Both S1 and S2 were placed in the same environment where the external influences, i.e. the buyer organization, environment and bidding structure (IT outsourcing project), were common for the two suppliers. If Figure 8.6 were reviewed again, the risk dimensions most affected by internal influences would be technical, financial and strategic. In Figure 8.6, the largest difference 189
Chap-08.qxd 3/1/05 12:34 PM Page 190
Managing the Risks of IT Outsourcing
in risk exposure between S1 and S2 lies in the technical and financial risk dimensions.
The financial, technical and strategic risks are affected by supplier internal influences. The ‘spike’ in the financial dimension for both S1 and S2 could also point to an early warning for risks in the area of the budgeting and financial modelling that need to be done.
Equation (4.1) for total risk exposure derived in Chapter 4, the total Risk Exposure, [(product of adjacent risk magnitudes)] is reused here. is a constant with a value that is a function of the number of risk dimensions. The total risk exposure (rounded to the nearest decimal place for consistency with the data input) hence is computed for both S1 and S2 as Risk (S2) 38.6, and Risk (S3) 36.2.
The results also indicate that there is an almost equal risk exposure for the two suppliers that are working in the same environment with the same buyer organization. Despite the obvious differences in risk exposure along the technical and financial risk dimensions, the small differences in the other risk dimensions appear to compensate for these differences.
Acceptable risk exposure indicated by the fine dotted line in Figure 8.6, is computed as Risk (acceptable) 25.4. Both suppliers appear to be ‘over-exposed’ by 52% and 42% respectively (see Table 8.3). This indicates a project that has ‘high risk’ and an inherent need to reduce risks in all the areas other than the legal, strategic and technical, wherein the suppliers appear to be most comfortable. The term high risk also presupposes the notion that the suppliers’ appetites for risks are lower than the 42%
over-exposure value computed.
Table 8.3
Risk exposure levels for S2, S3 against ‘acceptable’ risk Supplier S2
Supplier S3
Acceptable
Risk exposure
38.6
36.2
25.5
% Over-exposed
52
42
Unacceptable risks occur in five of the eight dimensions identified in this exercise. From observation of the shapes of the RDSs, it appears that there is least exposure in the area of legal risks. If the theory that total risk exposure remains constant is true, the risk exposure along the legal risk dimensions can be used to compensate for over-exposure along the other risk dimensions; 190
Chap-08.qxd 3/1/05 12:34 PM Page 191
A Case Study – ITO Risks
i.e. this is a risk area where some trade-off can occur. Practically, this means that it is possible for legal instruments or agreements to be crafted and used to offset or reduce the informational, environmental and business risks. For example, the suppliers could arrange indemnity clauses, promising to deliver certain activities or deliver certain products in exchange for certain assurances in the business and environmental dimensions.
Qualitative assessment of the
buyer RDS
The risk exposure (rounded to the nearest decimal place for consistency with the input data) for the buyer at point #1 is defined mathematically as 41.1. This measurement derives from the risk exposure computation following the equation for total risk exposure derived in Chapter 4, where
(total risk exposure) [(product of adjacent risk magnitudes)]
as also reused here. , in this instance, is equal to 0.3536.
The acceptable risk exposure (marked by the dotted line in Figure 8.5), is Risk (acceptable) 25.4. Through similar computation the Risk (maximum) 101.8. A possible interpretation could be that the current risk profile is 15% over the acceptable risk tolerance level.
The least significant risks areas are business and strategic. All other areas appear to have risks that are unacceptably high.
From the interactions with individuals at the buyer organization, the most prominent feature, which was repeatedly highlighted in the discussions, was concern that the buyer organization was in turmoil because of uncertainty in its industrial sector and in its current political setting. The environment was most significant to the outsourcing of the IT function as the suppliers were US companies and were subject to intense scrutiny from local government (being overseas companies). This was a unique risk situation, highlighted in this case with a very high reading for risk exposure along the environmental dimension.
Risk exposure along the informational risk dimension was a possibility because the IT infrastructure that supported the buyer organization’s operations was almost non-functional. ‘Systems are not integrated and other components practically not working’
(CIO, personal communication, 5 November 2002). Operational risks were high generally as a result of poor information (i.e. late 191
Chap-08.qxd 3/1/05 12:34 PM Page 192
Managing the Risks of IT Outsourcing
or incorrect information). This extended to high legal risks (from suits as a result of negligence). Technical risks were also high as a result of non-performance issues. Many of these issues, however, were interrelated. When the suppliers were invited to bid for the outsourcing exercise, each organization was assessed for its ability to deliver superior IT results for the buyer organization.
The buyer RDS profiles were measured at two points in time, point #1, i.e. when the suppliers were being selected, and point
#2, i.e. when the ITO exercise had commenced using the supplier selected.
Technical
RE stage 1
6
RE stage 2
‘Acceptable’
5
Strategic
Financial
4
3
2
1
Informational
0
Legal
Figure 8.7
Operational
Environmental
Buyer RDS data
comparison at two
Business
points in the ITO
exercise
Just after the commencement of the ITO exercise, the risk dimension signature for the buyer organization was tested again. This time around, the risks appeared to exist along similar dimensions but were manifest in different ways and in magnitude of exposure.
Many of the issues had already been addressed through joint working sessions where both the supplier and buyer teams had had thorough discussions and undergone exchange of documentation, and had completed due diligence with respect to each other’s organization. Both parties were aware of the types of risk that were going to be ‘passed-on’ from the buyer to the supplier. Negotiations had already progressed to the stage when the supplier had also quoted its ‘fee’ for services to be rendered according to the agreed scope and scale of the exercise. The supplier’s risks would have been taken into account already. This is 192
Chap-08.qxd 3/1/05 12:34 PM Page 193
A Case Study – ITO Risks
referred to as point #2 for the purposes of measuring the RDS of the buyer.
There were sixteen selected participants from the buyer organization for this round of data collection. The CIO was in the group, together with eight senior general managers, and senior managers from the IT, audit and risk groups as well as from functional areas that utilize IT in routine operations.
The risk exposure computed at point #2 yields Risk (buyer @ pt 2)
36.6 (see Figure 8.7) as compared to the previous risk exposure at point #1 (see previous section) of Risk (buyer @ pt 1) 41.1.
The risk exposure decreased along multiple risk dimensions.
This confirms an earlier expectation that the total risk exposure would decrease as a result of selecting supplier S1. On examination, the topology of the RDS also illustrates a very dramatic reduction (from 4.1 to 1.3) in the informational risk dimension.
With minimal contractual problems (see legal risk dimension), the buyer organization is expecting to reap the benefits through the supplier including economies of scale, scope or specialization in the form of improved quality, lower cost or faster time to market of all its operations, translating roughly into lower informational risks. This has also been observed in the literature (Quinn and Hilmer, 1994).
Some researchers observe lower informational risks where the supplier provides a multitude of easily measured activities that are specified in the service contract (Shachtman, 1998), allowing the buyer organization to generate greater outsourcing opportunities and stronger incentives for its partner (Holmstrom and Milgrom, 1991). The ability to monitor services from the IT function eases the monitoring exercise. This could explain the significant reduction in informational risk from the perspective of the monitoring dimension.
The buyer organization, unlike in a situation where there exists a large degree of uncertainty with respect to various factors of services provided and the external environment, faces a consistent environment wherein the IT components and functions have been long in use and are familiar to both supplier S1 and the buyer organization. Issues of poor monitoring raised by researchers such as Quinn and Hilmer (1994) are not as pronounced in this instance.
Uncertainty is a constant in IT-based processes, making outsourcing inherently difficult, owing to the expectation that current
‘facts’ will no longer be relevant soon after the commencement 193
Chap-08.qxd 3/1/05 12:34 PM Page 194
Managing the Risks of IT Outsourcing
of a relationship. As the buyer organization is also trying to raise its IT capabilities, the uncertainty in the technical environment has also been de-emphasized. Indeed when the technical risk dimensions between point #1 and point #2 are compared, the technical risks have decreased as a result of uncertainty.