Chap-02.qxd 3/1/05 12:30 PM Page 58
Managing the Risks of IT Outsourcing
causes, effects and nature of all the risks that manifest in an ITO
exercise. A selected portion of the risks in the ITO exercise is highlighted in this book to illustrate very specific risks that play a vital role in the decision to outsource the IT function. It is this nature and behaviour of key risk elements that needs to be addressed each time an organization outsources its IT function.
The risk elements deliver opposing results or yields, i.e. being either constructive or destructive to the organizations that participate in the exercise.
It is known that a certain amount of risk shifts from the buyer to the supplier of outsourcing services. This is a phenomenon that is taken advantage of most in a typical ITO exercise and is seen as a benefit by the buyer of the services. The transfer of risks between buyer and supplier occurs almost as soon as the outsourcing exercise commences. As would be expected, operational risks are transferred away from the buyer organization as risks that accompany the IT operations. The supplier, on the other hand, takes on the new operations and associated risks as part of the agreement and is compensated through a service fee.
It is observed, however, that despite this obvious benefit, the buyer organization often hesitates to shift the IT operations outside the organization for fear that the loss of control may be unsustainable. The buyer is also often anxious over the uncertainty caused by a range of new risks that it has to manage as a result of the ITO exercise. The supplier, on the other hand, appears willingly to absorb the operational risks, which contributed to the reason why the buyer initiated the outsourcing exercise in the first place.
These traits provide a background to interesting insights into the management and nature of shifting risks both within and between the buyer and supplier organizations. The final chapter in this book highlights this phenomenon and includes an illustration of a set of observable traits that exist between risk groupings when the IT function of an organization is outsourced.
Managers in the same organizations that purchase the use of IT
components argue that the in-house IT function not only comprises components that are often referred to as ‘commodity’
functions, but form an essential and strategic part of the overall corporate strategy. The IT function, in this instance, differentiates the organization’s services and products from those of its competitors. The IT function is no longer a commodity but a strategic component. As such, the IT function contains ‘secrets’
that are often not shared, to preserve the competitive advantage.
58
Chap-02.qxd 3/1/05 12:30 PM Page 59
Outsourcing the IT Function
The supplier of the IT function, however, has established a special relationship with the buyer organization. Confidentiality and security become very important as areas of high risk. This relationship is more than that of a casual supplier; rather, one where the integrity of the information and technology delivered becomes vital. It is often argued that, unlike manufacturing industry where products can be protected via legal instruments such as patents, information flows are more difficult to control.
Fraudulent and criminal use of information is often difficult to trace or police; and therefore the risk of sharing one’s information with a third party is often viewed as an unacceptable risk.
In both these instances (commodity versus strategic roles), however, it is still quite plausible and conceivable that the use of the concept of ITO along with its many variants, is able to deliver significant and tangible benefits to both the buyer and supplier organizations. The difference lies in the ‘integrity and reliability’
of the supplier as compared to an in-house maintained IT function. This difference is often observed as it becomes manifest in the risk exposure and risk profile of the buyer and supplier organizations. In this chapter, some of the fundamental ideas of outsourcing of the IT function have been discussed; they need to be understood in order to experience, identify and measure the risks that manifest themselves in this environment. For it is only when risks are quantified that they can also be mitigated in order to enjoy the maximum benefits of true IT outsourcing.
This is discussed in Section II.
59
This page intentionally left blank
Chap-03.qxd 3/1/05 12:31 PM Page 61
Section II
Measuring and understanding
IT outsourcing risks
This page intentionally left blank
Chap-03.qxd 3/1/05 12:31 PM Page 63
3
Measuring risks in IT outsourcing
Without measureless and perpetual uncertainty the drama of human life would be destroyed.
Winston Churchill (1874–1965), British prime minister Risks in IT outsourcing (ITO) are often the effects of a combination of activities and events. These events can arise both at different times and in different geographical locations. For example, an event in the Head Office in Singapore last month could have very significant effects on another event in Sydney, Australia, today and affect another activity in San Francisco the following week.
Various methods and tools are used to help measure and quantify these activities and events. The risk dimension signature (RDS) instrument proposed in this chapter allows measurements to be made from the various risk perspectives, and then graphically illustrates the risk exposure values (or measured quantities) at different points in time. The risk profiles that are depicted in the RDS then become an essential part of overall risk management methodology that allows the manager to understand risks more completely and make informed decisions. RDS transforms risk management from an academic or mathematical exercise into an essential and practical tool.
Risks involve events that are characterized by probability and uncertainty. They also stem from possibilities and indeterminate paths as a result of random events. We know that ITO is characterized by:
● multiple variations in outsourcing models (Chapter 1); and
● the two very special roles that the IT function plays in an organization (Chapter 2).
This, combined with the complexities of both the buyer and supplier organizations in a synergistic, long-term relationship, creates an environment that is full of events and ‘risk fertile’, or full of risks.
Measurement activity to capture these risks is more complex than ever before, partly as a result of the intricacies involved with 63
Chap-03.qxd 3/1/05 12:31 PM Page 64
Managing the Risks of IT Outsourcing
available options and volumes of information flows that power today’s fast-moving organizational processes. The probability of an event happening, whether with good or bad consequences, is never predictable to any degree of certainty. In fact, uncertainty in the economy, in technology, in business and in politics has made forecasting based on probabilities quite futile and, sometimes, even counter-productive.
In order to understand risks, however, detailed observation and measurement is mandatory. So the first step in the process is to be able to take measurements and to illustrate the results in a way that is meaningful to the ITO manager or practitioner. If the risk characteristics that are expressed in the specific ITO assignment can be measured, activities to mitigate the risks can be put into place for selected risks. A simplified step methodology involving three basic steps, Measure, Understand and Mitigate (MUM), as illustrated in Figure 3.1, is used to show the three fundamental phases that are used to address risks before a more comprehensive risk management method is used.
Measure
Risk
Understand
Figure 3.1
Mitigate
Managing risks in
an IT outsourcing
environment
Obviously a complete risk management methodology is comprehensive but the MUM method addresses the need to quickly depict and address urgent risks and allows plans to be effective as critical risks will need to be addressed urgently. Therefore more detailed risk management methods should be used in conjunction with the three phases proposed. This approach is designed to be short, and to be as practicable as possible for easy use. Given these assumptions, it should also be used in conjunction with organizational communications that include policy making, suitable controls and the promotion of risk awareness programmes (see also samples of widely accepted risk management models in Figures 3.5 and Figure 3.6). These items or activities form part of the overall risk management plan (see Chapter 6).
64
Chap-03.qxd 3/1/05 12:31 PM Page 65
Measuring Risks in IT Outsourcing
3.1
Risk definition
For simplicity, many scholars and researchers agree to define risk in an ITO scenario simply as the possibility of loss or injury.
Risks begin as a direct consequence of negative outcomes. Risks are also formed as an extension of factors leading to negative outcomes. Risks refer either directly to:
● negative outcomes; or
● factors that lead to the negative outcomes.
Negative outcomes include shortfalls in systems performance.
For example, in the case of a software development project, poor systems performance could take the form of disruption of service to a customer that depends on IT to support a particular business process function. In an ITO exercise, hidden costs (described in Chapter 2) and loss in innovative capacity would constitute examples of poor systems performance. Factors that lead to these negative outcomes include, for example, a continuing stream of requirement changes or personnel shortfalls in a systems development context. In an ITO project, lack of upper management commitment to the exercise or inexperienced staff and business uncertainty are clearly factors that lead to negative outcomes.