Managing the Risks of IT Outsourcing
like outdated technology skills, loss of innovative capacity and technological indivisibility. As each risk group is mapped against the elements shown in Table 3.1, the accuracy of the risk groups is verified. For each risk group proposed, each of the risk elements is cross-checked against the others. This approach assists in quickly identifying possible risk groups or dimensions. There is only one checkpoint for the business risks category. The data here suggest that this category would capture the
‘other’ risk factors that would arise in the data collection of risk elements.
The same risk elements, once identified, enable actions to be taken that mitigate risks. This adds a focus to the possibilities of failure on the decision on whether to outsource or not. The risks of not outsourcing, interestingly, carry similar risk factors. The focus is on the risks of outsourcing of the IT function. These risk areas can also be mapped into the categories or dimensions proposed in Table 3.1.
Risk categories and risk types vary between projects. In another project for example, ten groupings of risk identified were financial, technical, project, political, contingency, non-use, internal abuse, external abuse, competitive, reputation, and governmental. These risk groups are, again, collections of risk elements of similar nature. In this example ideas of possible trade-offs between the risk areas or groups was raised. This is an important assumption that is carried forward in the development of the interrelationships between such risk groups. These groups can be mapped into the eight that have been proposed in Table 3.1.
In considering the risk dimensions, the ability to predict and anticipate an undesirable event occurring is important since the consequences of this event are irreversible. Proactive action can be taken by focusing on the data that are used to determine the events or activities that influence these probabilities. For example, by choosing a reputable supplier, the outsourcing project has a lower probability of failure.
Technological newness, application size, lack of expertise on the part of the software development team, application complexity, and organizational environment have been contributory events to the possible failure of software development. The extent of influence of each event in a software project will contribute to the increased probability of the occurrence of an undesirable outcome (that is, project failure).
84
Chap-03.qxd 3/1/05 12:31 PM Page 85
Measuring Risks in IT Outsourcing
3.10
Visualizing risk patterns from
arbitrary risk dimensions
The task of presenting the risk data in a meaningful and easily understandable format needs to be addressed to assess the risk profile. To do this, the information on the probability and risk exposure form data points that are plotted along multiple risk dimensions.
Linking risk dimensions with operational and relationship risks
A summary of the risk dimensions based on previous work in the area of unwanted outcomes is then distilled down to costs and changes in scope, which leads to the following eight risk groups along three risk dimensions (i.e. financial, operational and legal) proposed in Table 3.2.
Table 3.2
Proposed risk groupings for IT outsourcing based on evidence of loss as a result of risk elements described in this section
Dimension
Description
Characteristic
Influence
C1
Technical
Possible loss from the use of existing and new technology Internal
– Complexity of the new and emerging technology and interfaces
– Uncertainty
– Technological discontinuity
– Task complexity
C2
Financial
Possible loss from unbudgeted events
Internal
– Lack of experience and expertise of the enterprise with the activity
– Lack of planning and inaccurate budgeting
– Uncertainty
C3
Legal
Possible loss from legal disagreements or legal challenges External/
– Lack of experience and expertise of the enterprise internal
with the activity
– Lack of experience of the client with outsourcing
– Uncertainty about the legal environment
C4
Operational
Possible loss from poor operations quality or mishap Internal
– Lack of experience and expertise of the client with contract management
– Measurement problems
– Lack of experience and expertise of the supplier with the activity
continued
85
Chap-03.qxd 3/1/05 12:31 PM Page 86
Managing the Risks of IT Outsourcing
Table 3.2
continued
Dimension
Description
Characteristic
Influence
C5
Business
Possible loss from adverse changes in business External
– Asset specificity
– Small number of suppliers
– Scope
– Interdependence of activities
C6
Environment
Possible loss from factors external to organization External
– Measurement problems
– Lack of experience and expertise of the organization and/or of the supplier with OS contracts
– Poor cultural fit
C7
Information
Possible loss from insufficient or inaccurate information External
– Interdependence of activities
– Lack of experience and expertise of the supplier with the activity
– Supplier size
– Supplier financial stability
– Measurement problems
– Task complexity
C8
Strategic
Possible loss from errors in direction or tactical mistakes Internal/
– Loss of organizational competency
external
– Scope
– Proximity of the core competencies
– Interdependence of activities
Financial risks
1. Management costs (unbudgeted/unbudgetable transition costs) 2. Lock-in (switching costs)
3. Hidden costs (uncertainty and absence of complete information) 4. Increased cost of services.
Operational/Legal risks
5. Contract amendments
6. Disputes and litigation
7. Loss of competency(ies)
8. Service debasement.
Illustrating risk exposure
In this example, taking the eight risk groups proposed and illustrated in Table 3.2, and values for the probability of an undesirable outcome as well as loss due to the undesirable outcome, we derive the sample data illustrated in Table 3.3.
86
Chap-03.qxd 3/1/05 12:31 PM Page 87
Measuring Risks in IT Outsourcing
Table 3.3
Sample data for measurement of risk exposure Transition/Management costs
Lock-in
Contractual amendments
Disputes & Litigation
Service debasement
Increased cost of services Hidden costs
Loss of organizational competencies
Risk exposure
14
18
29.25
27.5
21
19.2
28.8
24.5
Probability 2.8
4.5
6.5
5.5
3.5
4
6
7
of undesirable
outcome
Loss due
5
4
4.5
5
6
4.8
4.8
3.5
to undesirable
outcome
Adapted from Aubert et al., 1998, with arbitrary values for Probability and Loss Magnitude in this example Each risk group carries information on risk exposure. The risk exposure comprises elements of the probability of undesirable outcomes (on a probability scale) and the magnitude of losses (on a financial scale) owing to undesirable outcomes. Using the relationship equation defined earlier (i.e. the product of the probability and loss magnitude) the risk exposure values in each of the risk groups can be plotted (see Figure 3.7).
Risk exposure
7
6
5
4
Figure 3.7
3
Risk exposure as
2
Loss (UO)
a function of the
1
Pr (UO) and Loss
0
0
1
2
3
4
5
6
7
8
(UO). (With values
Pr (UO)
from Table 3.3.)
The graph in Figure 3.7 illustrates the risk exposure as defined by the example scenario described. In this example, if the loss due to the undesirable outcomes were held constant but probabilities (other than the maximum and minimum value) were reduced to 1 (or 10%), then the effects of the shape of the curve as a result of reduced risk exposure would be that shown in Figure 3.8.
87
Chap-03.qxd 3/1/05 12:31 PM Page 88
Managing the Risks of IT Outsourcing
Risk exposure
Original
7
6
Lower
Figure 3.8
5
risk
curve
As risk exposure
4
reduces, the graph
3
indicates changes
Loss (UO) 2
Lower risk
(in the direction of
1
the arrows) inwards
0
the lower left corner
0
1
2
3
4
5
6
7
8
Pr (UO)
of the chart
As risk exposure values change, different methods are used to manage the risks that occur. These methods make use of the information (see Figure 3.7 and Figure 3.8) from this framework to measure and illustrate the changes before and after management actions have been taken.
The common method used for representing multivariable data via two-dimensional charts illustrates key movements of risk exposure along the key dimensions. A possible limitation here is the ability to illustrate risk movements along the key groupings of risk. The accuracy of the data that describe the risk exposure as a result of the difficulties in measuring probability and loss magnitude also affects the results. By collecting the risk elements into groups or risk dimensions, the qualitative examination of the risks include, rather arbitrarily, the collective risks along any one grouping. This is not to say that the accuracy of the results has improved. By grouping the risks, the errors are also grouped.
The shape of the ‘curve’ formed by the graph is described as the risk profile. The term risk profile describes the unique shape or contour that is formed when the risk exposure data points are plotted. A new risk profile for the risks in the outsourcing exercise is observed when the risks are plotted against the eight risk dimensions in Table 3.2. The tool described then can be used to illustrate a risk profile at one point in time. This allows separate risk profiles to be compared.
Mapping possible risk dimensions
against the risk landscape
To establish the relevant risk dimensions for analysis, other perspectives of risk are reviewed. An alternative perspective of risk 88