When the risk profiles for both the supplier and buyer are superimposed on the same chart, the relative risk exposures also reveal areas where negotiations for trading one party’s risk for another can be made. In Figure 4.1 for example, the buyer-risks (indicated using the solid line) along risk dimensions A, B, D, E, F
and H are relatively larger than those of the supplier (indicated using dotted lines), which are seen as having a relatively ‘safe’
risk profile. Along dimensions C and G however, the supplier is more at risk relative to the buyer organization.
[Figure 4.1: Examples of dissimilar signatures (or risk dimension signatures) of the buyer and supplier organizations along eight arbitrary risk dimensions. Radar plot with axes Risk dim A to Risk dim H on a scale of 0 to 5; series: Buyer, Supplier.]
A more detailed discussion can follow, given more information on the nature of the risk dimensions; the buyer could trade some of the risks in A, B, D, E, F and H for C and G.
While it is clear that the buyer experiences more risk along the dimensions along the vertical axes, and the supplier has increased risk along the dimensions on the horizontal axes, a question that needs to be asked is whether the total risk exposure for the buyer and the supplier is the same. Knowing that the area bounded by the risk signature reveals the total risk exposure for the buyer and supplier organizations in this example of an outsourcing agreement, the total risk exposure can be measured and computed (see next section).
Managing the Risks of IT Outsourcing
4.2 Computation of total risk exposure
To compute the area bounded by the risk signature or profile, the formula for the area under the curve, given multiple dimensions (eight in this case), is constructed from basic mathematical principles. The angle between each risk dimension, A through
H, is 45°, derived from 360° divided by eight (corresponding to the number of equal angles). Hence the total risk, or area enclosed by the graph under this profile, can easily be computed as in equation (4.1) below.
Total risk = Area enclosed by the graph (risk here represents the risk exposure, RE), therefore

$$\text{Total risk} = \alpha \left[ \sum (\text{product of adjacent risk exposure magnitudes}) \right] \qquad (4.1)$$

where $\alpha$ is a constant depending on the number of risk dimensions (see Table 4.1).
Given that the risk profiles or risk signatures are multi-sided shapes, the area under the graph is computed as follows.
[Figure 4.2: Sample risk signature (RDS) demonstrating key values for the computation of total risk exposure. Radar plot with axes a to h on a scale of 0 to 8; series: Buyer, Supplier.]
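Understanding Risks When Outsourcing the IT Function

$$\sum \text{risk} = 0.5 \sin\theta \left[ \sum_{i=1}^{7} \left(\text{risk}_i \times \text{risk}_{(i+1)}\right) + \left(\text{risk}_1 \times \text{risk}_8\right) \right]$$

But $\theta = 45^\circ$ where there are 8 dimensions, therefore

$$\sum \text{risk} = \alpha \left[ \sum_{i=1}^{7} \left(\text{risk}_i \times \text{risk}_{(i+1)}\right) + \left(\text{risk}_1 \times \text{risk}_8\right) \right]$$

where $\alpha = 0.3536$.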
Changes in the total risk exposure are changes in the total risk profile. When the number of risk dimensions changes, the value of the constant $\alpha$ also changes, where

$$\alpha = 0.5 \sin \left[ 360^\circ / (\text{number of risk dimensions}) \right]$$

Table 4.1 illustrates the possible values of $\alpha$ given the changes in the number of risk dimensions.
Table 4.1 Sample computation of the constant $\alpha$ for use in the computation of the total risk exposure in a construct of the risk profile in equation (4.1) and as illustrated in Figure 4.2

| No. of risk dimensions | 3 | 4 | 5 | 6 | 7 | 8 | 9 |
|---|---|---|---|---|---|---|---|
| Angle theta (°) | 120 | 90 | 72 | 60 | 51 | 45 | 40 |
| Constant alpha | 0.4330 | 0.5000 | 0.4755 | 0.4330 | 0.3909 | 0.3536 | 0.3214 |
The number of risk dimensions in Table 4.1 ranges from three to nine. To graphically illustrate risk, or negative outcomes, eight selected dimensions of risk were arbitrarily chosen. These dimensions were plotted along equally spaced axes, all at 45° angles in a radar plot. These dimensions were selected based on a rationale for classifying risks into categories. In proposing eight risk dimensions (see Table 3.2), the number 8 rather coincidentally matched the optimal value. This is supported by Miller (1994): while discussing the bandwidth dilemma in data representation, he introduced the rule of ‘seven plus and minus two’ during the presentation on multivariate, multidimensional visualization techniques. Keller and Keller (1993) also endorsed this rule during their discussion on radar and spider plots. This appears to be the optimal number of risk dimensions to visualize or depict the risk profile of an outsourcing project. Also, as will be seen in the following sections, it is observed that 8 seems to be the optimal number of risk dimensions representative of a collection of many risks of a similar nature.
As mentioned in Chapter 1, visualization is a process of balancing noise and smoothness. Instead of following some generalized cognitive rules, we should process data representation along the noise–smoothness continuum owing to different research goals and data types.
Comparing buyer and supplier risks on the RDS
From the RDS example in Figure 4.2, the buyer’s total risk exposure is computed as 82.4 and the supplier’s as 82.05, using the following formulae derived from equation (4.1). The actual computation is shown here.
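Buyer risk

$$\begin{aligned}
\sum \text{risk} &= 0.5 \times 0.7071 \times [(\text{Dim A} \cdot \text{Dim B}) + (\text{Dim B} \cdot \text{Dim C}) + (\text{Dim C} \cdot \text{Dim D}) + (\text{Dim D} \cdot \text{Dim E}) \\
&\qquad + (\text{Dim E} \cdot \text{Dim F}) + (\text{Dim F} \cdot \text{Dim G}) + (\text{Dim G} \cdot \text{Dim H}) + (\text{Dim H} \cdot \text{Dim A})] \\
&= 0.5 \times 0.7071 \times (30 + 20 + 24 + 30 + 15 + 18 + 48 + 48) \\
&= 82.4
\end{aligned}$$

Supplier risk

$$\begin{aligned}
\sum \text{risk} &= 0.5 \times 0.7071 \times [(\text{Dim A} \cdot \text{Dim B}) + (\text{Dim B} \cdot \text{Dim C}) + (\text{Dim C} \cdot \text{Dim D}) + (\text{Dim D} \cdot \text{Dim E}) \\
&\qquad + (\text{Dim E} \cdot \text{Dim F}) + (\text{Dim F} \cdot \text{Dim G}) + (\text{Dim G} \cdot \text{Dim H}) + (\text{Dim H} \cdot \text{Dim A})] \\
&= 0.5 \times 0.7071 \times (20 + 12 + 18 + 36 + 36 + 30 + 40 + 40) \\
&= 82.05
\end{aligned}$$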
Interpreting the buyer and supplier RDSs
From the RDS in Figure 4.2, it is also quantitatively or empirically observed that both the supplier and buyer experience almost identical[1] total risk exposure from the outsourcing arrangement.
When the charts are analysed from the perspective of the risk dimensions however, the supplier is over-exposed along risk dimensions E and F. The buyer, on the other hand, carries more risk along all the remaining risk dimensions. The supplier hence carries an advantage along all but two of the risk dimensions.
This would otherwise be unknown if it was not charted. The increase in risk is not linear but a quadratic function indicating increasing exposure on the part of the organization.
[1] The difference between 82.4 and 82.05 is insignificant for this purpose.
If the magnitude of risk exposure (RE) along any one dimension changes, the difference in total risk profile to the organization or organization project is:
(R.E. R.E.) (product of adjacent R.E. magnitudes)
(4.2)
where is a constant given the risk profile, and defines the risk categories.
Equation (4.2) is the same as equation (4.1) except that it shows the difference and change in the total risk exposure. This means also that when risk dimensions are held constant, i.e. (adjacent RE) , the risk profile relationship is linear or can also be measured directly from either the probability or magnitude of risk exposure, i.e. read directly from the axes of risk dimensions.
This is worth noting for simple analyses. More complex charts would require equation (4.2) to be used.
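The computation of equation (4.1) and the linear change that follows from it when adjacent exposures are held constant, as an added Python example that is not part of the original text. The per-dimension values in `BUYER` and `SUPPLIER` are constructed so that their adjacent products match the sums used in the buyer and supplier computations above (the page does not list them), and the function names are hypothetical.

```python
import math

LABELS = "ABCDEFGH"
# Constructed sample exposures (dimensions A..H), chosen so that the adjacent
# products match the page's buyer and supplier sums; the page itself does not
# list the per-dimension values.
BUYER = [6, 5, 4, 6, 5, 3, 6, 8]
SUPPLIER = [5, 4, 3, 6, 6, 6, 5, 8]

def alpha(n_dims):
    """Constant of Table 4.1: 0.5 * sin(360 degrees / number of dimensions)."""
    if n_dims < 3:
        raise ValueError("a risk signature needs at least three dimensions")
    return 0.5 * math.sin(2 * math.pi / n_dims)

def total_risk_exposure(re_values):
    """Equation (4.1): alpha times the sum of products of adjacent exposures."""
    if any(v < 0 for v in re_values):
        raise ValueError("risk exposure magnitudes must be non-negative")
    n = len(re_values)
    # (i + 1) % n wraps the last dimension back to the first (the H.A term).
    products = sum(re_values[i] * re_values[(i + 1) % n] for i in range(n))
    return alpha(n) * products

def exposure_change(re_values, index, new_value):
    """Change in total exposure when one dimension moves, neighbours fixed.

    Only the two products touching that axis change, so the result is linear
    in (new_value - old_value).
    """
    n = len(re_values)
    neighbours = re_values[index - 1] + re_values[(index + 1) % n]
    return alpha(n) * (new_value - re_values[index]) * neighbours

def more_exposed(first, second):
    """Labels of the dimensions where `first` carries more risk than `second`."""
    return [LABELS[i] for i, (a, b) in enumerate(zip(first, second)) if a > b]

if __name__ == "__main__":
    print("alpha(8)       :", round(alpha(8), 4))
    print("buyer total    :", round(total_risk_exposure(BUYER), 2))
    print("supplier total :", round(total_risk_exposure(SUPPLIER), 2))
    print("supplier worse :", more_exposed(SUPPLIER, BUYER))
    print("buyer worse    :", more_exposed(BUYER, SUPPLIER))
    print("buyer A 6 -> 7 :", round(exposure_change(BUYER, 0, 7), 3))
```

With these constructed values the buyer total evaluates to about 82.38 and the supplier total to about 82.02, and the supplier exceeds the buyer only on dimensions E and F.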
Further observations from risk signatures or risk dimension signatures
There are many specific observations that describe the dynamics of the risks along each of the predetermined dimensions that relate to the RDS for the ITO exercise. A specific observation that is highlighted, i.e. the extent to which the risk can be ‘stretched’, identifies the organization’s tolerance of risk, or ‘risk appetite’, along each dimension. Risk appetite is the preference and tolerance for risk of the supplier and/or the buyer organization. An organization’s risk appetite is also referred to by the extent to which it tolerates risks as described by performance indicators, operational parameters and process controls. The organization’s tolerance for risk or risk appetite is highlighted when the risks are discussed and demonstrated in an illustration of a risk profile.
This risk tolerance can be mapped as an additional RDS plot. It will indicate the extent of risk exposure along each of the dimensions that the organization is prepared to tolerate. The actual RDS then will illustrate areas where this tolerance is either exceeded or is within the limits set. For example, when a customer relationship management (CRM) application is developed by an IT developer for a retail chain, there are significant risks along the technical dimension; there is high risk (level 4) here but low risk on the