Risk-based Sourcing
Classical business strategy distinguishes choices of where to compete and how to compete. One fundamental “how to compete” decision is whether to source IT services internally or externally. Given the wide variety of sourcing alternatives, strategists take a tough-minded view of internal sourcing, asking questions like these:

• What is the strategic value of delivering this activity internally?  Is it distinctive in a way that matters to customers or partners?
• How significant are the risks or costs of not delivering this activity extremely well?  Does it matter if we don’t meet the world-class risk and cost standards?

When operational activities don’t pass these tests, managers move them to external suppliers instead of investing their own resources. High-risk activities with low strategic returns are especially strong candidates for outsourcing. Data backup is a classic case: Few consumers select their bank on the strength of its backup plan —  its strategic value is relatively low. But the risks of providing poor backup are very high, including financial losses, public disclosure, and regulatory intervention. This combination of low strategic value and high risk makes backup a good candidate for outsourcing to a specialist.

Related sourcing questions address the number of outside suppliers and separation of responsibilities. Is it better to build a one- or two-deep relationship or hedge bets across several?  Once it was common to outsource all IT infrastructure to an EDS or a Perot Systems. But many enterprises are now abandoning single sourcing in favor of one or two generalists for commodity services, and selective outsourcing for specialized activities.

For infrastructure activities selected for internal delivery, balancing investments across people, processes and technology is the key to success.  Improvements in one area unmatched by changes in the other two yield diminishing returns. A recent study on ITRM found that the most effective organizations balanced their investments to perform better across the full range of people, process, and technology controls. Lower-performing organizations focused their resources on a smaller number of tactical controls, with disproportionate focus on technology controls.

These ideas about competitive strategy are well understood, but too seldom practiced. Instead of first deciding where a function belongs and then allocating investments in people, processes and technologies, many companies begin and end with technology or price. ITRM offers a framework of checks and balances to rein in this impulse.

Competitive Advantage Begins Now
With 60 to 80 percent of every IT investment dollar spent on infrastructure, getting the best return is an urgent concern. ITRM principles help clarify and communicate issues about where and how to source IT services to improve the firm’s competitive position. So, why wait?

The fastest start is to map the company’s strategy onto its internal and outsourced IT infrastructure, and then making choices that reflect business value and IT risks. With the active involvement of business and IT leadership, it provides an excellent start toward a winning infrastructure strategy.

Greg is the Group President of Symantec’s global services division. He manages enterprise-services operations.