If just the buyer side of the agreement is observed, then the operational risks are qualitatively and arguably reduced. The other risks, including financial risk, risk on reliance of the supplier and environmental risks such as the catastrophic risk of business failure as a result of failure by the supplier to deliver, are arguably increased. The interplay between the risks and severity of risks along each of these dimensions or risk sets appears to take on several characteristics including the ability to trade off one for the other and interdependence. Importantly also however, the risks appear also to be able to be managed as a result of certain sets of actions taken by the contracting organizations in the risks landscape.
5.3
Sharing risks within one organization,
between value activities
Much has been said in the literature about the linkages within the organization value chain regarding the sharing of risks. The value chain is a concept introduced by Michael Porter (1985), where the organizational activities, both primary and support, are grouped into various categories. Porter identified the linkages between value activities that are interdependent and that 123
Chap-05.qxd 3/1/05 12:32 PM Page 124
Managing the Risks of IT Outsourcing
provide the organization with competitive advantage through cost or functional differentiation. By extrapolation, the linkages still exist for the risks involved when one of the major support activities like technology is intentionally removed for performance by an external party. By implication, then, the risk profiles of the related value activities also change. The profiling graph provides another analytical tool to monitor this change.
The value activities are linked through intricate relationships.
For example, the implementation of a computerized organization resource planning (ERP) application tool will affect primary activities such as supply chain activities, logistics within and external to the organization and, finally, the complete customer experience. This is an anecdotal generalization but is founded on many examples in the literature that can provide empirical evidence. A complete analysis is outwith the scope of this book. The point that needs to be emphasized, however, is that the information gained through the use of technology is fundamental to exploiting value linkages. The downstream effect of this exploitation of technology means that the risks are also shared and spread between the activities in the value chain.
Technical
6.0
5.0
Strategic
Technical
Financial
4.0
6.0
3.0
5.0
Technical
Strategic
2.0
Financial
5.0
4.0
Technical
1.0
3.0
6.0
Strategic
4.0
Financial
0.0
Legal
2.0
3.0
5.0
Strategic
Financial
1.0
4.0
2.0
Informational
0.0
3.0
Legal
1.0
Firm infrastructure
2.0
Informational
0.0
Legal
Operational
1.0
Human resource management
Informational
0.0
Legal
Environmental
Business
Operational
Environmental
Operational
Business
Technology development
Business
Environmental
Operational
Procurement
Business
Inbound logistics
Operations
Outbound logistics
Marketing & Sales
Service
Figure 5.2
Example illustration of risk profiles in interdependent value activities in the organizational value chain (value chain adapted from Porter, 1985) Risk signature/RDS – supplier
By focusing on the competence areas that are essential to the formation of competitive advantage through product innovation, marketing, and brand development, organizations become reliant on specialized suppliers for providing best-in-class production 124
Chap-05.qxd 3/1/05 12:32 PM Page 125
Risk Interaction in IT Outsourcing
services to quickly reap value from innovations and spread risk at the same time.
This in itself is a risk that needs at least to be understood to exist and then managed in order to avoid unforeseen and often surprising events that could result in disastrous consequences. A rather straightforward example is when a buyer relies ‘blindly’
on selected equipment (assets) and specialist services of an outsourcing services supplier who in turn now chooses to raise the prices for its services. There are few choices open to the buyer if this event were not planned for and mitigated either through a contract, through a multi-supplier strategy or even through rigorous governance processes.
Supplier(s)
Enterprise (Buyer)
Figure 5.3
A one-
a
a
5
5
to-many relationship
h
4
h
4
b
b
3
between the buyer
3
2
2
organization and its
1
1
g
0
c
g
0
c
supplier(s) of
outsourcing services
d
f
d
f
as a strategy to
e
e
mitigate operational
risk of dependence
Risk signature/RDS – buyer
Using a similar risk of reliance on an organization (see above), the supplier organization would invest in selected equipment (assets) and specialist skills to provide the relevant services.
This increases its risk if the single buyer were to terminate the outsourcing agreement prematurely. With the right mix of capabilities however, a supplier could reduce its business risk through structuring a multiple customer and/or multiple business profile.
In a typical IT support function, modularization of functions helps suppliers to reduce the degree of asset specificity while maintaining the capability to offer customized services. Having such capabilities, a supplier could further expand its customer base and serve new application areas.
Suppliers, then, are able to ramp output up and down according to changes in demand. Similarly, suppliers are able to achieve relatively stable demand profiles, high capacity utilization rates, and low costs by pooling demand from a large number of customers (buyer organizations) if process technology depends 125
Chap-05.qxd 3/1/05 12:32 PM Page 126
Managing the Risks of IT Outsourcing
Supplier(s)
Enterprise
a
a
5
h
5
4
b
h
4
b
3
3
2
2
1
1
g
0
c
g
c
d
d
f
f
e
e
Figure 5.4
A reversed
relationship where a
supplier’s risk profile
a
changes in line with
5
h
4
b
3
its development of
2
1
g
c
multiple relationships
d
f
with many
e
organizations/IT
outsourcing projects
Buyer (Enterprise(s))
not on specific assets, but on generic assets, assets that are widely applicable to the entire customer pool, and suppliers have the capacity to identify and meet the complex requirements of multiple customers and transform that data into a format usable by their generic processes. With the commoditization of IT equipment, processes and techniques, more supplier organizations are finding outsourcing a lucrative business.
To graphically illustrate risk or the negative outcomes, the dimensions of risk to be illustrated are technical, financial, legal, operational, business, environmental, informational and strategic.
The loss due to an undesirable outcome can be approximated either via quantitative analysis3 or via qualitative assessment of the organizational impact of each negative outcome.
5.4
Tolerance for risk exposure
(risk appetite)
An outsourcing contract represents a long-term partnership (possibly over 5 years) where the constantly changing business environment and conditions are managed through a governance structure. Both the buyer and supplier [or external services provider (ESP)] has different preferences and tolerance for risk, also described as the ‘risk appetite’. The risk premiums required and costs for appropriate risk mitigation activities that need to be factored into the total project costs will differ given 3 For instance, by evaluating the amount of sales lost due to disruption of service to customers
126
Chap-05.qxd 3/1/05 12:32 PM Page 127
Risk Interaction in IT Outsourcing
the individual project characteristics and the appetite for risk shown by the contracting organizations.
Risks indicate decision limits in an outsourcing context. The tolerance for risk or risk appetite for uncertainty varies from one organization to another; hence it is important that, first, the levels of tolerance are determined and the risk levels are then managed within these boundaries. For example, risk aversion has paid off for many organizations in an increasingly complex business environment as organizations seek to avoid risks rather than profit from them. As a result, they often overlook the highest-value IT initiatives while spending money on safer but less valuable ideas. To what extent can these organizations, however, tolerate the levels of risk or uncertainty? To remain competitive, organizations need to weigh the ‘safety’ current capabilities and assets against risks and ‘dangers’ of increased efficiency and cost-cutting. It is not easy continually to change, as this requires a significant amount of energy, courage and innovative use of new tools.
The RDS proposed earlier is a method to identify and present the multidimensional nature of risk that will enable subsequent understanding of its nature and the forces that either magnify or reduce risk. It is important for management to take a more proactive role in the understanding of risk and its subsequent mitigation.
The elements of risk exposure and risk appetite of the buyer and supplier are also contributory factors. Here, a project with shorter payback period is considered better because of the lower perceived risks. The internal rate of return (IRR) of the ITO project is focused on the stream of the future cash flows and is not impacted by the cost of capital. If the cost of capital equals the IRR there will be no financial benefit from investing in the exercise. Therefore, IRR effectively creates a ceiling for the cost of capital as an example of one component that contributes to the financial risk appetite of the buyer organization. In a separate risk dimension, the IRR is related to the level of operational risk experienced. Generally, the higher the operational risk, the higher the IRR. The IRR, however, reaches a stage where the increase in IRR is no longer acceptable or has exceeded the organization’s appetite for risk given the risk levels that are experienced (see Figure 5.5).