Scroll Top

Mitigating Risk in Offshore Software Development

– By Nagendra Rao, Director of Business Development

Executive Summary

In the last ten years, the world has seen an exponential rise in offshore development. “Offshoring” means shifting software development work to an overseas vendor. While larger businesses and Fortune 500 companies have embraced offshoring in a big way, smaller businesses still shy away from it. They associate several risks with the process. This paper discusses real and perceived risks in the offshoring process along with ways to minimize them


In any endeavor, knowing the risks reduces your vulnerability. The risks inherent in any strategic business initiative are magnified when it involves partnering across geographic and cultural boundaries. Likewise, the risks typical of software development multiply when teams are distributed.

Types of Risk

There are different types of risks in offshore outsourcing. Some risks are real, while others are only perceived. Risks can be broadly categorized into Control Risks, Security Risks, Organizational Risks and Performance Risks. Some risks are common to all outsourcing engagements, while some are specific to offshoring.

Control Risks

When thinking about offshore outsourcing, many companies fear a loss of control over quality, schedule and cost. Companies see their present in-house staff as dependable, quality standards as high, and market expectations as well understood by their teams. So why change? To these companies, working with a new team of developers tens of thousands of miles away raises many questions. Will the offshore team be skilled? How well will they understand the needs of my industry? And will they understand how critical quality is to our customers?
Other fears are about schedules. While it is easy to reach across a partition or talk to a team of engineers in the next room, in order to get a fix done quickly, it is harder to coax a team from far away. The time zone difference with the offshore vendor also presents a challenge, as do the logistics inherent in some offshoring engagement models. Due to the impact it has on their resource management, it is not easy to convince some vendors to pull back resources or crash schedules.
Last but not least is the fear of losing control over costs. There is a learning curve involved in knowledge transfer and in learning about a new client’s business. Potential clients of offshoring engagements may wonder how much supervisory time would be involved in such an engagement and if this could result in losing control over costs.

Security Risks

Security fears are largely twofold, centering on potential violations of intellectual property (IP) rights and potential risks to data security. When contemplating offshore engagements, companies often wonder if the employees and the management team of the offshore company will be sufficiently aware of IP security issues and able to impose diligent controls to protect their “crown jewels.” In the case of sensitive information, like financial, human resources-related data, competitive information, and market research related data, the companies want to ensure that their offshore vendor will protect their information adequately, as the damage caused by information leaks is costly and often irreversible.

Organizational Risks

Many employees of companies who are embarking on an offshoring foray are afraid of losing their jobs. In this situation, it is important to motivate key employees and involve them in the critical decision-making process. Sometimes, after working with a vendor for some time, companies also face the risk of attrition of key employees in the vendor organization, especially in countries where the demand for skilled labor is very high. Key consultants leave periodically and quickly, dissolving the knowledge base that has been built up over time. Companies are well advised to learn how the vendor organization guards against these challenges and protects its clients’ interests.

Performance Risks

Performance risks can be classified into quality and reliability risks. Will the offshore team deliver code that is written well, performs well and is maintainable? Will they do it every time? Will they require a large amount of supervision? Potential offshoring clients want to be convinced that the outsourced application performs as well as one that was developed in house; that the code is well structured, tested, and optimized for the intended environment; and that technical documentation is accurate and user friendly.

Emergence and Escalation of Risks

How the different types of risks that emerge in offshore engagements are minimized depends on how well client and vendor are prepared and on how experienced they are in handling them. It is useful to understand how risks emerge and how they can be mitigated with adequate preparation.

Depending on People Instead of Processes

Control and performance risks in an offshoring engagement increase drastically when clients and vendors do not establish processes and performance metrics. Software development is people-driven. When people who work on a development project are from different companies, countries and continents, risk escalates substantially.
Risk also increases with an over-dependence on the specific working styles of individuals. Enabling a large number of people with different working styles to collaborate in a way that generates consistent, timely results requires formal processes, templates, and milestones for all interactions and deliveries. Typical software development lifecycle processes include the establishment of requirement specifications, design and test plans, and acceptance criteria documents. While working with globally distributed teams, critical meetings and conferences should be recorded, verbal commitments avoided, and minutes circulated promptly.
Developing metrics in the planning stage will reduce risk throughout the project. If the vendor mentions that delivery is on schedule, track the progress reports. At the end of the development phase, request written updates; and when tests are concluded, ask for their results. As the familiarity with processes increase, their effectiveness depends on how well they are enforced. Consistently enforced processes will result in substantially lower risk, as the offshoring relationship matures.

Vendor Misunderstanding of Client Requirements

Some clients fail to explain adequately to their vendor how their organizations work and why. On the other hand, vendors often do not understand the client’s market pressures, end-user requirements, and time constraints. This lack of mutual understanding between client and vendor partner can increase risk substantially.
For instance, if the vendor is unaware that an application will undergo several rounds of changes during the design phase due to fluctuating market needs, they may be insufficiently prepared to handle changes, causing the product release to be delayed. If a developer is not told that the end-user prefers a specific browser, he or she may build a user-interface that is difficult to use. The client needs to spend time with the development team explaining their market pressures, end-user requirements, and their organization’s internal processes.

Inadequate Senior Management Involvement

Senior management at the C-level needs to dedicate adequate time to each offshoring venture. Too often, relationship and project management gets relegated to junior staff, as the project progresses. This increases all types of risks.
Periodic due diligence of the engagement and its individual components as well as regular discussions between key representatives from both the vendor and the client organizations can go a long way in reducing risks in offshoring. The relationship also needs support from other departments within the client organization, such as sales and marketing, human resources and finance. The longer and deeper the offshoring relationship, the more due diligence is required.
Project managers on both sides often avoid discussing unpleasant issues that are easily corrected but may cause momentary friction. Senior management’s involvement can bring resolution to these types of issues. If senior management is actively involved in the engagement and reviews its progress often, risk is minimized and the relationship objectives are met.

Insufficient Contractual Details

Effective contractual agreements to back up the engagement need to be in place before successful offshoring can begin. The agreements should not be tortuous. Nor should they be cursory or left to verbal commitments. Security risks can be avoided through Mutual Non-Disclosure, Non-Compete, and NonEmployee Solicitation Agreements. Signed and Accepted Proposals, Statements of Work, Professional Service Agreements, and Licensing Agreements can cover most contractual obligations.

Lack of Communication

Risk in offshoring engagements increases exponentially with poor or one-sided communication. Limiting communication to only a few individuals can cause multiple problems that are often recognized too late. These can include cost overruns, schedule slippage, and people-related problems. All too often, risks increase at a point in the project when mitigating them has become very costly.
A detailed communication plan developed at the beginning of the engagement is part of a good risk mitigation strategy. This plan should detail communication tools and processes, responsibilities for reporting on the different aspects of the engagement, and contingency plans. It is equally important to copy all team members one-mails and other key pieces of information, across hierarchies and disciplines. By operating as a team across organizational boundaries, the client organization can ensure that multiple people in their own organization interact seamlessly with the people of the vendor organization.

Insufficient Team Motivation

For the overall success of the offshore engagement, it is especially important to invest in team motivation. The departure of a key member from the team can hit a project harder than some delays or even cost overruns. It therefore pays to make a serious effort to understand the members of the offshore team. Find out what motivates them. The same routine peer review that seems ordinary in the client organization may be considered de-motivating in the vendor organization, due to cultural differences or peer group dynamics. Organizations would do well to work with the vendor to draft plans for appreciating the work of key employees and the team as a whole. Simple end-of-project vacations, picnics, or merchandising items from your company can go a long way towards motivating your offshore team.

Risks in Different Models of Engagement Models

The most popular engagement models in offshore software development are defined projects and captive Offshore Development Centers (ODCs). The risks associated with each model are slightly different.

Offshore Projects

It is said that a third of all software projects overrun on costs and schedules. To minimize overruns and slippage in schedules, team leaders need to manage offshore projects the same way in which they manage in-house projects, by documenting project plans that are detailed and exhaustive. Some areas in offshore projects, however, pose greater risks and need more detailed planning. These include user-interface design; integration of third-party tools; hardware infrastructure; database setup and migration; testing and application staging; and release to production. Detailed scope of work documents, detailing assumptions, entry and exit criteria, as well as acceptance test documents can help mitigate risks inherent in these activities.

Offshore Development Centers

The most popular engagement model is the Offshore Development Center. The success of an ODC depends largely on how good the team is, how well it integrates with your organization’s daily tasks, and how well the vendor is aligned with your long-term plans. In addition, there are so-called “softer” issues pertaining to HR development, such as resources management, handling attrition, and team motivation. Not paying adequate attention to these issues can put your organization at considerable risk. However, if planned and managed properly, ODCs with their associated cost and time savings can be an important part of a company’s business strategy.

Criteria for Successful ODC Engagements

Mitigating Risks Early

The sooner risks are identified, the less significant their impact. Companies that use offshoring successfully develop a risk management strategy long before they hand over projects or begin establishing an ODCwith a vendor.

Selecting the Vendor

Though many businesses have experience with outsourcing infrastructure, networking and other activities, they seldom know how to select an offshore vendor. An inexperienced vendor can substantially increase risks in offshoring. When planning an offshore engagement in India, a visit to is a good beginning. NASSCOM profiles the Indian software industry and provides a list of vendors.

It pays to work with a vendor who has a local presence in the vendor’s home country. This demonstrates commitment on the vendor’s part and ensures that the client can reach them quickly in the same time zone for fast intervention. This can reduce risk of failure in offshore engagements substantially. Contractual obligations can be more easily enforced locally than from far away. In addition, the local team can serve as an agent in bridging gaps in expectations, cultural differences, and communication styles and also act as an internal customer for the offshore team before deliveries are made to the client.
While cost is a major consideration in offshoring, it generally does not pay to select a vendor purely on that basis. In contracting any supplier, it is advisable to do a technical evaluation with a select number of vendors and then negotiate with the two finalists before making a choice. Again, if you negotiate too hard, you may end up losing in the long term. In a people business, the best resources will be assigned to the clients who pay the most.
Companies must also examine the financial stability and track record of potential vendors and check references before making a selection. Requests for Information (RFIs) may help in gathering substantive information about a vendor up-front and lessen the fears of perceived risks. Include questions on how a given vendor organization manages security, performance, and people risks, project components, and engagements as a whole. Beware of asking too many vendors for RFIs. You run the risk of losing their interest or getting only very guarded information.

Selecting Initial Projects

Success with initial projects is critical to any company that wants to make offshoring part of its business model for the long run. The first projects should be relatively simple, with comparatively little customer impact and short duration (less than three months). This enables you to assess the performance of the vendor and reduces irreversible risks that often arise in longer offshoring engagements. Executing several maintenance and testing projects is often a good way to start an offshore engagement. This way, the offshore team can gain domain knowledge and get up to speed with little risk to either organization.

Building the Team

There are key people who will make your offshoring foray successful, such as the project managers, architects, and team leads. It’s good to ask for their resumes, or at least for brief profiles of them and to talk to prospective team members before engaging them. To make the project successful, you need to “like” everything about your vendor partners, from their technical grasp of issues to their management and communication styles.

Setting Expectations in the Start-up Phase

Each organization has its own style. Some are slow, measured, and process-oriented while others operate in a continuously changing dynamic way. Some organizations rely on quick results and expect less process and documentation. To some, a good processes and documentation is key, while speed is less important. It is good to agree on the pace with the vendor right from the start. Let them know what they can expect from you. Changing expectations midway can increase risk for both sides. In interacting with vendor partners, avoid using a management style that you would not use within your own organization. You will find that good vendors will adapt quickly to your style.

Discussing Risks and Mitigation Strategies Openly

Best practices in risk management dictate that client and vendor discuss risks and their mitigation openly in the beginning stages of an engagement and follow up with periodic reviews. It is good practice to document a Risk Management Plan as part of the overall plan for the engagement, including sensitive issues like management of attrition, non-performance, and project delays.


When planning an initial offshore engagement, it is important to distinguish between perceived and real risks. Some perceived fears stem from the discomfort of working remotely, unfamiliarity with other cultures, differing time zones, and misconceptions about work culture in other countries. These fears are often dispelled with a few conversations and with due diligence. Explore and question your fears. Talking with prospective vendors, meeting, their teams and visiting their facilities, often go a long way in dispelling them.
Real risks, on the other hand, cannot be talked away. They require solid risk management strategies, including metrics, processes, communication, and a deep level of commitment from on both sides. While some of the strategies outlined in this document might help you plan for the risks, they cannot replace actual experience. Empirical evidence shows that offshoring works and is here to stay. So venture out, tread with care, and plan for success.