross maximum price (GMP) pricing model:

SUPPLIER’S INTERNAL OVERHEAD COSTS

These costs are typically included within the management fee charged by the supplier. The management fee is often tied to volume of business and is expressed as either a square foot cost or a percentage of overall spend, depending on the structure of the deal. We do not typically see suppliers asking for the management fee to be indexed to inflation. Any such request should be refused as the supplier has sole control over these costs and the customer has no visibility into such costs or any ability to mitigate or otherwise influence such costs.

Mitigating and Managing the Impact of Inflation in IFM Engagements

Kevin A. Rang Rohith P. George

Rohith P. George, Chicago, +1 312 701 [email protected]

Kevin A. Rang, Chicago, +1 312 701 [email protected]

This article was published previously in Inside Counsel.


SUPPLIER’S LABOR COSTS

Suppliers will raise wages as necessary to retain their workforce but will typically not match inflation unless required to do so (e.g., an inflation matching provision in a collective bargaining agreement). Absent such a requirement to raise wages to match inflation, suppliers are unlikely to completely offset inflation with wage increases for all of their employees. With respect to their skilled workforce, however, there will be more pressure on suppliers to raise wages, especially as customers will want continuity in such workforce in order to avoid disruption in service delivery in areas that could have a more material adverse impact on the customer. The customer should only be responsible for the actual increases in wages incurred by the supplier resulting from inflation and should not agree to a mechanism that assumes an increase that matches inflation for the supplier’s entire workforce.


THIRD PARTY SERVICE PROVIDER COSTS

Inflation may have some impact on the cost of third party services depending on the nature of the service (i.e., skilled vs. unskilled) but, as such contracts are often volume-based and nationwide or enterprise-wide, the supplier has significant leverage over these third party suppliers. They have the ability to move from one vendor to another, offering a significant amount of business in exchange for lower rates. The supplier will have to actively bid services and monitor the market for the best services at the lowest rates, but that is part of the value it should be bringing as part of its service offering. Thus, third party service costs may increase because of inflation, but suppliers should be actively working to mitigate those increases.

GOODS, MATERIALS AND PRODUCT COSTS

Costs for goods, especially when unique or tailored for the customer, will increase because of inflation. Similar to third party services, suppliers may be able to better mitigate the increased costs for commodity goods by actively searching the market for the lowest cost. Even with such mitigation measures, the supplier’s costs for goods may increase as a result of inflation but depending on the nature of such goods, such cost increases may not, in the aggregate, equal the rate of inflation.

SOFTWARE AND IT SERVICES COSTS

Typically software costs are priced on a long-term basis (i.e., the supplier agrees to a fixed license fee over a long-term period). Such licenses may be seat-based or otherwise volume-influenced, but those cost drivers are consumption-based and independent of inflation. IT service costs may increase due to higher labor costs, but any increases should be less than the actual rate of inflation for the reasons discussed above.

Conclusion

As we’ve discussed, inflation will increase the costs of a supplier, but such costs are not all impacted equally by inflation. The first thing suppliers should be required to do is to use best efforts to mitigate inflation. The parties should then determine the actual increase in costs directly attributable to inflation. The customer should then decide whether to offset such increased costs with cost savings resulting from measures like reducing head count or decreasing required service levels or whether it would rather increase the budget and reduce the supplier’s savings commitment to offset such increased costs. Regardless of which of those options the customer elects, for the reasons discussed above, automatic budget adjustments matching the rate of inflation should be avoided.


PAUL CHANDLER, Counsel

Paul Chandler is counsel in Mayer Brown’s Business & Technology Sourcing practice in Chicago. He represents clients in connection with the outsourcing of information technology functions and business processes. In addition, Paul assists clients that are working to develop, license, market, distribute and acquire rights in a wide variety of technology-related products, services and intellectual property, including computer software and hardware, open source software, databases, cloud services and telecommunications systems. He also represents clients interested in forming technology joint ventures and other strategic alliances.

REBECCA EISNER, Partner

Rebecca Eisner, a partner in the Chicago office, serves on Mayer Brown’s Partnership Board and is a co-leader of the Business & Technology Sourcing practice. Her practice focuses on complex global technology, licensing and business process outsourcing transactions, including IT infrastructure and licensing, cloud computing, applications development and maintenance, back office processing, ERP implementations, finance and accounting, payroll processing, call center, HR, technology development, system integration and hosting. She also regularly advises on complex data protection and data transfer issues, frequently as part of transactions, as well as privacy issues and electronic contracting and signatures. Chambers USA has ranked Rebecca as a “Band One” lawyer for as long as it has ranked outsourcing lawyers and notes that sources perceive Rebecca to be “an incredible resource” who “knows her subject matter and is very open and engaging.” Rebecca is also one of a small group of lawyers given the top rank by Legal 500.

ROHITH GEORGE, Associate

Rohith George is an associate in Mayer Brown’s Business & Technology Sourcing practice where he has advised clients in complex global outsourcing transactions, including facilities management, project management, transactional real estate services, food services, lease administration, network management, infrastructure, help desk, call center, cloud computing and application hosting, development and maintenance.

DANIEL MASUR, Partner

Daniel Masur, a partner in the Washington, DC office, has represented national and international clients in a broad range of on-shore, near-shore, and offshore information technology and business process sourcing transactions involving global and niche outsourcing providers, offshore captives and various hybrid structures. Prior to joining Mayer Brown, Dan served as General Counsel of I-NET, Inc., a provider of outsourcing services. Dan is recognized as one of the leading lawyers in the outsourcing field by Chambers Global, Chambers USA, Legal 500 and Best Lawyers in America.

BRAD PETERSON, Partner

Brad Peterson, a partner in the Chicago office, co-leads the firm’s Business & Technology Sourcing practice and focuses on business process and information technology outsourcing, joint ventures, strategic alliances and information technology transactions. Brad has represented customers in dozens of large outsourcing agreements with, cumulatively, over $10 billion in contract value. He has represented clients in all major types of outsourcing transactions and has negotiated opposite all of the first-tier and most of the second-tier providers. Brad has also represented information technology buyers in hundreds of technology transactions, including cloud computing, software licensing, software development agreements, hosted services agreements, and ERP implementation agreements.


PAUL J.N. ROY, Partner

Paul J.N. Roy is a partner in the Business & Technology Sourcing practice in Chicago and represents clients in a broad range of information technology and business process transactions, including technology development, implementation, support and outsourcing transactions. He regularly advises clients with outsourcing of IT infrastructure services and support, application development and maintenance, network management and support and help desk/call center services. Paul also advises clients on the sourcing of finance and accounting functions, HR/employee services, CRM and financial services operations, among other business process functions.

KEVIN RANG, Partner

Kevin Rang is a partner in Mayer Brown’s Business & Technology Sourcing practice in the Chicago office where he represents clients in transactions involving the outsourcing of business process functions, including facilities management for laboratory, warehouse and corporate office space, manufacturing plant facility maintenance, manufacturing plant production maintenance, employee benefits and accounts payable; and the outsourcing of technology functions, including network management, help desk, call center, telecommunications, application hosting and application development and maintenance.

LINDA RHODES, Partner

Linda Rhodes, partner in the Washington, DC office, focuses her practice on complex commercial transactions, with a primary focus on business and technology sourcing. She has represented a wide spectrum of clients, including large multinational corporations, in a variety of industries, such as information technology, telecommunications, pharmaceuticals, healthcare, financial services, insurance, energy, chemicals and consumer products. She has substantial experience in leading contract negotiations, bringing complex transactions to successful closure and effectively managing the international aspects of global transactions.

DEREK SCHAFFNER, Counsel

Derek J. Schaffner is counsel in the Business & Technology Sourcing practice of the Washington DC office. He represents clients in complex information technology and business process outsourcing transactions, as well as other commercial contracting matters such as custom software development agreements, technology and pharmaceutical licenses, end user license agreements, website development/terms of service agreements, and content/distribution agreements. Derek has represented clients in a variety of industries such as consumer products, financial services, hospitality, telecommunications, health care, pharmaceutical, food products, retail, and mining.

LEI SHEN, Senior Associate

Lei Shen is a senior associate in the Privacy & Security and Business & Technology Sourcing practice groups in Mayer Brown’s Chicago office. Lei focuses her practice on privacy and security, technology and business process outsourcing, and information technology transactions. Lei regularly advises clients regarding privacy, security, data transfer, data breach notification, and e-commerce issues, including electronic contracting and signatures, web site design and review, and mobile and telematics services. She has extensive experience drafting privacy policies, terms of use, and other policies and procedures to comply with privacy laws.


Mayer Brown is a global legal services provider comprising legal practices that are separate entities (the “Mayer Brown Practices”). The Mayer Brown Practices are: Mayer Brown LLP and Mayer Brown Europe – Brussels LLP, both limited liability partnerships established in Illinois USA; Mayer Brown International LLP, a limited liability partnership incorporated in England and Wales (authorized and regulated by the Solicitors Regulation Authority and registered in England and Wales number OC 303359); Mayer Brown, a SELAS established in France; Mayer Brown JSM, a Hong Kong partnership and its associated entities in Asia; and Tauil & Chequer Advogados, a Brazilian law partnership with which Mayer Brown is associated. “Mayer Brown” and the Mayer Brown logo are the trademarks of the Mayer Brown Practices in their respective jurisdictions.

This publication provides information and comments on legal issues and developments of interest to our clients and friends. The foregoing is not a comprehensive treatment of the subject matter covered and is not intended to provide legal advice. Readers should seek legal advice before taking any action with respect to the matters discussed herein.

© 2014 The Mayer Brown Practices. All rights reserved.

About Mayer Brown Mayer Brown is a global legal services organization advising clients across the Americas, Asia and Europe. Our presence in the world’s leading markets enables us to offer clients access to local market knowledge combined with global reach.

We are noted for our commitment to client service and our ability to assist clients with their most complex and demanding legal and business challenges worldwide. We serve many of the world’s largest companies, including a significant proportion of the Fortune 100, FTSE 100, DAX and Hang Seng Index companies and more than half of the world’s largest banks. We provide legal services in areas such as banking and finance; corporate and securities; litigation and dispute resolution; antitrust and competition; US Supreme Court and appellate matters; employment and benefits; environmental; financial services regulatory & enforcement; government and global trade; intellectual property; real estate; tax; restructuring, bankruptcy and insolvency; and wealth management.

Please visit www.mayerbrown.com for comprehensive contact information for all Mayer Brown offices.
