Chap-03.qxd 3/1/05 12:31 PM Page 93
Measuring Risks in IT Outsourcing
exposure to disputes and litigation if we paid more attention to the services (increasing the relatively low risk on costs of services)?’
In the case of a reduction in risk exposure, the area enclosed by the curve would simply decrease proportionately. The risk exposure of transition cost escalation for example is not nearly as high as that for contract amendments of loss of organizational competencies. The graph shows the frequencies of data series relative to one another. The correlation of one dimension to another is also visible, i.e. where there is a relationship between the risk dimensions.
Three methods can be considered for preparing the scales along each of the axes on the graphs as the data on risk exposure are captured. These options are measurement in categorical, in rank-ordered and in continuous format.
Categorical scales on the axes
When the categorical scales (or nominal scales) are used to quantify the risks, the values in each dimension are taken by tallying up the numbers along each of the risk dimensions. For example, the values are made up of two components, i.e. high- and low-risk items. Other variables with more than two categories including medium–high, very high, medium–low and very low, are also plotted on the categorical scales. This method provides an illustration of the risk profiles. It may be too inaccurate to indicate changes in the risk profile/signature as a result of changes made in the outsourcing exercise. To be of any use, the risk profile requires more-accurate readings to allow a meaningful analysis of changes in risk and for a comparison of different profiles.
Rank-ordered scales on the axes
The second method uses rank-ordered scales (or ordinal scales), which quantify each dimension by giving each data point a rank. For example, the eight dimensions might be ranked from 1 to 8 in terms of order of risk severity. The dimensions would be ranked 1st, 2nd, 3rd, 4th, etc. in a rank-ordered scale. This option would serve to provide relative risk weightings of the individual dimensions in terms of criticality and need for attention. This would be used to prioritize management attention along the dimensions but is not useful in the examination or comparison of the different profiles. Data on the relative weightings may then be collected from interviews with individual personnel involved 93
Chap-03.qxd 3/1/05 12:31 PM Page 94
Managing the Risks of IT Outsourcing
with the outsourcing exercise. There is little consensus, however, with regard to the relative weighting of each dimension.
Likert scales on the axes
The third method uses continuous scales, which quantify the qualitative assessment risk severity at equal intervals along a 5-point yardstick. The scale information would be scored against the criteria as follows:
No risk
1
Little risk
2
Expected risk
3
High risk
4
Very high risk
5
Unacceptable risk 6
The Likert scale, with a numeric index of 1 to 6 based on an empirical severity of the exposure to risk, was used. A ‘1’ would represent no risk, and a ‘6’ unacceptable risk. Given the subjective nature of the assessment, an even number has been allocated to the Likert scale to avoid ‘fence sitting’ and force the results of the evaluation to either side of the risk scale. This method of collecting data was the most effective. This is discussed further in the next chapter along with the methods employed to acquire the data for the risk signature diagrams.
3.13
IT outsourcing and the risk dimension
signature (RDS)
A ‘risk signature’, as defined previously, is derived from the pattern of risk exposure along the dimensions of an arbitrary eight risk dimensions that provides an intuitive interface to allow further assessment and analysis. The risk signature, comprising the risk exposure values along each risk dimension, also shows the total risk exposure experienced in the outsourcing exercise.
The characteristics of the risk dimension describe each risk dimension and the rationale for selecting the individual risk elements to be grouped into the risk dimensions. The ‘influence’ provides clues as to the origin of the causes, as illustrated in Figure 3.2.
Following the construction of the RDS, the risk profile needs to be illustrated and salient messages translated or understood.
This is the subject of the following chapter.
94
Chap-04.qxd 3/1/05 12:32 PM Page 95
4
The challenge of understanding risks
when outsourcing the IT function
Where observation is concerned, chance favours only the prepared mind.
Louis Pasteur (1822–1895), French scientist At an Inauguration lecture, Faculty of Science, University of Lille Digital tools magnify the abilities that make us unique in the world: the ability to think, the ability to articulate our thoughts, the ability to work together to act on those thoughts.
Bill Gates (1955–), US business executive
The risks that occur in an IT outsourcing (ITO) exercise are complex and understanding the interaction of risks after measuring the varieties of risks can be a daunting task. It is important for a manager in this situation, therefore, to be able to visualize (metaphorically) the intensity and range of current risks in order to effectively control activities and determine the outcomes. This involves the ability to understand risk exposure. To do so, it is necessary to be able to appreciate the quantitative nature of risks, compare risks (and changes) over time, observe risk patterns and then actively reduce the effects of selected risk elements. As has already been highlighted in Section I, many risks originate from failures to successfully monitor the relationship between supplier and buyer, the element of uncertainty in the IT function itself, the level of competitive importance that has been imposed on the IT function that is being outsourced, and the level of interconnectedness between the buyer and suppler organizations.
Risks in ITO are unwelcome. Risks represent the worst that could happen, especially when the benefits and reasons why an organization used ITO could be jeopardized or the success of the enterprise could be threatened. There would be a successful outcome when buyers of ITO services have the IT products and services delivered both on time and to budget. Likewise, suppliers want to deliver to the buyer’s expectations. Risks, therefore, are an inherent component of ITO and must be understood in order to be mitigated.
95
Chap-04.qxd 3/1/05 12:32 PM Page 96
Managing the Risks of IT Outsourcing
In this chapter, the notion of a ‘portrait’ of the risk landscape for the ITO exercise will be introduced from the RDS illustrations constructed in Chapter 3. The ‘risk portrait’ is a description of all the risks that are exhibited during an ITO exercise. It is displayed with the use of star graph, radar plot and stereo-ray glyphs. It can be used also as an instrument to illustrate complex risks. In a graphical format, the risk portrait communicates the risk complexity in a manageable format to the person working on risks in this environment. With this, the shifting of risks between supplier and buyer that was discussed previously in Section I can be observed with the oscillation between both buyer and supplier entities.
Also, in order to understand, manage and mitigate the complex and varied risks that become manifest, the concept of ‘grouped risks’ or ‘categorization’ is borrowed from the insurance industry in the formulation of its insurance products and premiums.
The ‘risk portrait’ introduced illustrates the changes in the nature and severity of risks, over time, as both the supplier and buyer of ITO services interact. To measure and show risk exposure, the risk categories are collected and assembled into risk portfolios that provide a set of comprehensive information on risks for both the supplier and buyer of ITO services. This notion extends further to enable the illustration and comparison of the various interactions or relationships between actions in a typical ITO scenario. It is shown that the information can then subsequently be used as a means to plan negotiations that aim to arrive at more-equitable ITO arrangements between the buyer and supplier organizations. This tool is called the risk dimension signature or RDS (Tho, 2003) (see below).
4.1
Interpreting the RDS
A risk signature can also be construed to mean a particular risk profile that is created using a number of different methods. To differentiate the risk signature that is constructed from risk dimensions, the term risk dimension signature (RDS) is coined.
It is an imprint of the risks from risk dimensions or groups already identified for a specific ITO arrangement. The risk dimension signature represents a unique picture of the risks at one point in time during the ITO project. It uniquely differentiates the project from any other. It would be very unlikely for two identical RDS patterns to co-exist.
The risk signature is a tool that will assist the organization to better understand risks to business operations and avoid risky 96
Chap-04.qxd 3/1/05 12:32 PM Page 97
Understanding Risks When Outsourcing the IT Function practices, such as allowing scope creep and development of a variety of alternative supplier practices, and to be alert for other events streaming from agency theory. It also provides an efficient means for communicating assessment findings and recommended actions to business unit managers as well as to senior corporate officials. Standard report formats and the periodic nature of the assessments have provided organizations with a means of readily understanding reported information and comparing results among units over time. The RDS will be the primary tool to support the notion that there is a set of interrelationships between the actions and effects of actions that influence the risks.