142
Chap-06.qxd 3/1/05 12:33 PM Page 143
Risk Characteristics and Behaviour in an ITO Exercise 6.2
Risk appetite
Imagine an individual managing an IT operation for an organization wishing for the mythical ‘perfect project’, i.e. the project or business venture that carries no risks. In this fabricated scenario, all activities proceed as planned. The organization in this instance has no risk appetite and cannot tolerate any risks at all.
It is a situation where there is either a zero probability of any undesirable outcome, or a situation where the loss incurred as a result of an undesirable outcome is always zero.
A more reasonable and realistic view of things, however, is a scenario where the project is barraged with outcomes that are both undesirable and unsolicited. We also find that most organizations have a certain level of tolerance for things that may go wrong, i.e. a level or appetite for risks; the risk exposure values are actively managed within ‘acceptable’ or tolerable levels.
These tolerable levels of risk are referred to as the ‘appetite for risk’ of the organization (see also ‘risk appetite’ in Chapter 5).
An organization’s appetite for risk is distinctive as it is largely dependent on selected characteristics of the organization. For example (largely exaggerated to convey the point), a diversified conglomerate that is heavily funded may have a relatively higher tolerance for financial risk (or a larger appetite for risk) compared to a small organization that is owned by an individual, with a relatively lower appetite for financial risks. The smaller organization would not have the capability to recover from a financial disaster as well as the larger organization with significantly greater monetary reserves that it can call upon.
6.3
Fundamental assumptions in
understanding risks
Three fundamental assumptions have been made so far, which are outlined below.
Cause & effect
The first is that all risks are subject to a cause and effect relationship. The causes, however, manifest themselves as either naturally occurring or through direct intervention (i.e. through careful planning and deliberate action). The observable interaction between internal and external influences on the risk exposure features cause and effect. This shows the existence of a direct relationship between the risk dimensions. For example, 143
Chap-06.qxd 3/1/05 12:33 PM Page 144
Managing the Risks of IT Outsourcing
we say ‘A caused B’. We know A occurred and B occurred, and if A had not occurred then neither would B. Bayesian theory would determine the probability of the occurrence. In this instance, however, extending these notions on categorization, we assume that the effects of the risks categorized in risk dimensions are pooled and already considered when observing the empirical data. Simply put, the risk dimensions hence have already pooled the effects of the risks. This assumes that the risks in the same common pool have common causes.
Internal/external influences
In the second assumption, the internal-influences phenomenon is limited to an individual organization as opposed to a group of interacting organizations. For example, where the RDSs for two suppliers competing for the same project are illustrated, the interaction between internal influences is only for the individual suppliers (or intra-organizational). The same logic is extended to assume the alternative situation; that is, there is a relationship between external influences only in an inter-organizational situation. This assumption is different from the other two as it breaks down quickly in practice. The classification of influences as
‘internal’ and ‘external’ does not apply; the influences combine in effects on risks. This assumption is deliberately maintained, however, to show the distinction between the competing environment (external influences) and organizational strategy (internally controlled).
Accuracy of risk classification/grouping The third major assumption is that the risk classifications reflect the risks in the ITO exercise sufficiently to provide an accurate illustration of the risk landscape. Risks experienced in an ITO
exercise are categorized into the eight dimensions crafted, discussed, tested and verified against several scenarios in the previous chapters. While these dimensions apply to the majority of ITO exercises, in others and for some types of organization, this may not be the case as risks are subject to and have a relationship with the prevailing conditions (as discussed in Chapter 3).
6.4
Effects of influences
Suppose all the risks experienced are caused by events and actions, whether purposeful or otherwise. These events and actions become influences, originating from either internal or 144
Chap-06.qxd 3/1/05 12:33 PM Page 145
Risk Characteristics and Behaviour in an ITO Exercise external sources. It is intuitive then to assume that the risks experienced in an ITO exercise are related to changes in the environment, practices in the market and internal operations. Since the risk dimensions proposed correlate to the influences, the risk dimensions themselves may be used as indicators for the factors influencing the risks. To investigate the difference in external influences, the RDS profile for one organization is taken over two separate points in time (see case study in Chapter 8).
Differences would be expected to originate predominantly from external influences.
It is the specific nature of this relationship between risk dimensions that is observed. Clues to its behaviour are sought by observing changes in the RDS patterns. Although the risk exposure values are dynamic, it is not certain if the total risk exposure 1
for the project itself changes. The background and reasons for a static total risk exposure cannot be expounded in this book but, supposing there is an observed state of stasis over time, then the dynamics of the changes in risk exposure can be managed more effectively.
6.5
Relationships between risk dimensions
Many propositions have been raised that cover the relationships between the supplier and buyer organization in an ITO exercise including agency theory and possibilities of some sharing of risks between the participating organizations. While there are relationships between the risk dimensions observed within an organization (i.e. either buyer or supplier), there are also relationships between risk dimensions between organizations (i.e.
both the buyer and supplier).
The changes in the risk dimensions also appear to be time-
related functions. That is to say, the dynamics of change along all the dimensions change with time. At any single point in time, all the risk dimensions in the RDS profile are constant. The magnitude of risk exposure (RE) along any of the risk dimensions changes. The changes hence are also functions of magnitude.
The degree of interrelatedness between each risk dimension also appears to change, giving rise to a third function. The changes are a function of degree of relatedness. A brief discussion on notion of risk balancing later in this chapter provides further background.
1 Previously defined as the mathematical sum of risk exposure along all the risk dimensions in an IT outsourcing exercise 145
Chap-06.qxd 3/1/05 12:33 PM Page 146
Managing the Risks of IT Outsourcing
Further, there are three key characteristics that are exhibited by the risks in this situation. These characteristics include the risk balancing phenomenon, the concept of total risk exposure and the existence of a state of equilibrium.
Risk balancing
In an ITO environment, risk profiles are often short-lived, i.e.
they change rapidly in response to changes in the environment.
Peculiar to outsourcing, there are two very closely linked organizations: the buyer and the supplier. Both these organizations work towards a ‘win–win’ situation where the risks are almost equally shared. This state of ‘risk balance’ provides the most equitable form of partnership where both parties are motivated to jointly reduce the risk exposure. In a ‘risk balanced’ state, the risk areas (bounded by the risk signature) for the buyer and supplier are almost the same, and a state of equilibrium is reached where both participants share almost equal risks.
Changes in risk exposure (RE)
As previously proposed, the risk exposure depicted by the RDS
is demonstrated by the equation simplified in Chapter 4 and re-illustrated below for reference.
Buyer
Risk dim A
5
Supplier
Risk dim H
4
Risk dim B
3
2
1
Risk dim G
0
Risk dim C
Figure 6.2
Re-illustration of the
Risk dim F
Risk dim D
RDS equation (from
Risk dim E
Figure 4.2 in
Chapter 4)
i
⎡ 7
⎤
∑ Risk 0.5sin ⎢∑ (risk risk ) (risk risk ⎥
i
(i 1)
1
8 )
⎣⎢
⎥
i1
⎦
But 45° where there are 8 dimensions. Therefore, 146
Chap-06.qxd 3/1/05 12:33 PM Page 147
Risk Characteristics and Behaviour in an ITO Exercise i 7
⎡
⎤
∑ Risk ⎢∑ (risk risk ) (risk risk ⎥
i
(i 1)
1
8 )
⎣⎢
⎥
i 1
⎦
where 0.3536
The equation carries a constant , that is dependent on the number of risk dimensions in the ITO exercise. The value of is calculated. The total risk exposure changes are the total risk profile changes. When the number of risk dimensions change, then the value of also changes, where sin(360/(# risk dimensions)).
Sample values of are listed in Table 4.1 in Chapter 4.
Through simplification the total risk exposure, , or area under the RDS with a selected profile, can be easily computed as