Supplier S1 had a high reputation for delivery and the perception was that it would deliver to the required standards. It was known that the losses from insufficient or inaccurate information as a result of poor performance from the IT function was high but the dramatic reduction in the probability and extent of loss as a result of the outsourcing of this function to supplier S1
was surprisingly high. The highest reduction in risk exposure among all the risk dimension changes was seen here.
The RDS topology at point #2 also looks rather dramatic, with an extremely acute angle for the environmental risk dimension (see Figure 8.7). This is probably misleading as the risks for those adjoining, informational and business, had decreased from unacceptable levels to within the acceptable risk limit of 3.0.
Discussions at that time, however, revealed qualitative information that contributed to the significantly high environmental risks including information privy to the supplier only, i.e. asymmetries in intelligence information before contracting, imperfect monitoring of the supplier’s actions, and external or exogenous changes that allow the supplier to behave opportunistically (see also Agency Theory in Chapter 4).
The levels of risk in the financial and legal risk dimensions appear to have increased as a result of the outsourcing activity.
There are transactions costs associated with reliance on the market, including the explicit co-ordination costs and more complex contractual risks. This is evident in this exercise. Although the control over the outcomes has increased through contractual instruments, the mitigating factor was recourse through the legal system. This increased the anxiety levels of management and the perception of legal risks. Also, although the loss of control over the process itself was intentional, this was the point that was highlighted throughout the discussion and interview sessions; it had contributed to additional (or access) precaution-ary measures that raised the internal or endogenous influences that contribute to financial risks.
It is worthwhile noting that the outsourcing exercise had included a range of risk mitigating activity built into the governance contract as well as the service level agreements. A more 194
Chap-08.qxd 3/1/05 12:34 PM Page 195
A Case Study – ITO Risks
meaningful observation would be if both the RDSs (points #1
and #2) were compared simultaneously.
Quantitative assessment of the
buyer RDS
When both the RDSs are superimposed and compared, the differences as a result of the planning activity become more obvious. The illustrative comparison (Figure 8.7) clearly shows the changes in risk exposure between the measurement from point #1
to point #2. The percentage change in total risk exposure from 41.1 to 36.6 is measured against the maximum possible risk exposure, i.e. 101.8. By way of computation, this indicates a 4%
reduction in total risk exposure.
Although this is a very rough measure of the total risk exposure, it also provides a perspective on the relative amount of change in the overall risk landscape that is being discussed. The buyer organization, it appears, is not expecting its risk profile to change significantly after the ITO exercise. In fact, if the topologies are compared, it is also obvious that some of the risks have increased along several critical dimensions, e.g. financial risks (see Figure 8.7).
The main difference is the change in risk exposure in the areas of financial and operational risk. The financial risks seemed to have escalated significantly (by 24%) through loss from unbudgeted events as a result of lack of experience and expertise on the part of the buyer organization’s personnel in relation to the outsourcing activity. In addition, the general uncertainty in the budgeting process did not raise the confidence of the finance personnel or of the general managers in their various operational positions. The supplier was expected to take up the operational risks. This perception resulted in the lowering of operational risks (16% reduction). The biggest improvement noted from the RDS was the extreme improvement in informational risk (approximately 47%). This quantum leap corresponds to the buyer organization relinquishing operational control to the external party. This also implies that there was a significant lack of trust in the internal IT operations legacy in respect of delivering accurate and timely information.
In the previous section the total risk exposures between points
#1 and #2 were compared instead of the risk profiles from the respective RDSs. If the difference between each individual risk dimension were compared to the ‘acceptable’ risk level of 3, the 195
Chap-08.qxd 3/1/05 12:34 PM Page 196
Managing the Risks of IT Outsourcing
risk difference or risk variance between acceptable and actual risks would be obtained. The average difference between actual and acceptable risks in all the risk dimensions represents the level of risks above ‘risk appetite’ for the buyer organization. At the beginning of the exercise (point #1), the difference was quite significant (0.9 of 6.0), i.e. an average of about 15% over the tolerance limit. At the end of the negotiations and at the commencement of the contract with the supplier, the average risks dropped (0.6 of 6.0), i.e. an average of 10% over the tolerance limit. This 5% difference in average reduction in risk level, approaching ‘acceptable’ risk levels, was used to show that the decision of the buyer organization to outsource the IT function was indeed advantageous.
The industrial environment of the buyer organization is turbulent.
Many buyer organizations install new systems in anticipation of external changes, with few data on the nature of change. Bounded rationality often impedes comprehensive contracting in these situations, resulting in contracts with misaligned incentives or significant changes in bargaining power, allowing the supplier to appropriate fees from the buyer. Contractual risks are greatest for those projects that are critical to the buyer organization’s competitive advantage. These systems often provide the buyer with unique benefits that cannot be achieved without the contracted services. This trait increases the case study buyer organization reliance on supplier S1, increasing the possibility of supplier hold-up. The effects of these influences have been discussed extensively but appear, however, to cause minimal concern at the buyer organization, where an increase in legal risks is observed.
As mentioned before, supplier S1 has been working with the buyer organization in the capacity of hardware supplier. Concerns existed over the supplier’s access to confidential data and processes that provided it with competitive advantage. A major objective of the outsourcing exercise, however, was to be able to leverage the supplier for its superior systems and processes.
This element was de-emphasized as the concerns were borne by the supplier.
The financial risk dimension had increased. One observation relates to the interconnectedness of the exercise within the buyer organization. The exercise requires the supplier to be intimately familiar with procedures from various sources at the buyer organization that may be quite difficult to implement. The IT
function affects multiple stakeholders within the buyer organization, making it difficult to specify desired requirements and 196
Chap-08.qxd 3/1/05 12:34 PM Page 197
A Case Study – ITO Risks
functionality. A specific example is the standard operating PC
environment (SOE-PC) where responsibility for the desktop is outsourced component-wise. Co-ordination difficulties and multiple standards in use throughout the buyer organization, plus peculiar levels of autonomy, increase the complexity. While internal IT providers may be generally familiar with the operations of an organization, data collection and the mastering of specific procedures throughout the organization by an outside vendor are costly and increase the overall levels of financial risks arising from uncertainty and scope creep.
8.8
Concluding remarks
The premise of the discussion on managing the risks of IT outsourcing began with a comment that this activity involved a combination of the art of management and the science of measuring an indefinite event, risk. The notion of capturing and illustrating risks with the RDS tool-set and interpreting the risk profiles was shown to provide the basis for measurement.
Several theories were then used to assist in translating some of the characteristics of risk into predictable trends. With the rather lengthy discussion made in the past few pages, it is hoped that the reader gains an alternative view and a further appreciation of the use of the RDS and of the concepts where the risk dimensions share a relationship in any typical ITO project, and will see that the risks are indeed measurable and manageable.
The art of management of the risk events that occur then takes over as activities and programmes are put in to place to mitigate the effects of the risks, to manipulate the influences or origins of the risk events, and to control the internal and external factors that could result in events that in turn give rise to unwanted outcomes. There is no substitute for experience and the innate ability to manage an organization’s resources, the environmental factors and the factors that influence other organizations in the same sector.
It is therefore my hope that the concepts introduced and tools that can be developed using the RDS will help in your current ITO exercise or the next time you are involved with an ITO exercise and activity.