Information technology outsourcing (ITO) risk

Spread the love

Risk is a common feature with any business endeavour. As ITO is
like any other business activity, risks are an integral part of the
ITO exercise. Unlike most business environments, however, ITO
involves a very long term relationship with a supplier of out-
sourcing services. This also means that there is a wide range of
risks for ITO that need to reflect the dynamics of the arrange-
ment, the fast-paced IT industry and changes in people including
leadership, workers and customers. The risks (previously iden-
tified as pure risks) occurring in an ITO exercise are unique and
relate specifically to (1) the IT function itself (comprising oper-
ations and development of components), and (2) the ITO deal.
ITO arrangements represent promises between a buyer and sup-
plier of IT services over an agreed period. Along with this are the
associated contract risks over the same period. A contractual
agreement that benefits both the buyer and supplier of ITO ser-
vices, therefore, naturally also contributes to a successful out-
sourcing relationship. An essential component of this outsourcing
relationship is the governance of the ITO exercise. Inherent in
the governance activities are changes that need to be agreed and
subsequently made in the contract or agreement between the
parties. As result of inevitable influences from the dynamic busi-
ness and operating environment, changes need to be reflected in
the contracts. This governance process will ensure that both par-
ties continue to share maximum benefits and also an equitable
portion of the risks that manifest in the ITO exercise.

In addition to a consideration of risks of contract amendments
and disputes leading to litigation, an increased understanding
of the different types of risks encountered by each of the con-
tracting parties would allow for more effective governance of
contracts, which mitigates the risks and balances difficulties
between the parties.
Before the risks in an ITO are discussed in detail, it is necessary
to establish a common understanding of several key concepts in
an ITO exercise. The most common of the concepts misunder-
stood is the ‘core competency’ argument and the risk elements
that are carried along with the use of this notion.
The IT function has a unique role in any organization, especially
in the current economy. It is different from any other function
within the organization. When it is outsourced special consider-
ation needs to be given to it.
Many managers, IT practitioners and researchers in this area
warn of risks when embarking on the outsourcing of the organ-
ization’s IT function. Part of the reason for this is because there
are very few data available on the organizations’ risk tolerance
(or ability to absorb the effects of risk) when embarking on an
ITO exercise. The innate inability to understand and subsequently
manage the risks involved is a factor that contributes signifi-
cantly to this hesitance. There is scant knowledge on the effects
of actions to mitigate risk exposure in an ITO exercise. Little
wonder, then, why many organizations remain reluctant to out-
source the IT function. It is often decided not to outsource the IT
function at all, or to take only partial measures, in which case
the benefits of outsourcing the IT function are often not fully
We know from the work done in the area of outsourcing that one
of the benefits accruing is the ability to move some of the oper-
ational risks encountered in the IT function from the buyer to the
supplier organization. This ability to shift the risks to an organ-
ization that is more capable of managing the risks is valuable to
the buyer organization. It allows the buyer organization to focus
on other tasks and frees resources that would otherwise have to
be allocated to managing the IT operations and associated risks.
The dominant sources of risk derive from information asym-
metry (between buyer and supplier), the inherent inability to
monitor the partner’s actions, and exogenous changes that allow
one party to behave opportunistically during the period of the
partnership. It is, hence, a gargantuan task to understand the
causes, effects and nature of all the risks that manifest in an ITO
exercise. A selected portion of the risks in the ITO exercise is
highlighted in this book to illustrate very specific risks that play
a vital role in the decision to outsource the IT function. It is this
nature and behaviour of key risk elements that needs to be
addressed each time an organization outsources its IT function.
The risk elements deliver opposing results or yields, i.e. being
either constructive or destructive to the organizations that par-
ticipate in the exercise.
It is known that a certain amount of risk shifts from the buyer to
the supplier of outsourcing services. This is a phenomenon that
is taken advantage of most in a typical ITO exercise and is seen
as a benefit by the buyer of the services. The transfer of risks
between buyer and supplier occurs almost as soon as the out-
sourcing exercise commences. As would be expected, oper-
ational risks are transferred away from the buyer organization
as risks that accompany the IT operations. The supplier, on the
other hand, takes on the new operations and associated risks as
part of the agreement and is compensated through a service fee.
It is observed, however, that despite this obvious benefit, the
buyer organization often hesitates to shift the IT operations out-
side the organization for fear that the loss of control may be
unsustainable. The buyer is also often anxious over the uncer-
tainty caused by a range of new risks that it has to manage as a
result of the ITO exercise. The supplier, on the other hand,
appears willingly to absorb the operational risks, which con-
tributed to the reason why the buyer initiated the outsourcing
exercise in the first place.
These traits provide a background to interesting insights into
the management and nature of shifting risks both within and
between the buyer and supplier organizations. The final chapter
in this book highlights this phenomenon and includes an illus-
tration of a set of observable traits that exist between risk group-
ings when the IT function of an organization is outsourced.
Managers in the same organizations that purchase the use of IT
components argue that the in-house IT function not only com-
prises components that are often referred to as ‘commodity’
functions, but form an essential and strategic part of the overall
corporate strategy. The IT function, in this instance, differenti-
ates the organization’s services and products from those of its
competitors. The IT function is no longer a commodity but a
strategic component. As such, the IT function contains ‘secrets’
that are often not shared, to preserve the competitive advantage.

The supplier of the IT function, however, has established a spe-
cial relationship with the buyer organization. Confidentiality
and security become very important as areas of high risk. This
relationship is more than that of a casual supplier; rather, one
where the integrity of the information and technology delivered
becomes vital. It is often argued that, unlike manufacturing
industry where products can be protected via legal instruments
such as patents, information flows are more difficult to control.
Fraudulent and criminal use of information is often difficult to
trace or police; and therefore the risk of sharing one’s informa-
tion with a third party is often viewed as an unacceptable risk.
In both these instances (commodity versus strategic roles), how-
ever, it is still quite plausible and conceivable that the use of the
concept of ITO along with its many variants, is able to deliver
significant and tangible benefits to both the buyer and supplier
organizations. The difference lies in the ‘integrity and reliability’
of the supplier as compared to an in-house maintained IT func-
tion. This difference is often observed as it becomes manifest in
the risk exposure and risk profile of the buyer and supplier