Chap-06.qxd 3/1/05 12:33 PM Page 139
6
Risk characteristics and behaviour in
an ITO exercise
Who controls the past controls the future: who controls the present controls the past.
George Orwell (1903–1950),
author of Nineteen Eighty-Four
There is a need to control the characteristics and behaviour of risks to reduce the effects of those risks. Risk mitigation activity is an essential component part of the process of ensuring predictable outcomes for the ITO exercise, and consequently also of being able to derive maximum benefits from the ITO exercise itself. Risk mitigation tasks are part of good project management.
It is more effective, however, if project managers have the ability to translate information on possible risks into useful knowledge.
With this knowledge, both the buyer and the supplier organizations can formulate a set of practical responses to reduce the effects of risk. Targeted communications programmes, actions and policies can then be put into place using this information, to reduce the effects of risks. This will, in turn, increase confidence levels and allow ITO to be more readily accepted.
In an ITO exercise, the RDS tool introduced earlier allows risks to be identified and illustrated in order to make it possible to control them. The information gathered is used to examine risk behaviour and the various forms of risk profiles formed. Additional steps can then be taken to reduce the anticipated harmful effects of risks on the range of departments in and functions of an organization.
It is, however, often impracticable to measure events or risks that have not yet even taken place. In addition, there are many risks that are not yet defined but may, nevertheless, occur. As demonstrated in the previous chapters, the RDS tool allows the selected risk elements, together with causes and influencing factors, to be differentiated for management attention and subsequent control. This again is occasionally insufficient to represent all the risks dimensions, which may change over time. Change 139
Chap-06.qxd 3/1/05 12:33 PM Page 140
Managing the Risks of IT Outsourcing
makes the one-time portrait or snapshot of risks constructed with the RDS quickly obsolete. In order, therefore, to anticipate risk patterns over time, the interaction between risk dimensions and the behaviour of risks in an ITO exercise needs to be observed and mapped to identify specific patterns or trends, as will be illustrated in this chapter.
The old adage ‘to expect the unexpected’ can be invaluable advice in a situation like IT outsourcing (ITO). Frequently, the occurrence of unexpected events directly influences other events, which eventually thwarts the objectives of the outsourcing process. It is challenging to monitor all facets of risk without using an instrument like the RDS. Many cases of ITO failures have been reported and, as a consequence, outsourcing projects are quickly seen to be of dubious worth or, even worse, deemed to be unworthy of consideration; therefore, in the latter scenario, managers prefer to avoid this topic altogether. This means that outsourcing projects and, therefore, also the business benefits thereof, are never taken advantage of.
With the RDS tool, risks are measured and translated in a meaningful format for the people who manage the projects and drive the organization’s activities to work with. Having measured and understood (see the MUM methodology in Figure 6.1) the risks that become manifest in the ITO project, managers will then need to formulate a specific action agenda to mitigate these risks using the RDS instrument. Figure 6.1 is repeated below from Chapter 2.
This chapter introduces new ideas, possibly abstract in nature but important in the process whereby risks can be mitigated.
Techniques based on research and practical experience gained from multiple ITO projects are introduced as the ideas are presented. A peculiar phenomenon described in this chapter appears Measure
Risk
Understand
Figure 6.1
Managing risks in
Mitigate
an IT outsourcing
environment
(Tho, 2003)
140
Chap-06.qxd 3/1/05 12:33 PM Page 141
Risk Characteristics and Behaviour in an ITO Exercise to consistently portray the behaviour of risks in the ITO environment. This observation is then used to predict some of the changes and behaviour of risks that manifest themselves in the ITO scenario. A significant part of this chapter is devoted to concepts and ideas, because this is an area that bridges the gap between the understanding of risks and actually mitigating them.
Risks behave by nature unpredictably but, if a structured and methodical analytical process is followed, it has been discovered that certain patterns can be identified that allow predictability, albeit with selected constraints. It is very important to intelligently apply the concepts introduced here and not to use them
‘as-is’. To assist in this process, I have also included a case study in Chapter 8 that shows some of the concepts being applied. The slight modification of what is described in this chapter illustrates and reinforces the point that the framework proposed acts only as a guide and must be customized to the reader’s own requirements.
6.1
Behaviour of risks
As with the definition of outsourcing given in Chapter 1, it is often taken as a benefit that operational risks are mitigated by the buyer organization ‘passing’ them to the supplier of ITO services.
As such, operational risks are ‘passed’ from the buyer to the supplier organization when the IT function is outsourced (Bensaou, 1999). When the operational risks are transferred out, however, the risks along the legal, financial and strategic risk dimensions are observed to increase (see also examples in Chapter 8).
Although the other risks that exist are totally unrelated to operational risks, the risk dimensions that relate to them appear to change as if to compensate for the loss in operational risks. These changes occur to the extent that the total risk exposure for the particular ITO exercise remains relatively constant. This apparent interrelationship is always observed (see also further observations in Chapter 7). The various assumptions and suppositions that have been made are outlined in this chapter and in Chapter 7.
Many of the estimates of the probability of an occurrence, and also the possibility or prospect of loss, are based on heuristics or previous experience. To qualify an observation made, we need a comprehensive set of data. The structured approach suggested in Section II provides a framework in which risks can be identified. This does not mean, however, that all possible risks can be identified. Some risks that will not have been included would 141
Chap-06.qxd 3/1/05 12:33 PM Page 142
Managing the Risks of IT Outsourcing
account for a shortfall or access risk exposure for the organization. It was also proposed in the previous chapter that if the relationship between cause and effect could be determined, then not all the risks would have to be defined at the outset.
Another important observation is that a specific relationship exists between several risk dimensions in an ITO exercise at any point in time. This implies the presence of linkages or a correlation between these risk dimensions. The complex causal models introduced in the previous section and illustrated via one-to-many and many-to-one relationships also contribute to a supposition that the risk dimensions exhibit some form of risk relationship pattern. Observations made from a variety of perspectives provide evidence to show the presence of definitive links between the risk dimensions in a relationship of this type.
Risks do not react or move on command. Instead, risks generally appear to change according to various causes and extraneous factors. Although the causal framework has the connotation of determinism and necessity, in practice causal relations are much more subtle and less straightforward than they may initially appear. An example of a causal relationship is the scenario where drinking alcohol and/or talking on a mobile phone while driving causes accidents. This does not actually mean that the consequences are likely or certain. By way of analogy, it is more accurate to say that the probability of an accident increases when driving under the influence of alcohol or driving while having a conversation on a mobile phone. The accident risk exposure however, has increased in these circumstances.
Failure to make IT system backups, to look at another example, does not imply an inability to recover from a hard-disk failure.
The practical notion of causation requires the ability to express it in various degrees of likelihood or probability. In the instance of ITO, the causality assumption can also be observed through the myriad factors that influence the ITO exercise. This is made more complex over time as the combination of events and activities also change. The effects of events and actions are related to observable causes. Multiple causes, however, also overlay one another at different points along a timeline and blur the ability to observe a direct relationship in this phenomenon. It is important that causality is embedded and mixed within the original concepts of creation and random occurrence. In comparison with the development of models explaining the effects of empirical observations, there has been relatively little development of formal models to account for the effects of such prior knowledge.