Managing the Risks of IT Outsourcing
Ian Tho
Contents
Preface
Section I: Language of IT Outsourcing (ITO)
Chapter 1: Common terms and concepts used in outsourcing
1.1 The need to manage risks in IT outsourcing
1.2 The practice of outsourcing
1.3 Agreeing the definition of outsourcing
1.4 Contracting versus outsourcing
1.5 Blurred organizational boundaries
1.6 Differences in emphasis
Risk transfer difference
Buyer/Supplier relationship difference
Changes in process model difference
1.7 Process changes
1.8 Acceptance of information technology outsourcing (ITO)
Early adopters and failures
1.9 Benefiting from ITO
Supplier benefits
Common (buyer and supplier) benefits
Buyer benefits
1.10 Outsourcing models
Outsourcing types
Complete/Selective outsourcing
Keiretsu
1.11 Outsourcing partnerships
1.12 Outsourcing contracts
1.13 Outsourcing and the implications for human resource development
Chapter 2: Outsourcing the IT function
2.1 The ‘core competency’ argument
Performance of the IT function
Distinctive competency
Diversification and specialization
Outsourcing to derive the benefits of core competency
2.2 The ‘economies of scale’ argument
2.3 Commoditization of IT
2.4 The role of IT in the organization
2.5 Outsourcing and the unique role(s) of the IT function
The IT productivity paradox and outsourcing
Hidden costs
2.6 Information technology outsourcing risk
Section II: Measuring and understanding IT outsourcing risks
Chapter 3: Measuring risks in IT outsourcing
3.1 Risk definition
3.2 Investigating risk
Intrusive factors (exogenous and endogenous risks)
Operational and relationship risks
3.3 IT outsourcing risks (causes and effects)
Causality and random activity concept
3.4 Measuring risk exposure
Quantifying risk exposure
Risk exposure (RE) boundaries
3.5 Examples of risk management models
3.6 Difficulties in measuring risks and risk exposure
3.7 Measuring IT outsourcing (ITO) risks by group/category
3.8 So why group risks?
Associating similar risk types
Evaluating over time
Considering risk characteristics and focus
Risk classification
3.9 Identifying risk groups for IT outsourcing (ITO)
Recommended risk groups/dimensions
3.10 Visualizing risk patterns from arbitrary risk dimensions
Linking risk dimensions with operational and relationship risks
Illustrating risk exposure
Mapping possible risk dimensions against the risk landscape
3.11 Constructing the signature
3.12 Graph types
Categorical scales on the axes
Rank-ordered scales on the axes
Likert scales on the axes
3.13 IT outsourcing and the risk dimension signature (RDS)
Chapter 4: The challenge of understanding risks when outsourcing the IT function
4.1 Interpreting the RDS
4.2 Computation of total risk exposure
Comparing buyer and supplier risks on the RDS
Interpreting the buyer and supplier RDSs
Further observations from risk signatures or risk dimension signatures
4.3 Additional RDSs and patterns
Sample RDS patterns and interpretation
4.4 IT outsourcing (ITO) measurement framework
Considering multiplicity of risks
Considering contract periods
Considering buyer and supplier
4.5 Shifting the ‘effects of risk’
Risk-shifts between buyer and supplier
4.6 Observing risks in an ITO environment
4.7 Winner’s curse
4.8 Agency theory
Chapter 5: Risk interaction in IT outsourcing
5.1 Interaction between supplier and buyer in IT outsourcing
The paradox effect
Relationship dynamics between buyer and supplier
5.2 Implications of relationship for risk
Interplay between buyer and supplier RDSs
Sharing of risks between buyer and supplier
5.3 Sharing risks within one organization, between value activities
Risk signature/RDS – supplier
Risk signature/RDS – buyer
5.4 Tolerance for risk exposure (risk appetite)
5.5 Mapping the risk signature
5.6 Evaluation dimensions
5.7 Analysing risk with the RDS
Empirical measurement
Data on risks and risk exposure
Interaction between categories
Section III: Mitigating (& managing) risks in IT outsourcing
Chapter 6: Risk characteristics and behaviour in an ITO exercise
6.1 Behaviour of risks
6.2 Risk appetite
6.3 Fundamental assumptions in understanding risks
Cause & effect
Internal/external influences
Accuracy of risk classification/grouping
6.4 Effects of influences
6.5 Relationships between risk dimensions
Risk balancing
Changes in risk exposure (RE)
State of equilibrium
6.6 Game theory
6.7 Chaos theory
6.8 The perfect project
Chapter 7: Mitigating risks in an ITO environment
7.1 The ITO risk ecosystem
7.2 Predicting the behaviour of risks with the RDS
7.3 Depiction of the risk profile
7.4 Risk frameworks
Interplay between risk dimensions
Interaction of intrusive factors
7.5 Using the concepts
Overcoming difficulties that may be encountered
Limitations
Important assumptions
7.6 Insights into risk behaviour using the RDS tool
7.7 Further remarks
Chapter 8: A case study – ITO risks
8.1 Case study background
8.2 Risks identification
8.3 Internal (endogenous) risks
Buyer risks
Supplier risks
8.4 External (exogenous) risks
Buyer risks
Supplier risks
8.5 Risk profiles from participants in individual and group sessions
8.6 Using the risk dimensions
8.7 The buyer & supplier RDS profiles
At the start of the ITO exercise
RDS for supplier S1
RDS for supplier S2
Qualitative assessment of the buyer RDS
Quantitative assessment of the buyer RDS
8.8 Concluding remarks
References
Index
To
my darling wife Cynthia,
my loving parents Yow Pew and Irene, and my only sister, Su-fen.
About the author
Ian Tho is a practising management consultant. He has over eighteen years of international consulting experience and works with both buyers and suppliers in the area of IT outsourcing services. He is a graduate of the University of Melbourne, Australia, where he earned a BEng. He received his MBA from Monash University, Australia, and earned his PhD in the area of risks in IT outsourcing, at Deakin University, Australia. He is also a Fellow of the Australian Institute of Management.
Ian works in the area of IT outsourcing and is the National Head of Healthcare with KPMG. He works with healthcare providers, suppliers, regulators, insurance, pharmaceuticals and equipment manufacturers. He has also worked with Andersen Consulting (now Accenture) for over eleven years in its Chicago, New York, Melbourne, Paris, Singapore and Kuala Lumpur offices. Ian was the Managing Director for Asia with Datacom Asia (Outsourcing and Call Centres) where he was responsible for Datacom offices in Malaysia, Singapore, Thailand, Hong Kong, the Philippines and Indonesia. His clients include Microsoft; 3Com; Palm; Toshiba; Compaq; Dell Asia Pacific; Citibank; United Parcel Service Inc.; Carlsberg; Colgate; Shell; Jet Propulsion Laboratory, USA; Vlassic Pickles, USA; Malaysia buyer organizations; Malayan Banking; National Heart Institute, Malaysia; Telstra, Australia; the Alfred Hospital, Australia; the State Electricity Commission of Victoria, Australia; the Commonwealth Bank of Australia; and United Energy, Australia. His other clients include major organizations in healthcare, manufacturing, oil & gas and technology. Ian can be reached via e-mail at iantho@myjaring.net.
Preface
Buyers or suppliers of IT outsourcing services are constantly tormented by the prospect of having to deal with the vicissitudes of risks in their projects. In today’s business environment, the precipitous rates of technological change have outpaced the ability of many organizations to support the IT function. These organizations are faced with the ‘usual’ challenge to maintain an IT function and to simultaneously manage in an environment of brisk change and perpetual uncertainty. All of this, however, in addition to the vagaries of risk and its effects, makes managing the IT function an exceptionally challenging task for many managers.
As a result, these managers and the organizations they represent succumb by using outsourcing as an opportunity to de-focus from the IT function, something that is, commonly, also not an activity of core competence (Prahalad and Hamel, 1990). IT outsourcing promises to lower operating costs, lower risk exposure and take advantage of best practices that are introduced when working with the supplier of IT services. These organizations plan to transfer the IT function outside the organization and also to reap the payback of the IT function, through the use of outsourcing.
The term outsourcing conjures up several different meanings depending on how it is viewed. To potential and existing users of this concept, it may contain a connotation of a loss of control; and a fear that a third party would take over jobs, work and responsibility for what used to be an internal function. To others, it carries suggestions of a takeover; and to yet another group, outsourcing implies additional work that will be required to supervise additional personnel that are brought ‘on-board’. Many managers, it seems, attempt to seek consolation by rejecting the concept of outsourcing altogether. Further, ideas are devised and thoughts rationalized to address this feeling of trepidation through commonly heard reasons not to outsource. Common reasons that may inadvertently or unintentionally be used to reinforce these concerns include, for example, ‘IT outsourcing results in an unacceptable loss of control’, ‘intolerable increases in security issues [e.g.