Outsourcing is the strategic decision to delegate to an external provider the execution of a function or process that the organisation could carry out internally. It is not simply "hiring outside help": it is a managed transfer of activity, risk and, in many cases, assets and people, governed by a service contract and regulated by measurable service levels. The relevant question for an executive committee is not whether outsourcing is cheaper, but which capabilities are worth owning and which are better bought. This article covers the decision framework, vendor evaluation, the contractual mechanics and the mistakes that turn a sound business case into a governance failure.
When to outsource: the make-or-buy framework and transaction cost theory
The conceptual foundation of outsourcing is the transaction cost economics formulated by Oliver Williamson, 2009 Nobel Laureate in Economics. Williamson argues that the boundary of the firm is determined by comparing the cost of producing in-house against the cost of coordinating an exchange in the market, including the costs of negotiating, monitoring and enforcing the contract. When an activity requires highly specific assets (proprietary knowledge, deep integration with other processes) or is difficult to measure, the market fails and internalisation makes sense. When the activity is standardised, measurable and served by a competitive market of providers, outsourcing reduces total cost.
A useful practical rule follows: outsource what is non-core and measurable; keep what is core or difficult to specify. A core function is one that sustains competitive advantage — an airline's pricing algorithm, a brand's product design, the direct relationship with a key customer. Support functions such as payroll, facilities maintenance, first-line technical support, logistics or non-differentiating software development are natural candidates. A competitive analysis using SWOT or Porter's Five Forces helps classify which activities belong in each quadrant before the decision is taken.
Several models should be distinguished. Traditional outsourcing transfers a complete function. Staff augmentation brings in external professionals who work under the organisation's own management. BPO (Business Process Outsourcing) externalises entire business processes such as customer service or document management. ITO (IT Outsourcing) covers infrastructure and development. Geographically, the choice ranges from onshore (same country), nearshore (nearby country with limited time-zone and cultural gap) and offshore (distant relocation). The choice is not purely about price: time zones, language, data protection law and provider stability matter as much as the day rate.
Vendor evaluation: from RFI to due diligence
Selecting a vendor is a process, not a price negotiation. The recommended path starts with an RFI (Request for Information) to map the market, continues with an RFP (Request for Proposal) that details functional and service requirements, and culminates in a shortlist subjected to due diligence. Evaluation should weight at least five dimensions: financial solvency (do not outsource a critical process to a provider that might go under), demonstrable technical capability backed by verifiable references, management certifications, information security and cultural fit.
Certifications provide objective evidence. ISO/IEC 27001 accredits an information security management system; ISO 9001 certifies quality management; and ISO/IEC 20000-1 covers IT service management. For providers that handle data, an externally audited SOC 2 Type II report is worth far more than any commercial declaration. Require the current certificate and its statement of applicability (SoA), not just a logo on a slide deck.
| Criterion | Indicative weight | Required evidence |
|---|---|---|
| Technical capability and methodology | 30% | Reference cases, named team, transition plan |
| Proposed service levels and SLA | 20% | Availability commitments, response times, penalties |
| Security and compliance | 20% | ISO 27001, SOC 2, GDPR conformance, business continuity plan |
| Total cost of ownership | 20% | Unit cost, transition costs and exit costs |
| Solvency and cultural fit | 10% | Audited accounts, staff turnover, references |
The contract and SLAs: governing what gets measured
An outsourcing contract without quantified service level agreements is an invitation to conflict. The SLA (Service Level Agreement) converts expectations into verifiable metrics: service availability (for example, 99.9% monthly), response and resolution times by incident priority, and quality thresholds. Each metric must have its calculation method, its measurement period and its consequence. Non-performance penalties (service credits) align incentives, but a well-drafted contract also includes bonuses for exceeding targets and mechanisms for continuous improvement.
Relationship governance is organised in tiered committees: operational (weekly or fortnightly, reviewing incidents and backlog), tactical (monthly, reviewing SLAs and improvement plans) and strategic (quarterly, reviewing the relationship, roadmap and satisfaction). Three clauses are critical and are routinely drafted poorly or omitted entirely: the exit or reversibility clause, which obliges the provider to cooperate in an orderly transition at the end of the contract; ownership of data and deliverables; and, where staff transfer applies in Spain, compliance with Article 44 of the Workers' Statute on business succession.
When the provider processes personal data on behalf of the client, it acts as a data processor and the GDPR requires a processor agreement compliant with Article 28, with the safeguards detailed in the Spanish Data Protection Agency's guidance. If the provider is outside the European Economic Area, the basis for the international transfer must be documented. Overlooking this point turns an operational decision into a regulatory exposure.
Implementation steps and the transition phase
Signing the contract is the beginning, not the end. The transition is the phase where most projects derail. A sound sequence includes: (1) documented knowledge transfer with recorded sessions and transferred knowledge bases; (2) a period of parallel or shadow operation before cut-over; (3) a formal acceptance checkpoint; and (4) a stabilisation period with SLAs under observation during the first months before penalties apply. Appointing a relationship owner on both sides — a service manager with real authority — is the governance investment with the highest return.
The learning curve should be budgeted for realistically. During the transition, cost tends to rise before it falls, because the outgoing and incoming teams overlap and the provider's productivity has not yet reached steady state. Real savings materialise once stabilisation is complete, not in the first month. Setting this expectation with financial management in advance prevents the frustration that kills many projects at launch, and allows realistic review milestones to be set — checkpoints at which to verify that the relationship is advancing towards the agreed objectives before dependency on the provider deepens.
Common mistakes that destroy the business case
- Outsourcing the problem, not the function. Externalising a broken process only transfers the chaos; first you must stabilise and document it.
- Hollowing out oversight capacity. Letting go of the person who knew how to manage the function leaves the organisation without a competent counterpart when dealing with the provider.
- SLAs with no calculation method. A "99.9%" with no definition of what counts as downtime is meaningless on paper.
- Forgetting the exit clause. Lock-in inflates any renegotiation and blocks a change of provider.
- Ignoring the learning curve. The promised savings do not appear until after stabilisation; budgeting them in month one creates frustration.
Frequently asked questions
Is outsourcing the same as offshoring? No. Offshoring means moving an activity to another country, whether internally or with a third party. Outsourcing means delegating to an external provider, wherever they are located. The two can be combined, but they are separate decisions.
When should you NOT outsource? When the activity is core to competitive differentiation, when it is very hard to specify and measure, or when the loss of in-house knowledge would create an irreversible dependency on the provider.
What is an SLA and how does it differ from a KPI? An SLA is a contractual commitment with consequences for non-performance; a KPI is a performance indicator that is tracked but does not necessarily carry a penalty. Every SLA is a KPI, but not every KPI is an SLA.
Who is liable to the data protection authority if the provider suffers a data breach? The data controller (the contracting organisation) remains responsible to the data subject and the authority, even though the processor (the provider) also bears its own liability. That is why the Article 28 GDPR contract and the security due diligence are not optional.
Conclusion: outsourcing is a capability decision, not a cost decision
Well-conceived outsourcing is not justified by a percentage savings promise, but by an honest answer to two questions: does this capability differentiate us, and can we measure its output? If the activity does not differentiate and is measurable, a specialised provider will execute it with greater scale, better tooling and more capacity to absorb demand spikes than an internal team. The real value appears when the organisation retains governance — the what and the how much — and delegates execution — the how — while preserving the ability to supervise and, if necessary, reverse the arrangement. A contract with quantified SLAs, a credible exit clause and an active relationship committee distinguish outsourcing that frees management focus from outsourcing that merely adds an intermediary. At Summum Consultoría we support that make-or-buy analysis, RFP drafting and governance model design so that the outsourcing decision is made on data and managed with discipline.