[Figure 3.4: a risk dimension (multiple dimensions are possible) leads to a risk outcome; the risk then either occurs or remains dormant, and its exposure is the product Pr(ϖ) × Loss(ϖ), using the exposure equations from Aubert et al., 1998; Boehm, 1991.]
Figure 3.4 Causes and effects of risks in the IT outsourcing exercise (Tho, 2004)

Causality and random activity concept
The causality and random activity concept is of particular importance when determining risks and risk exposure values.
Risks should not be dismissed or abandoned on the basis of ambiguity or ‘randomness’ of risks. One of the most distinctive philosophies of the ancient Greek philosopher and scientist, Aristotle (384–322 BC), was his notion of causality where each action or event has more than one ‘reason’ that helps to explain what, why, and where things exist. The initial design and thought behind the RDS tool and the research method used was to capture the risks following logical classification into various dimensions.
Following an early view on the subject of causality, the cause of any event is a preceding event or events, without which the event in question would not have occurred. If this rather mechanistic view of causality is translated into context then all the previous actions and events in an ITO exercise would constitute the complete cause of the outcomes of the exercise. It is shown that these effects do not translate into or summarize the risk dimensions that are formulated during the RDS creation exercise. Further investigation in this chapter reveals that the theory of causality breaks down as soon as the inherent complexities in organizations with an intricate set of interdependencies are taken into account.
Measuring Risks in IT Outsourcing

Some of the logic breaks down as soon as random occurrences arise within the framework. Illustrations of the agency theory and simple game theory, discussed in Chapter 4 on the understanding of risk measurements, provide some clues to this end.
The philosophy of causality supports determinism; that is, every event has a cause, and the event follows invariably from the cause.
This thinking, however, denies the element of chance or contingency. It also does not take into account free will in humanity and the interplay between the sometimes illogical actions of human beings. It is opposed to indifferentism, or indeterminism, which maintains that preceding events do not and cannot definitely determine subsequent ones. Because determinism is generally assumed to be true of all events except volition, the doctrine is of greatest importance when applied to ethics.
Philosophers deny the ultimate reality, or at least the fundamental validity, of the causal relation. Henri Bergson (1927)[1] for example, maintained that neither ultimate reality nor life is bound by exact causal sequences. He propounds that a process of growth takes place in which the unpredictable, and therefore the uncaused, constantly occurs. No exact repetition happens in real time; and where there is no repetition, there is no cause, for cause means that the antecedent is repeatedly followed by the same consequence.
The risk dimensions and RDS formulated identify classic reasons for more work to be done on the relationships between risk dimensions arising in the outsourcing of the IT function as well as major management decisions in today’s business environment.
Before the RDS can be used effectively, the direct influences of the operating environment need to be understood. Both exogenous and endogenous risks are accounted for with the method proposed. The participants in and stakeholders of the ITO exercise have information on risks as a perceived set of losses and probabilities. This information is collected and then illustrated using the RDS.
3.4 Measuring risk exposure
Risk exposure has been defined as the extent and probability of an undesirable outcome. If the probability is small, i.e. nearly zero, the risks can be described as almost dormant as they seldom become manifest in the ITO exercise (see the right hand side of Figure 3.4). If a risk type occurs regularly (the box in the lower half of the figure), then it is often recognized as a ‘common’ risk type. Common risk types have been documented as categories of risks or risk dimensions.

[1] Nobel Laureate, Nobel prize in Literature, 1927. Found on-line on http://www.nobel.se/literature/laureates/1927/

Managing the Risks of IT Outsourcing
Quantifying risk exposure
There is a common understanding of total risk exposure at a given point in time: it is the mathematical sum of all the risk exposure values. If, however, the risks are classified into different categories, then the sum of the risks occurring in all the categories represents the total risk exposure at a given point in time for the ITO exercise.
The risk exposure is described as the product of the probability and the magnitude of the undesirable outcome from the relationship, as expressed in the equation below.
$$RE = \Pr(UO) \times L(UO)$$
where RE is the risk exposure; Pr(UO) is the probability of an undesirable outcome; and L(UO) is the magnitude of loss due to the undesirable outcome.
Considering the variables in the equation above, if the probability (of loss) values were held constant then the risk exposure would be proportional to loss, and vice versa. Practically, however, neither variable (the magnitude of loss nor the probability of loss) is constant over a period of time. So, the total risk exposure for the ITO exercise over time is dynamic (i.e. it changes over time).
At any point in time, however, it is the sum of all the risk exposure (RE) values for all the risk elements experienced in the project. Over time, the total risk exposure is represented by the following equation.
Total risk exposure = Total (Probability of loss × Magnitude of loss)

$$\sum_{x=0}^{x \to \infty} \text{Risk Exposure} = \sum_{x=0}^{x \to \infty} \Pr(UO)\, L(UO) \qquad (3.1)$$

where the Pr(UO) × L(UO) terms are the individual risk exposure elements.
Risk exposure (RE) boundaries
The probability values provide the parameters that establish the extremities of the equation. The smallest and largest values of probability are zero probability (no chance of occurring) and full probability (definitely occurring). Since the maximum possible value for Pr(UO) is a certainty that the undesirable outcome (UO) will occur, then Pr(UO) = 1. This implies that the maximum, theoretically possible, value of loss due to the undesirable outcome is always less than or equal to the mathematical sum of all possible magnitudes of all the risk elements.

$$\sum_{x=0}^{x \to \infty} \text{Risk Exposure}_{\max} = \sum_{x=0}^{x \to \infty} \left[\Pr(UO)\, L(UO)\right]_{\max} \qquad (3.2)$$
To simplify the equation to a single variable for discussion, both the maximum and minimum values for the probability of loss are taken:
$$\sum_{x=0}^{x \to \infty} \text{Risk Exposure}_{\max} = \sum_{x=0}^{x \to \infty} 1 \cdot L(UO) = M \quad \text{(Maximum Value)}$$

$$\sum_{x=0}^{x \to \infty} \text{Risk Exposure}_{\min} = \sum_{x=0}^{x \to \infty} 0 \cdot L(UO) = 0 \quad \text{(Minimum Value)} \qquad (3.3)$$
Therefore, given the range of values of probabilities from zero through to a unit (1) it can be reasoned that the total risk exposure is equal to or less than the sum of the total magnitude of loss as a result of undesirable outcomes, illustrated by the next equation below. The maximum value is, theoretically, infinite.
At one selected point in time,
$$\sum_{x=0}^{x \to \infty} \text{Risk Exposure} \le \sum_{x=0}^{x \to \infty} L(UO) \qquad (3.4)$$
This equation is significant as it describes the relationship between the total risk exposures in an ITO exercise relating to the maximum possible risk exposure values. There is an element of time, in combination with multiple values of loss as a result of risk. An infinite value of total risk exposure is mathematically possible but, practically, is also improbable. By implication, therefore, there must also be a finite number of influences and risk elements that are experienced in an ITO exercise at any single point in time. An infinite number, although theoretically possible, implies again an infinite risk exposure value – a subject for another book. The risk exposure would otherwise have no theoretical limit, i.e. infinite value represented by:

$$\sum_{x=0}^{x \to \infty} L(UO) \qquad (3.5)$$
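As an added worked example (not from the book), the following Python applies equation (3.1) to a constructed register of risk elements classified by risk dimension, checks that the total stays within the bounds of (3.3) and (3.4), and flags the almost dormant elements; the dormancy threshold and all register values are assumptions.

```python
from dataclasses import dataclass

# Assumption (not from the book): Pr(UO) below this is "almost dormant".
DORMANT_THRESHOLD = 0.01

@dataclass
class RiskElement:
    dimension: str   # risk dimension (category) the element falls into
    name: str
    prob: float      # Pr(UO): probability of the undesirable outcome
    loss: float      # L(UO): magnitude of loss, in the exercise's own unit

    def __post_init__(self):
        # Pr(UO) lies between zero (no chance) and full probability (certainty).
        if not 0.0 <= self.prob <= 1.0:
            raise ValueError(f"{self.name}: Pr(UO) must lie in [0, 1]")

    def exposure(self) -> float:
        # RE = Pr(UO) x L(UO), one individual risk exposure element.
        return self.prob * self.loss

def total_exposure(elements) -> float:
    # Equation (3.1): total exposure is the sum of the individual elements.
    return sum(e.exposure() for e in elements)

def exposure_by_dimension(elements) -> dict:
    # Classifying by dimension does not change the total: the sums add up.
    totals = {}
    for e in elements:
        totals[e.dimension] = totals.get(e.dimension, 0.0) + e.exposure()
    return totals

def exposure_bound(elements) -> float:
    # Equations (3.3)/(3.4): the maximum M is reached only when every
    # Pr(UO) = 1, so total exposure never exceeds the sum of the losses.
    return sum(e.loss for e in elements)

def dormant(elements, threshold=DORMANT_THRESHOLD) -> list:
    # Elements that seldom become manifest (right-hand side of Figure 3.4).
    return [e.name for e in elements if e.prob < threshold]

# Constructed sample register for one point in time (illustrative values).
SAMPLE = [
    RiskElement("financial", "hidden transition costs", 0.30, 200.0),
    RiskElement("financial", "currency movement", 0.10, 50.0),
    RiskElement("operational", "service degradation", 0.25, 120.0),
    RiskElement("operational", "vendor lock-in", 0.60, 80.0),
    RiskElement("legal", "contract dispute", 0.05, 300.0),
    RiskElement("legal", "regulatory change", 0.005, 400.0),
]
```

Recomputing the register at successive points in time gives the dynamic total exposure the text describes, while the bound from (3.4) stays fixed as long as the loss magnitudes do.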
In the next section, the possible values for the risk elements are discussed, these values being based on the assumption just made.
3.5 Examples of risk management models
There are numerous risk assessment and risk management models. Two extensively used examples are illustrated here to show the commonality of some of their components. The first example is the model used by the US Government Accounting Office for the management of IT risk (US GAO, 1999). A sample risk management programme is illustrated in Figure 3.5.
This model involves an iterative loop that starts with risk assessment (the upper box in Figure 3.5).
[Figure 3.5: an iterative loop of four boxes: Assess risk & Determine needs; Implement Policies & Controls; Promote awareness; Monitor & Evaluate.]
Figure 3.5 Sample risk management model (Source: adapted from the US Government Accounting Office (GAO) document GAO/AIMD-00-33 Information Security Risk Assessment, 1999.)
Risk assessment involves identifying possible risks and determining the needs of the particular situation wherein the risk management methods are used. The process then continues with implementation of policies and controls, followed closely by the promotion of awareness of the same risks within the working group or organization. Both awareness and policy actions will be targeted towards mitigating the effects of the risks, should they occur. In an ITO exercise, the same risk assessment and management model is applied. The model assumes that the risks experienced in the exercise are mitigated through a series of actions.