As a result of the economic impact of COVID-19, organisations are cutting costs and rigorously reviewing their security and technology vendor relationships to reduce complexity and find efficiencies. With increased scrutiny from stakeholders and regulators, it is doubly important that organisations thoroughly assess the products, services, data, and information systems involved before ceasing or consolidating an engagement, so that governance, risk management, quality, regulatory, and compliance standards are maintained.
As major contracts come up for renewal, the focus will likely be on renewal options, replacement of products/services, and assessment of risk and compliance. However, business and asset owners are often time-poor and lack the resources to conduct a comprehensive review, so they are forced to accept a renewal option that may not deliver the best Return on Investment (ROI). Additionally, vendors, and their associated contracts and master services agreements (MSAs), may not meet current regulatory and compliance standards such as the GDPR, the Privacy Act 1988, and APRA CPS 234/CPS 231, which means the security- and privacy-related clauses need a full assessment.
The lack of time, resources, and appropriate governance of vendors, products, and contracts means an increased risk of falling foul of regulatory, accountability, and compliance obligations. On top of that risk, many organisations are likely paying too much for services and products they may no longer need.
Below is a non-exhaustive list of steps and considerations for organisations looking to reduce IT cost and complexity. The key considerations are:
- Identification of the technology/cybersecurity products and services currently used to support the organisation’s operations, categorised by contract value (high, mid, low)
- Calculation of total cost of ownership for each product/service (including licensing, support, infrastructure, labour)
- Assessment of fit of each technology/service to its intended objective
- Full review of contracts/MSAs with a focus on security and privacy clauses, to confirm suppliers are meeting their obligations
- Development of strategic modelling tools to streamline future vendor reviews and quality assurance efforts
When assessing the performance of current vendors to determine both the organisation’s dependency on them and the cost-effectiveness of the services/products supplied, focus on the following fundamentals:
- performance history, including abatements, response/rectification, and service failures benchmarked against the Service Level Agreement
- ability to continue to provide the services, including business continuity plans
- incident response and reporting, including disaster recovery
- risk management
- change management
- quality assurance
- communication with management
- system availability, latency, and redundancy, including technical support
- asset lifecycle management/replacement
- vendor replacement analysis, including the identification of proprietary systems
Once a decision is made to consider a vendor for replacement, I recommend the following actions:
- obtain indicative quotes from alternate ICT providers
- assess the ability of alternate providers to supply/manage/maintain integrated technology and workflow applications, and their ability to upgrade/add new technology to meet industry best practice
- identify risks to replacing the incumbent such as the ownership of proprietary technology, data governance, and intellectual property
- establish approximate timelines for replacement
- provide a cost-benefit analysis of replacement
Expenditure Analysis (CapEx and OpEx)
Spending on vendor solutions can roughly be broken down into the following key categories:
- Personnel (FTEs and contractors)
- Licensed on-premise deployed software
- SaaS solutions
- Cloud infrastructure (IaaS)
- Outsourced managed services
Recurring costs vs non-recurring costs – Typically, recurrent ICT expenditure is program-related, whereas non-recurrent ICT expenditure is project-related.
Recurrent – I recommend benchmarking recurrent ICT expenditure as part of your assessment. Benchmarking lets you compare a provider’s current performance with its past performance and with that of comparable ICT service providers, and use that comparison to decide whether historical ICT expenditure levels reasonably reflect prudent and efficient costs. Recurrent ICT expenditure is associated with maintaining existing ICT functions and capacity, and refers to ICT investments made on a regular periodic basis, for example:
- The costs associated with the ongoing upgrade of ICT hardware – i.e. upgraded on a cyclical or periodic basis. This need not be annually but would be routine in nature (i.e. a regular upgrade frequency).
- Licensing and support costs – provider licensing, provider support, in-house support, etc.
- Version roll forward costs – all costs associated with the periodic update of existing systems. Again, this need not be annual but should be routine in nature (i.e. a regular frequency of version roll forward); and
- Any other ICT costs that are incurred periodically. Typically, non-network ICT assets have a standard life of five years (generally depreciated over five years in PTRM) and will likely be replaced every five years. Given this short asset life, I would consider that these replacement projects are suitable to be regarded as recurrent expenses.
Because of their ongoing, recurrent nature, these are typically program-related investments.
Non-recurrent – Non-recurrent ICT projects refer to major (one-off, infrequent, or non-periodic) investments related to replacing existing ICT assets or acquiring new ICT assets, functions, or capability that is driven by a specific need. These projects can deliver benefits, such as:
- Risk avoidance/reduction (e.g. due to loss of provider support).
- OpEx savings (e.g. through efficiency improvements).
- CapEx savings (e.g. through better asset management practices).
- Improvements to reliability.
- Improvements to customer service/satisfaction.
Examples of non-recurrent ICT projects include installing major new or replacement software that requires significantly expanded or upgraded hardware to operate, replacing hardware to expand data capture capacity, significant upgrades to distribution network management systems, meter data and billing system replacements, or any material cost associated with replacing an existing ICT system.
As a first principle, you need to ensure that such projects are prudent and efficient (i.e. the benefits exceed the costs). Where the investment does not have a positive business case, consider whether it maintains the required service levels in the most efficient way (i.e. at least cost for the maintenance of that service level). If the investment is driven by benefits for your organisation, confirm that the delivered benefits exceed the cost. If the investment is driven by benefits for the ICT provider or its subcontractor, consider how those benefits are being passed on to the organisation.
The leaders of business units under review should view such endeavours not as a threat but as an opportunity to carefully assess their return on investments in vendor solutions. Nearly every organisation will identify operational inefficiencies that inevitably develop as the economic and business landscape evolves, advancements in security and technology emerge, and an entity’s risk profile changes. Conducting a genuinely objective analysis to identify cost-saving and complexity-reduction opportunities is not easy. However, done correctly, such an exercise can not only lead to a material reduction in overall cost and complexity but can also result in an improvement to an organisation’s information security maturity and allow for the reallocation of capital to address the changing risk and economic landscape.
Contact me at firstname.lastname@example.org for more information or if your organisation requires assistance with their IT cost optimisation or cybersecurity.