Ian Tho – Managing the Risks of IT Outsourcing

Managing the Risks of IT Outsourcing

Ian Tho

Preface

xv

Section I: Language of IT Outsourcing (ITO) 1

Chapter 1: Common terms and concepts used in outsourcing

3

1.1 The need to manage risks in IT outsourcing 4

1.2 The practice of outsourcing

5

1.3 Agreeing the definition of outsourcing

7

1.4 Contracting versus outsourcing

9

1.5 Blurred organizational boundaries

11

1.6 Differences in emphasis

12

Risk transfer difference

12

Buyer/Supplier relationship difference

12

Changes in process model difference

13

1.7 Process changes

16

1.8 Acceptance of information technology

outsourcing (ITO)

18

Early adopters and failures

19

1.9 Benefiting from ITO

20

Supplier benefits

23

Common (buyer and supplier) benefits

24

Buyer benefits

24

1.10 Outsourcing models

25

Outsourcing types

27

Complete/Selective outsourcing

28

Keiretsu

29

1.11 Outsourcing partnerships

30

v

Prelims.qxd 3/1/05 12:29 PM Page vi Contents

1.12 Outsourcing contracts

34

1.13 Outsourcing and the implications for human resource development

37

Chapter 2: Outsourcing the IT function

39

2.1 The ‘core competency’ argument

41

Performance of the IT function

42

Distinctive competency

44

Diversification and specialization

45

Outsourcing to derive the benefits of core

competency

46

2.2 The ‘economies of scale’ argument

47

2.3 Commoditization of IT

49

2.4 The role of IT in the organization

49

2.5 Outsourcing and the unique role(s)

of the IT function

50

The IT productivity paradox and outsourcing 53

Hidden costs

54

2.6 Information technology outsourcing risk 56

Section II: Measuring and understanding

IT outsourcing risks

61

Chapter 3: Measuring risks in IT outsourcing 63

3.1 Risk definition

65

3.2 Investigating risk

65

Intrusive factors (exogenous and

endogenous risks)

66

Operational and relationship risks

67

3.3 IT outsourcing risks (causes and effects) 69

Causality and random activity concept

70

3.4 Measuring risk exposure

71

Quantifying risk exposure

72

Risk exposure (RE) boundaries

72

3.5 Examples of risk management models

74

3.6 Difficulties in measuring risks and risk exposure 76

3.7 Measuring IT outsourcing (ITO) risks by group/category

77

3.8 So why group risks?

79

Associating similar risk types

79

Evaluating over time

80

Considering risk characteristics and focus

80

Risk classification

81

vi

Prelims.qxd 3/1/05 12:29 PM Page vii Contents

3.9 Identifying risk groups for IT outsourcing (ITO) 82

Recommended risk groups/dimensions

82

3.10 Visualizing risk patterns from arbitrary risk dimensions

85

Linking risk dimensions with operational

and relationship risks

85

Illustrating risk exposure

86

Mapping possible risk dimensions against

the risk landscape

88

3.11 Constructing the signature

91

3.12 Graph types

91

Categorical scales on the axes

93

Rank-ordered scales on the axes

93

Likert scales on the axes

94

3.13 IT outsourcing and the risk dimension

signature (RDS)

94

Chapter 4: The challenge of understanding risks when outsourcing the IT function

95

4.1 Interpreting the RDS

96

4.2 Computation of total risk exposure

98

Comparing buyer and supplier risks on the RDS

100

Interpreting the buyer and supplier RDSs

100

Further observations from risk signatures

or risk dimension signatures

101

4.3 Additional RDSs and patterns

103

Sample RDS patterns and interpretation

103

4.4 IT outsourcing (ITO) measurement framework 104

Considering multiplicity of risks

105

Considering contract periods

105

Considering buyer and supplier

106

4.5 Shifting the ‘effects of risk’

107

Risk-shifts between buyer and supplier

107

4.6 Observing risks in an ITO environment

109

4.7 Winner’s curse

110

4.8 Agency theory

112

Chapter 5: Risk interaction in IT outsourcing 119

5.1 Interaction between supplier and buyer in IT outsourcing

119

The paradox effect

120

Relationship dynamics between buyer

and supplier

121

vii

Prelims.qxd 3/1/05 12:29 PM Page viii Contents

5.2 Implications of relationship for risk

121

Interplay between buyer and supplier RDSs

122

Sharing of risks between buyer and supplier 123

5.3 Sharing risks within one organization, between value activities

123

Risk signature/RDS – supplier

124

Risk signature/RDS – buyer

125

5.4 Tolerance for risk exposure (risk appetite) 126

5.5 Mapping the risk signature

128

5.6 Evaluation dimensions

129

5.7 Analysing risk with the RDS

131

Empirical measurement

134

Data on risks and risk exposure

134

Interaction between categories

135

Section III: Mitigating (& managing) risks in IT outsourcing

137

Chapter 6: Risk characteristics and behaviour in an ITO exercise

139

6.1 Behaviour of risks

141

6.2 Risk appetite

143

6.3 Fundamental assumptions in understanding risks

143

Cause & effect

143

Internal/external influences

144

Accuracy of risk classification/grouping

144

6.4 Effects of influences

144

6.5 Relationships between risk dimensions

145

Risk balancing

146

Changes in risk exposure (RE)

146

State of equilibrium

147

6.6 Game theory

149

6.7 Chaos theory

151

6.8 The perfect project

152

Chapter 7: Mitigating risks in an ITO environment 154

7.1 The ITO risk ecosystem

154

7.2 Predicting the behaviour of risks with the RDS

156

7.3 Depiction of the risk profile

157

7.4 Risk frameworks

157

Interplay between risk dimensions

159

viii

Prelims.qxd 3/1/05 12:29 PM Page ix Contents

Interaction of intrusive factors

159

7.5 Using the concepts

159

Overcoming difficulties that may be encountered 160

Limitations

161

Important assumptions

163

7.6 Insights into risk behaviour using the RDS tool 164

7.7 Further remarks

166

Chapter 8: A case study – ITO risks

168

8.1 Case study background

168

8.2 Risks identification

170

8.3 Internal (endogenous) risks

174

Buyer risks

175

Supplier risks

175

8.4 External (exogenous) risks

177

Buyer risks

177

Supplier risks

177

8.5 Risk profiles from participants in individual and group sessions

180

8.6 Using the risk dimensions

183

8.7 The buyer & supplier RDS profiles

184

At the start of the ITO exercise

184

RDS for supplier S1

186

RDS for supplier S2

188

Qualitative assessment of the buyer RDS

191

Quantitative assessment of the buyer RDS

195

8.8 Concluding remarks

197

References

199

Index

203

ix

This page intentionally left blank

Prelims.qxd 3/1/05 12:29 PM Page xi

To

my darling wife Cynthia,

my loving parents Yow Pew and Irene, and my only sister, Su-fen.

xi

This page intentionally left blank

Prelims.qxd 3/1/05 12:29 PM Page xiii About the author

Ian Tho is a practising management consultant. He has over eighteen years of international consulting experience and works with both buyers and suppliers in the area of IT outsourcing services. He is a graduate of the University of Melbourne, Australia, where he earned a BEng. He received his MBA from Monash University, Australia, and earned his PhD in the area of risks in IT outsourcing, at Deakin University, Australia. He is also a Fellow of the Australian Institute of Management.

Ian works in the area of IT outsourcing and is the National Head of Healthcare with KPMG. He works with healthcare providers, suppliers, regulators, insurance, pharmaceuticals and equipment manufacturers. He has also worked with Andersen Consulting (now Accenture) for over eleven years in its Chicago, New York, Melbourne, Paris, Singapore and Kuala Lumpur offices. Ian was the Managing Director for Asia with Datacom Asia (Outsourcing and Call Centres) where he was responsible for Datacom offices in Malaysia, Singapore, Thailand, Hong Kong, the Philippines and Indonesia. His clients include Microsoft; 3Com; Palm; Toshiba; Compaq; Dell Asia Pacific; Citibank; United Parcel Service Inc.; Carlsberg; Colgate; Shell; Jet Propulsion Laboratory, USA; Vlassic Pickles, USA; Malaysia buyer organizations; Malayan Banking; National Heart Institute, Malaysia; Telstra, Australia; the Alfred Hospital, Australia; the State Electricity Commission of Victoria, Australia; the Commonwealth Bank of Australia; and United Energy, Australia. His other clients include major organizations in healthcare, manufacturing, oil & gas and technology. Ian can be reached via e-mail at iantho@myjaring.net xiii

This page intentionally left blank

Prelims.qxd 3/1/05 12:29 PM Page xv Preface

Buyers or suppliers of IT outsourcing services are constantly tor-mented by the prospect of having to deal with the vicissitudes of risks in their projects. In today’s business environment, the precipitous rates of technological change have outpaced the ability of many organizations to support the IT function. These organizations are faced with the ‘usual’ challenge to maintain an IT

function and to simultaneously manage in an environment of brisk change and perpetual uncertainty. All of this, however, in addition to the vagaries of risk and its effects, makes managing the IT function an exceptionally challenging task for many managers.

As a result, these managers and the organizations they represent succumb by using outsourcing as an opportunity to de-focus from the IT function, something that is, commonly, also not an activity of core competence (Prahalad and Hamel, 1990). IT outsourcing promises to lower operating costs, lower risk exposure and take advantage of best practices that are introduced when working with the supplier of IT services. These organizations plan to transfer the IT function outside the organization and also to reap the payback of the IT function, through the use of outsourcing.

The term outsourcing conjures up several different meanings depending on how it is viewed. To potential and existing users of this concept, it may contain a connotation of a loss of control; and a fear that a third party would take over jobs, work and responsibility for what used to be an internal function. To others, it carries suggestions of a takeover; and to yet another group, outsourcing implies additional work that will be required to supervise additional personnel that are brought ‘on-board’. Many managers, it seems, attempt to seek consolation by rejecting the concept of outsourcing altogether. Further, ideas are devised and thoughts rationalized to address this feeling of trepidation through commonly heard reasons not to outsource. Common reasons that may inadvertently or unintentionally be used to reinforce these concerns include, for example, ‘IT outsourcing results in an unacceptable loss of control’, ‘intolerable increases in security issues [e.g.

Pages: 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48

Leave a Reply 0

Your email address will not be published. Required fields are marked *