Interplay between risk dimensions
Assuming that the eight dimensions mentioned earlier accurately depicted the different risks that become manifest in the ITO, the interplay between the risk dimensions was investigated. In order to limit the number of assumptions that could be made, the investigation was peculiar only to the outsourcing of the IT function.
In addition, the significance of IT was explained as it was unique and displayed characteristics different from those of other support or strategic functions in a typical organization. For example, given the extremely dynamic nature of the IT function, the interplay between the risk dimensions may have been affected. The ability to continually observe the total risk profile may have been influenced by the nature of the IT function in an outsourcing environment.
Interaction of intrusive factors
The interaction that exists as a result of intrusive factors (exogenous and endogenous) was assumed to play a role in the interrelationship between the risk dimensions. The risk dimensions proposed in this study provide an empirical framework to illustrate the interaction of the elements and the nature of the interaction within the risk frameworks proposed by other researchers.
The evidence supports the proposition that relationships exist between these risk dimensions. The interaction of the intrusive factors assumes that the majority of the factors have been included.
7.5
Using the concepts
General theories that attempt to explain the implicit relationships that exist provide a framework, based on which further tests can be made. The methodology used in this book already enables detailed observation of the influences and risk elements for one ITO exercise. The work already completed also allows for subsequent research to be done to confirm or build upon the observations made in this study. To facilitate its use in another environment, the theories on risk relationships and interaction 159
Chap-07.qxd 3/1/05 12:33 PM Page 160
Managing the Risks of IT Outsourcing
between risk dimensions in an ITO exercise have been formulated in this chapter.
Overcoming difficulties that may be
encountered
Possible difficulties may be encountered in selected areas when attempting to work through the risk frameworks. One such area could be the issue of uncertainty in the environment and the significant variation and dynamics in the way the risk elements become manifest. The situations mentioned included a clear direction when there were high levels of certainty and discrete outcomes through a situation involving ‘true ambiguity’. The situation where the ITO exercise is conducted probably lies in between, i.e. where there is a range of possible outcomes. The methods proposed are an attempt to render the quantification of risk elements a more consistent method of monitoring and managing risks. While ideas are drawn from various sources, the final derivative that is proposed is the risk dimension signature (RDS) tool. The RDS allows the focus on all risks to be managed and the focus to be shifted to critical risk elements, grouped into risk categories. As these change over the life cycle of the ITO
exercise, the RDS allows the capture of the major changes in risk elements and fluctuations in risk exposure. It is not, however, a substitute for a thorough knowledge of the environment and is not a replacement for experience and judgement.
Another area of difficulty that can be encountered is project logistics and access to the appropriate sources of information (e.g.
documents, people and stored data) in the organization that is in the midst of a major ITO exercise. In addition, access to the relevant information and people can prove to be extremely difficult if this is treated as a separate activity. This impediment can be reduced by appropriate initiation as an integral part of the ITO
exercise itself (and executed by the ITO team). Also, given the sensitive nature of the results and the need for very senior management attention, it is recommended that there is senior management involvement and sponsorship throughout the exercise.
Yet another area of difficulty could be encountered in an ITO
exercise, one that needs to be highlighted to avoid the same errors and mistakes each time this exercise is repeated: this constitutes a combination of issues starting with the logistics of the data gathering exercise, then the determination of the appropriate number and description of the risk dimensions, followed by consensus on the risk values that would be used. The sequence 160
Chap-07.qxd 3/1/05 12:33 PM Page 161
Mitigating Risks in an ITO Environment
of events that is planned may result in the determination of the risk dimensions conducted prior to the collection of data for risk exposure along the risk dimensions. To avoid this, it should be done simultaneously to streamline logistics (i.e. time and effort).
The difficulties in logistics start when some of the participants who contribute to the development of the risk dimensions are no longer on the team at the time the data are collected. The
‘buy-in’ and discussion time that is spent talking about the risk dimensions may prove challenging. It can be seen then that the people involved add to the subtle differences in each definition embedded in the risk dimensions. In another project, the changes were so subtle that there were up to thirty different risk dimensions at one stage. Again, based on reason and theory described at length earlier, the rational number of risk dimensions has been summarized to a manageable eight.
Limitations
A discussion on difficulty would not be complete if the limitations of the exercise were not incorporated. Limitations, in this instance, arise from the difficulties that are anticipated when using the RDS tool.
A limitation in any study of risks is the estimates made of the probabilities of losses from these risks. It would be extremely difficult, if not impossible, to accurately guess the probability of an occurrence. The number of participants is usually significant.
In projects undertaken, over a hundred individuals representing approximately 10% of the organization and possibly up to three quarters of the IT division were interviewed. As a result, many of the responses provided a class ‘average’. In addition, the categorization of the risk types also provided a further ‘average’
value. In many instances, such an exercise is not possible. Such a limitation needs to be taken into account in the results.
A further limitation of the exercise is the description of the risk exposure (RE) profile and comparison of the shapes. The area enclosed by the risk profile in the RDS represented the total risk exposure at a particular point in time. Although changes in shape can be identified through observation, more subtle changes are difficult to quantify or illustrate accurately.
There is some use of ‘fuzzy logic’ where the outcome of the risk elements is expressed as a probability rather than as a certainty.
For example, in addition to being either true or false, the probability expressed by a participant of the exercise, to the best of their knowledge and based on heuristics, were, in relation to 161
Chap-07.qxd 3/1/05 12:33 PM Page 162
Managing the Risks of IT Outsourcing
outcome, probably true, possibly true, possibly false, and probably false. This is a matter of heuristics because the probabilities were expressed based on experience, knowledge of the environment and the situation. In an analogous example, if a coin were to be tossed ten times and the results indicated ten occurrences of ‘head’, the statistical result would be ‘1’ for head (or 100%
chance of the occurrence of ‘head’). We know that in an ideal-ized example, it would be ‘0.5’ (or 50% chance of the occurrence of ‘head’). Heuristics was used in a situation where there was a decision based on judgement. In a situation where the probabilities of risks occurring were uncertain, deriving responses from the participants in the exercise involved group discussions as well as the methods discussed in the previous section.
A limitation of cognitive heuristics is the probability of error. In a situation where the probability of risk is uncertain, the bias provided by the participants based on prior and existing knowledge furnishes the platform for the data to be collected. This is also related to the first point made in this section. The assumption that has been used in all the cases discussed here was that the same errors were negated in the grouping and classification process.
Many of the limitations that have been encountered are exhibited as a result of uncertainty in the environment and in the concepts of management under uncertainty. Hamel and Prahalad (1994) have repeatedly proposed that no paradigm or idea would be useful in formulating a strategy. They mention that in an environment of uncertainty there is ‘no comfort’ that can be gained and that plans and strategies are indeed limited and cannot ‘be reduced to eight rules for excellence, seven S’s, five competitive forces, four product life cycle stages, three generic strategies, and innumerable two-by-two matrices’.
This provides a setting in which my proposition can be further analysed and extrapolated in future studies. A stand on the view of the knowledge paradigm is taken to ensure that the theories developed are ‘valid’. The notion of validity or credibility of the case presented by the researcher provides a foundational element for new theory. Ultimately, however, validity depends on the collective judgement of the community that a construct and its measure are valid. In the end, we are all left to deal with the effects of our judgement, which is just as it should be.