It must be mentioned that the validity of an argument should be distinguished from the truth of the conclusion. If one or more of the premises is false, the conclusion of a valid argument that follows may also be false. With this in mind, several key 162
Chap-07.qxd 3/1/05 12:33 PM Page 163
Mitigating Risks in an ITO Environment
assumptions have been made during the course of the arguments in this book that need to be highlighted.
Important assumptions
Several important assumptions were made in pursuing work that guided the direction of the recommendations made specifically with regard to the use of the RDS. Some of these assumptions relate to general activities and behaviour of the entities being studied and are included here for completeness. For example, it was assumed that the buyer and supplier organizations approach the exercise as rational business entities. The decisions and actions that follow are designed to enhance profitability and increase the effectiveness of the individual organizations.
It is assumed that the major theories were applicable and accurate in the context of the ITO exercise. While the exercise served to re-validate many theories, others could not be validated. For example, it was assumed that risks did not occur randomly. The theory of causality was used where there was a notion of definitive causes and effects of risks in the ITO exercise coming from both within and outwith the organization. While the causality theory could not be validated, it was assumed that it was applicable and accurate in this context.
It was further assumed that the models used to derive the experimental constants and variables for the risk profiles were sufficiently accurate. There were three sets of constant values used and two of variables. The constant figure of 8 for the risk dimensions was assumed for the project. Another constant , (see equation (4.1), p. 98) used to compute the area under the RDS
graph was based on straight lines between the risk dimensions.
Finally, a constant number of supplier and buyers was assumed.
Although the implications for these values carry little consequence for the final recommendation, they are highlighted to enable appropriate changes to be made the next time the exercise is run in another environment. Other values that were used included those in the six-point Likert scale, used for measurement. The other major variables that could be altered were the three major factors that appear to have influenced the relationship between the risk dimensions. The experimental constants should be reviewed each time the exercise is repeated.
The assumptions made in using the methods pertained to the area of consistency. Specifically, arguments were made on the need to group risks into categories for measurement. A key assumption arrived at was that the risk exposure measurements 163
Chap-07.qxd 3/1/05 12:33 PM Page 164
Managing the Risks of IT Outsourcing
could be categorized. Examples from insurance and other industries were also assumed to be applicable in this context.
Although the concept of categorization is accepted, there is no clear proof of the ability to compartmentalize risks and no extensive study to show that risks can be grouped.
Many of the definitions, concepts and notions were derived from the literature and were validated so far as was possible against natural laws, reason and common sense. There were three element definitions that were difficult to validate. This included a definitive meaning for the major terms used, including a universally accepted meaning for the terms outsourcing and risk exposure as well as the term organization. The researcher’s definition was highlighted and clearly defined at an early stage in the book. The assumption was that the minor ambiguities in the definitions would not significantly alter the development of the main theory and ideas.
In addition, the recommendations are based on multiple case studies conducted in Asia and Australia. An assumption made is that the management style and the cultures of the individuals involved did not play a significant role in the judgement of risks, which in turn might have influenced the measurement of risks.
Despite obvious documented differences in terms of Western and Asian cultures regarding ‘power distance’ and ‘individualism’, sufficient evidence was not found to differentiate the decisions made in Asia from those in Western cultures, other than the
‘experience’ factor. Individualism is characterized as a preference for a loosely knit social framework in societies wherein individuals are supposed to take care of themselves and their immediate families only: the ‘I’-concept (Hofstede, 1980; Brislin, 1999).
Besides the major assumptions above, there were three main areas where the impact of the assumptions could have made some difference to the outcomes. These areas included the creation of the risk profile with risk dimensions, depiction of the risk profile and the construction of the theory that is discussed here.
7.6
Insights into risk behaviour
using the RDS tool
Given the new insight into the behaviour of risk, measured as risk exposure values through the life cycle of the ITO exercise, the manager will have accumulated a greater appreciation of the risks involved whether directly through the RDS or indirectly through the use of the methods described.
164
Chap-07.qxd 3/1/05 12:33 PM Page 165
Mitigating Risks in an ITO Environment
The IT function was outsourced to derive significant benefits for the buyer organization, generally by leveraging economies of scale and the ability to focus on core competence. In most cases, the buyer is observed to pass its operational risks to the supplier and derive maximum benefit from the expertise of the supplier in terms of resources, knowledge and processes. The supplier in turn would be compensated for its participation in the exercise with a steady stream of revenue over a contracted period. The supplier then shares its resources and leverages on its own economies of scale. The question remains, however, if the supplier would carry too much risk since the operational and technical risks would be taken over from the buyer organization. The concept of the winner’s curse described in Section I is a repeated phenomenon where the supplier underestimates the costs of providing the services in its zeal to capture a larger market share.
Buyers and suppliers have arrived at outsourcing agreements in many different scenarios. The outsourcing of the IT function, however, is something that has relatively recently been resorted to. It can be shown that the risk profiles of two different suppliers with different backgrounds typically are very similar. This is often because both supplier organizations operate in the same environment. In most cases, this demonstrates consistency in the perception of risk profiles by different organizations at a given point in time.
Studies that were made also demonstrate that both the buyer and supplier maintain the same total risk exposure, despite significant differences in the risk profile at different stages in the ITO
exercise. Given a long-term contract (over many years), it was also theoretically demonstrated that a state of equilibrium is reached where, over time, the total risk exposure would remain constant. The buyer’s risk profile is measured at several separate points in time over the life cycle of the outsourcing exercise. Most of the changes in the risk profile can then be explained through actions giving rise to environmental as well as internal influences on the project. Importantly, the total risk exposure remains fairly constant during all these events. The main theory can be expressed in the form of the fundamental equations following:
(buyer). dt
∫
t1
0
and
(supplier). dt
∫
t2
0
165
Chap-07.qxd 3/1/05 12:33 PM Page 166
Managing the Risks of IT Outsourcing
where 1, 2 are constants specific to the particular ITO exercise that is being undertaken.
7.7
Further remarks
The IT function is a ‘necessary evil’ that many organizations require just to stay in the market. It is a matter of survival in the current economy. Organizations use IT to enable the development and use of faster and more efficient processes and to keep the costs of production low. Some organizations use the IT function as a strategic tool that differentiates products and services from those of the competition. The majority of organizations, however, need to maintain a complex and very dynamic IT
function just to support routine operations. It is these organizations that primarily are resorting to outsourcing arrangements.
A new market is created where organizations seize the opportunity to supply IT services to other organizations.
For the many organizations that seek to relieve themselves of the operational risks inherent to the IT function, this study supports the notion that the operational and technical risks are indeed ‘shifted’ to the supplier organization. The benefit to the many organizations starting an ITO contract is the ability to shift unwanted operational and technical risks that become manifest specifically in the IT function, to the supplier.
At the same time, as the IT function changes, organizations that need to realize the strategic advantage of the IT function in differentiating services and products are also resorting to outsourcing arrangements. The strategic risks are mitigated via the use of more effective governance processes and an understanding of the total risk exposure. The results of this study also provide another perspective wherein the total risk exposure remains the same for these organizations; while some areas of risk may exceed the organization’s appetite for risk, the total risk exposure is unaltered. As there are areas of high risk, there will be risk areas where the risk exposure will have reduced to compensate for the high risk effects; again, the total risk exposure is unchanged. Over time, purposeful action will shift the risks from the areas where exposure is high to the areas where exposure is low.