Selecting IT Service Providers: Common Mistakes and How to Avoid Them

The selection of IT service providers is a crucial step in any IT or outsourcing project. This process goes through several phases: after the tender documents are completed, suitable providers are identified and invited to submit proposals. Then, the received offers are negotiated, leading to the selection of the contractor. Unfortunately, mistakes are often made during this selection process, which can significantly impact the quality and success of the project. In this blog post, we highlight the most common mistakes and provide valuable tips on how to avoid them.

Typical Approach to Selection

Many companies do not follow a sufficiently structured approach when selecting IT service providers. Often, the focus is placed on price and a few other criteria, while other important factors such as experience, expertise, infrastructure, and long-term collaboration are neglected. This approach can lead to suboptimal decisions: choosing the “wrong” provider often results in performance issues and difficult cooperation later on.

The 5 Most Common Mistakes

Based on our experience, here are some of the most frequent mistakes companies make when selecting IT service providers:

 

1. Inadequate Assessment of Technical Expertise

It is essential that the provider has the necessary technical knowledge and experience in the requested service area.

Tips:

• Request specific reference projects from the recent past. Ask for data that allows a realistic assessment of the provider’s experience.
• Ask for contact persons for the reference projects to speak with other clients about the provider’s experience and staff expertise.
• Assess the competence of the provider’s staff through requested short profiles and (where appropriate) certification evidence (e.g., Cisco CCNP, Microsoft MCSE).
• Company certifications (e.g., ISO 9001, ISO 20000, ISO 14001) can ensure a certain level of quality and maturity of the provider’s organization. These certifications should be relevant to the requested services.
• If industry-specific knowledge is required, ask the provider to demonstrate this as well.

2. Insufficient Consideration of Security and Compliance Requirements

Security standards and compliance requirements should always be a priority when selecting IT service providers.

Tips:

• Specify relevant security standards for the requested service and ask the provider to detail how they comply.
• If international standards (e.g., Tier classes for data centers or EN 50600) or certifications (e.g., ISO 27001) exist, ask the provider to prove compliance or possession.
• List compliance requirements individually and have the provider confirm adherence. If necessary, ask for additional measures to ensure compliance.

3. Lack of Flexibility and Scalability

The provider should be able to adapt to changing requirements and grow with your company.

Tips:

• Request the revenue related to the service segment over the past 3 years. This reveals the provider’s competence and the importance of the segment to them.
• In reference projects, ask for details on how changes were handled, especially if changes are critical to the requested service.
• Contact persons for reference projects allow you to discuss the provider’s flexibility and responsiveness to change requests.
• Include provisions in the contract for handling change requests. The contract should be modular to easily incorporate and commission changes.

4. Neglecting “Soft Facts”

When selecting a provider, not only technical and financial aspects should be considered, but also cultural fit and collaboration. This aspect is difficult to specify in a request for proposal.

Tips:

• Choose providers for whom your project is at least as important as it is for you. This ensures a basis for cooperation and flexibility.
• During pre-selection, assess the provider’s culture through their public presence and preliminary discussions.
• Reference project contacts allow you to learn about the provider’s culture and behavior in daily service before awarding the contract.
• Address cultural and behavioral aspects in the contract: define how the provider should interact with you and third-party providers.

5. Time Constraints

Preparing and conducting the tender, as well as internal coordination, require sufficient time. A tight schedule can lead to inadequate documents and poor decisions.

Tips:

• Start with a project plan for the tender and allocate enough time for developing and aligning selection criteria with all internal stakeholders. Also plan sufficient time for evaluating providers and their offers.
• If time becomes tight during the project, speak with your current provider early and negotiate a contract extension. This is easier if they can also participate in the tender and if the scope of services increases compared to the current contract.

General Recommendations for Selecting IT Service Providers

To avoid the above—and other—mistakes, a structured approach is essential. Companies should first define clear selection criteria and integrate them into an evaluation process. Criteria and processes should be tailored to your specific service request.

Once the criteria are defined, they should be weighted to determine their relative importance. This helps ensure a balanced evaluation of providers. A scoring system can be useful for objectively comparing offers and making the best choice.

By following a structured approach and considering the right selection criteria, companies can ensure they choose an IT service provider that is not only cost-effective but also guarantees long-term project quality and success.

Constructive Communication in Managing Service Providers – When to Communicate in Writing and When to Speak in Person?

Let’s take a closer look at constructive communication in service provider management – when is written communication appropriate, and when is it better to talk in person?

Friday afternoon, just before the end of the workday in Bernd Baumann’s office:
“Just quickly send that email to our service provider. They’ve complained again about missing the deadline. But honestly, they have no clue… I’ll give them some feedback…”
The email is sent, and we can already guess what’s coming next – a reply that’s just as sharp.

Many are familiar with the escalation that can arise from email ping-pong. That’s why this blog focuses on choosing the right communication channel when criticism and conflict need to be addressed.

 

Let’s start by acknowledging what ALWAYS happens in interpersonal communication: there is a factual level and a relationship level.

In written communication, the relationship level is barely perceptible. Non-verbal signals such as facial expressions, gestures, tone of voice, and body language are missing. This leaves it up to the reader to “fill in” the missing relationship cues. This often leads to interpretations of tone and intent that may not have been intended.

If I assume that the other person means well, I’m less likely to perceive conflict in the message. But if I suspect a strained relationship, I’m more likely to interpret the message negatively.

Here’s a helpful guide to choosing the right communication channel to avoid escalation and conflict:

Level 1: Written Communication

Suitable when there are few or no issues on the relationship level, or as a supplement to personal communication when written documentation is needed for security.

Level 2: Chat, SMS, WhatsApp

Emojis can convey emotions to a limited extent. A smiley can help emotionally contextualize potentially ambiguous messages.

Level 3: Voice Message

Tone and emotion are more apparent through voice. However, it still feels somewhat “artificial” because there’s no immediate response. The sender knows the recipient has time to prepare a reply, which may not be spontaneous. This delay can hinder trust-building.

Level 4: Phone Call

Tone of voice adds a relational dimension to the communication. This helps interpret statements more accurately on the relationship level.

Level 5: Video Conference with Camera

Some body language (from the torso up) is visible, which helps especially in conflict situations to interpret relational cues and increases the chances of resolving the conflict successfully.

Level 6: In-Person Meeting

Action and reaction are visible in real time. You can see and feel if someone is sweating or trembling with fear. Changes in skin color, movements in the room – whether expansive or withdrawn – are unconsciously registered and evaluated every millisecond. This allows for a complex assessment of whether what is being said feels credible. Important decisions in crisis or conflict situations should always be made in person.

Conclusion – Constructive Communication in Service Provider Management

Next time a conflict arises, consider whether choosing the right communication channel could lead to a quicker resolution.

If you’d like to learn more about the art of constructive communication in managing service providers, we recommend the seminar “Practice of IT Provider Management.”

In today’s digital era, Artificial Intelligence (AI) plays an increasingly important role across all business areas of a company. For organizations that have outsourced IT services, AI support can offer significant advantages in provider management by automating processes, minimizing risks, and increasing efficiency. In this blog post, we explore key areas of IT provider management and demonstrate how AI can support these functions—and how AI is transforming provider management.

We’ll examine six core areas: Contract Management, Relationship Management, Risk Management, Performance Management, Financial Management, and Continuous Improvement.

AI Support – Key Areas in Provider Management

We’ll examine six core areas: Contract Management, Relationship Management, Risk Management, Performance Management, Financial Management, and Continuous Improvement.

 

We’ll briefly outline each area and then show how AI can support or relieve employees in provider management. Various AI systems may be used.

Since newer versions of IT systems increasingly include AI functionality, it makes sense to first utilize the AI features of systems already in use within the company. These may include generative AI systems like ChatGPT or MS Copilot, as well as contract management systems, supplier management systems, ERP systems, service management platforms, and more.

1. Contract Management

Scope:
Contract management involves creating, negotiating, monitoring, and renewing contracts with IT service providers. It includes ensuring compliance with contract terms and managing contract changes.

AI Support:
AI can automate contract analysis by checking for compliance and identifying potential risks. Using Natural Language Processing (NLP), contracts can be analyzed faster and more accurately. AI-powered systems can also assist in negotiations by analyzing historical data and suggesting optimal strategies.

2. Relationship Management

Scope:
Relationship management focuses on maintaining and developing relationships with IT service providers to ensure long-term, productive collaboration.

AI Support:
AI can analyze communication patterns and feedback to monitor provider satisfaction and flag potential issues early. AI-powered chatbots can serve as the first point of contact for inquiries and problems, reducing response times and strengthening relationships.

3. Risk Management

Scope:
Risk management involves identifying, assessing, and minimizing risks related to IT service providers, including financial, operational, and compliance risks.

AI Support:
AI can use predictive analytics to detect potential risks early and suggest countermeasures. Machine learning algorithms can analyze historical data to identify patterns that indicate future risks, enabling proactive risk mitigation.

4. Performance Management

Scope:
Performance management includes monitoring and evaluating the performance of IT service providers to ensure they deliver agreed-upon services and continuously improve.

AI Support:
AI can monitor provider performance in real time by analyzing performance data and KPIs. It can detect anomalies and deviations immediately and suggest improvements or set benchmarks.

5. Financial Management

Scope:
Financial management covers budgeting, cost control, and billing related to IT service providers, aiming for efficient financial oversight.

AI Support:
AI can automate invoice verification and cost analysis, improving accuracy and efficiency. Predictive analytics can forecast future cost trends and help prevent budget overruns.

6. Continuous Improvement

Scope:
Continuous improvement aims to optimize processes and services in IT and provider management by identifying improvement opportunities and implementing measures.

AI Support:
AI can analyze process data to identify bottlenecks and inefficiencies. Machine learning algorithms can suggest process optimizations and monitor the implementation of improvements.

Impact on Provider Management Roles

The use of AI in IT provider management shifts the focus of employee tasks. Routine and manual activities are increasingly automated, allowing staff to concentrate on strategic and value-adding tasks. Skill requirements are evolving—technical understanding and the ability to work with AI systems are becoming more important. Analytical skills and data literacy are also gaining significance.

Overall, integrating AI leads to more efficient and proactive workflows in IT provider management. Employees can focus more on relationship building and strategic alignment, while AI systems handle data analysis and process optimization. This creates added value for both the company and its employees, who can grow in their roles and acquire new competencies.

Conclusion – AI Support in Provider Management

Using AI in provider management offers numerous benefits and can significantly enhance efficiency and effectiveness across various areas. Companies that adopt AI early can gain a competitive edge and future-proof their provider management processes. However, they must also invest in timely employee development and, in the medium term, consider adjustments to staffing levels.

In today’s business world, IT service contracts are the critical foundation for collaboration between outsourcing companies and their service providers. A well-crafted contract can make the difference between smooth cooperation and constant conflict. Based on our experience from various outsourcing projects, we want to highlight 10 important aspects that should be regulated in an IT service contract to ensure effective provider management.

Scope

We do not aim for completeness: many other aspects should also be appropriately regulated in IT service contracts depending on the outsourcing situation. These include liability, warranties, payment terms, confidentiality, contract duration, termination conditions, knowledge and compliance management. So let’s focus on the aspects that, in our view, are particularly decisive for the success or failure of cooperation with service providers. Summarized for you: IT Service Contracts – 10 Key Aspects

Ten Aspects

1. Clear Service Specification

The services to be provided must be defined as clearly and precisely as possible in the service contract. This includes the type and scope of services as well as the expected service quality. The latter is usually specified in the contract through service levels. The procedure for measuring compliance with service levels should also be regulated in the contract.

When specifying the expected external services, it is important to clearly define the client’s cooperation obligations. If other service providers are working for the outsourcing company, clear performance boundaries between all parties must be specified. The goal is to minimize gray areas between provider and client as well as between providers.

Additionally, the framework conditions under which the service provider is to deliver the services must be defined. These can include service times and location requirements.

Clear service specifications and measurable service levels help manage expectations on both sides and provide a basis for evaluating service quality.

 

2. Pricing and Billing Modalities

A transparent and fair pricing mechanism is essential to avoid misunderstandings and disputes. The contract should clearly specify which services are provided at what price and how billing is handled. Variable costs, such as for additional services or overtime, should also be clearly regulated.

 

3. Change Management

Changes to IT services are inevitable, whether due to technological advancements or changing business requirements on the client side. Effective change management in the contract ensures that changes are carried out in a structured and controlled manner. This includes defining processes for requesting, evaluating, commissioning, and implementing changes, as well as communication between the parties.

 

4. Risk Management

A good IT service contract should also include provisions for handling risks and emergencies. This involves identifying potential risks, developing action plans, and regularly reviewing and updating these plans. The goal is to proactively minimize the impact of disruptions and ensure continuity of business processes.

 

5. Reporting, Roles, and Communication

Regular reporting and open communication are crucial for successful provider management. The contract should specify what information (especially within SLA reporting) a provider must deliver and at what intervals, and how communication between the parties is organized. Appropriate roles and committees, along with their tasks and interactions, should be defined in the contract for regular exchanges and decision-making.

This enables continuous monitoring of service quality, early identification of problems, and appropriate service development.

 

6. Cooperation

The contract should also obligate the service provider to cooperative behavior. This applies not only to collaboration with the client but also with the client’s other service providers. Shared goals should be defined in the contract as a basis. Common values and rules can then be agreed upon to guide cooperative behavior.

 

7. Escalation Procedures

A clearly defined escalation procedure is important for resolving conflicts quickly and effectively. The contract should specify the steps to be taken when problems cannot be resolved at one level and who is then responsible for resolution. This helps avoid misunderstandings and ensures timely problem resolution.

 

8. Performance Reviews and Audits

Periodic performance reviews and audits help ensure compliance with contractually agreed standards. The contract should specify how often these reviews take place and what criteria are applied. This allows deviations to be identified early and countermeasures to be taken.

 

9. Continuous Improvement and Innovation

A good IT service contract should also include provisions to promote innovation and continuous improvement. This may include the provider’s obligation to regularly evaluate new technologies and best practices and to propose optimization measures for IT services. The contract should also define how improvement ideas are planned and implemented, especially when multiple service providers must collaborate to realize improvements.

 

10. Exit Strategy

A well-thought-out exit strategy is essential to ensure a smooth transition to a new provider or the reintegration of services into the company upon contract termination. The contract should include clear provisions for the handover process, data migration, and support from the previous provider.

 

Conclusion: IT Service Contracts – 10 Key Aspects

A well-crafted IT service contract is the foundation for successful collaboration between client companies and IT service providers. The ten aspects mentioned – clear service specification, pricing and billing modalities, change management, risk management, reporting and communication, cooperation, escalation procedures, audits, continuous improvement, and exit strategy – are crucial for effective provider management and minimizing conflicts.

As a provider manager, you should ensure that these points are clearly and precisely regulated in your contracts to enable smooth and successful collaboration. If you work with multiple service providers, it makes sense to agree on uniform contract provisions with all parties. This simplifies collaboration and provider management.

A good contract alone does not guarantee good service and smooth cooperation. But it provides the necessary foundation. Consistent expectation management and active relationship management are essential for long-term success in IT outsourcing.

Supplier evaluation in multi-provider environments: Does it really add value? In many companies that have outsourced IT services, supplier evaluation is often initially considered a low priority. After outsourcing, the initial focus is on establishing effective provider management. Companies generally do not revisit the issue because they do not expect it to be of great benefit. We show that supplier evaluation is worthwhile, how it can be designed, and how the results can be consistently used to your advantage.

1. Limiting the scope of consideration

Supplier evaluation serves to make the performance of a company’s suppliers transparent. It should not be an end in itself. Evaluation is a means of enabling the targeted selection and development of suppliers. In the following, we will focus on the evaluation of IT service providers that have already been commissioned and their development. We do not consider the selection of new IT service providers in this article.

 

2. Initial situation

If companies evaluate IT service providers at all, they often do so only in the purchasing department and with a focus on criteria that are relevant to them, i.e., primarily commercial criteria. These include, in particular, criteria such as price, adherence to deadlines, and delivery reliability, as well as the handling of requests for quotations. Content-related aspects such as service quality and cooperation, which are essential for provider management, are often not considered at all or only marginally.

 

3. Goals and benefits

Supplier evaluations can serve various purposes, i.e., the evaluation results can be used for different purposes. Three possible objectives are outlined below:

Evaluations can be used to optimize the performance of individual service providers. Weaknesses are identified and can then be eliminated, ideally through an established continuous improvement process (CIP). In some cases, training and development measures by the client may also be necessary.

Furthermore, the evaluation can also be used to improve the allocation of services to providers. Ideally, this should be done as part of the annual review of the sourcing strategy. With a view to the entire service portfolio, an assessment is made as to which service providers should take on additional tasks in the future based on their evaluation and development, and which should be reduced or no longer used. In some situations, it is helpful to be able to compare evaluations of service providers. This should support the evaluation methodology.

Another objective is to ensure compliance among service providers. For example, compliance with sustainability rules becomes transparent, as stipulated by the recently introduced German Supply Chain Act or international ESG guidelines. (The evaluation results should be verified and substantiated by supplementary audits at the service provider).

 

4. Designing the supplier evaluation

The design of the supplier evaluation should be aligned with the desired objectives. What does that mean specifically? The evaluation is not an end in itself, but always a means to an end: it provides data on the basis of which improvements can be initiated. These improvements may be the responsibility of purchasing, provider management, or other departments. Regardless of who is responsible, the assessment criteria must provide the data needed to plan and implement these improvements.

 

Criteria and their assessment

In principle, both quantitative and qualitative criteria can be used for the assessment. Quantitative criteria are measurable, such as compliance with agreed service levels. Companies can determine the degree to which qualitative criteria are met, such as the competence of the service provider’s employees, by means of surveys, as there is no measurement method available. This is evaluated by awarding points on a predefined scale, e.g., from 0 to 10.

In order to set up the evaluation process quickly, some companies determine supplier evaluations exclusively on the basis of surveys.
We recommend measuring all quantitative criteria as a matter of principle and incorporating the results into the evaluation as automatically as possible. The reason for this is that it significantly reduces the manual effort required for service provider evaluations, as only the qualitative criteria still need to be evaluated by people via a survey. In addition, the results are more objective than those obtained from surveys.

So which criteria should be included? As already mentioned, this depends on what is to be done with the evaluation results. It generally makes sense to derive criteria from the following groups:

 

• Service quality derived from SLA reporting,
  i.e., fulfillment of contractually agreed services and service levels,
• Cost-effectiveness of external services,
  i.e., prices in relation to the market,
• Soft facts,
  e.g., employee skills, proactivity, flexibility, cooperation,
• Compliance,
  adherence to regulations, e.g., the General Data Protection Regulation (GDPR) and the Supply Chain Act (sustainability, human rights),
• Range of services,
  i.e., the service provider’s potential to meet future requirements and take on additional service areas.

Tool support

We have already emphasized above that the effort required to carry out supplier evaluations should be as low as possible. For this reason, it is advisable to create tool support for evaluations that, in particular,

• automates as much of the evaluation as possible (especially service levels derived from the data sets of the SLA reports),
• provides technical support for surveys so that they can be completed with minimal effort by all participants,
• provides comprehensible reports for evaluation at the touch of a button,
• and enables trends to be evaluated over several evaluation cycles.

 

5. Conducting and evaluating assessments

It is important to define a role responsible for supplier assessments that is responsible for the further development of the assessment process, as well as for coordinating the implementation of individual assessments and providing the results to those departments that process them.

The survey part of an evaluation should be answered by selected individuals involved in service use or provider management. Depending on the service, these may include provider managers, internal IT staff, management representatives, purchasing and contract management, as well as customers and users.

The evaluation of the results can also provide input for supplier classification. This also helps with supplier selection for future procurement measures. Possible classes include “preferred suppliers,” “suppliers to be developed,” and “blocked suppliers” (further gradations are possible).

 

6. Conclusion – Supplier evaluation in IT provider management

Supplier evaluation is a valuable tool for developing IT service providers and the entire service organization. It is important that the evaluation process is set up correctly. In particular, companies should ensure that they have good tool support with extensive automation to ensure that the process and the evaluation results are accepted by all parties involved.

Most importantly, however, the evaluation results should be used for control and improvement measures. If companies only produce attractive reports, then the effort involved in supplier evaluation is a bad investment.

Many businesses in Germany are facing a growing shortage of skilled IT professionals. This trend is largely driven by demographic shifts in the German labour market, as the baby boomer generation approaches retirement. Increasing staffing gaps are compelling companies to reconsider how they manage this issue within the IT sector. We’re exploring potential solutions, focusing not only on improved recruitment strategies but particularly on IT outsourcing. In this context, we also examine the associated implications and possible use cases.

Initial Situation

Skilled IT professionals are currently in high demand, and many companies are struggling to fill their vacancies. This is primarily due to the growing need for skilled workers driven by digitalisation, alongside demographic changes: the younger, smaller birth cohorts cannot compensate for the retirement of the larger baby boomer generation. The problem is expected to worsen significantly in the coming years, as the majority of baby boomers have yet to exit the workforce.

The age structure of Germany’s population (2021) highlights the IT skills shortage  Age structure of Germany’s population (2021) Even skilled workers from abroad cannot come close to bridging the widening gap. For this reason, every company must develop and implement a tailored solution to address this issue.

 

Potential Solutions to the IT Skills Shortage

Many companies will need a solution that combines several measures. The following approaches are particularly worth considering:

• Improving recruitment strategies
• Establishing in-house IT teams abroad
• IT outsourcing

Below, we examine these measures in more detail and offer an assessment.

 

Improving Recruitment Strategies

To successfully attract new IT professionals, a company’s recruitment process must be designed for employee-driven markets. In other words, candidates choose their roles and are courted by employers seeking skilled staff. Key aspects of this shift include:

• Enhancing the appeal of available roles to meet the rising expectations of potential applicants. In addition to salary, factors such as a positive company culture and attractive working conditions (e.g. flexible hours and location, training opportunities) play a crucial role.
• Effectively marketing job postings and the aforementioned benefits. Potential candidates must be actively targeted. Additional channels—such as social media and job fairs—should be explored to capture the attention of skilled professionals.
• Ensuring the recruitment process is fast and flexible. If feedback is slow or decision-making takes too long, candidates may be snapped up by competing employers.

However, in most cases, improved recruitment alone cannot meet the growing demand for skilled workers, as the supply is simply too limited. Recruitment is often only a supplementary measure.

 

Establishing In-House IT Teams Abroad

If a company needs to hire a larger number of IT professionals, setting up an in-house IT team abroad may be a viable option. Countries with a high proportion of young people in their population are particularly attractive. Additionally, such countries should offer stable economic conditions, a well-developed IT sector, strong educational institutions, and a qualified pool of IT professionals. Nearshore and offshore locations can also offer significant cost savings.

That said, the initial effort required for this approach is substantial: suitable countries must be evaluated and selected, and country-specific conditions must be factored into risk management, business cases, and the setup of the new unit. For this reason, this measure is more suitable for large corporations and IT service providers.

 

IT Outsourcing: Shifting the Skills Shortage

This approach involves increasing the proportion of outsourced IT services within the company—or outsourcing services for the first time. Outsourcing reduces the number of internal IT professionals required. The skills shortage is transferred to the external service provider, who is now responsible for supplying the necessary qualified staff for the services they take over. The provider must implement appropriate measures to meet these requirements.

On the client side, outsourcing may reduce the need for internal service delivery staff, but it introduces new tasks related to managing external service providers. This requires personnel with the right competencies, and many internal staff may need to develop skills in provider management.

If internal provider management staff are unavailable or insufficient, qualified professionals must be sourced from the labour market. This poses the risk that provider management roles may remain vacant for extended periods.

Alternatively, instead of building internal provider management capacity, companies can outsource these functions as well—just like IT services. According to the Service Integration and Management (SIAM) framework, several options are available.

We focus here on two externally supported options:

 

(1) Outsourced Provider Management

In this option, a company engages an external service provider to manage its external IT service providers. This provider should have sufficient expertise and experience in provider management.

                             Figure 1: Externally sourced

Provider Management as an External Service – A Solution to the IT Skills Shortage Figure 1: Provider Management – External Service The company authorises the service provider to act on its behalf. Only a few activities (e.g. policy decisions) remain internal. This option enables the rapid establishment of professional provider management while reducing internal effort and mitigating the IT skills shortage.

 

(2) Hybrid Provider Management

Here, internal staff resources are supplemented by those of an external service provider to ensure effective provider management.

                             Figure 2: Hybrid solutions

Provider Management as a Hybrid Solution – A Response to the IT Skills Shortage Figure 2: Provider Management – Hybrid Solution The external provider, equipped with sufficient expertise and experience, can fulfil two roles:

• Quickly establish professional provider oversight
• Coach internal staff and significantly ease their workload

In both options, it is essential to clearly define roles and responsibilities between the internal organisation and the external provider.

 

Managing the IT Skills Shortage – Conclusion

If a significant proportion of a company’s IT workforce belongs to the baby boomer generation and is set to retire in the coming years, IT outsourcing offers the greatest potential to counteract the skills shortage—especially given the likely continued strain on the labour market. The more IT services are outsourced, the greater the need for provider management. If qualified staff are also scarce in this area, engaging a specialised provider management service may be the solution—either to support a small internal team or as a fully external service.

Risk management in IT vendor management is essential to minimize risks during and after the outsourcing of IT services, ensuring smooth service operations. In today’s digital world, businesses are increasingly dependent on IT services, making the efficiency and quality of these services critical to their success. In the following, we show how to effectively handle risk management for IT services during outsourcing, particularly in the operational phase as part of vendor management.

Introduction to Handling Risks in IT Outsourcing

Managing outsourcing risks is crucial for companies to maintain the stability, security, and integrity of their IT systems and data. Additionally, it helps ensuring compliance with legal and regulatory requirements. The goal of risk management in IT vendor management is to identify, assess, and mitigate risks that arise from cooperating with service providers.

Risk management should be active in all phases of the outsourcing lifecycle:

 

Figure 1: Outsourcing Lifecycle and Risk Management

 

During the “Strategy” phase, potential risks associated with the decision to outsource IT services are thoroughly examined. In the “Concept” phase, where the design of the services to be outsourced is developed, only alternatives with acceptable risks are considered.

Subsequently the “Request-for-Proposal” (RFP) phase involves evaluating provider characteristics to identify and analyze potential risks. Service provider selection is based on a balanced assessment of acceptable risks versus the anticipated benefits. Essential risk mitigation measures should be clearly defined and included in the contract with the service provider.

Finally in the “Transition” phase, risk management is integrated into project management processes. Upon completing the transition project, project managers transfer risk management responsibilities to the operational team to ensure continued oversight during the operational phase.

 

Legal and Regulatory Requirements

Regulated industries such as finance, insurance, and critical infrastructure (KRITIS) must adhere to strict guidelines and legal requirements for risk management in IT outsourcing. These requirements often need to be translated into specific procedures and processes within the company. Examples include:

Financial Sector

• EBA Guidelines on Outsourcing Arrangements (EBA/GL/2019/02)
• DORA (Digital Operational Resilience Act; EU 2022/2554)
• German Banking Act (Kreditwesengesetz – KWG), §25b
• Minimum Requirements for Risk Management (MaRisk) – AT 9 (a German regulation)
• Supervisory Requirements for IT in Financial Institutions (Bankaufsichtliche Anforderungen an die IT – BAIT; a German regulation)

Insurance Sector

• EIOPA Guidelines on ICT Security and Governance (EIOPA-BoS-20/600)
• German Insurance Supervision Act (Versicherungsaufsichtsgesetz – VAG), §32
• Minimum Requirements for the Business Organization of Insurance Companies (MaGo) – §13 (a German regulation)
• Supervisory Requirements for IT in Insurance Companies (Versicherungsaufsichtliche Anforderungen an die IT – VAIT; a German regulation)

Critical Infrastructure Sector (KRITIS)

• ISO/IEC 27001
• BSI Standard 200-3: Risk Management
• BMI – Protection of Critical Infrastructures – Risk and Crisis Management · Guide for Companies and Authorities
• IT Security Act 2.0

 

Risk Analysis for Outsourced IT Services

Risk management for outsourced IT services can be divided into two phases: before outsourcing and after outsourcing. Before outsourcing, the client is solely responsible for risk management.

After outsourcing, risks can be categorized into three groups: client risks, provider risks, and interface risks. Client risks are IT-related risks that remain with the client. Outsourcing also introduces new risks that the client must manage. Provider risks are related to the service provider and the services they offer, some of which are transferred from the client to the service provider. These risks are managed by him; however, the client remains responsible and must ensure that the service provider fulfills their obligations effectively. Organizational and technical interfaces are established between the client and provider during outsourcing, which can lead to interface risks. Clearly defining and assigning responsibilities for risk management is essential in this context.

 

Figure 2: Risk management before and after outsourcing

 

Risk Identification for Outsourced IT Services

It is also important to identify the different categories of risks associated with IT outsourcing. The risk categories help in classifying identified risks and also assist in verifying the completeness of recorded risks. The following categories may occur in particular*:

• Strategic Risk: Occurs when the decisions and actions of a service provider are not aligned with the strategic goals of the company.
• Operational Risk: Refers to the risk of loss arising from ineffective or faulty processes, employees, controls or systems of a service provider.
• Business Continuity Risk: occurs when an external event affects the service provider’s ability to continue IT operations, with corresponding impacts on the client.
• Compliance and Regulatory Risk: Results from potential non-compliance with laws and regulations by a service provider.
• Information Security Risk: Essentially concerns cyberattacks and data breaches that can occur due to security vulnerabilities at service providers.
• Financial and Credit Risk: Directly relates to a critical financial situation of the service provider, where they may fail to meet their contractual obligations, i.e., providing products and services as agreed.
• Reputational Risk: Encompasses various ways a service provider could damage the client’s reputation, brand, or name either directly or indirectly.
• Concentration Risk: Occurs when a company relies on too many high-risk or critical services from a single service provider or when there is only one provider in the market offering critical products and services to the client.
• Geopolitical Risk: Can arise when the service provider is located in a country that is prone to issues such as political unrest, corruption, or human rights violations.
• Environmental Risk: Includes political changes, natural disasters, and other social issues that can impact the service delivery of the service provider.

* https://www.venminder.com/blog/types-vendor-risks-monitor

 

This list is not exhaustive. Moreover the risks categorized according to risk categories should be recorded in a risk register and managed appropriately, meaning they need to be carefully assessed and suitable measures should be planned and implemented.

 

Sample Risk Mitigation Measures

Here are some examples of risk mitigation measures for selected risk categories:

Operational Risk:

• Clearly define responsibilities and accountabilities to minimize misunderstandings, confusion, and delays.
• Specify service levels (KPIs and target values) in the strategy and concept phase to minimize unclear expectations between the client and the service provider.

Compliance and Regulatory Risk:

• Require standards, certifications, and security systems/technologies during provider selection.
• Implement controls and processes to ensure the provider meets legal and regulatory requirements.
• Set KPIs and target values for compliance, establishing regular reporting and review.

Business Continuity Risk:

• Implementation of a Business Continuity Plan (BCP) by the service provider to ensure the continuation of IT operations in the event of an external incident.
• Regular review and updating of the BCP to ensure that it meets current needs and requirements.
• Regular testing of the BCP to ensure that it functions effectively in the event of an emergency.

 

Conclusion – Risk Management in IT Vendor Management

In conclusion, risk management in IT vendor management is crucial to ensure the stability, security, and integrity of IT systems and data. Moreover companies, especially in regulated industries like finance, insurance, and critical infrastructure, must adhere to strict regulatory requirements by establishing appropriate risk management procedures and processes.

Furthermore risk management should be integrated into all phases of the outsourcing lifecycle, addressing all relevant risk categories. Companies must clearly define responsibilities to manage risks that arise from working with service providers.

Companies that outsource IT services are increasingly focusing on establishing a vendor management organisation within their own operations. They have come to realise that simply selecting the right service provider is not enough to ensure high-quality IT services. Service providers do not operate “automatically”; they require a continuous interface with the client company and must be properly managed.

In the following, we outline the current state and challenges of provider management in Germany—that is, we sketch out where German companies currently stand in setting up their provider management structures and what is still missing for success.

Basis for the following assessments of the current situation in IT-outsourcing companies are the results of the itSMF survey conducted in 2022 – we were involved in both the design and analysis of the survey – as well as discussions held during consulting projects and training sessions with representatives from various German companies.

 

1. Vendor Management in Germany – Current Status in Companies

Many companies have realised that when outsourcing IT services, it is not enough to simply specify external services clearly and conclude solid contracts. Increasingly, they are also defining how collaboration with service providers should be structured and how providers should be managed. To shape this collaboration, companies are establishing processes, tools, SLA reporting, and governance structures, and implementing them jointly with providers. They also define roles for managing service providers and assign them to internal staff. This lays the foundation for clear responsibilities and effective collaboration with service providers.

Nevertheless, many companies remain dissatisfied with the performance of their service providers and the quality of collaboration. Why is that?

 

2. Causes of Problems

Poor provider performance and strained collaboration can usually be traced back to a few recurring causes:

 

2.1 Service Prices Too Low

In outsourcing projects, companies often negotiate prices too aggressively. Especially when large service volumes are involved and multiple bidders have submitted proposals, sales teams at service providers are highly motivated to win the contract—often because their commission is based on the contract value. As a result, they may concede significant discounts under pressure from procurement.

Once the contract is signed, responsibility shifts to the provider’s operations team. If the negotiated prices leave the provider with a very narrow margin, the operations team may try to reduce costs to make the engagement financially viable. This often comes at the expense of service quality. Wherever possible, effort is minimised, and only the bare minimum is delivered. Providers may also look for contractual grey areas to charge additional fees and boost revenue. These behaviours lead to frequent disputes, increased effort, and dissatisfaction on both sides—ultimately compromising service quality.

2.2 Poorly Defined Services

The services to be delivered by the provider are often poorly structured. This means the provider cannot apply its standardised services developed for other clients. In many cases, the service scope involves numerous interfaces with internal and/or external stakeholders.

Both factors create friction in service delivery. The provider must build a custom service organisation and cannot rely on the efficiency and quality of its well-established, optimised standard processes.

As provider staff must learn new service procedures, initial errors and seemingly simple mistakes occur—making the provider appear less competent compared to the internally delivered services that evolved over decades.

This leads to dissatisfaction among the client’s internal IT users. The resulting pressure is passed on to the provider via the vendor management team. However, the provider’s ability and motivation to improve service delivery quickly are limited due to the learning curve and economic constraints. Unplanned improvement efforts further reduce their margin.

2.3 Culture of Mistrust

Provider representatives are often perceived by the client’s IT staff as adversaries who must be “motivated” through strict control and pressure to deliver agreed services. A culture of mistrust quickly develops, replacing one of collaborative partnership. Questions arise such as: Has the provider really delivered the agreed service? Is it using underqualified staff to cut costs? Are penalties enforceable due to poor performance?

In such an environment, both parties try to maximise their own benefit—often at the expense of the other. This inevitably creates a loser and makes collaboration more difficult.

A shift toward mistrust is especially likely when other problems occur simultaneously. For example, if the provider makes several simple mistakes during the onboarding phase, service quality suffers.

If the provider frequently ends up on the losing side, it may withdraw and do only the bare minimum. This leads to poor service and increased effort for blame-shifting and consequence management.

 

3. Vendor Management in Germany – Conclusion

Most companies have learned that IT outsourcing must be carefully planned and executed, and that a vendor management organisation must be established as part of this process.

However, this alone is often not enough to ensure high-quality external services. The root causes of poor performance and difficult collaboration with service providers often include unprofitable pricing, poorly defined services, and a culture of mistrust. Frequently, one problem triggers others, leading to a downward spiral in the service relationship. Many companies initially resign themselves to such situations, as no clear way out is apparent.

Yet even if the problems are not easily resolved, both parties can jointly plan and implement appropriate measures to gradually improve the situation. The key prerequisite is a mutual commitment to constructive cooperation. Especially when a culture of mistrust has taken hold, this becomes a challenging and long-term task that requires ongoing, active involvement from the management teams on both sides.

Vendor management tools are used to manage the relationship between an organization and its IT service providers. They help organizations manage their providers and vendors, track their performance, and ensure that they are meeting the needs of the business. Yet there is no one-size-fits-all solution for requirements placed on the tools because the functional focus of the tools used often varies. This article compares three tools, each with a different focus: ServiceNow, SAP Ariba and Kissflow Procurement, which can be used as Vendor management tools.

Functional requirements in Vendor management

In addition to general requirements for a vendor management tool such as

• Intuitive usability
• Quick familiarization for users
• Easy adaptation to the individual needs of a company
• scalability
• economic efficiency
• support of different roles
• data security and data integrity,

there are functional requirements that are important for Vendor Management activities. These functional requirements focus on supporting the business in the following Vendor Management task areas: Contract Management, Performance Management, Relationship Management, Risk Management, Change Management, Provider Assessment, Compliance Management, Continual Improvement, and Financial Management. Each task area is ideally supported by a functional area in the tool.

 

Vendor Management Tools – Functional Areas

Functional area	Description
Contract Management	All contractual information of each service provider is managed here. This starts with the specification of the services to be provided by a provider and ends with the awarding of the service provision to a provider and the associated contractual documents. In addition to service specifications, the framework contract regulations regarding tasks and obligations of the parties as well as the design of the cooperation are relevant here. “Managing” covers the entire contract life cycle: concluding, amending, and terminating contracts. The provision of current contract documents for Vendor management is important.
Risk Management	The Risk Management functional area includes all activities for identifying, assessing, and managing risks throughout the entire lifecycle of IT services.
Relationship Management	The focus of this area is the active maintenance of the relationship with the service provider. All information such as meeting minutes, appointments, actions, communication matrix, etc. must be managed and made accessible to those concerned.
Performance Management	This functional area manages compliance with the service levels agreed in the contract, i.e. the provider’s performance. For this purpose, key performance indicator values are determined and compared with the target values.
Provider rating	The service providers are periodically evaluated with regard to their overall performance in terms of service quality and their cooperation. Here, the assessments per provider are recorded, summarized and presented in a consolidated form. Trend analyses enable the assessment of the development per service provider.
Compliance Management	This functional area manages all activities to ensure that the service provider meets compliance requirements such as laws, policies, and guidelines.
Continual Improvement	The activities to improve the services and their delivery by the service providers are to be coordinated here. Furthermore, the continuous improvement of vendor management itself and innovation management are to be handled here.
Financial Management	Activities within the scope of budget planning and monitoring, controlling and cost calculation, auditing to ensure the effective use of financial resources are managed in this functional area.

Tools that offer Vendor management functions

There are many different tools with vendor management capabilities on the market, each with its own unique features and benefits. In this section, we compare the three tools ServiceNow, SAP Ariba and Kissflow as examples. Due to their different content focus, they set different functional priorities.

 

ServiceNow

ServiceNow is a global provider of a cloud-based platform that makes it possible to automate business processes quickly and easily. ServiceNow is modular and consists of the IT, HR, Customer and Creator workflows. Each workflow includes multiple product areas that can be assembled based on the needs of the business. Each product area combines several products with different functions.

ServiceNow’s Vendor Management Workspace product, which provides essential vendor management functions, is part of the IT Service Management (ITSM) product area. The Vendor Management Workspace product integrates data from the Service Portfolio Management (SPM), Contract Management, Assets, SLA Contracts, Vendor Risk Management and Continual Improvement Management (CIM) products.

An integrated “Provider Performance Dashboard” provides the company with a clear picture of how well providers are performing. Other products such as Audit Management, Vendor Risk Management and Compliance Management, which are also relevant for Vendor management, are located in the Governance, Risk, and Compliance product area

.

SAP Ariba

SAP Ariba provides an online marketplace for business-to-business commerce that can be used to purchase goods and services from suppliers.  It supports buyers in all their classic tasks and suppliers in their interaction with buyers. The service focus is the digitization and automation of purchasing processes and supply chains. There is no direct reference to IT service management, but it can be used to procure IT services and manage service providers. SAP Ariba has a wide range of product areas, which are further subdivided into products such as Supplier Risk, Contracts, Spend Analysis, Role-based Dashboards, Supplier Lifecycle and Performance and more. Almost all of these products support parts of the functional areas required for Vendor Management with their functions. Furthermore, SAP Ariba can be integrated with SAP HANA (for e.g. invoice verification and approval as well as budget monitoring).

 

Kissflow

Kissflow is a simple and customizable cloud-based workflow tool. It enables the development of applications for business processes with little or no code. It provides templates to help companies create personalized workflows that are tailored to the exact needs of the organization. It also provides products with common features. These features can be used to develop company-specific applications.

Among the products are pre-built applications such as Project Management and the Procurement App. The Procurement App functions can be used in performing vendor management tasks. For example, the Procurement App offers as functionality an automated onboarding process for providers, a purchase requisition process, and integrated provider performance management. It also integrates with other Kissflow products or third-party applications such as SAP, Google Apps, Office 365, and Zapier via the integrations interface feature. Thus, missing vendor management functions such as relationship management can be extended. Likewise, it integrates with other Kissflow products or third-party applications such as SAP, Google Apps, Office 365, and Zapier via the interface feature.

 

Comparison of Vendor Management Tools

All three tools meet the general requirements described above. The following table lists the products or the functions of the tools that address the functional requirements for vendor management listed above:

Funktionsbereich:	ServiceNow	SAP Ariba	Kissflow
Contract Management	Contract Management	Contracts	Vendor Management Purchase Requisitions
Risk Management	Vendor Risk Management	Supplier Risk	—
Relationship Management	Project Portfolio Management, Task Communications Management	Supplier Lifecycle and Performance	Vendor Management
Performance Management	Vendor Manager Workspace, Service Level Management	Supplier Lifecycle and Performance   Performance is measured via a survey in Supplier Performance Management Project. Current data such as service level KPIs can be imported	Spend Analytics   Here, in addition to costs and budget Service Levels recorded and managed
Provider Assessment	Surveys and Assessments,   Benchmarks	Supplier Lifecycle and Performance   The evaluation is also made via the “Supplier Performance Management Project” function (-> Survey)	—
Compliance Management	Audit Management Policy and Compliance Management	Supplier Lifecycle and Performance   Conduct one survey per vendor using the Modular Questionnaire Project feature.	—
Continual Improvement	Continual Improvement Management	—	—
Financial Management	Cost Management	Ariba Invoice Management Spend Analysis	Purchase Orders Purchase Requisitions Purchase Invoices Spend Analytics

 

Conclusion

ServiceNow covers all vendor management functions through existing products.

SAP Ariba has functions for vendor management, but some of the functional requirements can only be covered in a roundabout way. For example, in performance management, the current IT service KPIs can only be imported via a survey function for subsequent analysis. However, the survey function is intended more for evaluating the service provider and not for reporting and analyzing the service levels.

Kissflow covers the least vendor management functions. However, it seems to be easy to develop applications in Kissflow to implement more functions.

Since all tools provide APIs for integrating other tools such as ERP, contract management or IT service management systems, the functions not covered can also be realized by implementing these interfaces. For example, financial data from ERP or contract data from existing contract management can be synchronized this way. It must then be decided whether to work with just one central tool and synchronized data or whether to use multiple tools to support vendor management.

Companies today operate in a market environment that is more complex and competitive than ever before. The stable and predictable conditions of past decades are giving way to a digitalised future with new rules of engagement.

In this context, businesses that rely on outsourced IT services face a key question: how can their existing internal organisational structure be regularly realigned to meet future demands? When reviewing their sourcing strategy, companies often focus solely on the outsourcing itself, while the internal organisation that remains is frequently overlooked.

For this reason, this article focuses on the design and development of the internal organisation that remains in place within the chosen sourcing scenarios.

To make a sourcing strategy successful, the internal organisation must ensure efficient management of service providers and smooth collaboration among all parties involved in service delivery. Before any outsourcing measure is taken, the entire organisation must be reviewed and evaluated. This evaluation requires answers to the following questions:

• How can the company optimally organise and structure the IT service function in the future?
• How can the current organisational structure be improved?
• Is outsourcing to an external provider still the better option for services already outsourced, or would internal delivery be more effective?
• What personnel and budget requirements are associated with each organisational option?
• What skill profiles must employees meet?

To answer these questions, a review of the existing sourcing strategy is recommended. This is typically carried out using a structured, multi-step approach, as illustrated in Figure 1: Review of an Outsourcing Strategy.

🔍 Step-by-Step Review of a Sourcing Strategy

Step 1: Environmental Analysis

This step involves reviewing the defined goals and conditions for IT outsourcing to ensure they are still relevant. It also checks whether the outsourcing goals are clearly derived from the company’s overall strategy. These goals form the basis for evaluating different outsourcing scenarios. Examples are shown in Figure 2: Outsourcing Goals.

Step 2: Assessment of the Current Situation

A comprehensive inventory of the current organisational structure for delivering IT services is conducted—often using an organisational chart. This chart may need updating with current or missing information. It should include:

• All departments involved in IT service delivery
• External service providers
• IT users
• Relationships between departments

Responsibilities of each department involved in IT delivery are then described in detail.

Based on the updated chart, relevant activities and associated efforts are recorded. Best-practice frameworks such as ITIL and SIAM can be used to identify all necessary service delivery tasks and ensure completeness.

Tasks are divided into internal and external categories:

• Internal tasks include overarching responsibilities, vendor management, and internal IT services.
• External tasks are handled by service providers, consultants, etc.

Using the 9PROFITS framework from amendos GmbH (see Figure 4), vendor management tasks can be defined. Cost estimates for service delivery are derived from these activities.

 

Step 3: Evaluation of the Current Situation

By comparing framework-defined activities with those actually performed, gaps become visible. Weaknesses are identified in:

• Service specifications
• Existing processes
• Tools used
• Interfaces between departments
• Provider evaluations

Root causes of these weaknesses are analysed, and action plans are developed. Implementation costs are estimated and factored into overall service delivery costs.

Step 4: Market Potential Analysis

This step assesses whether the market can provide the required IT services economically and at the necessary scale. Based on well-defined service packages, the internal organisation can be adjusted accordingly.

Step 5: Strategy Development

Using strategic guidelines and outsourcing goals, various outsourcing scenarios are created and evaluated—each with a tailored internal organisational structure. For each scenario, costs, advantages, and disadvantages are determined, along with skill profiles for internal teams and external providers.

Scenarios are then subjected to a cost-benefit analysis. Only those that promise reasonable benefits within budget constraints are considered further and undergo a risk analysis. The final evaluation incorporates these risk results.

A comprehensive recommendation is then formulated. Management must make a decision based on this recommendation before implementation planning begins.

✅ Conclusion

To realign an existing organisation with outsourced IT services for the future, the organisational structure and service environment must be thoroughly analysed. Based on findings and business goals, various outsourcing scenarios can be developed and assessed. These scenarios should include necessary changes to the organisational structure.

From this evaluation, a recommendation can be made to support informed decision-making by management. Any required structural adjustments should be planned and implemented early in the outsourcing process.