Key downside risks of an outsourced IT software project
As a Founder / CEO / CTO, we often must decide whether to build a digital health platform as an outsourced project
This depends on various factors such as available resources, internal IT and management expertise, budget, and project management capabilities. Recent Regenemm Healthcare posts have assessed a comparison of internal vs outsourced IT approaches.
This paper examines the outsourcing risks and downsides and all the virtual potential IP and data loss risks associated with this decision point. Start-ups, especially those led by founders without IT backgrounds or advanced IT skill sets, often need help building their internal development teams quickly.
Outsourcing can be an attractive option for such start-ups due to its cost-effectiveness and access to a wide range of technical expertise.
Naturally, outsourcing has some risks, but start-ups can still benefit if they implement the appropriate strategies to manage and mitigate them.
The area of software design in the healthcare field is part of a rapidly changing ecosystem. This is highly competitive, and an outsourced team in this domain "could" want to reproduce or copy the coding work done. Indeed, this is uncommon, but let's face it, Code is mobile/portable, and a great idea can be very tempting to reuse elsewhere.
How can strategies be implemented to prevent this and protect copyright and IP? What can be done to give a more significant line of sight for the Company that outsources these valuable ideas to an outside firm? Protecting intellectual property (IP) and copyright when outsourcing software development in the competitive healthcare field is crucial and central to efficient project completion.
Implementing the following strategies can help safeguard your ideas and maintain control over your project
1. Thorough Vendor vetting/evaluation
- Research and choose a reputable outsourcing IT company with a strong track record in similar projects.
- Check references and testimonials from past clients.
- Verify their commitment to IP protection and data security. Get this in writing.
- Perform general corporate background checks and security clearances with previous clients/associates/ASIC/ Corporate affairs.
- Conduct background checks on key personnel from the outsourcing partner working on your project.
- Keep an audit of all working on the project throughout the lifecycle.
- Once chosen, implement different levels of security clearance for all key team members based on their roles and responsibilities, granting access to sensitive information only to those who need it.
- Choose a vendor who aligns with your Company's values and vision and is committed to the project's success. Choose a reputable vendor with a solid ethical track record in similar projects.
- Don't give open access to the Vendor for all your repositories, e.g. Atlassian, AWS, Azure, GitHub, BitBucket, unless essential. Track who has access to which sites; don't leave this in the hands of the Vendor
- If it doesn't feel right, back out and ensure all meaningful conversations are diarised and shared
2. Legal agreements, Contracts, and Risk Management
- Sign a comprehensive Non-Disclosure Agreement (NDA) with the outsourcing partner to protect sensitive information. Implementing strong non-disclosure agreements (NDAs) is necessary, and IP protection clauses in contracts can be critical. An NDA is only as strong as the particular time spent creating them - this will be further outlined in a forthcoming paper. (avoid boilerplate replicas)
- Include IP protection and copyright clauses in the contract, specifying that all developed software, Code, and documentation are the exclusive property of your Company.
- Ensure the contract contains non-compete clauses to prevent the Vendor from working on similar projects for a specified period. Include non-solicit clauses
Risk assessment and mitigation plans
- Identify potential risks to your intellectual property and develop strategies to minimise or eliminate these risks.
- Maintain an up-to-date risk register and revisit it regularly, adjusting your strategies as needed.
3. Work Segmentation and compartmentalisation
- Divide the project into smaller modules and distribute them among different teams or vendors, reducing the risk of IP theft by limiting access to the complete project.
- Keep critical components in-house, such as proprietary algorithms and trade secrets, and have your internal team develop them.
4. Regular monitoring and audits of produced Code, examination of workflows, and documentation of any new IP
- Establish milestones and deliverables to track progress and maintain project oversight.
- Conduct regular code reviews and audits to ensure quality and compliance with IP protection policies.
- Schedule meetings and progress updates to maintain open communication and build trust with the outsourcing partner.
- Regularly monitor the Vendor's performance, security practices, and adherence to regulations.
- Ensure the Vendor follows Software lifecycle best practices, documents for SaMD regulatory purposes, and follows Regulations standards- ISO and IEC, HIPPA, and GDPR relevant to the project.
5. Promote secure communication and encrypted data transfer
- Use secure communication channels and data transfer methods, such as encrypted file sharing and VPNs.
- Implement a Source code version control system like in Git Hub or BitBucket to track changes and maintain a detailed codebase history.
- Make sure Commits frequently occur, especially after checking an invoice is paid.
6. Develop Employee training and cyber security awareness
- Ensure that both your internal team and the outsourcing partner's employees understand the importance of IP protection and adhere to company policies.
- Train your and the outsourced employees to recognise and report potential IP infringement or data security risks.
7. Consider making software Escrow arrangements
- Consider using a software escrow service to store the source code, documentation, and other project assets with a neutral third party.
- The escrow provider can release the materials to your Company in case of a contract breach, vendor bankruptcy, or other unforeseen circumstances.
8. Create an Incident Response Plan (that remains relevant to your needs)
- Develop a clear incident response plan outlining the steps to be taken in case of IP infringement, data breaches, or other security incidents.
- Share this plan with your outsourcing partner and ensure they understand their responsibilities in case of an incident.
9. Assess the need for intellectual property insurance
- Consider obtaining intellectual property insurance to protect your Company from potential losses due to IP infringement or litigation.
- Insurance coverage can support legal fees, damages, and other expenses associated with IP disputes.
10. Register your Local / Regional and International IP
- Register your IP (patents, trademarks, copyrights, etc.) in all relevant jurisdictions, including the country where your outsourcing partner is located.
- Familiarise yourself with these countries' IP laws and regulations to ensure proper protection and enforcement of your rights.
11. Build transparent and well-defined management processes
Establish transparent processes with the outsourcing partner, promoting a culture of openness and accountability. Establish strong communication channels. Encourage transparency in communication between the Founder and the outsourced team. Regular check-ins, progress updates, and feedback loops help ensure that the project stays on track and that potential issues are addressed promptly.
- Clearly define project roles, responsibilities, and expectations, minimising the chances of misunderstandings and conflicts.
- Foster a long-term relationship with your outsourcing partner (if desired), creating an environment of trust and mutual benefit.
By implementing these strategies, you can create a more secure environment for outsourcing software development while protecting your valuable ideas and IP.
Maintaining a solid working relationship with the outsourcing partner and closely monitoring their adherence to IP protection and data security policies will further reduce the risks (and the stress!) associated with outsourcing in the competitive healthcare field.
Once commenced, a Non-tech start-up Founder/CEO must be diligent and watch for any red flags that may indicate a project with an outsourced company is going off the rails
For a start-up, the outsourcing risks are genuine. However, this subgroup needs the ability to create results with their team quickly. This is especially the case where the start-up Founder is not IT trained or does not have advanced skill sets in this arena.
Some of the warning signs include:
- Poor or deteriorating communication: If the outsourcing company is consistently unresponsive, unclear, or evasive, it may indicate problems with project management or a lack of transparency.
- Missed deadlines: Repeatedly ignoring or delaying deliverables without valid reasons can indicate that the project is not managed effectively.
- Frequent scope changes: If the project scope keeps changing, leading to increased costs and timeline extensions, it may signal poor planning or a lack of understanding of the project requirements.
- Declining quality: If you notice a drop in the quality of deliverables or an increase in bugs and errors, it could mean the outsourcing company is cutting corners or struggling to meet project demands.
- Inadequate progress updates: If the outsourcing company fails to provide regular progress updates or is unwilling to share details about the project's status, they may be hiding issues or delays.
High staff turnover or frequent Staff illness/absence: Frequent changes in the team members working on your project could indicate instability within the outsourcing company or a lack of commitment.
- New "staff" being subcontracted from overseas without prior approval or request. Remember, they may be subcontractors and not even in the IT company!
- New overseas "staff" may also be charged at the same rate as an Australian worker - without discussion with the Founder. This is important to discuss as overseas staff work hours cannot be claimed in Australian-based R and D Start-Up Incentive grants.
- The outsourced firm is not providing clear documentation and not committing to regular GitHub-type repositories.
- Unexpected cost increases If the outsourcing company frequently requests additional funds or alters the pricing structure without a clear explanation, it may be a sign of financial mismanagement or an attempt to overcharge.
- Reluctance to share source code or documentation. If the outsourcing company hesitates to provide access to the source code or proper documentation, they may try to maintain control over your project or hide issues in their work. Poor documentation for version releases, deficient bug audits and fixes are significant warning signs.
Here are a few suggestions tailored specifically for start-ups involved in outsourcing parts of their IT workloads
- Start small: Begin by outsourcing a smaller, non-critical project to evaluate the outsourcing partner's performance and reliability. This allows you to establish a working relationship without exposing your core intellectual property.
- Leverage specialised platforms: Use Time verification analytics and specialised healthcare IT outsourcing firms to find experienced and vetted developers or teams. These platforms often have built-in protections and mechanisms for handling disputes, which can be helpful for start-ups.
- Build a hybrid team: Consider building a mixed group of in-house and outsourced talent. This allows you to maintain control over critical aspects of the project while leveraging the expertise of outsourced team members for specific tasks.
- Hire a technical consultant or advisor: If the Founder lacks advanced IT skills, consider hiring an experienced technical consultant or advisor to guide the project and oversee the outsourced team. This person can act as a liaison between the start-up and the outsourcing partner, ensuring that the project stays on track and meets quality standards.
- Network and seek recommendations: Contact your professional network and industry peers or attend relevant events to gather suggestions for reliable outsourcing partners. Personal referrals can help you find trustworthy vendors with proven track records.
- Focus on communication and collaboration: Foster a collaborative environment between your start-up and the outsourcing partner. Use tools like Slack, Trello, or Basecamp to facilitate communication, project management, and visibility into the development process.
- Continuous learning and improvement: Treat every outsourced project as an opportunity to learn and improve your start-up's processes and capabilities. Be prepared to iterate and refine your outsourcing strategy based on the lessons learned from each engagement.
This paper has looked at practical strategies to mitigate risk in the software outsourcing project space. We will continue to explore this theme over the next two weeks. As a result, we aim to demonstrate how these projects can be successfully managed through organised, pre-planned and proactive implementation.