loss of corporate information]’ or just ‘undesirable increases in operational risk’. Most important, and central to this environment, is the notion of risks introduced in Section I of this book.
Prelims.qxd 3/1/05 12:29 PM Page xvi Preface
Operational risks are transferred away when the IT function is outsourced, but other risk types that were formerly dormant become active and, in addition, new risks are introduced. This new uncertainty and risk has deterred many organizations considering IT outsourcing. A tool is introduced in Section II of this book that may help alleviate some of this anxiety. The tool is used in conjunction with existing risk frameworks to improve the management of risks in this environment.
Risks have seldom been addressed directly. The importance of risks, however, highlights a shift in emphasis that has taken place, as there is a realization of the significance of quantifying and understanding risks in an IT outsourcing exercise. For example, there is a grossly uneven experience level (experience of an IT outsourcing exercise) between the supplier and buyer that skews advantage toward the supplier. In response, it is important that participants in an IT outsourcing exercise understand and anticipate changes in the behaviour of activities that can cause harm (risks) within the complex and often inexact environment of IT outsourcing. This is illustrated in the case study in Section III of this book.
A supplier is often loath to share proprietary material and experience, possibly because of a fear that its competitors would take advantage of the way it manages its risks. As a result there are few, if any, publicized or ‘shared’ attempts to address the area of risks in an IT outsourcing exercise for the supplier. Buyers that need this information are not able to easily obtain it without first engaging with an outsourcing services supplier. Then again, it is the supplier that takes on the operational risks in an IT outsourcing exercise. The supplier is able to manage risk exposure, especially in the operational risk dimension, better than the buyer given its focus and dedicated resources on the IT function. So the argument continues.
This book focuses on both the supplier and buyer of IT outsourcing services. It guides the reader through the creation of risk profiles for both these entities; these profiles are of equal importance for a successful IT outsourcing contract and arrangement. The ‘risk dimension signature’, or RDS¹ instrument introduced in this book, can be deployed quickly as a tool to depict the complex risks in any IT outsourcing environment in a simple, graphical way for both the buyer and supplier. This is used in conjunction with the more tried and proven risk management approaches.
¹ The acronym for the risk dimension signature (RDS) used throughout this book should not be confused with the neonatal respiratory distress syndrome (RDS), also called hyaline membrane disease, which is discussed in the area of healthcare risks.
Readers will find that many concepts introduced with the RDS build on some of the new concepts and ways of measuring risk, which are explained in Section I. Sample approaches and instruments are mentioned as complementary tools that support the RDS. The RDS may then be used as a tool to ensure equal distribution of risks between the buyer and supplier in the IT outsourcing exercise.
Foundational concepts and terms used in IT outsourcing are explained in Section I ‘Selected terms in the language of IT outsourcing’. This exercise establishes a common baseline for readers from various backgrounds, and serves to highlight nuances in the terminology, which can be quite confusing at times. With this as a background, a simplified risk measurement and management approach called the ‘Measure, Understand and Mitigate’, or MUM method in this book, is introduced in Sections II and III.
This provides a framework for the reader to quickly capture and proactively manage risks in the IT outsourcing environment. The mathematical equations introduced in Section II represent the computation of simple risk exposure (RE). There has also been a very conscious effort to avoid the use of more complex equations, but readers who are so inclined are encouraged to extend these concepts further with the author. The three sections of the book are intended to introduce the reader methodically to some of the key concepts of managing risks and, importantly, to introduce the new instrument for representing the range of risks in the IT outsourcing environment. Chapter 8 provides the reader with a ‘walk-through’ of a live example of an IT outsourcing exercise. Many of the concepts introduced in the book are referred to and used in the case study. With this, it is hoped that the reader is able to use the basic concepts to build better risk mitigation frameworks and enjoy more fully the concept and benefits of outsourcing.
IAN THO
Chap-01.qxd 3/1/05 12:29 PM Page 1
Section I
Language of IT Outsourcing (ITO)
1 Common terms and concepts used in outsourcing
All colours will agree in the dark.
Francis Bacon (1561–1626)
English philosopher, statesman, and lawyer
The information technology (IT) function is multifaceted and complex. This complexity increases as components and infrastructure built using new technology advance at a dizzying pace. The rate of adoption of new technology to enable organizations’¹ business processes to be differentiated from those of the competition, and, ultimately, to deliver products and services to customers, is just as feverishly brisk. IT components are, in addition, pervasive, and have become a mandatory function in most business operations.
As organizations realize the need for the IT function, they are faced with a new problem, i.e. the increasing challenge of maintaining a fully operational IT function within the organization.
This is challenging because the IT function is often not a core function and continues to distract organizational activities from a main focus. Outsourcing the IT function then becomes a tantalizing prospect, which allows organizations to maintain a fully operational IT function that will have predictable outcomes and costs and that will allow them to maintain a focus on core business operations. Allowing a third party to maintain the IT function solves the difficulty. Or so it seems.
When the IT function is combined with outsourcing activity, the risks that are introduced form a new set of risks (or risk profile), one that is rarely observed in any other environment. For example, in this situation, elements of agency theory are observed where two entities (the buyer and supplier) are contracted in an environment where there is a complex combination of tasks. This gives rise to organizational and environmental risks that are often neglected in performance measurement or payment schemes. The interaction of the environment and various factors external to either the buyer or the supplier also contributes to this complexity because of the extended duration of the contract. This combination of factors provides for a risk profile that is constructed from multiple risk types.
¹ The term organization is used synonymously with generic terms like firm, enterprise, business, operation, establishment or company throughout this book.
Managing the Risks of IT Outsourcing
1.1 The need to manage risks in IT outsourcing
Managing the risks of IT outsourcing is a combination of the art of management and the science of measuring an indefinite event, i.e. risk. Risks must never be ignored but addressed proactively to ensure that their effects are never realized. Managing risks in an IT outsourcing (ITO) exercise is, in addition, not a discretionary activity. The management of risks involves active steps to reduce, to acceptable levels, the probability of an unwanted event occurring. It also requires an overall understanding of the operations, the environment and the possible effects as various factors interact.
Despite the importance of risks, many managers have either no opportunity to consider risks because of more urgent operational concerns or little understanding of how to manage something that has not yet happened. In fact, many would consider it a waste of time because it is difficult to do. In addition, current methods are inadequate for guiding and evaluating the journey that these organizations must make when working on the long-term ‘deal’ with a supplier and vice versa. There are many risk management tools. There are, however, few if any that allow the manager to take a snapshot of risks that occur in his/her specific environment or project. And there are fewer tools available to allow the manager to forecast and predict the behaviour of risks in the ITO environment.
If there is so much consternation over the outsourcing of the IT function, why is there significant and growing evidence for the popularity of ITO? One reason is the overwhelming number of benefits that outsourcing offers to organizations that buy and use this concept (buyers) and others that offer it (suppliers). Before taking on the concept of risks in ITO, there are some key terms and concepts where common understanding must be established.