Chap-03.qxd 3/1/05 12:31 PM Page 89
Measuring Risks in IT Outsourcing
is to equate it to the variance of the distribution of outcomes.
The extent of the variability in results (whether positive or negative) is the measure of risk. Risk is sometimes also defined as the volatility of a portfolio of activities and its value. This technique is borrowed from the area of finance where ‘the highest expected return for a given level of risk, and the lowest level of risk for a given expected return’ applies (Schirripa and Tecotsky, 2000). Here, risk exposure is also defined as both a loss and a probability function.
Another variant in the perspective of risks from these definitions and arguments is the popularized and widely used balanced scorecard proposed by Norton and Kaplan (1996); four risk ‘perspectives’ are derived: financial, customer, internal and innovation and learning risks. Similarly, additional risk sets or types of risks that affect inter-organizational information systems (IOIS) include technical, asset, organizational, and environmental risk. There are project, capability, financial, and maintainability risks, caused by a variety of technical, organizational, and environmental factors (Sherer, 1995). These risk sets then extend to more subtle risk sets.
For the purposes of this exercise, a hybrid meaning in the grouping of risks is used. The concepts described here are adapted with input from the various other perspectives discussed. As the risks and risk exposure information will be collected and measured, the term ‘risk dimension’ more accurately depicts the new meaning and intention. A risk dimension will show a grouping of risks with similar business function and expectation of loss. The following provides descriptions of the risk dimensions that will be used (see also Table 3.2).
Technical risk (C1 in Table 3.2) is a combination of risks resulting from the use of technology. Besides the characteristics listed in Table 3.2, other possible losses in this area could derive from interconnectivity problems and as more open systems are developed, key technical risks arise from security issues.
A major category of risks is in the Financial dimension (C2 in Table 3.2). The losses occurring as a result of poor planning and experience are major contributors to losses in this group when outsourcing the IT function. To guard against variation clauses in outsourcing contracts, specialized techniques are employed including the use of instruments like additional resource charges (ARCs) and reduced resource charges (RRCs) to accommodate fluctuations in demand from that specified in the capacity plan. This leads to the next risk dimension.
89
Chap-03.qxd 3/1/05 12:31 PM Page 90
Managing the Risks of IT Outsourcing
The use of agreements and legal instruments is designed to mitigate risks along most of the risk groups. Legal risks (C3 in Table 3.2) themselves, however, are significant as a result of increasing use of agreements and contracts.
Operational risk (C4 in Table 3.2) includes possible losses in operations when the supplier takes over responsibility for the outcomes. It is typical for the risks in this dimension to be ‘passed on’
from the buyer to the supplier organization when the outsourcing contract is activated. The shifting risk has been described earlier.
Outsourcing involves a close partnership between two or more organizations. Business risks (C5 in Table 3.2) arise from the relationship between the partners operating in an environment where there is also interaction between other competing organizations, threat of substitute products, competitive barriers to entry and exit, and competitor rivalry. Environmental risks (C6 in Table 3.2) are closely related to the business risks and become manifest as a result of factors external to the organization. Environmental risk includes dependence risk, where one organization becomes dependent on another that attempts to change the terms of the contract or fails to perform adequately, and competitive risk, where one organization attempts to ‘steal’ competitive information from another. With more-open systems in rapidly changing environments and the use of information technology’s monitoring capabilities, dependence risk will decrease. However, competitive risk will become more significant as functionality and accessibility of shared information increases.
Informational risk (C7 in Table 3.2) is very significant when the IT function is outsourced. The worst-case scenario would be a complete loss of the organization’s information. Other losses are incurred as a result of inaccurate or insufficient information when a third party manages the IT function.
Finally, the strategic risks (C8 in Table 3.2) involve tactical mistakes made by the organization in outsourcing the IT function itself. An example of a significant tactical mistake would be when a supplier organization begins to ‘leak’ sensitive information relating to the organization to the latter’s competitors. The outsourcing of the data component and the selection of the supplier are the tactical decisions made that resulted in the loss.
Risks are associated with all forms of outsourcing decisions. The risk ‘signature’ for the buyer of outsourcing services is larger than that for the supplier in the majority of cases. The risk profile reflects the importance of the relationship and the sharing of the 90
Chap-03.qxd 3/1/05 12:31 PM Page 91
Measuring Risks in IT Outsourcing
risk profiles. While significant client/external service provider (ESP) interdependency is not in itself a risk, the risks to the client organization may increase when disagreements emerge about the provision of outsourcing services. To the extent that some large-scale IT sourcing deals are successful, others are less so. Service level agreements (SLAs) and other forms of service contracts specify a series of measurable activities that suppliers provide.
Outsourcing can generate new risks, such as the loss of critical skills or developing the wrong skills, the loss of cross-functional skills, and the loss of control over suppliers. Also, outsourcing has led to a loss of skills and corporate memory. These risks are especially pertinent when the supplier’s priorities do not match the buyer’s requirements. Short-term contracts, based on the principle of the lowest winning bid, stifle incentives to innovate because rewards for innovation cannot be secured by the supplier.
3.11
Constructing the signature
The eight risk dimensions shown in Table 3.2 are proposed as the starting point, for the majority of ITO projects, to analyse the basic risk sets that will be used to construct the risk profile. Each time these dimensions are used, they should be reviewed and analysed for relevance and accuracy. This exercise should always be done, especially if the organization in question is from another industry or the scope of the IT function being outsourced is different. The risk profile would illustrate all the risk dimensions (comprising the total risk exposure for the outsourcing exercise) on one diagram.
3.12
Graph types
To do this, several options and visualization techniques were reviewed including the star graph, radar plot and stereo-ray glyphs of Carr and Nicholson (1998). The star plot, for example, was tested as a means of showing multivariate visualization or risk dimensions in which the multiple measurements of risk exposure would be plotted on equally spaced radii extending from the centre of a circle and linked to form a star. In the radar plot, these radii also represented the value of the measurement.
In this instance, however, each radius stands for a risk dimension instead of a variable. The risk (dimension) response, the risk exposure on each variable, is displayed by points of different shapes or colours, or both.
91
Chap-03.qxd 3/1/05 12:31 PM Page 92
Managing the Risks of IT Outsourcing
The risk exposure values in Table 3.3 and Figure 3.7 are re-plotted using the radar graph in Figure 3.9. The risk profile now describes the risk exposure along multiple axes representing risk dimensions. The resulting risk profile illustration is unique for an ITO
project at any given point in time. For reference, this profile will be called the ‘risk signature’ (see Figure 3.9).
Risk exposure
Transition/Management costs
30
25
Hidden costs
Lock-in
20
15
10
5
Loss of organizational
0
Contractual amendments
competencies
Figure 3.9
The risk signature
Increased cost of services
Disputes & Litigation
or radar plot of risk
exposure with
Service debasement
reference to Table
3.3 and Figure 3.7
The risk signature illustrates the sum of all the risk exposure values derived from the tools previously proposed. What was not obvious through the linear diagrams (Table 3.3 and Figure 3.7) is more easily observed with the multivariate graph. The area bounded by the curve in Figure 3.8 will therefore also represent the total risk exposure experienced by the organization at that point in time.
An assessment of the overall risk exposure along each of the eight risk dimensions would allow the changes in risk exposure along one dimension (a group of risks with similar characteristics) to be manifested on another dimension. This will prompt answers to questions such as, ‘What are the effects of reducing the risk of transition costs5, for example on the risks in organizational competencies through more attention to the skills being outsourced?’ or ‘What are the effects of reducing the risk 5 Where transition costs are the costs that are incurred at the time the supplier takes over the IT outsourcing function
92