3.8 So why group risks?
It is both impossible and unnecessary to predict what the experience would be for individual risks in all activities concerned in the outsourcing of the IT function. There are a finite number of risk elements that contribute to the total risk exposure in an ITO exercise. In addition, if the occurrence, timing and magnitude of an event were known in advance, there would be no economic uncertainty and therefore no reason for management of uncertainty. Predictions of risk experience in ‘groups or classes of risk’ provide a sufficient compromise, as data on experiencing individual risk elements are not deemed to be accurate.
Associating similar risk types
Estimates are typically made through the use of past experience, coupled with projections of future trends, for groups with similar risk characteristics. The grouping of risks with similar risk characteristics builds and maintains an equitable system regarding the pricing system that determines insurance premiums.
This concept of grouping of risks to determine averages and the application of these averages is also used to classify risks in the determination of risks for the outsourcing of the IT function.
A difficulty in risk classification derives from trying to handle issues of ‘fairness’ and ‘similar risk characteristics’. The assumption, based on experience, is that every outsourcing activity, individual, business (even within one industry group), and outsourcing contract is unique. This makes any particular risk classification process unworkable to the extent that the risk classification process attempts to identify and measure every characteristic of every activity engaged in by the organization.
Managing the Risks of IT Outsourcing
On the other hand, as there are differences in risk characteristics between contracts and between businesses that bear significantly upon cost, to ignore all such differences would be ‘unfair’. These issues compound the difficulty surrounding risk classification as it is not clear where lines should be drawn.
Evaluating over time
Defining the uncertainty of an occurrence and of its timing, and of the magnitude of a particular event, albeit in this process with a price peg, does not make the unquantified known; nor need it. By outsourcing the IT function, the organization assumes the financial uncertainty. It is not able to ‘fix’ the occurrence or the magnitude of a specific risk merely because it assumes that risk. With a price tag on risk, it would be easier to make decisions during the process of evaluating options in the outsourcing exercise. One way to estimate a price is to rely exclusively on heuristics, i.e. experience, insight and judgement concerning the nature of the particular hazard involved and the exposure to loss. This method is not optimal but reveals the ‘recentness’ of the concepts in complete outsourcing of the IT function (historical data are scarce, and often do not even exist). A more critical approach would be, theoretically, to observe the actual losses associated with the risk over an extended period of time. The nature of the risks identified here is unique. Hindsight often suggests there is little or no cost as the individual risk within the IT environment moves to a likely or even certain eventual realization. Hazards change so rapidly over the period of observation that the information obtained by past observations may not be applicable to the current or future exposure to financial uncertainty. The development of IT and the changing nature of this industry are a subject of a separate discussion.
Considering risk characteristics and focus
An alternative method of grouping risk would be to observe the losses associated with groups of individual risks with similar characteristics, which frequently can be done over a more acceptable period of time. The notion of risk groups is identified with this concept. While any individual risk in a given class is no more predictable than it was before the transferring or pooling of the risk occurred, a reasonable price may be established by observing the losses of the group of risks and relating the price to the average experience of the group. Perfect conditions are seldom achieved. The risk characteristics defined here hence reflect both observed fact and informed judgement. The method used to collect data on the probability and magnitude of loss is described in the next chapter.
Measuring Risks in IT Outsourcing
Risk classification
Risks encountered in the outsourcing of the IT function and their effects on the organization such as higher cost levels, degraded service levels and loss of expert resources have been identified from past experience and discussed in various formats as well as in the literature. It is recognized that the probability of occurrence and loss resulting from the undesirable outcome can be effectively mitigated by early identification of the risk areas and formulating specific strategies. Risk mitigation therefore actively seeks to reduce undesirable consequences by implementing risk-reducing measures and disaster-recovery plans already in place for rapid deployment.
Insurance, for example, is commonly used to mitigate the economic uncertainty associated with chance occurrences. ‘Insurance exchanges the uncertainty of the occurrence, the timing, and the financial impact of a particular event for a predetermined price.’ (Actuarial Standards Board, 1989; American Academy of Actuaries, 1980, p. 2.)
Risk classification is used to group individual risks having reasonably similar expectations of loss. It is important to note that the determination of an average experience for a particular class of risk is not the same as predicting the experience for an individual risk in the class. It is not humanly possible and is, arguably, unnecessary, to predict experience for individual risks. In this exercise, the risk groups or classes occurring in the outsourcing of the IT function are brought together. Observations of interaction between the risk groups are then used to derive strategies for maintaining an ‘equal’ risk profile based on acceptable levels of risk or acceptable tolerance levels for the particular exercise.
The classifications of risks are used to illustrate, for example, the risk groupings and negotiation strategies between the buyer and supplier. Information on the interaction of risk groups becomes input for the initial decision to select a suitable outsource supplier. It is also important that this information is available for decisions on ongoing governance of the ITO arrangement. A point of equilibrium in the risk profiles is sought. In this exercise, the organization’s tolerance for risk and compromises can then be supported by a set of tangible risk profiles, which are discussed in this chapter.
3.9 Identifying risk groups for IT outsourcing (ITO)
If risks are to be grouped, the next task is to identify the risk groups that should be used. Although the risks identified in the previous section specifically address some risk areas, larger risk groupings have been identified through the use of subject headers such as financial, business, technical, strategic, operations, and political areas of risks (DiRomualdo and Gurbaxani, 1998).
The risk groups observed earlier can be classified under financial risk and operational risk types. Business, strategic, and political risks have involved new business start-ups, process re-engineering, refocus on the client’s core competencies, assistance in managing mergers or globalization, and diminishing the often political debates about new IT projects (Sobol and Apte, 1998). The technical risks commonly offered have included access to expertise, improved services, new technologies, and technological innovation (Kern and Willcocks, 2001). The risks often accompany benefits in similar situations and similar areas.
For use in an ITO project, for example, a list of risk categories will be determined. This list is specific to and characteristic of the ITO project. Risk profiles of all ITO projects differ. The approach normally used is to group risks by proposing frameworks that segment the types of ITO-related risk for analysis (Clemons, 1995; Earl, 1996).
Recommended risk groups/dimensions
A common set of eleven risk elements, or areas that are most exposed or prone to undesirable outcomes, was used. These areas appear in the majority of ITO projects; they are listed on the left of Table 3.1. For the purposes of describing the risk groups accurately, the term risk dimensions is used.
Along with these risk elements, the risk groups[4] are arranged in a matrix. The technical risk group, for example, covers elements
[4] Which can also be called risk categories or risk dimensions, with synonymous meaning.
Table 3.1 Example of mapping risk elements into categories or dimensions (Tho, 2004)
Risk categories/dimensions: Technical, Financial, Legal, Operational, Business, Environmental, Information, Strategic
Risk elements (Source: Earl, 1996):
Possibility of weak management ✓
Inexperienced staff
Business uncertainty ✓ ✓ ✓
Outdated technology skills ✓ ✓ ✓
Endemic uncertainty ✓ ✓ ✓ ✓
Hidden costs ✓ ✓ ✓
Lack of organizational learning ✓ ✓
Loss of innovative capacity ✓ ✓
Dangers of eternal triangle ✓ ✓
Technological indivisibility ✓ ✓
Fuzzy focus ✓ ✓ ✓ ✓