
Overseas hosting risk Analysis

Risk Analysis

Issue: Hosting government websites overseas

The risk assessment will need to take account of:

  • the reasons for going to offshore hosting, whether it is for lower costs, backup, quality of service or more advanced technology
  • the location for offshore hosting
  • what is being hosted, whether it is a relatively static site with public information, or is a dynamic service delivery site with personal or other classified information

Table of Risks and Mitigations

Columns: Risk Type; Risk Description; Mitigation/Comment. Each risk type below lists its risks, with any description given, followed by the mitigations and comments for that risk type.

Legal

Risk Description:
  • Risk of not being able to comply with New Zealand's legislative requirements when hosting outside of New Zealand.
    Examples include legislation relating to contracts, the Privacy Act 1993, Official Information Act 1982, Public Finance Act 1989 and Fair Trading Act 1986. For instance, many US contracts have very broad indemnity clauses, which may place you in breach of the Public Finance Act 1989. Section 65ZC says: "except as expressly authorised by any Act, it is not lawful for any person to give a guarantee or indemnity on behalf of or in the name of the Crown."
  • Risk of being subject to different laws in another jurisdiction.
    Do not assume that local laws are equivalent to New Zealand's, especially when it comes to disputes and litigation. For instance, a court case in the US found that a hosting provider can make commercial use of customer information on their servers.
  • Risk of legislative changes in the outsourcer's country of residence.
    Some jurisdictions are increasingly reacting to privacy, criminal activity and terrorism concerns with changes to existing legislation and with new legislation. In particular, EU countries and the US have introduced a number of significant legislative changes in recent times.
  • Risks relating to software licensing.
    Software used by the outsourcer may need to be installed on local systems, or there may be unlicensed use of software by the outsourcer.
  • Risks from contract amendments and renegotiation.

Mitigation/Comment:
  • Design the contract to cover all eventualities, including the ISP or host Terms and Conditions and Acceptable Use Policy (which enable the site to be taken down if there are issues with the content).
  • Deal only in public and static information.
  • Choose the country very carefully: risk analysis of the host country and the impact of likely legislative changes.
  • Management of software licences for COTS, customised and open source software.
  • Governance, contract and service delivery management.

Political

Risk Description:
  • Risk that hosting of government information and activity offshore could be seen negatively by the public.
  • Risk of loss of sovereignty.
    Control over government information may be lost when it is subject to the laws or control of other countries.

Mitigation/Comment:
  • Get the Minister's agreement before commencing negotiations.
  • Stop breaches happening.

Capability

Risk Description:
  • Risk of loss of domestic capability, including loss of organisational knowledge and strategic capability, and loss of control.
    Local staff may be uncooperative in implementing the outsourcing project, there may be job losses, and the skills needed to manage the outsourcing may be lost.
  • Risk of reduction in future flexibility.
    Future options may be significantly limited.
  • Risk of loss of infrastructure in case of breakdowns.
  • Risk of service level reduction compared with local suppliers.
  • Risks arising from lack of cultural fit.
    Can lead to difficulties in communication and performance expectations.

Mitigation/Comment:
  • Regular offshore training/presence.
  • Ensure local capability and backup.
  • Effective change management.
  • Governance, contract and service delivery management.

Technology

Risk Description:
  • Risk of loss of connection.
    There are only a few links between NZ and offshore locations, with consequent exposure to service disruption due to natural events or technical fault.
  • Risk of corruption of data.
  • Risk of service level degradation.
    Including response times, support and reporting.
  • Risk that support infrastructure remains offshore.

Mitigation/Comment:
  • Redundancy.
  • Architectural design/duplication.
  • Understand the infrastructure.
  • Effective governance arrangements.

Security

Risk Description:
  • Risk of non-compliance with the Security in the Government Sector (SIGS) security policy.
    If the information is classified, it is unlikely to be suitable for hosting offshore.
  • Risk of non-compliance with the Protective Security Manual (PSM).
    In particular the impact on physical security.
  • Risk of non-compliance with other relevant NZ standards.
    Other standards might be applied, or countries don't always agree with NZ standards.
  • Risk of theft of hardware or information.
    Include consideration of 'legitimate' loss to foreign country security agencies.
  • Risk of intelligence gathering.
    The website information, and the system-produced information (such as user access logs), may be monitored or analysed by either government or business intelligence organisations, to NZ's detriment. Seemingly innocuous information may be matched with information from other sources to infer facts of greater value, e.g. NZ research companies placing orders for particular items of equipment can indicate the priority areas of NZ research.
  • Risk of external threat in the country of location.
    Such as war, revolution, civil unrest or terrorist attack.
  • Risk of natural hazard in the country of location.

Mitigation/Comment:
  • Train offshore suppliers.
  • Audit offshore suppliers.
  • Formal governance structure.
  • Redundancy.
  • Ensure effective physical and technical security; include it in the contractual arrangements and audit the implementation of these.
  • Ensure consideration is given to the potential value of the information when matched with other sources.
  • Business continuity planning for continued outsource operations (organisation and outsourcer) covering communication, redundancy, recovery and fault tolerance.
  • Undertake a threat assessment.

Fiscal

Risk Description:
  • Risk that costs are affected by exchange rate movements.
  • Risk of price changes by suppliers.
  • Risks around fixed price contracts.
    A fixed price is often balanced by varying quality in response to changing demands and conditions.
  • Risk of high set-up and compliance costs.
  • Risks arising from repatriation and/or transfer to another outsourcer.

Mitigation/Comment:
  • Hedging and cost arbitrage.
  • Contractual controls.
  • Contract flexibility to reflect changing demands and conditions.
  • Governance, contract and service delivery management.

Economic

Risk Description:
  • Risk of reduced economic benefit to NZ.
    Transferring activities offshore can reduce opportunities for NZ suppliers, although it should be noted that NZ has free trade agreements with Australia (CER) and Singapore (SNZCEP), and suppliers from these countries can therefore bid for NZ work. Additionally, NZ is negotiating free trade agreements with the following countries, so in future suppliers from these countries may also be bidding for NZ work: Malaysia; Pacific Islands (PACER); Chile (P3 CEP); Thailand; China.

Mitigation/Comment:
  • Cost/benefit balance.

Systemic

Risk Description:
  • Risk that offshore hosting could adversely impact trust in government.

Mitigation/Comment:
  • Education and awareness, and a compliance framework.
  • Lock down in contract.

Governance

Risk Description:
  • Risks arising from managing at arm's length.
    There is a need to ensure that contractual and other requirements, including service reporting, are being met.

Mitigation/Comment:
  • Audit and compliance checks.
  • Contractual/legal compliance.
  • Reporting.
  • Governance structure defined in the contract.

Commercial

Risk Description:
  • Risks arising from the extra implications of private international law when negotiating a commercial contract for services.
    Consideration will need to be given to the cost of foreign court legal action, if needed.
  • Risk to financial viability.
    Bankruptcy, takeover, merger, further outsourcing.
  • Risk of scope creep.
    This may negatively affect service delivery or costs.
  • Maintenance of local third party (support) relationships.
    These may become uneconomic for local suppliers, or the relationship may become distant and unproductive.
  • Risk of poor or variable outsourcer performance.
  • Risk of contract lock-in.
    This is technology-specific.

Mitigation/Comment:
  • Effective and comprehensive contracts.
  • Effective project and transition management.
  • Assessment of local relationships and formalised support arrangements.
  • Governance.
  • Roles and responsibilities definition.
  • Service level management and performance monitoring.
  • Contract management.

Control

Risk Description:
  • Risk that control of data is lost.
  • Risk that the wrong services or components are outsourced.

Mitigation/Comment:
  • Effective and comprehensive contract and processes.
  • Analyse internal versus outsourcer's capability.
  • Assess outsourcing models.
  • Product/service specifications.

Project

Risk Description:
  • Risk that start-up and transition problems result in service interruption.
  • Risk of scope creep.
  • Risk of organisational "pushback" and lack of co-operation.

Mitigation/Comment:
  • Project and change management.
  • Transition requirements specification.
  • Functional requirements analysis.
  • Governance.