No one doubts today that the role of IT officers and CIOs has become far more complex than just a decade ago. Given the increasing use of cloud services, it is also understandable that so many choose managed service providers (MSPs) for key parts of IT infrastructure.
However, when IT professionals rely heavily on MSPs to handle compliance data, you have to wonder if that’s a good idea. Especially if they don’t employ rigorous contract management.
A recent survey of IT professionals conducted by an IT integrated services provider (and reported on www.insidecounsel.com) hinted at a troubling trend. Of the 138 IT professionals surveyed at a recent conference, 43 percent “do not have a clear understanding of how to manage compliance legislation data.”
More than half (52 percent) said they’d prefer to have managed service providers handle data compliance issues – rather than do so internally.
Though this isn’t a definitive study (it’s really a small sample for a survey), you can see a troubling trend in the responses. You can’t really outsource responsibility when it comes to risk and compliance issues.
This doesn’t mean, of course, that you can’t trust very sensitive tasks to a managed service provider. You certainly can – and many (if not most) IT chiefs have no problem doing this. And there certainly are many situations where hiring a vendor with a high degree of expertise in compliance is warranted.
But it does raise a question: Should you be outsourcing compliance tasks without having an internal contract management process? Having one just seems to make a lot of sense when it comes to anything that can expose your company to regulatory risk. After all, from the regulators’ point of view, you can’t really outsource responsibility.
Having a contract management solution in-house should be coupled with a dedication to good internal contract management practices as well. This means ensuring timely reviews of contract performance and a certain amount of diligence in monitoring service level agreements or key contract terms. Relying on your vendor as the sole source of evaluating compliance seems … risky.
In any event, there are many other reasons for IT departments to practice good contract management (see “Five ways to ‘speak CIO’ to get contract management approval”). Without a contract management solution, IT professionals may be over-relying on MSPs and others when it comes to outsourcing compliance.
And remember, there’s no such thing as outsourcing responsibility when it comes to compliance and regulations.