8.2 Risks identification
The organization was not immune to risks. In fact it would be subject to a very diverse and complex set of risks that would have to be managed and mitigated to allow the ITO project to proceed.
The framework that was used to capture risks in the project was derived from work by Earl (1996), as described in Chapter 3, where the risk elements are mapped against the eight risk dimensions, as illustrated in Table 8.1 below. Each risk element is discovered through an interview process, which is described in the following section. The matrix also allows the risk elements to be verified against the risk categories and vice versa.
¹ See differences between contracting and outsourcing in Chapter 1

Table 8.1 Mapping common risk elements with risk dimensions (Source: Earl, 1996)
Risk categories/Dimensions: Technical, Financial, Legal, Operational, Business, Environmental, Informational, Strategic
Risk elements:
Possibility of weak management ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓
Inexperienced staff ✓ ✓
Business uncertainty ✓ ✓ ✓ ✓
Outdated technology skills ✓ ✓ ✓ ✓
Endemic uncertainty ✓ ✓ ✓ ✓ ✓
Hidden costs ✓ ✓ ✓
Lack of organizational learning ✓ ✓ ✓
Loss of innovative capacity ✓ ✓ ✓
Dangers of eternal triangle ✓ ✓ ✓ ✓
Technological indivisibility ✓ ✓ ✓
Fuzzy focus ✓ ✓ ✓ ✓

Table 8.2 Buyer risks in the ITO project (case study organization)
Major risk dimensions (Internal, External): Technical, Financial, Operational, Strategic, Legal, Informational, Business, Environmental
Environmental Influences
Competitive pressure
Within the healthcare industry (clinical tests) ✓ ✓ ✓ ✓
Buyers ✓ ✓ ✓
Suppliers ✓ ✓ ✓
Substitutes ✓ ✓ ✓
New Entrants ✓ ✓ ✓ ✓
Nationalism, Politics, Structure ✓ ✓ ✓
Global Events ✓
Hedging against currency fluctuation ✓ ✓ ✓ ✓
Industry Practices
Follow-the-leader phenomenon ✓ ✓ ✓
Using IT as a primary function (cf supporting role) ✓ ✓ ✓ ✓ ✓
Governance of IT within structure ✓ ✓ ✓
Shorter planning cycles ✓ ✓
Reasons for outsourcing IT
Cost reduction ✓ ✓ ✓
Improved customer service ✓ ✓ ✓
Improved revenue generation ✓ ✓ ✓
Speeding adoption of new technology ✓ ✓ ✓
Improved integration with business partners ✓ ✓ ✓
Improved security (regulatory requirements) ✓ ✓ ✓
Sharing Information ✓ ✓ ✓
Contract negotiation & ongoing governance ✓ ✓ ✓
Organization’s operations (outsourced)
Company’s past 5 year track record ✓ ✓ ✓
Management team performance ✓ ✓ ✓ ✓
Company’s strategic plans ✓ ✓ ✓ ✓
Lack of information on risks ✓ ✓ ✓ ✓ ✓
Budgeting and demand management ✓ ✓ ✓ ✓
Poor technical resources ✓ ✓
Outsourcing all its IT operations ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓
Working with a strategic IT outsourcing partner ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓

Managing the Risks of IT Outsourcing
As elements are collected and each risk dimension is verified, the probability of occurrence and the magnitude of loss information are used to compute the risk exposure along each dimension.
In addition, each risk dimension is related to a source of influence, whether internal or external to the organization. The source of the risk is identified early and documented for subsequent risk mitigation activity (see below).
Figure 8.1 Sources of risks (risk dimension) mapping to sources of influence
Technical: Internal
Financial: Internal
Operational: Internal
Strategic: Internal/External
Legal: External/Internal
Informational: External
Business: External
Environmental: External
Once the risk elements have been confirmed, the probability of occurrence and severity levels can be determined to allow computation of the total risk exposure values.
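An added example, not taken from the book, of the computation described above: each element's probability of occurrence is multiplied by its magnitude of loss and summed along every dimension it is mapped to, then rolled up by the sources of influence in Figure 8.1. The percentage scale, the loss figures and the dimension assignments are constructed assumptions, as is counting a mixed-source dimension toward both sources.

```python
from collections import defaultdict

# Source of influence for each risk dimension, as listed in Figure 8.1.
SOURCE = {
    "Technical": "Internal", "Financial": "Internal", "Operational": "Internal",
    "Strategic": "Internal/External", "Legal": "External/Internal",
    "Informational": "External", "Business": "External",
    "Environmental": "External",
}
# Assumed percentage scale for the probability categories of Figure 8.2.
PROBABILITY_PCT = {"Frequent": 90, "Probable": 70, "Occasional": 50,
                   "Remote": 30, "Improbable": 10}
# Constructed register: (element, probability, magnitude of loss, dimensions).
# Loss figures and dimension assignments are sample values, not Table 8.1 data.
REGISTER = [
    ("Hidden costs", "Probable", 500_000, ("Financial", "Operational")),
    ("Outdated technology skills", "Occasional", 200_000,
     ("Technical", "Operational", "Strategic")),
    ("Business uncertainty", "Remote", 1_000_000,
     ("Business", "Strategic", "Financial")),
]

def exposure_by_dimension(register):
    """Sum probability x magnitude of loss over the elements on each dimension."""
    totals = defaultdict(float)
    for element, probability, loss, dimensions in register:
        if probability not in PROBABILITY_PCT:
            raise ValueError(f"{element}: unknown probability {probability!r}")
        for dimension in dimensions:
            if dimension not in SOURCE:  # element mapped to a non-existent column
                raise ValueError(f"{element}: unknown dimension {dimension!r}")
            totals[dimension] += PROBABILITY_PCT[probability] * loss / 100
    return dict(totals)

def uncovered_dimensions(register):
    """Verify the matrix the other way: dimensions with no element against them."""
    covered = {d for _, _, _, dimensions in register for d in dimensions}
    return [d for d in SOURCE if d not in covered]

def exposure_by_source(totals):
    """Roll exposure up to its source; a mixed-source dimension counts for both."""
    by_source = defaultdict(float)
    for dimension, value in totals.items():
        for source in SOURCE[dimension].split("/"):
            by_source[source] += value
    return dict(by_source)

if __name__ == "__main__":
    totals = exposure_by_dimension(REGISTER)
    for dimension in sorted(totals, key=totals.get, reverse=True):
        print(f"{dimension:<14}{SOURCE[dimension]:<19}{totals[dimension]:>12,.0f}")
    print("No elements recorded for:", ", ".join(uncovered_dimensions(REGISTER)))
    print(exposure_by_source(totals))
```

The dimensions reported as uncovered are the ones to take back to the interview process before the exposure figures are relied on.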
The risk elements were grouped under three key headings: environmental influences, industry practices and the organization’s operations (ITO exercise). Figure 8.2 shows the summary illustration of the matrix obtained from this case study. Some of the elements are further described here.
Figure 8.2 Risk assessment matrix
Probability of occurrence: Frequent, Probable, Occasional, Remote, Improbable
Severity level: I (High), II, III, IV (Low)
Risk 1: Undesirable and requires immediate attention
Risk 2: Undesirable and requires corrective action, but some management discretion allowed
Risk 3: Acceptable with review by management
Risk 4: Acceptable without review by management
Source: US Government Accounting Office, ‘Information Security Assessment – Practices of Leading Organizations’, June 1999
8.3 Internal (endogenous²) risks
The organization in the case study, like others in the industry, carries high fixed costs, and experiences an unpredictable cash flow and low margins as a result of price competition and the inevitabilities of unforeseen regional and global events. The radical and strategic decision to outsource its IT function was based on three key factors: the need to focus on core competence, the need to reduce operational risks and the need to simultaneously derive optimal outcomes from the IT function at a lower cost.
² See also Figure 3.2 in Chapter 3
A Case Study – ITO Risks
Buyer risks
Operational risks were never really fully quantified, or were partially ignored as the management team never appeared to consider the effects of failure of the IT function. It had maintained a fully operational IT department with over 100 trained IT personnel. The first computerized application had been installed over 12 years ago. The management team wanted to reduce technical risks by working with an ITO partner who would guarantee the performance of the IT function and include updated technology.
The organization had incurred excessive expenditure on excess capacity that did not match up to returns. Burdened with a large operation and high capital costs in a plummeting global economy, the organization had huge cash outflows as a result of the purchase of new equipment for specialized testing. Obvious implications included difficulty in repaying its debts. There was poor evidence of increasing volumes of medical tests and management literally gambled on increasing demand and regional and global orders based on trends for long-term diseases such as hypertension, stress, and cancer. Despite this evidence, orders were confirmed for more new equipment (approximately 25% increase in testing capability) to be delivered over a 5-year period. Demand for medical tests from existing and new customer bases remained uncertain. The financial risks were mounting and the strategic risks were close to the organization’s point of intolerance.
Supplier risks
Two prospective suppliers had been considered in the selection process. Subsequently, only one supplier³ was selected to perform the ITO task for the complete IT function.
³ There are models where multiple supplier organizations work together to provide ITO services (see Chapter 1)
Initially, during the selection and proposal consideration process, both suppliers were vying to win this potentially lucrative new business. The organization would outsource the major functional areas of IT including Cross-Platform Services, Help Desk Services, Mainframe Data Centre Computing, Midrange Data Centre Computing, Desktop Services, Network Services (voice and data), Application Development, Application Maintenance and Station Support (regional). The key strategic core activities to be retained by the management team would be the development, maintenance and control of IT strategy, IT policy and new solutions provision and systems integration. The Business Units would be accountable for business integration. Oddly, although mobile telephones, walkie-talkies and other equipment had been under the control of the IT function, under the new structure these were ‘out of scope’.
The IT operation at the organization was logically separated into eight ‘service towers’. These were functional areas that comprised multiple services: the Data Centre (mainframe, midrange and database) Processing Services, Network (server support) and Desktop Support Services, Help Desk Management Services, Application Management, Governance Services, Transition and Transformation Services, Business Continuity and Disaster Recovery Services, and Exit Management and Assistance Services.
Each of these service towers had been derived from a previously created document from an exercise commissioned by the organization to identify key parts of the business.
The suppliers are familiar with the organization and its management. When bidding for the project, the immediate risk the suppliers accept includes a significant number of applications that have been unaccounted for or are unknown. This poses both a threat and a risk as the supplier would be bidding for an unknown quantity of work. This risk is classified as a technical risk. Also, there is a financial risk when there is competition for the work. The lowest bidder often wins the work but may be left to take on several unaccounted-for but contracted pieces of work that would quickly erode any profits (see Winner’s Curse Phenomenon in Chapter 4). The load of operational risks would need to be covered when the transition from the buyer to the supplier takes place. The transition planning and governance of the project becomes a critical activity and is the responsibility of the supplier. The compensation for the supplier is the long-term, steady income stream that it begins to enjoy after the ITO project has commenced. Its strategic risks now need to be considered as other buyer organizations in the same industry area, for example,