Chap-08.qxd 3/1/05 12:34 PM Page 177
A Case Study – ITO Risks
would be hesitant in allowing it to take over their IT function lest there be collusion or sharing of information (see also Agency Theory, Chapter 4 and Outsourcing Contracts, Chapter 1).
8.4
External (exogenous4) risks
The buyer and supplier organizations in the case study work in a similar environment and share some of the external risks and experience. The external risks typically derive from the legal framework, the environment, information availability and the business milieu.
Buyer risks
The legal risks to which the buyer is exposed stem directly from contract amendments that appear in almost all outsourcing con-tracts5 as conditions change and the measurement criteria for outcomes of the IT function change (see Role of IT and the Productivity Paradox, Chapter 2). A governance process is implemented to ensure that flexibility in the contract takes the inevitable changes into account. This action mitigates the legal risks but does not cater for possible disputes and litigation, and possible service debasement.
As the buyer organization ventures into a new ITO exercise, it is exposed to regular business risks, which are much like the risks in any significant business venture. The ITO exercise is unique as it ‘locks’ the buyer and supplier into a long-term partnership and the business risks that are encountered will need to be managed even more meticulously. In addition, the risks from the environment change.
In this situation, the buyer organization also suspected that the suppliers had provided inaccurate information in an effort to win the bid. The exposure along the information risk dimension was not substantial but the risk of possible loss therefrom would lead to a threat of legal and financial risk.
Supplier risks
The suppliers on the other hand were facing a difficult time trying to differentiate their products and services offering. The IT
function that was going to be outsourced was relatively generic 4 See also Figure 3.2 in Chapter 3
5 From the author’s experience
177
Chap-08.qxd 3/1/05 12:34 PM Page 178
Managing the Risks of IT Outsourcing
and did not have many speciality services that would easily show that one supplier was better than the other.
Both organizations were large multinationals that had very significant technical expertise and capability, reputations for excellent service and solid track records to show that both were perfectly suited to manage the IT function for the buyer organization. Therefore only the price of the services to be contracted would tilt the decision in favour of one or the other.
The threat of legal risks was significant as the buyers would lock in to a long-term contract with the buyer and commit resources and time to deliver a set of very tangible outcomes that the buyer had already determined. In addition, the risk exposure along the business risk dimension was high given that the price of the services would be reduced significantly to beat the competition. The environmental and informational risk factors were very similar for both supplier organizations, which were operating under very similar sets of rules.
The risk dimension signature (RDS) would show the changes in risk profiles for the buyer as well as the two supplier organizations. This would also facilitate the negotiations process, which would be based on risks, resulting in a winning situation for all three parties. As risks are passed on from the buyer to the (winning) supplier, the buyer would need to adequately compensate the supplier as it would be interested in gaining the best outcomes. The supplier, on the other hand, would be forced to provide a reasonable price as it would need to clinch the deal. The criteria for the winning deal hence would be a relatively honest evaluation of the extent of risk that either supplier could tolerate for a reasonable outcomes set. In this situation, the larger of the two suppliers declined to bid citing unacceptable business and technical risks. It did not have a sufficient risk appetite to take on the work. The smaller, more nimble supplier organization had a higher risk appetite and was willing to take on more risks in the hope of gaining market share ahead of the competition.
The RDSs for both suppliers are constructed based on discussions and qualitative assessments made by representatives from the suppliers, together with input from the consulting team and buyer’s project team. This formed the core business, or functional requirements, with the following core services:
● Cross-Platform Services
● Help Desk
178
Chap-08.qxd 3/1/05 12:34 PM Page 179
A Case Study – ITO Risks
● Mainframe Data Centre Computing
● Midrange Data Centre Computing
● Desktop Services
● Network Services (WAN and LAN)
● Application Maintenance and Development
● Disaster Recovery
● Organization Transformation Management
● Services to be retained by the buyer organization
● Facilities.
Arrangements by the buyer and supplier would also be carried out for the approach to the scope of services, definitive set of service levels, structure and management approach, roles and responsibilities, transition management, governance, long-term service approach and, finally, the value proposition as a target for the exercise. The human resources arrangements would include staffing plans and supplier personnel, who would be responsible for delivering the functionality required. The financial agreements would include an agreement on the term, pricing requirements and pricing structure, any retained expenses to be agreed and the transition services fees (which is often forgotten or omitted). The contractual considerations then also include all the items listed here but the details would carry the elements ranging from an agreement and description of the current environment, the buyer organization’s requirements, a detailed description of the services to be provided, service level definitions and reporting requirements. Speciality requirements include software licensing agreements, voice and data network requirements (both domestic and international), the reporting and status requirements for activities that require development (i.e. work-in-progress requirements) and, finally, governance principles.
After all the components of the IT function have been outsourced, the remaining tasks that are ‘left over’ for the buyer organization include the critical components of the IT function, which are the IT policy and IT strategy, as well as the overview tasks for new systems selection, implementation and maintenance.
This is illustrated in Figure 8.3 where the larger filled circles indicate greater responsibility. For example, the buyer organization’s IT unit would still be responsible for the policy and strategy but not the systems implementation or maintenance.
The responsibilities of the buyer organization versus those of the supplier would need to be strategically delineated to deliver the maximum advantage to both parties. This, however, 179
Chap-08.qxd 3/1/05 12:34 PM Page 180
Managing the Risks of IT Outsourcing
IT function
New systems selection
New systems integration
Policy
Strategy
Requirements
Application
Selection
Implementation
Maintenance
Buyer’s business unit
Buyer’s IT unit
Supplier resources
Other resources
Figure 8.3
Allocation of tasks between supplier and buyer (source: IT outsourcing project documentation)
exposes a number of key risk areas in the strategic, business and informational dimensions (referred to in the risks above).
The buyer organization would maintain primary accountability for its business units and the IT policies and overall IT strategy (see Figure 8.3). The IT requirements definition for the applications to be developed or purchased remains with the business unit and the buyer organization’s core IT unit. After the outsourcing agreement has been agreed and is proceeding, the selection of the systems integrator also remains with the buyer organization. This is to ensure it retains the governance of the outsourced supplier. It still has control over, and overall responsibility for, the outcomes of all IT projects. The actual systems implementation and systems maintenance work is to be moved to the outsource supplier. In addition however, as illustrated in Figure 8.3, the supplier has a role of contributing to the decisions on IT policies and strategy and to other selection decisions.
8.5
Risk profiles from participants in
individual and group sessions
The quantitative method was used in the previous section to derive one view of the risk profiles experienced by the buyer organization (buyer) as it engages with another organization (the supplier). A schematic of the methodology is also illustrated in Figure 8.4 initially proposed by Jones and Hunter (1995) for medical and health systems research. It has been adapted for use in the process discussed here. The method is straightforward where the ‘Input’ process will provide information for ‘processing’ and ‘output’ as an RDS profile.
The results of the analyses were subject to a lack of consensus by the participants and stakeholders primarily as a result of inconsistencies in perception, private agendas and hidden information.
180
Chap-08.qxd 3/1/05 12:34 PM Page 181
A Case Study – ITO Risks
Questions
Risk exposure from probability & loss estimates INPUT
Participants
Senior managers, managers
Information
Ranking sheets, project documentation
Second round: participants are grouped and results are re-ranked following feedback and results from the supplier response
Measuring of
PROCESS
structured
interaction
Second round: participants are grouped and results are re-ranked following feedback and results from the supplier response