Managing the Risk of IT Outsourcing Agreements

written by: Marrie Hopper; article published: year 2007, month 03;



Outsourcing offers several advantages, which include enabling existing staff to concentrate on core competencies, focusing on achieving key strategic objectives, lowering or stabilizing overhead costs, obtaining cost competitiveness over the competition, providing flexibility in responding to market conditions, and reducing investments in high technology. There are also several disadvantages to outsourcing agreements, which include becoming dependent on an outside supplier for services, failing to realize the purported cost savings from outsourcing, locking into a negative relationship, losing control over critical functions, and lowering the morale of permanent employees.

Executive management is increasingly recognizing that sometimes the disadvantages of outsourcing outweigh the advantages, even after an agreement has been signed. Many companies are canceling their outsourcing agreements, renegotiating agreements, or deciding to hire their own staff to provide in-house services once again.

There are all sorts of reasons for having second thoughts: the vendor is arrogant or uncooperative, the competitive advantage in the market no longer exists, the costs of the services are too high, the quality of the services is inadequate, or the types of services are unnecessary.

Unfortunately, many companies could have avoided having second thoughts about their outsourcing agreements if they had taken one effective action: performing a meaningful risk assessment.

RISK MANAGEMENT 101

Risk is the occurrence of an event that has some consequences. A vulnerability or exposure is a weakness that enables a risk to have an impact. Controls are measures that mitigate the impact of an event or stop it from having an effect. The probability of a risk is its likelihood of occurrence (e.g., a 60 percent chance of happening). The impact of a risk is its degree of influence (e.g., minor, major) on the execution of a process, project, or system.

The basic idea of risk management is to have controls in place that minimize the negative consequences of a “bad” outsourcing agreement.

Risk management consists of three closely related actions:

-   Risk identification

-   Risk analysis

-   Risk control

Risk identification is identifying risks that confront a system or project. Risk analysis is analyzing data collected about risks, including their impact and probability of occurrence. Risk control is identifying and verifying the existence of measures to lessen or prevent the impact of a risk.

Risk management for outsourcing agreements offers several advantages. It enables identifying potential problems with agreements. It enables developing appropriate responses to those problems. Finally, it helps to better identify mission-critical functions to retain and others to outsource.

Despite the advantages of risk management, there are several reasons why it is not done. One, it is viewed as an administrative burden. Two, the understanding and skills for conducting risk management are not readily available. Finally, the information required to do risk management is not available.

There are several keys to effective risk management. Risk management is best performed as early as possible, preferably before signing an agreement. It requires identifying and clarifying assumptions and addressing key issues early. It requires having the right people involved with the outsourcing agreement, such as subject matter experts knowledgeable about key issues.

One final caveat. Risk management is not a one-time occurrence. It must be done continuously. The reason is that risk management involves taking a snapshot in time and using it to anticipate what might happen in the future. The conditions of an environment, however, may be extremely dynamic and may challenge the validity of assumptions incorporated when managing risk. Hence, it is wise to continuously revalidate risk management before, during, and after negotiating an outsourcing agreement.

RISK IDENTIFICATION

There are many potential risks confronting outsourcing agreements. These risks can fall into one of three categories: legal, operational, and financial.

Legal risks involve litigious issues, before and after negotiating an agreement, such as:

-   Including unclear clauses in the agreement

-   Locking into an unrealistic long-term contract

-   Not having the right to renegotiate the contract

-   Omitting the issue of subcontractor management

Operational risks involve ongoing management of an agreement, such as:

-   Becoming too dependent on a vendor for mission-critical services

-   Inability to determine the quality of the services being delivered

-   Not having accurate or meaningful reporting requirements

-   Selecting a vendor having a short life expectancy

-   Being unable to assess the level of services provided by a vendor

-   Vendor failure to provide an adequate level of services

Financial risks involve the costs of negotiating, maintaining, and concluding agreements, such as:

-   Not receiving sufficient sums for penalties and damages

-   Paying large sums to terminate agreements

-   Paying noncompetitive fees for services

These categories of risks are not mutually exclusive; they overlap. However, the categories help to identify the risks, determine their relative importance to one another, and recognize the adequacy of any controls that do exist.

The risks also vary, depending on the phase in the life cycle of an outsourcing agreement. There are essentially seven phases to an outsourcing agreement: (1) determine the business case for or against outsourcing; (2) search for vendors; (3) select a vendor; (4) conduct negotiations; (5) consummate an agreement; (6) manage the agreement; and (7) determine the business case to decide whether to renew, renegotiate, or terminate a contract.

A Sample of the Risks in Each Phase

| Phase | Risk |
|---|---|
| Determine the business case for or against outsourcing | Using incorrect data |
| Search for vendors | Using a limited selection list |
| Select a vendor | Entering biases into the selection |
| Conduct negotiations | Not having the right people participate in the negotiations |
| Consummate an agreement | “Caving in” to an unfair agreement |
| Manage the agreement | Providing minimal expertise to oversee the agreement |
| Determine the business case to renew, renegotiate, or terminate the contract | Ceasing a relationship in a manner that could incur high legal costs |

RISK ANALYSIS

After identifying the risks, the next action is to determine their relative importance to one another and their respective probability of occurrence. The ranking of importance depends largely on the goals and objectives that the agreement must achieve.

There are three basic approaches for analyzing risks: quantitative, qualitative, and a combination of the two.

Quantitative risk analysis uses mathematical calculations to determine each risk’s relative importance to another and their respective probabilities of occurrence. The Monte Carlo simulation technique is an example.

Qualitative risk analysis relies less on mathematical calculations and more on judgment to determine each risk’s relative importance to another and their respective probabilities of occurrence. Heuristics, or rules of thumb, are an example.

A combination of the two uses both quantitative and qualitative considerations to determine a risk’s relative importance to another and their probabilities of occurrence. The precedence diagramming method, which uses an ordinal approach to determine priorities according to some criterion, is an example. Whether using quantitative, qualitative, or a combination of the techniques, the results of the analysis should look like the following:

Analysis Result

| Risk | Probability of Occurrence | Impact |
|---|---|---|
| Unable to assess the level of services provided by a vendor | High | Major |
| Locking into an unrealistic long-term contract | Low | Major |
| Select a vendor that has a short life expectancy | Medium | Major |
| Paying large sums to terminate agreements | High | Minor |

RISK CONTROL

There are three categories of controls: preventive, detective, and corrective. Preventive controls mitigate or stop a threat from exploiting the vulnerabilities of a project. Detective controls disclose the occurrence of an event and preclude similar exploitation in the future. Corrective controls require addressing the impact of a threat and then establishing controls to preclude any future impacts.

With analysis complete, the next action is to identify controls that should exist to prevent, detect, or correct the impact of risks. This step requires looking at a number of factors in the business environment that an outsourcing agreement will be applied to, such as agreement options (e.g., co-sourcing, outtasking), core competencies, information technology assets, market conditions, and mission-critical systems. There are many preventive, detective, and corrective controls to apply during all phases of outsourcing agreements.

The Result of Analysis

| Preventive Controls | Detective Controls | Corrective Controls |
|---|---|---|
| Provide ongoing oversight during the execution of the agreement | Establish minimum levels of performance in an agreement | Re-negotiating because of changing market conditions |
| Have the right to approve or disapprove of subcontractors | Maintain ongoing communications with the vendor | Identify conditions for discontinuing a contract |

After identifying the controls that should exist, the next action is to verify their existence for prevention, detection, or correction. To determine the controls that exist requires extensive time and effort. This information is often acquired through interviews, literature reviews, and having a thorough knowledge of a subject. The result is an identification of controls that do exist and ones lacking or needing improvement.

Having a good idea of the type and nature of the risks confronting an outsourcing agreement, the next step is to strengthen or add controls. That means deciding whether to accept, avoid, adopt, or transfer risk. To accept a risk means letting it occur and taking no action. An example is to lock into a long-term agreement regardless of conditions. To avoid a risk is taking action in order to not confront a risk. An example is to selectively outsource noncritical services. To adopt means living with a risk and dealing with it by “working around it.” An example is a willingness to assume services when the vendor fails to perform. To transfer means shifting a risk over to someone or something else. An example is subcontracting.

TOOLS

The “burden” of risk management can lighten with the availability of the right software tool. A good number of tools now operate on the microcomputer and support risk identification, analysis, and reporting, or a combination of these. Choosing the right tool is important, and the tool should therefore have a number of features. At a minimum, it should be user-friendly, interact with other application packages, and generate meaningful reports. One of the more popular packages is Monte Carlo for Primavera™.

CONCLUSION

Risk management plays an important role in living with a workable, realistic outsourcing agreement. Unfortunately, risk assessment takes a “back seat” before, during, and after negotiating an agreement. As a result, many firms are now renegotiating and canceling agreements. Some examples include large and small firms canceling long-term, costly agreements with highly reputable vendors. The key is to use risk assessment both as a negotiation tool and a means for entering into an agreement that provides positive results.
