Ian Tho – Managing the Risks of IT Outsourcing


Understanding Risks When Outsourcing the IT Function

4.5 Shifting the ‘effects of risk’

One reason why organizations outsource their IT function is to shift some elements of risk from the customer (buyer) to the supplier. The buyer of outsourcing services hopes to transfer away its operational and technical risks by passing them to a supplier organization that will, effectively, take them over and agree to deliver a set of outcomes.

During an ITO exercise, however, actions performed by either the supplier or buyer of outsourcing services can change the nature and severity levels of risk experienced by either party.

There are compromises made by both parties in the outsourcing exercise. Anecdotal evidence can be found in examples of ITO failures that have been partly attributed to insufficient focus on an area that was neglected or ‘unacceptably exposed’ to risk factors. As risks are transferred away, other risk elements appear to enlarge (see examples below). If separate RDS profiles were to be taken for the buyer and the supplier over two different points in time, especially at different stages in the outsourcing exercise, the shifts in risk would become very apparent. An example is illustrated in Chapter 8 in the case study.

Risk-shifts between buyer and supplier

As the risks are shifted from the buyer to the supplier and vice versa, the RDS profiles indicate that each of the risk dimensions also changes. This interaction between buyer and supplier actions and the risk exposure can be observed qualitatively. An example to illustrate the risk-shift phenomenon is now discussed. Consider a situation where the amount of money budgeted for use in the purchase of essential backup disks is insufficient or untimely.

This means that copies of the ‘live’ operating data cannot be taken and stored. Operational risk is hence increased because there is no duplicate copy of the ‘live’ data. Here, an action from the area of finance has affected the area of operations along a sequential chain of events. Financial risk needs to be reduced; costs have to be controlled; insufficient money is allocated for activities which are not urgently required (i.e. purchase of disks for copies); disks for copies hence have not been purchased and copies of the ‘live’ data not made. These factors cause the operational risks to increase because there is no contingency plan should the data on the computers be destroyed or corrupted by an event like a malicious attack by a computer virus or a natural calamity like a fire. There are no duplicate copies available to replace originals that might be destroyed. In this case, the risks in the area of operations are elevated in an effort to reduce financial exposure and risk. Financial risks have been traded off against operational risks.

Another example of interrelationships between activities and risks is illustrated in the area of contract management. Often contracts are made between the supplier and buyer of outsourcing services at the beginning of the contract, which might only be a few years old. These contracts have a short ‘shelf-life’, and, unless updated, become quickly outdated because new technology has replaced the old, skills required have changed, and processes and delivery mechanisms are different. Microsoft Corporation’s almost ubiquitous Windows operating system for basic personal computers, for example, has had major changes on no less than three occasions in the last 5 years, i.e. from Windows 98, Windows Me, and Windows XP. New features and functions often translate into new performance measurement criteria for the supplier of IT services. This may seem trivial at first but when an organization has hundreds of personal computers in its inventory in geographically disparate locations, any exercise to upgrade IT components often becomes a major task and an area of operational risk. As a buyer of outsourced IT services, however, the technical and operational risks appear to have decreased as a result of the deployment of better and more efficient technology, but the legal and operational risks are increased in a complex set of interrelationships.

So what are the implications of these observations on shifting risk? How are the risks in one area traded off against another, if at all? What constitutes an acceptable risk for any one area? What are the levels of risk that each area of the organization can, or should, carry? While heuristics and the cumulative experience that managers of organizations who are involved with the outsourcing of the IT function have applied for years have proven useful in responding to these questions, the dramatic and ever-increasing changes brought about by new components in IT coupled with the increasing scope of outsourcing exercises make this experience an untrustworthy guide.

A typical outsourcing agreement or arrangement often involves neglect of the relationship and interaction between the buyer and supplier organizations. The risk of the buyer organization increases when disagreements emerge about the provision of the outcomes of outsourcing services. Without a systematic analytical approach to the outsourcing decision, the organization may make arbitrary choices on the decision to outsource, based on historic norms, cash flow difficulties, political considerations or misperceptions of the benefit–risk trade-off. Also, given that there is an agency model in operation, many of the activities and risks involved are derived from the fact that people have a tendency to cheat and take advantage of a situation, as articulated in what is known as agency theory (Eisenhardt, 1989).

Agency theory explains how to best organize relationships in which one party (the buyer) determines the work which another party (the supplier) undertakes. The theory argues that under conditions of incomplete information and uncertainty as occurs in an ITO environment, agency problems arise.

4.6 Observing risks in an ITO environment

It is understood from the review that while partnership arrangements vary considerably in their operations, from flexibly defined, formal contracts, to loose strategic initiatives, they also include the provision of shared risk and benefits. As observed in Chapter 1 (Figure 1.4) strategic or transformational outsourcing provides for a set of partners who have a considerable stake in the game, and often that means sharing both risk and reward. How is the disproportionate weighting of risk between the supplier and buyer, if any, then quantified? How are the risks of the disproportionate experience levels of the buyer and supplier mitigated?

The phenomenon of winner’s curse (Kern et al., 2002), as described below, is the situation where extreme cost cutting is undertaken by the winning supplier based on the risks to the supplier when it agrees to enter into the outsourcing contract. What are the risks involved? How are the risks quantified and decisions made?

As this chapter opened by discussing foundational concepts and what has been learned about what works and what does not, as well as the conceptual models for understanding when organizations should and should not outsource, it concludes by focusing on the key area of risks within the ITO environment.

It is simply not possible for this book to attempt to answer all the possible questions posed in an ITO exercise. It recognizes, however, the central theme of risk measurement and management that needs to be addressed, and aims to provide the reader with the appropriate tools and information to be able to manage each individual situation that arises as a separate case. Further, it recognizes that there is a lack of cohesive evidence, supported by any tools or methods, that allows the recognition of risks within the framework of decision-making in an outsourcing exercise. Specifically, the outsourcing of the IT function introduces unique features that add to the complexity of the risks argument.

A series of complex factors including operational, strategic and environmental factors influence risk. In addition, less-predictable human factors, explained through the presence of agency theory as well as observable factors between both the supplier and buyer, affect the behaviour of risks. In order to assess the effect of these complex sets of influences on the risk profile, a tool needs to be developed.

The IT environment is unique and the nature of the outsourcing of the IT function is arguably distinct between industries and also between the operational and business functions that are outsourced; therefore the application of the concepts of risk needs to be made for each of the projects that the reader is involved with.

There are also two very important observations that arise from the RDS profiles and discussion of risks in the ITO exercise. The first is the notion of the winner’s curse which very aptly describes a situation where the winner actually loses because of the bidding framework that is typically used in an ITO scenario. This provides an added reason why the RDS profile is critical for the supplier of ITO services as it will provide both early warning as well as a tool to compute the basic risks that would be encountered in such an activity. The supplier would then be able to assess the impact of increases in risks that exceed its risk tolerance or risk appetite.
