Executive Summary
The State Services Commission, with the support of the Office of the Privacy Commissioner, Archives New Zealand and other agencies, has developed advice for government agencies on managing the risks around the use of offshore ICT service providers.
Stewardship requires an informed balance between sometimes competing drivers. Advances in technologies such as software-as-a-service or cloud computing, the cost advantages of offshore service centres, or access to offshore expertise and its transfer onshore can make the use of offshore information and communication technologies (ICT) providers very attractive. However, agencies may dismiss potential opportunities to take advantage of these offerings because of uncertainty about their ability to meet obligations under legislation, regulation or policy.
The advice is intended to assist agencies to meet their obligations under existing procurement policies, international obligations, the Public Finance Act, the Privacy Act and the Public Records Act. It does not introduce any new policy nor does it create any new requirements for agencies. It explains the risks that may accompany doing business with offshore ICT providers and also describes possible strategies to mitigate those risks.
The advice consists of four main sections: introductory material, explanations of ten key risk areas and their possible mitigations, and some further resources.
The introductory material covers existing obligations when procuring ICT services, security obligations on information held by government, a brief mention of the kinds of risks that may arise when data or data management are outside New Zealand, and the elements of a risk management approach to assessing the relative benefits and costs/risks of a particular outsourcing opportunity.
The bulk of the paper introduces readers to the risks under ten general headings and then provides more specific information about particular risks and how to mitigate them. The ten areas of risk and some examples of mitigations are:
- Big picture risks: "show-stoppers" - risks that may put a proposal out of consideration regardless of its other virtues, e.g. formal advice from GCSB about security hazards in certain countries or standard terms and conditions that conflict with section 65ZC of the Public Finance Act relating to third party indemnities.
- Trust and public confidence risks: how a proposal may adversely affect the Trusted State Services Development Goal for the New Zealand State Services, e.g. public perception that a service or data offshore is riskier or unacceptable because of the sensitivity of the information. A mitigation strategy is to assess data for sensitivity before issuing a tender request so that potential vendors can respond adequately.
- Control risks: the need to maintain control and long term access to data as required by, for example, the Public Records Act 2005. To reduce that risk, contracts can include prohibitions against sub-contracting without the written permission of the government agency. Agencies can also avoid providers that won't give assurance of long-term data access.
- Governance, management, and project risks: areas where extra care may be needed related to geographically dispersed management of a business function or project. Here, contracts could be structured to require compliance with SSC Guidelines for Managing and Monitoring Major IT Projects or other relevant best practice documents.
- Economic risks: following procurement policy on open tendering while considering possible effects on the larger New Zealand economy or parts of it. For large projects, it may be advisable to seek advice from the Department of Labour, Ministry of Foreign Affairs and Trade or the Treasury on the net economic effects of particular proposals.
- Business continuity risks: agencies are responsible for maintaining vital business capability in the event of an emergency or a service provider failure. Normal business continuity planning may need boosting to ensure that some local capability and backup services are provided and that effective change management processes are in place to ensure that locally held information is current.
- Security and integrity risks: these include data interception or corruption, industrial espionage, social disruptions, and terrorist threats. Effective formal governance structures, together with monitoring, reporting and backup processes, can mitigate risks in this area. Agencies should assess whether some threats are more likely to eventuate than others and anticipate what they will do if these occur.
- Privacy risks: agencies are responsible for control over disclosure of and access to government held personal information even if sent offshore. Risk will vary dramatically depending on the location but there are many tools to help manage these situations starting with a privacy impact assessment before contracting, followed by adapting internationally accepted standard data protection clauses for contracts, and ascertaining if there are international agreements on enforcement of privacy laws with that jurisdiction.
- Legal, jurisdictional and commercial risks: practical and legislation-related risks of doing business outside New Zealand. These are a fast-moving target, so contracting for New Zealand governing law and jurisdiction is one important way to mitigate them. If this is not possible, check that the meaning of the terms used in the contract for service is fully understood and that they are applicable in New Zealand law.
- Fiscal risks: currency fluctuations, offshore taxes, and other financial risks. These types of risk may be more to the front of mind at the moment but standard commercial risk mitigations such as money market hedging or forward contracts may be useful.
The final section has a list of possible topics to discuss with an agency's legal advisors and a detailed list of resources (and how to access them) that are referenced in the body of the document. This list also includes information about the risk management training being offered by the Government Technology Services unit of SSC (moving to DIA in July 2009).