RISK IDENTIFICATION
There are many potential risks confronting outsourcing agreements. These risks can fall into one of three categories: legal, operational, and financial.
Legal risks involve litigious issues, prior to, and after negotiating an agreement, such as:
§ Including unclear clauses in the agreement
§ Locking into an unrealistic long-term contract
§ Not having the right to renegotiate contract
§ Omitting the issue of subcontractor management
Operational risks involve ongoing management of an agreement, such as:
§ Becoming too dependent on a vendor for mission-critical services
§ Inability to determine the quality of the services being delivered
§ Not having accurate or meaningful reporting requirements
§ Select a vendor having a short life expectancy
§ Unable to assess the level of services provided by a vendor
§ Vendor failure to provide an adequate level of services
Financial risks involve the costs of negotiating, maintaining, and concluding agreements, such as:
§ Not receiving sufficient sums for penalties and damages
§ Paying large sums to terminate agreements
§ Paying noncompetitive fees for services
These categories of risks are not mutually exclusive; they overlap. However, the categories help to identify the risks, determine their relative importance to one another, and recognize the adequacy of any controls that do exist.
The risks also vary, depending on the phase in the life cycle of an outsourcing agreement. There are essentially seven phases to an outsourcing agreement: (1) determine the business case for or against outsourcing; (2) search for vendors; (3) select a vendor; (4) conduct negotiations; (5) consummate an agreement; (6) manage the agreement; and (7) determine the business case to decide whether to renew, renegotiate, or terminate a contract. Exhibit 1 lists some of the risks that could exist for each phase.
Exhibit 1. A Sample of the Risks in Each Phase
Phase
Risk
Determine the business case for or
Using incorrect data
against outsourcing
Search for vendors
Using a limited selection list
Select a vendor
Entering biases into the selection
Conduct negotiations
Not having the right people participate in
the negotiations
Consummate an agreement
“Caving in” to an unfair agreement
Manage the agreement
Providing minimal expertise to oversee
the agreement
Determine the business case to renew,
Ceasing a relationship in a manner that
renegotiate, or terminate the contract
could incur high legal costs
RISK ANALYSIS
After identifying the risks, the next action is to determine their relative importance to one another and their respective probability of occurrence. The ranking of importance depends largely on the goals and objectives that the agreement must achieve.
There are three basic approaches for analyzing risks: quantitative, qualitative, and a combination of the two.
Quantitative risk analysis uses mathematical calculations to determine each risk’
s
relative importance to another and their respective probabilities of occurrence. The Monte Carlo simulation technique is an example.
Qualitative risk analysis relies less on mathematical calculations and more on judgment to determine each risk’
s relative importance to another and their
respective probabilities of occurrence. Heuristics, or rules of thumb, are an example.
A combination of the two uses both quantitative and qualitative considerations to determine a risk’
s relative importance to another and their probabilities of
occurrence. The precedence diagramming method, whic h uses an ordinal approach to determine priorities according to some criterion, is an example.
Whether using quantitative, qualitative, or a combination of the techniques, the results of the analysis should look like Exhibit 2.
Exhibit 2. Analysis Result
Risk
Probability of Impact
Occurrence
Unable to assess the level of services provided by a
High
Major
vendor
Locking into an unrealistic long-term contract
Low
Major
Select a vendor that has a short life expectancy
Medium
Major
Paying large sums to terminate agreements
High
Minor
RISK CONTROL
There are three categories of controls: preventive, detective, and corrective.
Preventive controls mitigate or stop a threat from exploiting the vulnerabilities of a project. Detective controls disclose the occurrence of an event and preclude similar exploitation in the future. Corrective controls require addressing the impact of a threat and then establishing controls to preclude any future impacts.
With analysis complete, the next action is to identify controls that should exist to prevent, detect, or correct the impact of risks. This step requires looking at a number of factors in the business environment that an outsourcing agreement will be applied to, factors like agreement options (e.g., co-sourcing, outtasking), core competencies, and information technology assets, market conditions, and mission-critical systems.
There are many preventive, detective, and corrective controls to apply during all phases of outsourcing agreements (see Exhibit 3).
Exhibit 3. The Result of Analysis
Preventive Controls
Detective Controls
Corrective Controls
Provide ongoing oversight
Establish minimum levels Re-negotiating because of
during the execution of the of performance in an
changing market conditions
agreement
agreement
Have the right to approve or Maintain ongoing
Identify conditions for
disapprove of
communications with the discontinuing a contract
subcontractors
vendor
After identifying the controls that should exist, the next action is to verify their existence for prevention, detection, or correction. To determine the controls that exist requires extensive time and effort. This information is often acquired through interviews, literature reviews, and having a thorough knowledge of a subject. The result is an identification of controls that do exist and ones lacking or needing improvement.
Having a good idea of the type and nature of the risks confronting an outsourcing agreement, the next step is to strengthen or add controls. That means deciding whether to accept, avoid, adopt, or transfer risk. To accept a risk means letting it occur and taking no action. An example is to lock into a long-term agreement regardless of conditions. To avoid a risk is taking action in order to not confront a risk. An example is to selectively outsource noncritical services. To adopt means living with a risk and dealing with it by “working around it.” An example is a willingness to assume services when the vendor fails to perform. To transfer means shifting a risk over to someone or something else. An example is subcontracting.
TOOLS
The “burden” of risk management can lighten with the availability of the right software tool. A good number of tools now operate on the microcomputer and support risk identification, analysis, and reporting or a combination. Choosing the right tool is important and, therefore, should have a number of features. At a minimum, it should be user-friendly, interact with other application packages, and generate meaningful reports. One of the more popular packages is Monte Carlo for Primavera™.
CONCLUSION
Risk management plays an important role in living with a workable, realistic outsourcing agreement. Unfortunately, risk assessment takes “back seat” before, during, and after negotiating an agreement. As a result, many firms are now renegotiating and canceling agreements. Some examples include large and small firms canceling long-term, costly agreements with highly reputable vendors. The key is to use risk assessment both as a negotiation tool and a means for entering into an agreement that provides positive results.
Chapter 28: Hiring and Managing Consultants John P. Murray
OVERVIEW
Managing outside consultants requires a specific set of skills. Among those skills are the abilities to select the right people, to clearly identify and explain the assignment, and to maintain appropriate management discipline during the length of the assignment. IT managers must recognize the need to deal with several circumstances. Consultants have to be managed so that their leaving will not create difficulties. Once consultants complete the assignment, they should be able to move on.
IT managers and consultants should work together to provide a level of value beyond the basics of the project. For example, simply completing a project may not be enough; there will be a requirement for documentation so someone in the organization can continue to manage the project. Training staff members who take over a project prior to the consultant’
s leaving is another exa mple of added value.
An additional concern is selecting consultants to carry out a project. Different consulting organizations offer different sets of skills and services. Finding a consulting organization is not difficult, but it can be a challenge to find the appropriate organization that can produce professional results. Working with consultants is expensive, and it is important to make the right choice with the first choice. IT managers who thoroughly understand how to hire and manage consultants benefit the most from using consultants.
WAYS OF MANAGING CONSULTANTS
Because IT managers are ultimately responsible for the success or failure of a project, they must thoroughly document a project’
s history in case the project fails. When the
heat rises because of a failed IT project, facts can sometimes get lost in the scramble to place blame. Consultants have experience in dealing with projects in difficulty and they can be adroit in defending themselves. Also, consultants probably have a better set of sales skills than many IT managers and can use those selling skills to bolster their position in the event of difficulty.
Whether or not a project is in difficulty, an astute IT manager is careful to gather and document facts about consultants’