Chap-03.qxd 3/1/05 12:31 PM Page 75
Measuring Risks in IT Outsourcing
Risk management elements in this model include establishing a central management focal point, implementing appropriate policies and related controls, promoting awareness, and monitoring and evaluating policy and control effectiveness. After risks in an ITO exercise are identified, the appropriate monitoring and evaluation activities work in conjunction with the appropriate governance structures to manage risks. In a mature governance model, policies and controls can be implemented in order to streamline the tasks of risk mitigation.
The second model is used by the organization KPMG² and is published as its ‘risk maturity framework’. The activities and components are very similar to those of the previously mentioned US Government Accounting Office model. Both models contain elements of determination of risks, followed by measurement and monitoring, then a process for implementing controls and policies. The risk plan or strategy incorporates the overall organizational strategy, which encompasses all the steps outlined above.
Figure 3.6 Sample risk management model B (Source: adapted and simplified from KPMG Risk Management methodology [Donner, 2001]). The figure shows five sequential steps: Step 1, risk strategy; Step 2, risk structure; Step 3, risk measurement and monitoring; Step 4, risk portfolio management; Step 5, risk mitigation and optimization.
The model described in the framework proposed by KPMG appears to take on three active approaches. This includes the reactive, tactical and strategic stance that an organization can adopt as its risk management approach.
Each of these positions will have a plan or approach to risk management that includes the following:
● A risk strategy for associating and managing risks based on the organization’s business strategies.
● A risk structure that supports the risk strategy and provides for accountabilities in the structure.
² KPMG is an international professional services organization that provides risk advisory services.
● Measurement and monitoring that establishes measurement criteria and continuous improvement.
● Portfolio management for identifying, assessing and categorizing risks across the organization.
● Optimization to balance potential risks against opportunities within the established portfolio based on the organization’s tolerance for risks.
The two models describe a very similar methodology and approach to managing risk. The relationships between the various actions and risk-mitigating activity are monitored as a whole; the risk-reducing effects on one set of risks can often be observed to affect another set of risks. A key point raised by both is that the measurement and monitoring of risks against specific criteria form a central component of the risk management models.
The model by KPMG extends the ‘actions’ component by proposing three types of reaction to risk including reactive, tactical and strategic action plans. These plans, however, are all also dependent on the measurement of risks and risk exposure. The issues arising in the measurement of risks are illustrated in the following section.
3.6 Difficulties in measuring risks and risk exposure
Reliably assessing outsourcing risks can be more difficult than assessing other types of risks. The elements that contribute to the causes of risks are extremely variable in this environment.
Project requirements (IT), environment (people) and technology change more quickly in this environment than in any other, given the intensity of development in this area (see The role of IT in the organization, Chapter 2). This results in significant shifting in risk profiles for both the supplier and the buyer. The lack of reliable and current data makes outsourcing-risk estimates inconsistent. Risk controls and their extent are often also questionable for the same reason. Because of these limitations, it is important that organizations identify and employ methods that efficiently achieve the benefits of risk assessment while avoiding costly attempts to develop seemingly precise results that are of questionable reliability.
Risks in ITO are often neglected because the effects are not felt by the IT department or the designated area responsible for the operation of ITO. For example, financial risks are sometimes just ignored because the Accounting and Finance department is responsible. Environmental risks that include the effects of competitors, suppliers, and, simply, the operating environment, are also often not considered, simply because they are not included in the purview of the manager’s responsibility.
Risk factors are also constantly changing. In an ITO environment where technological change is very rapid and market volatility is high, efficient capacity planning and utilization of internal or fixed assets, for example, need a significant amount of organizational effort. When considering outsourcing elements of the organization, it is this very nature of the effects of risk that must be analysed to be understood and subsequently managed.
Delimiting all the ways the possible risks can occur is seldom easy, just as determining the probability of loss is not straightforward. The difficulties are often attributable to problems in obtaining accurate data on probabilities and costs associated with outsourcing risk factors.
The probability of occurrence of an undesirable outcome can be estimated on the basis of past performance characteristics of the risk element, or subjective probabilities already assessed.
However, in several areas, probabilities are impossible to assess on the basis of past performance. Consequently, risk assessment methods adopt the approach of approximating the probability of undesirable outcomes by identifying and assessing factors that influence their occurrence. In a software development context, for instance, factors belong to five broad categories: technological newness, application size, lack of expertise on the part of the software development team, application complexity, and organizational environment. The degree to which each factor is present in a software project will contribute to an increase in the probability of the occurrence of an undesirable outcome.
3.7 Measuring IT outsourcing (ITO) risks by group/category
There are various models and methods available for assessing and managing risks, as discussed previously. The scope of the analysis and the amount of resource to be expended varies depending on the type and extent of the assessment to be made.
The availability and reliability of data on risk factors and their effects also contribute to determining the type of risk analysis method to be used.
The basic concepts generally involve estimates of the monetary cost of the effects of risk and risk reduction techniques based on:
● the likelihood that a damaging event will occur (probability);
● the costs of potential losses (loss quantum); and
● the costs of mitigating actions that could be taken.
Reliable data on likelihood and costs are often not available and there needs to be a ‘feel’ of the risks involved as well as the extent of risk exposure that must be borne by the organization in the outsourcing exercise. A qualitative approach can be taken by defining risk in more subjective and general terms such as high, medium and low risk. In this regard, qualitative assessments depend more on the expertise, experience and judgement of those conducting the assessment. It is also possible to use a combination of quantitative and qualitative methods.
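As an added illustration (not from the book), the following register applies the three inputs just listed, probability, loss quantum and mitigation cost, to a handful of constructed ITO risks, falls back to the assessor's high/medium/low judgement where no reliable data exists (the combined method), and groups the result by risk category as Section 3.7 goes on to describe. The band thresholds, category names and all figures are assumptions chosen for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

@dataclass
class Risk:
    name: str
    category: str                 # risk grouping/dimension, e.g. "operational"
    probability: Optional[float]  # likelihood the damaging event occurs (0..1); None if no reliable data
    loss: Optional[float]         # loss quantum if the event occurs; None if no reliable data
    mitigation_cost: float        # cost of the mitigating action under consideration
    judgement: str = "medium"     # assessor's qualitative view, used when data is missing

def expected_loss(r: Risk) -> Optional[float]:
    if r.probability is None or r.loss is None:
        return None
    return r.probability * r.loss  # quantitative estimate: probability x loss quantum

def band(r: Risk, low_cut: float, high_cut: float) -> str:
    """Combined method: band by expected loss where computable, else by the assessor's judgement."""
    el = expected_loss(r)
    if el is None:
        return r.judgement
    return "high" if el >= high_cut else "medium" if el >= low_cut else "low"

def mitigation_worthwhile(r: Risk, residual_probability: float) -> Optional[bool]:
    """Mitigate when the cut in expected loss exceeds the mitigation cost; None if not computable."""
    el = expected_loss(r)
    if el is None:
        return None
    return (el - residual_probability * r.loss) > r.mitigation_cost

def exposure_by_category(risks, low_cut: float, high_cut: float) -> dict:
    """Group risks by category: summed quantified exposure, unquantified count, band tally."""
    out = defaultdict(lambda: {"expected_loss": 0.0, "unquantified": 0, "high": 0, "medium": 0, "low": 0})
    for r in risks:
        el = expected_loss(r)
        if el is None:
            out[r.category]["unquantified"] += 1
        else:
            out[r.category]["expected_loss"] += el
        out[r.category][band(r, low_cut, high_cut)] += 1
    return dict(out)

REGISTER = [  # constructed sample register; every figure is illustrative, not taken from the book
    Risk("Supplier misses helpdesk SLA", "operational", 0.30, 200_000, 25_000),
    Risk("Customer database exposed during migration", "operational", 0.05, 2_000_000, 60_000),
    Risk("Exchange-rate movement on offshore contract", "financial", 0.40, 150_000, 10_000),
    Risk("Supplier acquired by a competitor", "environmental", None, None, 0.0, "high"),
]
```

Calling `exposure_by_category(REGISTER, 50_000, 90_000)` shows the operational category carrying 160,000 of quantified exposure while the environmental risk stays unquantified but still counts as high on judgement alone.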
The grouping of risks into categories³ or dimensions is not a new concept. Risk grouping, or the classification of risks in a similar category, is routinely applied and is an integral part of the insurance industry for the purposes of quantifying risks and subsequently defining the insurance premiums to be charged.
Actuaries use risk classification to price and design financial security systems. The concept of representing and illustrating the effects of risk in an exercise to outsource the IT function is a derivation of this idea. Risk grouping has the intention of placing individual risks bearing reasonably similar expectations of loss in a group or class of risks. This exercise estimates risks from probabilities associated with the occurrence, timing and magnitude of events using concepts borrowed from the insurance industry in its classification of risk profiles.
The term causality referred to above is not used in the strictest or rigorous sense of cause and effect, but in a general sense, i.e.
where there is a plausible relationship between the characteristics of a risk grouping and the hazard for which an outsourcing activity or task is provided. For example, outsourcing the maintenance of the customer database would not by itself cause loss of privacy or data, but it does bear a reasonable relationship to the risk hazard of operational risk, and thus would be a reasonable basis for grouping risks for the outsourcing of the IT function. The concept is nevertheless important when considering the individual elements of risk categories (see also the Case Study example in Chapter 8).
³ American Actuarial Standard of Practice (ASOP) No. 12 (1990), Concerning Risk Classification, Actuarial Standards Board (ASB), 15 January 1990.
Considering types of risk will help in classifying them into groups (i.e. categories or dimensions) as a method of quantifying, reducing or simplifying the many risks in any particular outsourcing arrangement. This is not to say that risks are going to be ‘boxed’ or can be encapsulated into categories, as this would be grossly misleading. The intention, however, is to be able to simplify the understanding of all of the risks that occur during the different phases of an ITO exercise in order to be able to manage, manipulate and reduce the effects of risks. By classifying risks in specific groupings, the risk landscape will be more easily understood.