If the perspective of the supplier of ITO services is taken, it appears to be able to take on the new risks, although sometimes to its peril. The winner’s curse phenomenon is one of several results of the neglect of the risks involved, plus an overzealous 166
Chap-07.qxd 3/1/05 12:33 PM Page 167
Mitigating Risks in an ITO Environment
attitude by suppliers to win work and underprice their services.
Again, if the concept of a relationship between the risk dimensions introduced here is used, the total risk profiles observed will reach a state of equilibrium. And, as areas of very high risk exposure appear, other areas of risk will be observed where there will be a reduction in risk exposure that compensates for the increased risk. The total risk exposure remains constant over time. Again, with management focused on mitigating risk in the areas of high exposure, the total risk profile remains unchanged.
This means that in the areas of low risk exposure additional risks will be taken on in further compensation for reductions in risk in the areas of high risk exposure.
Finally, as with many other theories and propositions, the risk relationship concept in any exercise must not stand alone but be subject to ‘common sense’ and logical tests in environments that extend beyond the one that has been suggested here. The cases discussed here have been subject to predetermined limitations and conditions, so other tests must be used to introduce a new set of parameters.
Section II began as an attempt to explain the singular phenomenon of risk transfer that had attracted many organizations to consider the use of outsourcing to provide further benefits for the IT function. This was based very much on an organization’s understanding of the nature of ITO and general concepts of risk.
There are few tools or risk frameworks available to measure the risk profile of an organization in an ITO environment. The concepts of pooling risks in the insurance industry led to the notion of categorizing risks into risk dimensions. This led to the introduction of the risk dimension signature (RDS), which is unique to any individual ITO exercise; the RDS allowed observations of the risk profile to continue. The notion that there exists a relationship between changes in risk dimensions in the ITO environment was then introduced. The internal and external influences of risks were considered along with the behaviour of the risks over time.
It is therefore my hope that some of the concepts discussed in this book will be useful to the reader. Again, there is no substitute for experience, common sense and logical reasoning. The RDS, when employed in conjunction with all the concepts and ideas appearing in this book, should prove to be useful in understanding, measuring, illustrating and anticipating the risks that will ultimately become manifest in the ITO environment.
167
Chap-08.qxd 3/1/05 12:34 PM Page 168
8
A case study – ITO risks
The case study presented here is about a multinational organization that has embarked on an ITO exercise, and which has been referred to already in several chapters of this book. It serves as a practical example that re-illustrates the concepts introduced earlier. Unlike the situation in other ITO exercises, the organization in this case study has an unusually high incidence of risk characteristics from environmental (political environment), business, and strategic risk dimensions. These dimensions are conspicuous set against the discussion on pure operational risks.
This natural exaggeration is appropriate as it amplifies some of the concepts discussed in previous chapters and allows the details to be more clearly observed.
To protect the privacy of individuals and the organization, pseu-donyms have been intentionally used for purposes of the case study. The data presented, however, are real. Actual data were collected by a team of individuals over a period of 5 months while working on the ITO exercise.
The team that worked on the project was one that would normally be found on an ITO exercise. It consisted mainly of personnel with a background in IT who had worked in the IT department prior to the exercise, and managers from every department in the organization. The Board and Senior Management team were the sponsors for the ITO programme. The project ‘champion’ was the Chief Information Officer (CIO) for the organization and she had the role of maintaining the focus of the team. She provided the
‘energy’ from the start of the ITO exercise to its completion.
Although there are multiple facets of the ITO exercise that could be highlighted, only the risk capture and management activities are highlighted, as applicable to the subject matter in this book.
8.1
Case study background
The case study organization provides clinical investigative services for regional tertiary care centres (acute care hospitals). The services provided include the processing of samples, analysis and results reporting. To facilitate this, the organization has 168
Chap-08.qxd 3/1/05 12:34 PM Page 169
A Case Study – ITO Risks
maintained an in-house IT function for over 10 years. In order to save costs and focus on its core competence the management team has recently decided to embark on an ambitious project to outsource all the major components of the IT function.
Clinical investigative services is a discipline within the healthcare industry that include both laboratory and radiology functions.
Together, these functions require processes that are information intensive. Data are collated, stored and disseminated on every sample collected and results are reported and stored in the patients’ medical records. Subsequently, the analysis and presentation of the outcomes of the tests also require significant use of the IT function. This forms one of the most important sources of current information for diagnosis by a clinician. The laboratory tests that are performed by the organization for its clients include those involving haematology, chemical pathology, cytology and microbiology. The various modalities covered in radiology include X-rays, CT scans, ultrasound and MRI. As such, the operations and reporting requirements are complex, and the accuracy and timeliness of the information provided are vital.
Clients are predominantly healthcare centres including hospitals, clinics and centres for rehabilitative care and allied health, which are situated in geographically disparate locations spread over three time zones.
So, the organization itself is an outsourcing services supplier as it performs tests for outsourcing services buyers, the healthcare institutions. It is, however, also a buyer of outsourcing services.
In this case, it is buying outsourcing services for its IT function.
The risks in the IT function will be discussed here.
As a business entity, it needs to deliver value for its shareholders in the form of profitability and return on investment. Also, like any other business, it is not immune to pressures for cost reduction. As a professional services organization in the healthcare industry, the cost objective and expenditure priorities for patient safety and accuracy of information need to be balanced through a series of management activities that operate to maximize the efficiency of all the organization’s resources.
In addition to industry pressures, the organization is subject to environmental influences – it has the added pressure from the Government to provide services at cost for many social projects including participation in operations relating to bio-terrorism; disease outbreaks; and more recently the avian flu epidemic that threatened the nation. To make matters worse, this organization was the only one in the country to have specialized facilities for 169
Chap-08.qxd 3/1/05 12:34 PM Page 170
Managing the Risks of IT Outsourcing
selected medical tests. The need to collect, maintain and disseminate information through its IT function was distracting its people from the core business of providing medical testing services.
Finally, heightened competition in the industry had resulted in greater yield and price pressure on the organization’s products and services. It had to re-engineer and urgently change (transform) current operations with attention to lowering operating costs and increasing margins through focus on customer care, improved services and increased reach. Competitive pressures provided the catalyst for change.
It had used contract workers to perform specific functions like the installation of the local area network (LAN) and short-term contractors to write small computer programs. The management team had devoted a significant amount of time to supervise and manage these contracts. The same team has now decided that its IT function is not a core competence function and that it wants only to benefit from the outcomes of this function1. It will outsource the IT operations along with the attendant operational risks. The IT operations, however, are strategically important to the organization because of the need for accurate and real-time information. This need to keep selected components (for example, the information on the Oracle™ database and electronic interfaces between some of the test machines and the computer system) of the IT function confidential and proprietary was recognized early. To satisfy both these requirements, the outsourcing supplier had to have a strategic relationship with this organization (see ‘Outsourcing Partnerships/Contracts’ in Chapter 1). Organizational boundaries between the ITO supplier and this organization would merge as the outsourcing and supplier organizations would share in the performance and outcomes of the very important IT function.