
Dimensions of IT Outsourcing Risks - Valutrics

Outsourcing has moved markedly from attending to a single function more efficiently, to reconfiguring a whole process in order to achieve greater shareholder value across the organization. The emphasis is shifting from outsourcing parts, facilities and components, towards outsourcing the intellectually based systems, such as customer response handling, procurement and management.
The role IT plays in the organization determines the strategy and route taken when it is outsourced. After the decision to outsource is made, however, the relevance (of its role) diminishes. The success of the outcomes of an IT service then comes to the forefront.
In an environment where the outsourced IT function changes from a support to a primary (strategic) role within the organization, the decision to continue to outsource is based very much on the risk exposure in the operational, business and strategic areas, which influence the decision.

Risks involve events that are characterized by probability and uncertainty. They also stem from possibilities and indeterminate paths as a result of random events.
Risks can be quantified as expected potential loss. To do this, the expected potential loss from outsourcing is reckoned as the product of two variables: the magnitude of the exposure and the probability of loss.
A Gartner report finds there would be a sixty per cent probability that seventy-five per cent of organizations that fail to recognize and mitigate risk throughout the outsourcing life-cycle will fail to meet their outsourcing goals because of misaligned objectives, unrealized expectations, poor service quality and cost overruns.

Operational and relationship risks
There are two main angles from which risk that is inherent in an IT Outsourcing arrangement is viewed. The first is the operational risk that involves undesirable consequences deriving from the operations of IT in the organization. The second form of risk stems from the relationship between the buyer and supplier in the form of opportunistic behaviour by the supplier who takes advantage of a long-term and ambiguous contract.
A significant portion of the operational risk is passed on to the supplier as the IT function is outsourced while the relationship risk remains with the buyer. Unlike operations risk, the relationship risk is ‘bi-directional’. In this instance, the risk exposure relating to the relationship can be passed back and forth depending on the situation and the ‘bargaining power’ of both the contracting parties at that time. The relationship risk shifts from buyer to supplier and vice versa.
Further relationship risk exposure from the outsourcing deal includes some common areas such as:
• misaligned incentives between supplier and buyer;
• insufficient investments from the participants;
• market failures from private information not shared;
• ineffective bidding mechanisms;
• inappropriate use of confidential information;
• supplier hold-up, expropriation and loss of bargaining power; and
• supplier’s private information about its capabilities.
The list above contains many of the salient features but is by no means exhaustive. In order to examine the risks inherent in an organization that is considering outsourcing its IT function, the elements that contribute to the risk in the IT Outsourcing environment need to be explored.

The scope of outsourcing includes strategic IT functions together with value activities that differentiate the organization from its suppliers. As suppliers provide competence in new technologies and access to better IT professionals, these elements contribute strategically to the buyer’s organizational value chain. The expanded role of outsourcing relationships includes relatively better services and financial performance, and new lines of business.
Elements of the e-commerce value chain, including strategy, systems development and integration, payment processing, market design, advertising and customer management, as well as development of the physical network and web-hosting, are outsourced.
In the IT Outsourcing scenario, risk is a function of multiple variables, expressed mathematically as:
Risk = fn(governance, (un)certainty, competitive environment, organizational interconnectedness)

In a ‘cause and effect’ situation, risks also play a role in the effects of activities engendered by the outsourcing of the IT function. Risks in this instance are concerned with the effect of governance, uncertainty, competitive environment and organizational interconnectedness.

IT outsourcing risks (causes and effects)
A primary driver or determinant of risk originates from the lack of information (information asymmetry) in the precontract phase, followed by an inherent inability to accurately monitor the other partner’s actions. Further, the conditions of an outsourcing contract allow either the supplier or the buyer to behave opportunistically. Uncertainty, competitive importance and organizational interconnectedness are the other contributory drivers of risk in an IT Outsourcing exercise. The ‘cause’ groupings for risks in IT Outsourcing derive from inabilities to optimally manage the agreement and its subsequent change in line with the evolution and heterogeneity of the IT function.

It has been consistently argued that large, vertically integrated organizations need strategic outsourcing measures to remain competitive, especially in highly contested and fast-moving markets. In a causal chain of events, there are observable causes for risks and, equally, measurable effects should the risks occur. The ‘cause’ is a situation that exists that sets up a potential risk. The cause of risks can be proactively managed. The effect(s) of risk are the likely outcomes if the risk occurs.
In any outsourcing exercise, risk is an essential and critical component of the formulation of decisions and in the mitigation of its undesirable consequences. In the outsourcing of the IT function, some of the more well documented and major risks involve escalating costs, diminishing service levels, loss of expertise, and contract irreversibility.

Examples of risk management models
There are numerous risk assessment and risk management models. Two extensively used examples are illustrated here to show commonality in some of the components in the latter.

The first example is the model used by the US Government Accounting Office for the management of IT risk.
Risk assessment involves identifying possible risks and determining the needs of the particular situation wherein the risk management methods are used. The process then continues with implementation of policies and controls, followed closely by the promotion of awareness of the same risks within the working group or organization. Both awareness and policy actions will be targeted towards mitigating the effects of the risks, should they occur. In an IT Outsourcing exercise, the same risk assessment and management model is applied. The model assumes that the risks experienced in the exercise are mitigated through a series of actions.

Risk management elements in this model include establishing a central management focal point, implementing appropriate policies and related controls, promoting awareness, and monitoring and evaluating policy and control effectiveness. After risks in an IT Outsourcing exercise are identified, the appropriate monitoring and evaluation activities work in conjunction with the appropriate governance structures to manage risks. In a mature governance model, policies and controls can be implemented in order to streamline the tasks of risk mitigation.

The second model is used by the organization KPMG, and is published as its ‘risk maturity framework’. The activities and components are very similar to those of the previously mentioned US Government Accounting Office model. Both models contain elements of determination of risks, followed by measurement and monitoring, then a process for implementing controls and policies. The risk plan or strategy incorporates the overall organizational strategy, which encompasses all the steps outlined above.

The model described in the framework proposed by KPMG appears to take on three active approaches: the reactive, tactical and strategic stances that an organization can adopt as its risk management approach.
Each of these positions will have a plan or approach to risk management that includes the following:
• A risk strategy for associating and managing risks based on the organization’s business strategies.
• A risk structure that supports the risk strategy and provides for accountabilities in the structure.
• Measurement and monitoring that establishes measurement criteria and continuous improvement.
• Portfolio management for identifying, assessing and categorizing risks across the organization.
• Optimization to balance potential risks against opportunities within the established portfolio based on the organization’s tolerance for risks.

The two models describe a very similar methodology and approach to managing risk. The relationships between the various actions and risk-mitigating activity are monitored as a whole; the risk-reducing effects of one set of risks can often be observed to affect another set of risks. A key point that is raised is that the measurement and monitoring of risks using specific criteria form a central component of the risk management models.
The model by KPMG extends the ‘actions’ component by proposing three types of reaction to risk including reactive, tactical and strategic action plans. These plans, however, are all also dependent on the measurement of risks and risk exposure.

Difficulties in measuring risks and risk exposure
Reliably assessing outsourcing risks can be more difficult than assessing other types of risks. The elements that contribute to the causes of risks are extremely variable in this environment. Project requirements (IT), environment (people) and technology change more quickly in this environment than in any other, given the intensity of development in this area. This results in significant shifting in risk profiles for both the supplier and buyer. The lack of reliable and current data makes the determination of outsourcing-risk estimates inconsistent. Risk controls and their extent are often also questionable for the same reason. Because of these limitations, it is important that organizations identify and employ methods that efficiently achieve the benefits of risk assessment while avoiding costly attempts to develop seemingly precise results that are of questionable reliability.

Risks in IT Outsourcing are often neglected because the effects are not felt by the IT department or the designated area responsible for the operation of IT Outsourcing. For example, financial risks are sometimes just ignored because the Accounting and Finance department is responsible. Environmental risks that include the effects of competitors, suppliers, and, simply, the operating environment, are also often not considered, simply because they are not included in the purview of the manager’s responsibility.
Risk factors are also constantly changing. In an IT Outsourcing environment where technological change is very rapid and market volatility is high, efficient capacity planning and utilization of internal or fixed assets, for example, need a significant amount of organizational effort. When considering outsourcing elements of the organization, it is this very nature of the effects of risk that must be analysed to be understood and subsequently managed.

Delimiting all the ways the possible risks can occur is seldom easy, just as determining the probability of loss is not straightforward. The difficulties are often attributable to problems in obtaining accurate data on probabilities and costs associated with outsourcing risk factors.
The probability of occurrence of an undesirable outcome can be estimated on the basis of past performance characteristics of the risk element, or subjective probabilities already assessed.
However, in several areas, probabilities are impossible to assess on the basis of past performance. Consequently, risk assessment methods adopt the approach of approximating the probability of undesirable outcomes by identifying and assessing factors that influence their occurrence. In a software development context, for instance, factors belong to five broad categories: technological newness, application size, lack of expertise on the part of the software development team, application complexity, and organizational environment. The degree to which each factor is present in a software project will contribute to an increase in the probability of the occurrence of an undesirable outcome.

Mapping possible risk dimensions 
To establish the relevant risk dimensions for analysis, other perspectives of risk are reviewed. An alternative perspective of risk is to equate it to the variance of the distribution of outcomes.
The extent of the variability in results (whether positive or negative) is the measure of risk. Risk is sometimes also defined as the volatility of a portfolio of activities and its value. This technique is borrowed from the area of finance where ‘the highest expected return for a given level of risk, and the lowest level of risk for a given expected return’ applies. Here, risk exposure is also defined as both a loss and a probability function.

Another variant in the perspective of risks from these definitions and arguments is the popularized and widely used balanced scorecard proposed by Norton and Kaplan; four risk ‘perspectives’ are derived: financial, customer, internal and innovation and learning risks. Similarly, additional risk sets or types of risks that affect inter-organizational information systems (IOIS) include technical, asset, organizational, and environmental risk. There are project, capability, financial, and maintainability risks, caused by a variety of technical, organizational, and environmental factors. These risk sets then extend to more subtle risk sets.

• C1: Technical
Possible loss from the use of existing and new technology

– Complexity of the new and emerging technology and interfaces
– Uncertainty
– Technological discontinuity
– Task complexity

• C2: Financial
Possible loss from unbudgeted events

– Lack of experience and expertise of the enterprise with the activity
– Lack of planning and inaccurate budgeting
– Uncertainty

• C3: Legal
Possible loss from legal disagreements or legal challenges

– Lack of experience and expertise of the enterprise with the activity
– Lack of experience of the client with outsourcing
– Uncertainty about the legal environment

• C4: Operational
Possible loss from poor operations quality or mishap

– Lack of experience and expertise of the client with contract management
– Measurement problems
– Lack of experience and expertise of the supplier with the activity

• C5: Business
Possible loss from adverse changes in business

– Asset specificity
– Small number of suppliers
– Scope
– Interdependence of activities

• C6: Environment
Possible loss from factors external to organization

– Measurement problems
– Lack of experience and expertise of the organization and/or of the supplier with OS contracts
– Poor cultural fit

• C7: Information
Possible loss from insufficient or inaccurate information

– Interdependence of activities
– Lack of experience and expertise of the supplier with the activity
– Supplier size
– Supplier financial stability
– Measurement problems
– Task complexity

• C8: Strategic
Possible loss from errors in direction or tactical mistakes

– Loss of organizational competency
– Scope
– Proximity of the core competencies
– Interdependence of activities

Technical risk (C1) is a combination of risks resulting from the use of technology. Besides the characteristics listed, other possible losses in this area could derive from interconnectivity problems and, as more open systems are developed, key technical risks arise from security issues.

A major category of risks is in the Financial dimension (C2). The losses occurring as a result of poor planning and experience are major contributors to losses in this group when outsourcing the IT function. To guard against variation clauses in outsourcing contracts, specialized techniques are employed including the use of instruments like additional resource charges (ARCs) and reduced resource charges (RRCs) to accommodate fluctuations in demand from that specified in the capacity plan. This leads to the next risk dimension. The use of agreements and legal instruments is designed to mitigate risks along most of the risk groups.

Legal risks (C3) themselves, however, are significant as a result of increasing use of agreements and contracts.

Operational risk (C4) includes possible losses in operations when the supplier takes over responsibility for the outcomes. It is typical for the risks in this dimension to be ‘passed on’ from the buyer to the supplier organization when the outsourcing contract is activated. The shifting risk has been described earlier. Outsourcing involves a close partnership between two or more organizations.

Business risks (C5) arise from the relationship between the partners operating in an environment where there is also interaction between other competing organizations, threat of substitute products, competitive barriers to entry and exit, and competitor rivalry.

Environmental risks (C6) are closely related to the business risks and become manifest as a result of factors external to the organization. Environmental risk includes dependence risk, where one organization becomes dependent on another that attempts to change the terms of the contract or fails to perform adequately, and competitive risk, where one organization attempts to ‘steal’ competitive information from another. With more-open systems in rapidly changing environments and the use of information technology’s monitoring capabilities, dependence risk will decrease. However, competitive risk will become more significant as functionality and accessibility of shared information increases.

Informational risk (C7) is very significant when the IT function is outsourced. The worst-case scenario would be a complete loss of the organization’s information. Other losses are incurred as a result of inaccurate or insufficient information when a third party manages the IT function.

Finally, the strategic risks (C8) involve tactical mistakes made by the organization in outsourcing the IT function itself. An example of a significant tactical mistake would be when a supplier organization begins to ‘leak’ sensitive information relating to the organization to the latter’s competitors. The outsourcing of the data component and the selection of the supplier are the tactical decisions made that resulted in the loss.

Risks are associated with all forms of outsourcing decisions. The risk ‘signature’ for the buyer of outsourcing services is larger than that for the supplier in the majority of cases. The risk profile reflects the importance of the relationship and the sharing of the risk profiles. While significant client/external service provider (ESP) interdependency is not in itself a risk, the risks to the client organization may increase when disagreements emerge about the provision of outsourcing services. To the extent that some large-scale IT sourcing deals are successful, others are less so. Service level agreements (SLAs) and other forms of service contracts specify a series of measurable activities that suppliers provide.

Outsourcing can generate new risks, such as the loss of critical skills or developing the wrong skills, the loss of cross-functional skills, and the loss of control over suppliers. Also, outsourcing has led to a loss of skills and corporate memory. These risks are especially pertinent when the supplier’s priorities do not match the buyer’s requirements. Short-term contracts, based on the principle of the lowest winning bid, stifle incentives to innovate because rewards for innovation cannot be secured by the supplier.

Shifting the ‘effects of risk’
One reason why organizations outsource their IT function is to shift some elements of risk from the customer (buyer) to the supplier. The buyer of outsourcing services hopes to transfer away its operational and technical risks by passing them to a supplier organization that will, effectively, take them over and agree to deliver a set of outcomes.
During an IT Outsourcing exercise, however, actions performed by either the supplier or buyer of outsourcing services can change the nature and severity levels of risk experienced by either party.
There are compromises made by both parties in the outsourcing exercise. Anecdotal evidence can be found in examples of IT Outsourcing failures that have been partly attributed to insufficient focus on an area that was neglected or ‘unacceptably exposed’ to risk factors. As risks are transferred away, other risk elements appear to enlarge.

As the risks are shifted from the buyer to the supplier and vice versa, the interaction between buyer and supplier actions and the risk exposure can be observed qualitatively. An example to illustrate the risk-shift phenomenon is now discussed. Consider a situation where the amount of money budgeted for use in the purchase of essential backup disks is insufficient or untimely.
This means that copies of the ‘live’ operating data cannot be taken and stored. Operational risk is hence increased because there is no duplicate copy of the ‘live’ data. Here, an action from the area of finance has affected the area of operations along a sequential chain of events. Financial risk needs to be reduced; costs have to be controlled; insufficient money is allocated for activities which are not urgently required (i.e. purchase of disks for copies); disks for copies hence have not been purchased and copies of the ‘live’ data not made. These factors cause the operational risks to increase because there is no contingency plan should the data on the computers be destroyed or corrupted by an event like a malicious attack by a computer virus or a natural calamity like a fire. There are no duplicate copies available to replace originals that might be destroyed. In this case, the risks in the area of operations are elevated in an effort to reduce financial exposure and risk. Financial risks have been traded off against operational risks.
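The backup-disk trade-off above, worked numerically as an added example (not part of the original article). It applies the article's two measures of risk, expected loss (probability times magnitude) and variance of outcomes; every probability and amount is constructed, and events are assumed independent.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class RiskEvent:
    dimension: str      # risk dimension label taken from the article (C1..C8)
    description: str
    probability: float  # constructed probability of the loss within one year
    magnitude: float    # constructed loss (currency units) if it happens


def expected_loss(events):
    """Risk exposure as the article defines it: probability x magnitude, summed."""
    return sum(e.probability * e.magnitude for e in events)


def loss_variance(events):
    """Variance of the total loss, the article's alternative measure of risk.

    Assumption: events are independent, so each contributes p(1-p)L^2.
    """
    return sum(e.probability * (1 - e.probability) * e.magnitude ** 2
               for e in events)


def exposure_by_dimension(events):
    """Expected loss grouped by risk dimension."""
    totals = {}
    for e in events:
        totals[e.dimension] = (totals.get(e.dimension, 0.0)
                               + e.probability * e.magnitude)
    return totals


def risk_shift(before, after):
    """Change in expected loss per dimension when one plan replaces another."""
    b, a = exposure_by_dimension(before), exposure_by_dimension(after)
    return {dim: a.get(dim, 0.0) - b.get(dim, 0.0)
            for dim in sorted(set(a) | set(b))}


# Constructed scenario A: the backup disks are purchased.
BACKUPS_FUNDED = [
    RiskEvent("C2 Financial", "IT budget overrun", 0.30, 20_000),
    RiskEvent("C4 Operational", "live data destroyed, restored from copy",
              0.05, 50_000),
]

# Constructed scenario B: the purchase is cut to control costs. The chance of
# a virus or fire is unchanged; what changes is the loss when it happens.
BACKUPS_CUT = [
    RiskEvent("C2 Financial", "IT budget overrun", 0.05, 20_000),
    RiskEvent("C4 Operational", "live data destroyed, no copy exists",
              0.05, 2_000_000),
]

if __name__ == "__main__":
    for dim, delta in risk_shift(BACKUPS_FUNDED, BACKUPS_CUT).items():
        print(f"{dim}: {delta:+,.0f}")
    print(f"total expected loss: {expected_loss(BACKUPS_FUNDED):,.0f} -> "
          f"{expected_loss(BACKUPS_CUT):,.0f}")
    print(f"loss variance:       {loss_variance(BACKUPS_FUNDED):,.0f} -> "
          f"{loss_variance(BACKUPS_CUT):,.0f}")
```

Viewed by dimension, the cut looks like a success for finance; only the totals and the variance show that exposure has moved into operations and grown.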

Another example of interrelationships between activities and risks is illustrated in the area of contract management. Often contracts are made between the supplier and buyer of outsourcing services at the beginning of the contract, which might only be a few years old. These contracts have a short ‘shelf-life’, and, unless updated, become quickly outdated because new technology has replaced the old, skills required have changed, and processes and delivery mechanisms are different. Microsoft Corporation’s almost ubiquitous Windows operating system for basic personal computers, for example, has had major changes on several occasions in the last   years. New features and functions often translate into new performance measurement criteria for the supplier of IT services. This may seem trivial at first, but when an organization has hundreds of personal computers in its inventory in geographically disparate locations, any exercise to upgrade IT components often becomes a major task and an area of operational risk. As a buyer of outsourced IT services, however, the technical and operational risks appear to have decreased as a result of the deployment of better and more efficient technology, but the legal and operational risks are increased in a complex set of interrelationships.

So what are the implications of these observations on shifting risk? How are the risks in one area traded off against another, if at all? What constitutes an acceptable risk for any one area?
What are the levels of risk that each area of the organization can, or should, carry? While the heuristics and cumulative experience that managers involved with the outsourcing of the IT function have applied for years have proven useful in responding to these questions, the dramatic and ever-increasing changes brought about by new components in IT, coupled with the increasing scope of outsourcing exercises, make this experience an untrustworthy guide.
A typical outsourcing agreement or arrangement often involves neglect of the relationship and interaction between the buyer and supplier organizations. The risk of the buyer organization increases when disagreements emerge about the provision of the outcomes of outsourcing services. Without a systematic analytical approach to the outsourcing decision, the organization may make arbitrary choices on the decision to outsource, based on historic norms, cash flow difficulties, political considerations or misperceptions of the benefit–risk trade-off.