Results collated after general agreement
Integrating
OUTPUT
individual
judgements
Results compared using the RDS for consistency Figure 8.4
Qualitative survey methodology (adapted from Jones and Hunter, 1995) This was expected. Selected individuals were given opportunities during individual and group sessions to allow the researcher to gain consensus on the risk ‘readings’. The extent of agreement (consensus measurement) as well as resolution of disagreements (consensus development) were organized through a group facili-tator. The discussions also provided a framework for qualitative assessment of evidence (though they are often concerned with deriving quantitative estimates from the evidence; for example, estimating probabilities for the risks experienced). The participants in the individual and group sessions comprised a selected group of individuals who represented the buyer organization’s operations. The senior managers each represented a focus area in the buyer organization, and the senior manager from the IT
department participated. The CIO, who was also an avid supporter of this exercise, selected each individual. The managers then also nominated participants. The exact numbers varied (and are identified prior to the results in the next section) but finally a pool of 38 participants was used.
The participants’ main qualification was their knowledge of and involvement with the ITO decision and exercise. The initial meeting was called to explain what the research project consisted of and how it linked with the actual project activity to be 181
Chap-08.qxd 3/1/05 12:34 PM Page 182
Managing the Risks of IT Outsourcing
conducted with the buyer organization. Each ‘wave’ of activity was also explained, as the RDS information would be collected at different points in time.
The main survey instrument was a questionnaire consisting of Likert scale ratings, asking the participants to rate the probability of occurrence and extent of loss that could be experienced by the buyer organization along the separate risk dimensions.
Approximately half of the respondents were interviewed face-to-face, the other half via telephone or e-mail given the remoteness of the various sites. Minor editing was carried out for clarity and consistency. For the discussion questions, the responses were edited and discussed within the risk framework of the exercise since ideas, clarifications, and elaborations were required.
Various assumptions have been made and validated. A major assumption is that the exercises in this chapter adequately illustrate the use of a tool that enabled the collection of readily available information from both the supplier and buyer organizations to develop the risk profile at separate points in time: for example, the existence of direct internal and external influences on the pre-established risk dimensions for the ITO exercise at the buyer organization along the eight risk dimensions initially proposed.
The relationship between the influences and risk dimensions is valid only if there are no other factors to be considered. This assumption is valid if the environment is controlled. In a dynamic business environment this may not hold true. The assumption nevertheless can be made based on the absence of any other input.
The exercise hence can be said to provide some validity for the risk dimension and classification of risks.
Another major assumption is that the frameworks created by previous authors and researchers are adequate for the definition of risk exposure. It assumes that the work that has been done to date can be reused in this context and purpose. The risk exposure frameworks are extended and form the foundational elements of the RDS profile.
A further assumption is that the risk transfer mechanism is valid.
When the operations are transferred from one organization to another, the nature of the risks is multidimensional. It is assumed that the risks do not actually physically move but are experienced by the party that takes over the activities that result in the risks.
Given the methods, processes and assumptions made in this chapter, the RDS profile was then used at several points in the 182
Chap-08.qxd 3/1/05 12:34 PM Page 183
A Case Study – ITO Risks
activities timeline in the outsourcing of the IT function at the buyer organization. The various technical, financial, legal, operational, business, environmental, informational and strategic risk elements would be considered and changes observed.
8.6
Using the risk dimensions
The processes that were initiated to create an RDS profile have been carefully illustrated in this chapter. The ‘subject’, i.e. the buyer organization in the case study, for the creation of the risks profile, was selected to allow maximum opportunity to collate and process the risk information in an appropriate outsourcing environment. This allowed the researcher to be deeply involved with the daily activities that were linked directly to the decision to outsource the IT function, selection of the supplier organization, justification of the business case for the outsourcing exercise and engaging with the supplier in order to commence the outsourcing exercise.
The methods used allowed very detailed observations of the risks from perspectives intimate to the buyer organization and the specific ITO situation. The measurement scales were devised to allow the capture of risks from the eight selected, summary risk dimensions. All eight dimensions were verified against the causes and influences of risk both from within and external to the organization at the time of the readings. The processes involved required the gathering of data, and the processing of the information to provide meaningful risk exposure values, standardized with the use of a computer program written specifically to obtain the information sought. The program and the algorithms were subject to the regular software application tests.
In Chapter 2, some of the pertinent and existing concepts of risks inherent in an ITO project were illustrated. It was emphasized there that the IT environment was uniquely different given its rapid change and ‘fluid’ definition both as a supporting and a driving function within the organization in a competitive environment. Risks in this area included both operational and relationship risks. Further work by several researchers and practitioners suggested risk evaluation frameworks and others propounded a range of risk exposure measurement techniques for the ITO environment. The information at hand is therefore sufficiently substantiated to allow the risk profiles and the negotiations process to be addressed directly.
183
Chap-08.qxd 3/1/05 12:34 PM Page 184
Managing the Risks of IT Outsourcing
8.7
The buyer & supplier RDS profiles6
The results of the RDS tool comprised a risk profile for both the buyer and supplier organizations at predetermined points in time. Following this, the results of the RDS would be used to observe changes in the risk profile as the risk transfer phenomenon became manifest in the outsourcing exercise.
This evidence provides support for a comparison of the RDSs of two suppliers against what is perceived as an acceptable risk by both these organizations. It also provides confidence that the risk dimensioning is representative of the risks encountered.
Movements and a presumed relationship between the risk dimensions provide early warning for both the supplier and buyer on possible outcomes and ways of mitigating risks.
At the start of the ITO exercise
The illustration in Figure 8.5 represents the RDS profiles for all the participants of the ITO exercise at two points in time. Point
#1 was an RDS reading taken prior to the selection of the supplier. The risks elements were captured via the use of responses to a ‘Request for Proposal’ (RFP) document and material from the project. These were used in conjunction with the methods discussed earlier. At this juncture, the RDS profile for the buyer organization was also taken to assess the risk profile prior to the handover of the IT function to the suppliers, as well as to gauge the level of risks that were being experienced by all the participants of the ITO exercise. The difference in risk exposure between supplier S1 and supplier S2 is illustrated in Figure 8.6.
The RDSs at point #1 were also used to form the basis of the negotiations between the parties.
After the conclusion of the selection process, that is at point #2, another RDS profile was taken only for the buyer organization.
Point #2 was at a time when the ITO exercise was about to commence, after the selection of one successful supplier. The differences in the buyer organization’s risk profile are shown in Figure 8.7.
When the risk profiles were being created and examined, an arbitrary ‘acceptable’ risk level of 3 was allocated to all the 6 The supplier names have been withheld at the request of the buyer organization in the case study and arbitrarily named S1 and S2 for the purposes of this discussion
184
Chap-08.qxd 3/1/05 12:34 PM Page 185
A Case Study – ITO Risks
participating organizations. This would allow a benchmark to be established when the team members were interviewing the employees and stakeholders at both the buyer and supplier organizations for risk exposure values. For example, when level 3
was acceptable risk, then any number above this would indicate degrees of higher risk and any number below would indicate less risk or almost no risk to the organization. In Figure 8.5, for example, if the RDS profile for the suppliers were examined, then Technical