The patterns portrayed by the risk profile in the previous chapter show risk exposure characteristics including the abnormally high (peaks) or low (troughs) risks encountered at particular points in time. As the set of interrelationships change over time, the mix of risk exposure elements and their relative ‘weights’
along each of the risk dimensions are also observed to change.
The RDS illustrates risks along multiple dimensions and then qualitatively describes the relationships between the risk dimensions that arise in the outsourcing of the IT function. This is done by comparing two versions of the RDS for the same ITO exercise using the same parameters, which change because of events that have occurred in between each recording. During an ITO
exercise, the RDS tool can then be used to illustrate the risk profiles that will verify the objectives stated at the start of the book.
The most significant changes in the risk signature are expected to occur when there are new activities or significant changes made to existing processes that occur during the course of the outsourcing exercise. The changes in the RDS profile will demonstrate and validate previous observations and hypotheses on risk sharing and risk transfer between the buyer and supplier. The changes in the risk exposure along each of the risk elements (grouped by risk dimension) are recorded in the RDS illustration; observations of changes in the risk patterns over time show the existence of relationships between the risk dimensions.
132
Chap-05.qxd 3/1/05 12:32 PM Page 133
Risk Interaction in IT Outsourcing
When changes are made via programmed activities, risks in the risk dimensions also change. The patterns of risk signature and the size of the total risk exposure throughout the outsourcing exercise are observed to remain constant. The risk exposure values are observed to change within an organization as the nature and use of the IT function change (owing to changes in the profile of the IT components, people or processes). The conclusion is that there exists a set of interrelationships between actions and the effects of these actions that influence the risks along key risk dimensions, so keeping the total risk exposure for the exercise constant.
For illustrative purposes, the buyer and supplier have been assigned arbitrary risk exposure levels of 6 and 5 respectively in Figure 5.8. In the equally spaced, octagonally shaped RDS
example, equal risk exposure on all eight risk dimensions is illustrated. The total risk that the buyer is exposed to is larger than that of the supplier.
Technical
6
Strategic
Financial
4
2
Buyer
Informational
0
Legal
Supplier
Figure 5.8
Risk
Risk levels for both
buyer and supplier
RDSs indicate equal
Environmental
Operational
risks along all
dimensions
Business
The risk signature patterns that take shape then provide visual clues to the relationships between the various risk categories or dimensions. For example, an octagonal (almost circular) RDS in Figure 5.8 represents equal risk levels in all dimensions and a protrusion from this circle would represent a point of stress, where the risk is higher than in any other dimension.
The choices made by either the buyer or supplier of ITO services then influence the effects of risks directly; they also indirectly influence the shape of the risk signature along the risk dimensions, forming new risk dimension signatures (RDSs). For example, the risk exposure values are illustrated according to the characteristics of risks along the eight dimensions that are relevant to the outsourcing exercise for the case study (see Chapter 8).
133
Chap-05.qxd 3/1/05 12:32 PM Page 134
Managing the Risks of IT Outsourcing
Empirical measurement
As this tool is empirically based, detailed observation of risks within the ITO environment will need to be collected and presented. Risk exposure values for any ITO activity are influenced by a very complex set of factors. Environmental factors such as organizational politics, people issues, changes in policies and global events directly affect a business organization and its decisions on competition. These complexities overlay such matters as IT governance and radical changes in IT hardware, software and the networking environment. Hygiene factors and behavioural factors that contribute to the elements comprising agency theory also add to the possible outcomes in the permutations that can be made in this already complex environment (summarized in Figure 5.8).
To obtain data for the RDS, informal, semi-structured interviews are conducted. As opposed to the formal or structured interviews that have an explicit agenda, informal interviews have a specific but implicit research agenda. Informal interviews can be used to determine the categories of meaning in a culture and are useful in discovering what people think and how one person’s perceptions of risk compare with another’s. There is no standard measure of default values or tolerance levels in organizational performance. The empirical qualitative research method hence is suggested for the collection of risk data for the project. The observations can include nuances of behaviour of key stakeholders and key risk drivers following the specific observations.
Data on risks and risk exposure
Primary data can be gathered using planned and structured interviews, focus group sessions and the Delphi technique. This technique was developed by the Rand Corporation in the late 1960s as a forecasting methodology. Later, the US Government enhanced it as a group decision-making tool using the results of Project HINDSIGHT, which established a factual basis for the workability of Delphi. Planned and semi-structured personal interviews were conducted with current personnel from various departments as well as business consultants in the team. The interviews were designed to assess the interviewees’
responses to the risks involved in the outsourcing exercise. The information gathered was then used to construct questionnaires, develop the risk dimensions and subsequently measure some of the risk exposure values. In the focus group sessions for example, the personnel from the IT planning area gathered 134
Chap-05.qxd 3/1/05 12:32 PM Page 135
Risk Interaction in IT Outsourcing
specific information on risks in the area of IT planning. The Delphi technique was subsequently used to ‘guide’ debate through the discussion sessions in order to obtain the relevant information on the risks and risks dimensions required.
The research involved data accumulated through the author’s work with multiple organizations on ITO projects. Secondary data was obtained from commercial project documentation as well as commonly available sources such as project reports, the Internet and other available data on the IT function within the organization. Certain key assumptions and concepts provide the basis for the exercise. The first is the concept of causality and random activity used when observing the risks that occur during the ITO exercise, as previously discussed. The other idea used is that of external influences on activities in the same exercise.
Interaction between categories
Inherent in the operations of the organization are technical, financial and operational risk. An interpretation of the types of risks that are categorized in each of these areas is subjective.
This can change as the exercise changes. It is most relevant and critical, however, that use of the tool and its concept is observed and applied throughout the ITO exercise.
The tool that is proposed has been used to identify previously neglected areas of risk that the buyer organization may carry.
For example, the business risks that increase as a result of the outsourcing exercise include the responsibility for the results delivered by the supplier organization. Should the supplier not deliver as promised, it is the buyer organization that ultimately suffers. The increased risk that the buyer organization carries needs to be mitigated. Before this step, however, it must identify where its tolerance for risk along the business risk dimension lies.
In many instances, as outsourcing is an accepted way of getting superior results, the specialist services offered by the supplier must be ‘better’ than those of the buyer. Often the ability to focus (core competency), economies of scale and financial support are advantages that the supplier has in its arsenal to assist in providing these services. Many ITO agreements fail, however, when there are disagreements on the use of these resources as both buyer and supplier require unfettered access. The RDS also provides a scenario where the benefits and risks can be illustrated and thus fairly shared. This means that the patterns or signatures are modified to the extent that both organizations benefit.
135
Chap-05.qxd 3/1/05 12:32 PM Page 136
Managing the Risks of IT Outsourcing
It is proposed that the RDS exercise is not one that should be conducted procedurally without an understanding of the exercise through observation, involvement and application of artistic management. It has been demonstrated that the complexities and variables involved are far too intricate for a mathematical model to be derived. This does not in any way contradict the use of the methodology for the construction of the RDS described previously. It is the combined use of heuristics, current observations and qualitative findings that plays a vital role in achieving an accurate and usable result.
136
Chap-06.qxd 3/1/05 12:33 PM Page 137
Section III
Mitigating (& managing)
risks in IT outsourcing
This page intentionally left blank