(buyer). dt (supplier). dt constant
∫
∫
0
0
where represents the total risk exposure.
Risks are, to a reasonable extent, naturally occurring. The risk ecosystem is a balance between forces. The analogy of nature’s ecosystem illustrates this point. A popular predator–prey model is a concept where, initially, there are a given number of predators that feed on a given number of prey. As the number of prey reduce because of hunting activity, the scarcity of food (prey) forces a reduction in the number of predators. Fewer predators means that more prey have a chance to survive as the prey is then not hunted. The numbers of prey subsequently increase.
The cycle then repeats. As the number of prey increases, so does the number of predators. The predator/prey ecosystem sustains a relatively stable number of prey and predators at any given point in time. The concept of the risk ecosystem appears to exhibit similar, although not identical, behaviour. Both the supplier and buyer risk profiles appear to fluctuate as the risk is passed from one organization to the other. Over time, there appears to be a stable total risk profile for both buyer and supplier.
The notion of equilibrium and a state of constancy was compared earlier with game theory in a situation where the buyer and supplier organizations were exposed to a series of decisions over the life cycle of the ITO exercise. This was previously proposed by Elitzur and Wensley (1997). In this case, however, the 155
Chap-07.qxd 3/1/05 12:33 PM Page 156
Managing the Risks of IT Outsourcing
emphasis was on a state of equilibrium in the total risk exposure experienced by the buyer and supplier organizations. New insight into this case is gained through observing a state of equilibrium that exists as the influences or causes of risks are considered.
The result was equilibrium in the totality of the state of risk exposure.
7.2
Predicting the behaviour of
risks with the RDS
The behaviour of risks in an ITO exercise, using the RDS, can therefore be summarized as follows. In an ITO exercise, risks are transferred from one organization to another over the period agreed under an earlier defined contract. The total risk exposure of the contracting parties remains relatively constant within the selected risk ecosystem. Within the risk ecosystem that has been defined, the constancy of the total risk exposure patterns does not appear to be affected by either internal or external risk influences. This special relationship between risk dimensions appears to remain and is only affected by the functions of time, magnitude of risk types and the degree of interrelatedness of risk dimensions.
The function of time is a dominant feature as the effects of risk occur over varying lengths of time. For each risk effect to completely express itself, the variable of time needs to be taken into account as much as the variability of the effect of the risk itself.
If a risk type is known to take effect over a longer period, and the time variable can be controlled, then the risk may be mitigated using this variable.
The magnitude of risk is a component of the risk exposure defined earlier, and a high risk exposure carries along with it a high risk magnitude. If the impact of risks along a dimension is of high magnitude, this often overrides concerns for risks with relatively lower magnitude. For a given organizational risk appetite, risks with low magnitudes may sometimes also be considered imma-terial and ignored. Hence the risk relationship equation can be put into effect to mitigate risks. For example, mitigation of a risk of low magnitude may be ignored altogether given an organization with high risk appetite for this type of risk.
Often also, risks of different types and from different dimensions relate to each other closely. For example, the risk dimensions for strategy, business and environment are very frequently grouped together because of the very close relationship they enjoy.
156
Chap-07.qxd 3/1/05 12:33 PM Page 157
Mitigating Risks in an ITO Environment
All three affect each other very closely. Other cases, operations for example, may not be affected at all by the environment.
There are many major factors that have a role in the interaction between the selected risk dimensions. Attention has been drawn here to the three salient variables which emerge as more significant than the others.
7.3
Depiction of the risk profile
Despite steps taken to verify all the elements that contribute to the risk profiles, it is arguable how well the description or postulation of the behaviour of the interaction between the risks in the various risk dimensions identified can be used in other ITO
projects. A major assumption made is that the profiles provide a sufficiently accurate illustration of the profiles that are observed.
The consistency of methods in the process, standardized measurement techniques and common tools negate possible errors in measurement. While the risk patterns and observed interaction between the risk dimensions are verified against theoretical models, many of the pragmatic answers come from experience and heuristics. The use of theoretical models is useful to the extent that they predict certain types of behaviour and become powerful tools when used in conjunction with experience and a little common sense.
The RDS, simply used, can already provide a graphical illustration that highlights these risk dimensions that require urgent and immediate reaction. For a more proactive stance, the RDS can also provide a framework for risk mitigation through the recognition of risk patterns that arise from the interaction between supplier and buyer. Strategic interaction can be validated with game theory. The behaviour of people and interaction derives from agency theory. The risk variation and behaviour of relationships between the risks can be related to Nash’s theory. The extent of risk exposure can then often be predicted via the theory that the total risk exposure remains constant over time in a risk ecosystem (Tho, 2004). In combination this allows the manager to forecast, to a limited degree, the behaviour of risks in the ITO space.
7.4
Risk frameworks
There are critiques that may be made of the existing techniques and frameworks. First, the models are limited in the ability to capture and illustrate all the risks that occur. Then again, the 157
Chap-07.qxd 3/1/05 12:33 PM Page 158
Managing the Risks of IT Outsourcing
models are focused on specific risks, which leads to arguments about accuracy and determination in an environment where uncertainty and a high degree of change are prevalent. Finally, the assumptions made using the existing models possibly do not allow for the specialized need for observations in the trans-ferability of risks across organizations. While these points are true to a limited extent, there are also those that need to be raised in defence of the use of these frameworks that highlight the significant advantages that outweigh these points.
In order to observe the interaction of the group of identified risks, an alternative perspective is recommended. Instead of viewing risks within an organization, an outside or macro-view of the total risk profile (all of the risks combined) can be taken.
The difference is that both the environmental and internal risks can be viewed together. This addresses some of the shortcom-ings of the earlier framework in the ability to capture all the risks. The method of grouping risks into categories (which refer to both internal and external risks) allows a summary illustration of the majority of risks that are perceived to become manifest in one illustration.
Many of the rules and frameworks used originate from existing risk frameworks. As the risks are studied from a complete risk profile perspective, the nuances of each risk item are considered as part of the collective for the risk group or risk dimension.
This reduces the complexity of the study and allows a clearer view of the phenomenon where risks appear to be ‘transferred’
from one organization to another in an ITO agreement.
From the new perspective, risks are viewed as a whole where all the risks that affect the ITO project are taken. Following detailed observation of the new risk profile, the total risk profile of the ITO project remains constant over time. Information that supports this argument includes observations of empirical data from the RDS that show changes in the individual risk dimensions. The profiles from observations of the RDS profile show that changes occur along risk dimensions, appearing to compensate for changes along other risk dimensions that have arisen earlier.
The shifts in magnitude of total risk exposure value from the buyer to the supplier in the operational and technical risks dimensions are ‘compensated for’ by movements in the risks along other dimensions for both organizations. As the supplier accepts the transfer of risk in the operation and technical dimensions (i.e. increases along these risk dimensions), the supplier organization is also observed to experience less risk exposure 158
Chap-07.qxd 3/1/05 12:33 PM Page 159
Mitigating Risks in an ITO Environment
from the business, strategic and financial risk perspectives. Both buyer and supplier organizations experience many changes along the individual risk dimensions but the total risk profile remains constant. The supplier is able to enter into a long-term agreement with the buyer because its risk profile is fairly uniform.