The existence of vague links between the outcomes and contributory factors does not make the understanding of risks any easier or measurement more straightforward.
Risks can be quantified as expected potential loss. To do this, the expected potential loss from outsourcing is reckoned as the product of two variables, the magnitude of the exposure and the probability of loss.
3.2
Investigating risk
Risks are classified as either speculative or pure risks. Speculative risks (e.g. gambling) offer both the potential for gain and the potential for loss, for example in investment in stocks. Pure risks, the kind that occur in an ITO exercise, do not necessarily result in losses, but they never result in gains and are, for the most part, unwanted.
To reduce the loss or mitigate risks, efforts are focused on reducing the probability of the undesirable event itself through, for example, the use of penalties compensating for delays in system delivery. The probability of occurrence of an undesirable outcome is estimated on the basis of historical data. Probabilities 65
Chap-03.qxd 3/1/05 12:31 PM Page 66
Managing the Risks of IT Outsourcing
are often, however, difficult to determine merely on the basis of past performance. In the case study example in Chapter 8, it is obvious that the probabilities estimated by the ITO team represent quantitative data based on collective experience.
Intrusive factors (exogenous and
endogenous risks)
Further, a distinction that could be made in risk types is the classification of endogenous and exogenous risk. A risk is classified exogenous when an undesirable event occurs beyond any form of control and is not affected directly by any actions. Examples are earthquakes or typhoons. Endogenous risks are those that are dependent directly on people actions. An automobile accident is an example of risk where a large portion of the risk is endogenous. The probability of a virus attack is significantly influenced by the user’s behaviour and software use (endogenous). The PC
user controls part of this risk by deciding to expose corporate networks through unwanted links on the network. To mitigate this risk, users are informed of the areas they can control and are advised on more restrictive practices to adopt when surfing the Internet and performing downloads.
In a business environment, the dynamics of risk exposure can be, and are, influenced by many variables. The magnitude of these variables, in singular or group form, collectively determines their relevance. For example, the effects of risk on the finances of an organization can be influenced by its shareholder structure, the business environment (which determines the amount of investment), the technology environment (which determines the capability of performing selected functions) and the competitive environment (which determines its products, delivery and organizational structure). These factors ‘intrude’
into the outsourcing environment. It has been shown that these
‘intrusive factors’ contribute to the risk profile of the outsourced operation.
Risk dimensions are affected at different levels by external (exogenous) influences of ‘intrusive factors’ discussed earlier as well as internal (endogenous) influences. An example of the influences impinging on risk factors is illustrated in Figure 3.2.
Environmental and business risk in the case study (see Chapter 8) for example, derives from external influences, discussed in detail here. The organization’s strategic, legal and informational risk profiles are influenced most significantly by a mix of both internal and external influences.
66
Chap-03.qxd 3/1/05 12:31 PM Page 67
Measuring Risks in IT Outsourcing
Stakeholder (buyer/supplier) risk dimension influence sources External influence
Technical
Strategic
Environmental
Figure 3.2
Example of
Financial*
Legal
Business*
mapping internal
(endogenous) and
Operational
Informational
external (exogenous)
influences with risk
dimensions (Tho,
2004)
Internal influence
Operational and relationship risks
There are two main angles from which risk that is inherent in an ITO arrangement is viewed. The first is the operational risk that involves undesirable consequences deriving from the operations of IT in the organization. The second form of risk stems from the relationship between the buyer and supplier in the form of opportunistic behaviour by the supplier who takes advantage of a long-term and ambiguous contract (see also Agency Theory in Chapter 4). Both these risk types are illustrated in Figure 3.3.
A significant portion of the operational risk is passed on to the supplier as the IT function is outsourced while the relationship risk remains with the buyer. Unlike operations risk, the relationship risk is ‘bi-directional’. In this instance, the risk exposure relating to the relationship can be passed back and forth depending on the situation and the ‘bargaining power’ of both the contracting parties at that time. The relationship risk shifts from buyer to supplier and vice versa.
Buyer
Supplier
‘Pass on’
Operations risk
‘Bi-directional’
Figure 3.3
Relationship risk
Operations and
relationship risk
(Tho, 2003)
67
Chap-03.qxd 3/1/05 12:31 PM Page 68
Managing the Risks of IT Outsourcing
Further relationship risk exposure from the outsourcing deal includes some common areas such as:
● misaligned incentives between supplier and buyer;
● insufficient investments from the participants;
● market failures from private information not shared;
● ineffective bidding mechanisms;
● inappropriate use of confidential information;
● supplier hold-up, expropriation and loss of bargaining power; and
● supplier’s private information about its capabilities.
This list above contains many of the salient features but is by no means exhaustive. In order to examine the risks inherent in an organization that is considering outsourcing its IT function, the elements that contribute to the risk in the ITO environment need to be explored. (See also Agency Theory and the Winner’s Curse phenomenon in Chapter 4.)
The scope of outsourcing includes strategic IT functions together with value activities that differentiate the organization from its suppliers. As suppliers provide competence in new technologies and access to better IT professionals, these elements contribute strategically to the buyer’s organizational value chain. The expanded role of outsourcing relationships includes relatively better services and financial performance, and new lines of business.
Elements of the e-commerce value chain, including strategy, systems development and integration, payment processing, market design, advertising and customer management, as well as development of the physical network and web-hosting, are outsourced.
In the ITO scenario, risk carries functions of multiple variables, mathematically expressed as:
Risk fn(governance, (un)certainty, competitive environment, organizational interconnectedness)
In a ‘cause and effect’ situation, risks also play a role in the effects of activities engendered by the outsourcing of the IT function.
Risks in this instance are concerned with the effect of governance, uncertainty, competitive environment and organizational interconnectedness (Clemons, 2000). The point raised here is that risks in the ITO exercise appear to have a direct relationship with a set of causes. It is argued that, while some arguments for ITO are intuitively appealing at an analytical and general level, they 68
Chap-03.qxd 3/1/05 12:31 PM Page 69
Measuring Risks in IT Outsourcing
remain simplistic in practice because they do not account for the complexities that permeate the management of information resources and risks (Earl, 1996). Some different models are examined in the following sections.
3.3
IT outsourcing risks (causes and
effects)
A primary driver or determinant of risk originates from the lack of information (information asymmetry) in the precontract phase, followed by an inherent inability to accurately monitor the other partner’s actions. Further, the conditions of an outsourcing contract allow either the supplier or the buyer to behave opportunistically. Uncertainty, competitive importance and organizational interconnectedness are the other contributory drivers of risk in an ITO exercise. The ‘cause’ groupings for risks in ITO derive from inabilities to optimally manage the agreement and its subsequent change in line with the evolution and heterogeneity of the IT function.
It has been consistently argued that large, vertically integrated organizations need strategic outsourcing measures to remain competitive, especially in highly contested and fast-moving markets. In a causal chain of events, there are observable causes for risks and, equally, measurable effects should the risks occur. The
‘cause’ is a situation that exists that sets up a potential risk. The cause of risks can be proactively managed. The effect(s) of risk are the likely outcomes if the risk occurs.
In any outsourcing exercise, risk is an essential and critical component of the formulation of decisions and in the mitigation of its undesirable consequences. In the outsourcing of the IT function, some of the more well documented and major risks involve escalating costs, diminishing service levels, loss of expertise, and contract irreversibility.
Some of the ideas developed in the context of a causal reasoning framework, which is investigated and introduced here, are summarized in Figure 3.4. In this illustration, we assume that the risks in an ITO exercise are caused directly by a set of risk drivers and have a set of effects that are experienced within the organization. In this instance, multiple risk dimensions are possible.
The risk types could then lie dormant indefinitely or become manifest in the ITO project. The risk outcomes become the risk exposure for the organization.
69
Chap-03.qxd 3/1/05 12:31 PM Page 70
Managing the Risks of IT Outsourcing
Risk Causes
IT outsourcing risk drivers
If
False
A risk category* or