financial parameter (level 1). The signature clearly identifies ‘stress’
loads in the area of technology (new, unproven technology). This example is illustrated in Figure 4.3 where the risks and total risk exposure along the technical dimension are high. Coincidentally, the risks in the financial area are lower than those in the others.
Technical
Supplier
4
Buyer
Strategic
3
Financial
2
Figure 4.3
1
Scenario A where
Informational
0
Legal
the technical risk to
the buyer is high
(the supplier risk
has been held
Environmental
Operational
constant for the
purposes of
Business
illustration)
To reduce the stress loading on technology, perhaps more money can be allocated to additional expertise, to experienced consulting assistance and perhaps also to further investigation in the area of CRM. This increases the finance risk but the risk signature looks more evenly distributed; the overall risk loading is also more evenly distributed.
When more money is spent to ‘fix’ the technical problem, the risk profile as indicated by the RDS in Figure 4.4, indicates a profile that is much more evenly distributed. The other dimensions can be compared similarly. For example, the interrelationships Technical
Supplier
4
Buyer
Strategic
Financial
3
2
1
Figure 4.4
Informational
0
Legal
Scenario A where
some technical risk
has been ‘traded’
for financial risk (the
Environmental
supplier risk has
Operational
been held constant
for the purposes of
Business
illustration)
102
Chap-04.qxd 3/1/05 12:32 PM Page 103
Understanding Risks When Outsourcing the IT Function and impact of operations, business and information are recipro-cal in nature.
4.3
Additional RDSs and patterns
The risk profiles and patterns also illustrate information on the level of risk exposure or risk severit; risk dimensions for attention; and dimensions that are missing. For example, an acute angle along any single axis could represent a significant variance in risk levels between dimensions, which causes undue stresses to outsourcing agreements for either the buyer or supplier.
Sample RDS patterns and interpretation
An obtuse angle, on the other hand, typically defines a more-balanced risk-sharing profile between risk dimensions (see Figure 4.5). The star and arrowhead topologies have features in common, i.e. have extreme risks along the north–south- and east–west-facing risk dimensions compared to the other shapes.
This indicates severe risk exposure at each ‘point’ or ‘tip’ compared to the central area of the ‘star’.
The circular topology shown demonstrates the ‘ideal’ risk profile where the magnitude of risk is similar along all the risk dimensions. This indicates some degree of risk sharing and management for the outsourcing arrangement. When risk is drastically reduced along selected risk dimensions, for example arbitrary dimensions C and G along the horizontal axis, a squeezed rectangular shape emerges. The stresses placed on the other risk dimensions would be high. This is discussed further in the following sections.
A circular topology for the buyer indicates even risk sharing between the risk dimensions, and an arrowhead indicates significantly lower risk along two dimensions. When one topology is superimposed on another, the mismatch causes significant strain on the contracting and governance processes necessary to equalize the risk profiles. Even though the buyer would be content, the uneven risk exposure will create a handicapped situation.
Therefore, to summarize, the RDS profile will also allow several characteristics to be monitored and observed. These include the following:
1. An illustration or measure of total risk exposure (by computation).
2. A ‘feel’ of the areas which are subject to additional or reduced risk (by comparison).
103
Chap-04.qxd 3/1/05 12:32 PM Page 104
Managing the Risks of IT Outsourcing
Risk dim A
Risk dim A
5
3
4
Risk dim H
Risk dim B
Risk dim H
Risk dim B
3
2
2
1
1
Risk dim G
0
Risk dim C
Risk dim G
0
Risk dim C
Risk dim F
Risk dim D
Risk dim F
Risk dim D
Risk dim E
Risk dim E
Buyer
Supplier
Buyer
Supplier
Star topology
Circular topology
Risk dim A
Risk dim A
5
5
4
4
Risk dim H
Risk dim B
Risk dim H
Risk dim B
3
3
2
2
1
1
Risk dim G
0
Risk dim C
Risk dim G
0
Risk dim C
Risk dim F
Risk dim D
Risk dim F
Risk dim D
Risk dim E
Risk dim E
Buyer
Supplier
Buyer
Supplier
Squeezed rectangle topology
Arrowhead topology
Figure 4.5
Sample RDS or risk profile topologies (with arbitrary dimensions) 3. An understanding of the areas subject to unduly high or low levels of risk and risk exposure (by reviewing the RDS on a stand-alone basis); and
4. An assurance that the ‘gut feel’ for risks is correct (by careful and detailed observation of the negotiating parties and the environment).
4.4
IT outsourcing (ITO) measurement
framework
The intrinsic risks need to be considered in any outsourcing situation. For example, the need to retain the ability to change strategy 104
Chap-04.qxd 3/1/05 12:32 PM Page 105
Understanding Risks When Outsourcing the IT Function and options can lead to risks of increases in hidden costs, costs of services and management costs, which are difficult to forecast or budget for. Additional reasons that have been cited include the risk of loss of intellectual property, the risk of loss of competency and the ‘lock-in’ phenomenon where the contractual obligations impose limitations on both the buyer and the supplier in seeking alternative means to perform the outsourced task. It can be shown, however, that a few key risk areas dominate, i.e. have larger risk exposure than have other risks, in the ITO environment.
Considering multiplicity of risks
To make the measurement of the assortment or multiplicity of risk elements easier, the risks are sorted into groups with similar risk characteristics. IT-related risks have been classified to include elements such as operational failure or lack of reliability (Markus and Tannis, 2000), security breaches, reputation damage to an organization owing to its failure to safeguard the privacy of customer data, and strategic risk (such as adopting a new IT too soon or too late). These risks form the most significant portion of risks in the IT exercise. Risks involved with the IT function in combination with an outsourcing exercise are unique. They are quite different for each area considered separately. In the outsourcing of the IT
function within an organization, the complex operations of both the IT function and the outsourcing exercise need to be considered together. The risks in the outsourcing of the IT function are also exacerbated by the fact that IT (and its components) characteristically evolves very rapidly and has very short product life cycles.
Considering contract periods
ITO agreements cover relatively very long periods (many ITO
agreements span 5 to 10 years). Implicit in this observation, the products and services that are supplied and used relating to the outsourcing of the IT function also change many times over the period of the outsourcing agreement. By inference then, the inevitable changes in the operating environment (including people, technology, processes and supporting business requirements) become natural catalysts that give rise to an environmental risk consideration. Consequently also, risk effects that are experienced in the ITO exercise are directly related to the organization and its IT policies.
In an ITO exercise these IT risks, together with the risks inherent in an outsourcing exercise, come together and are experienced by both the supplier and buyer of outsourcing services. The 105
Chap-04.qxd 3/1/05 12:32 PM Page 106
Managing the Risks of IT Outsourcing
effects of ITO risks have been shown (Aubert et al., 1998) along two main measurement metrics, i.e. ‘the importance of potential loss’ and ‘the probability of undesirable outcomes’. The framework for risks built by these researchers allows an assessment of the level of risk exposure for each ITO decision. There is also a group of risks that form the most significant portion of risks in the ITO exercise. Together, the most significant IT project-risks, along with the ITO-risks, form the basis for the most significant measurements of risk exposure that the framework deals with.
Considering buyer and supplier
The information in the frameworks allows a comparison between the elements of risk exposure for both the buyer and supplier organizations. It does not demonstrate, however, the dynamics of the interaction that exists between the causes and effects of the decisions that are made to mitigate the risks. Also, the effects of changes in risk exposure levels are often interrelated. The effects and relationships in this interaction require new methods, tools and frameworks for their observation and measurement. Outsourcing arrangements are partnerships between the buyer and supplier organizations over an agreed period. They constitute alternatives to the more traditional transaction-based contracts, which are usually shorter and defined to deliver specific services or products. An ITO arrangement, for example, may span a period of 10 years or ten financial periods wherein new budgets, strategies and plans will be formulated to balance the forces in a competitive environment.
The risks are often passed from the supplier to the buyer and vice versa (see previous chapter). Risk exposure is also observed to be passed from one risk dimension to another within the virtual confines of either entity. In many examples, the organizations (both buyer and supplier) become increasingly reliant on the structures and, in particular, on the dependencies of a networked environment. As more organizations adopt outsourcing practices, the interconnected systems, processes and people networks increase the inherent risks created in partnership and joint working relationships. Developments in principal-agency theory discussed in the previous section (Chapter 3) have given some insight into the incentive mechanisms used inside organizations, and, by extension, into the role of information and information technology. However, because the same models apply equally well to contracts between organizations, agency theory by itself cannot explain the boundaries of organizations or the relative advantages of different institutional or ownership structures.