Leverage Risk to Inform IT Outsourcing Requirements

Set yourself up to create an outcome-oriented request for proposal.

Analyst Perspective

Fear-driven risk assessments will not help you define requirements for a prospective MSP.

Organizations outsource infrastructure for several reasons, some more realizable than others: cost reduction, the strategic decision to focus on core business functions, the need to free up time for overburdened IT staff, and access to technical skills and technologies at a scale that an organization would not be able to support on its own.

However, outsourcing infrastructure does not “magically” resolve the internal limitations, gaps, or challenges that an organization is trying to address unless the risks of outsourcing are also considered during the planning stage. These risks include loss of control, security and compliance concerns, misalignment with vendor roadmaps, internal resistance, poor understanding of the vendor’s shared responsibility model, and even the prospect of needing to insource underperforming outsourced functions. But then there is the risk of not outsourcing.

Effectively assessing the risks of outsourcing your infrastructure is a key step in defining outcome-based requirements for a prospective managed service provider (MSP). To assess the outsourcing risks systematically, begin by defining broad, common risk categories that you need to consider. Then develop more specific, relevant scenarios to evaluate the likelihood and impact of each risk and how you will mitigate it if you choose to proceed. Identify which risks need to be mitigated internally and which can be addressed by transferring them to the vendor through outcome-based requirements. You will likely discover that outsourcing only succeeds if you have your own house in order.

Emily Sugerman

Senior Research Analyst, Infrastructure & Operations
Info-Tech Research Group

Executive Summary

Your Challenge

You are seeking to outsource IT infrastructure to achieve several benefits, including:

• Solutions to the talent risks of cost, capability, and capacity.
• Access to scalable support and specialized skill sets.
• Alignment with changing strategic direction (e.g. outsourcing noncore functions).

Common Obstacles

Despite your best intentions, implementing managed infrastructure services poorly can increase disruption instead of value:

• You may assume that all responsibility has shifted to the vendor. However, you still retain responsibility and accountability for change management, asset management, and problem management. Outsourcing does not drive efficiency if your house is not in order.
• Dissatisfaction with MSP performance or failure to realize expected cost savings can lead to insourcing, resulting in more upheaval and wasted efforts.

Info-Tech’s Approach

Prevent issues before they occur by assessing the risks of outsourcing your infrastructure before you sign the contract.

• Generate key outsourcing risk scenarios most relevant to your organizational context from a common risk category framework.
• Prioritize the risks based on their impact and likelihood. Define which risks you own and can control (e.g. immature processes) and which are vendor-related.
• Turn risks into action items:
  • Build a burndown list of internal risks to address before you begin the vendor selection process.
  • Translate vendor risks into outcome-based requirements and include these requirements in the request for proposal (RFP).

Outsourcing a flawed process only means that you’re paying someone else to run it.

The key to successful infrastructure outsourcing is to clearly define the integration points between your IT service management (ITSM) processes and those of the provider.

Organizations face critical business challenges

Outsourcing can be a viable solution to the top talent challenges that are facing IT organizations today.

Info-Tech’s IT Talent Trends 2025 report found that the top three talent risks that organizations are facing today are related to costs (acquiring and retaining talent), capability (access to critical skills), and capacity (demand exceeding in-house capacity). Outsourcing infrastructure is one potential solution to these risks.

• Solution to talent shortages: Outsourcing can provide access to support and specialized skill sets that are not available internally or that the organization is not prepared to hire for.
• Changing customer expectations: Increased customer expectations for constant availability may not be cost-effective for internal IT infrastructure to provide.
• Evolving strategic direction of the business: Organizations may choose to outsource commodity services and focus their investments on the core business instead.

Info-Tech’s IT Talent Trends 2025

25%

IT organizations report that 25% of IT work is outsourced ...

22.6%

... and 22.6% of these organizations anticipate that they will leverage more outsourced partners by the end of 2025.

IT Talent Trends 2025, n=403

But outsourcing is not a magic bullet

Outsourcing does not drive efficiency if your house is not in order.

• Not all IT shops have the experience to outsource or manage foundational infrastructure products and services effectively. Instead of solving business problems, poor implementation of outsourced infrastructure services will cause unproductive disruption instead of adding value.
• The top outsourcing challenges listed in the accompanying chart reflect weaknesses in the organization itself, not necessarily in the provider. The challenges indicate an overarching lack of governance and strategic planning and an inability to report on whether the outsourcing relationship is delivering the desired benefits.
• For example, organizations may assume that outsourcing a service also transfers all accountability to the vendor. This is not true. For example, you still retain responsibility for change management, asset management, and problem management.
• Moreover, dissatisfaction with MSP performance or failure to realize expected benefits can lead to another change in provider or even insourcing the service once again, resulting in more upheaval and waste. The same survey found that the top driver for insourcing is “better control over service quality and performance” (Deloitte, 2024). The best time to establish this control is during the planning and requirements-defining stage, well before the ink is dry on the contract.

Source: Deloitte, 2024

Outsourcing cannot fix broken processes, but it can spark standardization

INDUSTRY

Food Service

SOURCES

Network World, 2023
Technology Magazine, 2023
Intelligent CIO, 2023

Embrace the opportunity that outsourcing presents to catalyze internal transformation and modernization.

ACR, a food service company formerly known as AmerCareRoyal, had been shaped by a series of mergers and acquisitions. Under the former CIO, Jeff DeSandre, the company partnered with secure access service edge (SASE) and managed detection and response (MDR) provider Open Systems (as well as additional MSPs for support with its ERP platform) to quickly scale support for security needs that had outgrown the capacity of the existing IT team and would not be built in-house. Notably, the IT leader drew a direct connection between the success of the implementation and the company’s improvement of its own processes and infrastructure architecture: “A challenge at first was adhering to the best practices our vendor enforces ... This forced us to standardize and clean up many years of bad habits, which was painful at first” (Network World, 2023).*

Elsewhere, DeSandre reiterated the value the MSP offered, compared to ACR’s previous firewall solution: “We had no one on our staff that really knew it, except for one person. We had very little documentation. Although it was a good piece of technology, to me it didn’t tick any of the boxes that I was worried about, which is it being extensible, scalable and documented. Open Systems solved that problem right out of the gate because the SASE solution, being a managed service, requires you to be disciplined ... We had to go process by process, system by system and look where we had sloppiness – and we had to pull that out. That was a challenge while we were doing it, but I think the outcome has been tenfold in payback for that pain. The amount of gains we’ve gotten has been tenfold” (Intelligent CIO, 2023).* The MSP relationship can indeed catalyze internal transformation and modernization, but only if you are willing to do this cleaning and heavy lifting as part of the partnership.

*Boldface added for emphasis

Leverage risk to inform infrastructure outsourcing requirements

Info-Tech’s Methodology for leveraging risk to inform IT outsourcing requirements

Insight Summary

Outsourcing a flawed process only means that you’re paying someone else to run it.

You cannot fix a flawed process by outsourcing it. IT infrastructure outsourcing can fail for many reasons, but one of the biggest risks is failing to get your own house in order, such as failing to clearly define the integration point between your ITSM processes and those of the MSP.

A service exception rarely produces exceptional service.

If you represent an outlier to your MSP’s standard set of service offerings, you are far less likely to succeed in your outsourcing objectives.

Develop outcome-based requirements that connect to OKRs.

Instead of focusing on how the MSP does what it does, clearly identify the outcomes that the vendor must produce for you and then ensure that the vendor achieves them. In practice, this means not being overly focused on defining technical RFP requirements for outsourcing. Instead, write outcome-based requirements that translate into objectives and key results (OKRs). OKRs will measure your MSP’s ability to meet your outcome-based requirements.

Project Deliverable

This blueprint is accompanied by the following key deliverable, where you will document most of the outcomes from the activities in this blueprint:

Outsource IT Infrastructure Risk Assessment Workbook

The Outsource IT Infrastructure Risk Assessment Workbook will help you complete the activities in this blueprint. The workbook will provide you with a means to quickly assess the viability of an infrastructure service for outsourcing, as well as a prioritized list of your organization's greatest risks when outsourcing that service, relative to the likelihood of the occurrence of these risks and their potential impact on operations.

As you work through the activities in this blueprint, watch for the blue download icon shown at the right. It will tell you how to complete the deliverable by directing you to specific sections, or it will link to a tool that will help you complete an activity.

Download the Outsource IT Infrastructure Risk Assessment Workbook.

Project Benefits

IT Benefits

• Determine viable IT infrastructure outsourcing candidates.
• Reduce the risk of project failure if your organization moves forward with an MSP partner.
• Develop more robust requirements, which will be easier to measure and hold the MSP accountable for during the contract.

Business Benefits

• Leverage the benefits of successful infrastructure outsourcing objectives (e.g. better elasticity and ability to meet seasonal demands, support for growth through mergers and acquisitions).
• Leverage talent and technical skills that are not available in-house while focusing on core business value.
• Transition from capital expenses for building infrastructure to more regular operating expenses associated with leveraging “as a service” providers.

Phase 1

Determine Scope

Activities

1. Define infrastructure outsourcing objectives.
2. Identify outsourcing candidates.

Outcomes of this phase

• Defined outsourcing goals
• Candidates for infrastructure services/products to outsource

Define infrastructure outsourcing objectives

Identify the strategic advantages that outsourcing IT infrastructure and services is intended to provide.

Primary Objectives

Availability and reliability: Outsourcing service providers offer higher standards for data availability and reliability than most organizations can provide in-house.

Recovery: Outsourcing service providers can also provide better disaster recovery capabilities.

Elasticity: Certain forms of outsourcing can provide more elasticity and allow your organization to scale up and down its usage quickly and easily to meet seasonal demands.

CapEx to OpEx: Capital expenses associated with building infrastructure are translated to operating expenses that are smoothed out over a number of years.

Secondary Objectives

Operating cost predictability: Outsourcing can minimize the risk of operating costs, make them more predictable, and thereby simplify budgeting.

Scalability: In some cases, outsourcing can shorten the time it takes to set up new infrastructure.

Improved security: Done correctly, organizations may achieve an improvement in security capabilities.

Expanded service levels: Improving and expanding service levels to provide 24/7, 365 monitoring and support.

Identify outsourcing candidates

The best candidates for infrastructure outsourcing are commodity IT services or processes, for which a vendor offers a performance advantage.

Consider services that are:

• Not critical to strategic objectives.
• Not one of your business’s key differentiators/competitive, advantages.
• Not dependent on specialized in-house knowledge.

And where the vendor offers:

• Superior talent and/or access to specialized skills.
• Improved economies of scale or lower cost at scale.
• Access to superior technology.

Remember: If you represent an outlier to your MSP’s standard set of service offerings, you are far less likely to succeed in your outsourcing objectives.

Identify viable outsourcing candidates

1. Download the Outsource IT Infrastructure Risk Assessment Workbook.
2. On Tab 1, Assess Outsourcing Candidates, enter up to five infrastructure products or services that you are considering for outsourcing. Record the names of these services in cells D6, F6, H6, etc.
3. State whether or not you agree with the service assessment statements using the drop-down lists to determine each service’s importance to your business outcomes and the vendor’s potential performance advantage.
4. Review the results on Tab 2, Outsourcing Candidates. Focus on those services that fall into the upper left quadrant: low importance to business outcomes and high vendor performance advantage. Begin with these services in the subsequent risk assessment activities.

Download the Outsource IT Infrastructure Risk Assessment Workbook.

Phase 2

Assess Risk

Activities

1. Determine your organization’s risk appetite.
2. Define your organization’s risk categories and scenarios.
3. Conduct an initial risk evaluation.

Outcomes of this phase

• Initial risk assessment

Determine your organization’s risk appetite

It is the business, not IT, that owns outsourcing and security risks, so it is the business that should set the risk appetite at an organizational level.

Review the risk likelihood and impact scales on Tab 4 in the Outsource IT Infrastructure Risk Assessment Workbook and make adjustments as needed. Adjusting the risk appetite setting will change which risk severity levels will be flagged as tolerable vs. intolerable.

If you do not know your organization’s risk appetite, keep the Risk Appetite setting at low for now. However, add an action item on your burndown list to conduct a more formal assessment of your organization’s risk tolerance as part of a broader Information Security Strategy and as a prerequisite to any IT infrastructure outsourcing project.

To begin to determine risk appetite, leverage Info-Tech’s Information Security Pressure Analysis Tool, which consists of the following:

• An organizational security risk assessment
• An analysis of internal and external stakeholder pressures for information security
• An assessment of your organization’s security risk appetite

Define your organization’s risk categories

1. Definitions of risk vary for different organizations. Refer to Info-Tech’s ten risk categories on the following slide. These identified risk categories can be used to develop a custom list of risk scenarios applicable to your organization.
2. Start by gathering existing data on historical risk occurrences at your organization. A good place to start is a risk register or checklist, which will list all previously identified risks to your organization.
3. Define your risk categories on Tab 3 in the Outsource IT Infrastructure Risk Assessment Workbook. Enter a Risk Category name and Risk Description for each Category ID, or use the suggestions provided in the tool.

Download the Outsource IT Infrastructure Risk Assessment Workbook.

Generate risk scenarios from ten broad risk categories

Strategy/Direction Risks

• Strategy or Governance
• Business Understanding
• Implementation and Operations
• Architecture and Design

Hardware Risks

• Hardware Obsolescence
• Theft and Destruction of Physical Assets
• Hardware Operational Failures
• Performance or Capacity

Software Risks

• Software Obsolescence
• Software Performance or Capacity

Data Risks

• Data Leakage
• Loss of Data Integrity
• Poor Data Quality

Vendor Risks

• Technology Evaluation and Selection
• Vendor and Partner Management

Project Risks

• Project Quality
• Project Scope
• Project Time and Timing
• Project Costs

Personal Risks

• Labor Capacity
• IT Expertise and Skills Gap
• IT Human Error

Continuity Risks

• Labor, Industrial, or Political Action
• Acts of Nature
• Facilities Performance

Security Risks

• Loss of Control of Systems
• Unauthorized Access
• Internal Espionage
• Social Engineering

Compliance Risks

• Regulatory Compliance
• Contractual Compliance
• Social Responsibility

Generate risk scenarios from your risk categories

1. Generate risk scenarios from your risk categories. Use a political, economic, social, and technological (PEST) analysis, or another framework of your choice, to brainstorm new risks.
2. Alternatively, consider (safely) using a large language model (LLM) prompt. Tailor a LLM prompt to generate risk scenario options based on your broad organizational context, focus area, and desired outcomes. Start with the LLM prompt and safety guidance provided on the following slide and paste the prompt into your approved LLM.
3. Modify and iterate the prompt until you are satisfied with the draft scenarios.
4. Compile the risks that resonate with you and your organization. Input these risk scenarios into column C in the Outsource IT Infrastructure Risk Assessment Workbook.
5. Select the associated Risk Category from the drop-down menu in column D. If you do not have risk categories, feel free to use the options available.
6. Add the risk statement (description) in column E.

Download the Outsource IT Infrastructure Risk Assessment Workbook.