The Multidimensionality of IT Outsourcing Risks

IT outsourcing is a complex endeavour with multiple sources of risks. The body of knowledge on the subject is vast but scattered. Our project aims to create an integrated risk and controls framework. This paper discusses the multidimensional nature of outsourcing risks that needs to be addressed when such framework is developed. This paper presents findings from two workshops where risks, their classifications and dimensions where discussed by a group of experienced risk practitioners. The results highlight that practitioners see strategy, stakeholders and the different phases of the outsourcing as important dimensions that create risk and needs to be addressed by organisations that are planning or already running an outsourcing venture. This research confirms that there are a number of dimensions in IT outsourcing risk and it has provided depth to the understanding of these dimensions

The Multidimensionality of IT Outsourcing Risks

Abstract: IT outsourcing is a complex endeavour with multiple sources of risks. The body of knowledge on the subject is vast but scattered. Our project aims to create an integrated risk and controls framework. This paper discusses the multidimensional nature of outsourcing risks that needs to be addressed when such framework is developed. This paper presents findings from two workshops where risks, their classifications and dimensions where discussed by a group of experienced risk practitioners. The results highlight that practitioners see strategy, stakeholders and the different phases of the outsourcing as important dimensions that create risk and need to be addressed when organisations are planning or running an outsourcing venture. This research confirms that there are a number of dimensions in IT outsourcing risk and it has provided depth to the understanding of these dimensions

Towards an economic analysis of IT outsourcing risks

This paper uses a case study to focus on the economic impacts of IT outsourcing risks through price determination. Previous research on IT Outsourcing (ITO) has examined risks from a number of perspectives, invariably from its impact on cost and failure. This paper uses a two dimensional model of buyer and supplier risk to show the relationships between the two related forms of risk in ITO and the determination of prices to resolve the risk

Taxonomy of Technological IT Outsourcing Risks: Support for Risk Identification and Quantification

The past decade has seen an increasing interest in IT outsourcing as it promises companies many economic benefits. In recent years, IT paradigms, such as Software-as-a-Service or Cloud Computing using third-party services, are increasingly adopted. Current studies show that IT security and data privacy are the dominant factors affecting the perceived risk of IT outsourcing. Therefore, we explicitly focus on determining the technological risks related to IT security and quality of service characteristics associated with IT outsourcing. We conducted an extensive literature review, and thoroughly document the process in order to reach high validity and reliability. 149 papers have been evaluated based on a review of the whole content and out of the finally relevant 68 papers, we extracted 757 risk items. Using a successive refinement approach, which involved reduction of similar items and iterative re-grouping, we establish a taxonomy with nine risk categories for the final 70 technological risk items. Moreover, we describe how the taxonomy can be used to support the first two phases of the IT risk management process: risk identification and quantification. Therefore, for each item, we give parameters relevant for using them in an existing mathematical risk quantification model

Managing IT outsourcing risks: the case of large organisations in South Africa.

Masters Degree. University of KwaZulu-Natal, Durban.Information technology (IT) is significant to achieving business objectives. Despite the significance of IT to the business, organisations are outsourcing the whole, or part thereof, of their IT department to reduce cost and focus on the core of their business. The outsourcing of IT, however, comes together with risks such as vendor lock-in, loss of control and information breaches that could lead to IT outsourcing (ITO) failure. If these risks are not properly identified and managed, organisations will remain vulnerable. While studies have been conducted on ITO and risk management, very few have conducted exploratory research to address how to manage the risks of ITO. Hence, using a qualitative approach, this study explored how large organisations manage the common risks of ITO. These risks are the operational risk, business continuity risk, data privacy risk and compliance risk of the IT Service Provider (ITSP). The study further explored the impact of these risks on large organisations and the mitigating controls organisations can have in place to reduce their impact and likelihood of occurrence. Interviews, which were recorded, was conducted with 12 experts from two large organisations in South Africa. The recorded interviews were transcribed, coded using NVivo software and analysed using thematic analysis. The main themes of this study were governance, develop ITO risk profile, ITSP audit, risk treatment, and assurance. Findings show that organisations need to constitute a Risk Management Committee with a substantial level of experience in the management of risks and ITO. This is to ensure the effective identification, assessment and treatment of ITO risks. Furthermore, the constituted Risk Committee must conduct verification exercises to identify the inherent risks of ITO. They must also conduct maturity assessment and business impact analysis (BIA) in assessing the probability of occurrence and impact of ITO risks. The Committee must establish technical and administrative controls in mitigating the risks of ITO. The findings further show that organisations must integrate risk governance and assurance polices in their ITO risk management strategy to continuously monitor residual risks and identify potentially new risks. A governance Framework for IT Service Provider Risk Management (ITSPRM) that may serve as a guide in the effective management of ITO risks was also developed and presented

TAXONOMY OF TECHNOLOGICAL IT OUTSOURCING RISKS: SUPPORT FOR RISK IDENTIFICATION AND QUANTIFICATION

The past decade has seen an increasing interest in IT outsourcing as it promises companies many economic benefits. In recent years, IT paradigms, such as Software-as-a-Service or Cloud Computing using third-party services, are increasingly adopted. Current studies show that IT security and data privacy are the dominant factors affecting the perceived risk of IT outsourcing. Therefore, we explicitly focus on determining the technological risks related to IT security and quality of service characteristics associated with IT outsourcing. We conducted an extensive literature review, and thoroughly document the process in order to reach high validity and reliability. 149 papers have been evaluated based on a review of the whole content and out of the finally relevant 68 papers, we extracted 757 risk items. Using a successive refinement approach, which involved reduction of similar items and iterative re-grouping, we establish a taxonomy with nine risk categories for the final 70 technological risk items. Moreover, we describe how the taxonomy can be used to support the first two phases of the IT risk management process: risk identification and quantification. Therefore, for each item, we give parameters relevant for using them in an existing mathematical risk quantification mode

IT Outsourcing Risk Management at British Petroleum

This paper reports the results of a study of three successive IT outsourcing contracts at British Petroleum (BP). We offer an operational definition of IT outsourcing risk and use it to assess the risk exposure associated with each contract. We then examine how the management at BP dealt with outsourcing risk. Our results show that careful and deliberate risk management can substantially attenuate the level of risk exposure, and that IT outsourcing risks can be managed. Ce document présente les résultats d'une étude de trois contrats d'impartition successifs. L'étude fut conduite chez British Petroleum. Une définition opérationnelle du risque d'impartition est donnée. Cette définition est ensuite utilisée pour déterminer le niveau de risque associé à chacun des contrats. Les mécanismes de gestion de risque sont également identifiés. Les résultats démontrent qu'une gestion active du risque permet de réduire sensiblement les niveau d'exposition au risque, notamment dans le cas de contrats d'impartition des technologies de l'information.Outsourcing of IS, IS risk management, agency theory, transaction cost economics, case study, Impartition des systèmes informatiques, gestion du risque d'impartition, gestion du risque, théories de l'agence et des coûts de transaction, étude de cas

Risks and Audit Objectives for IT Outsourcing

In the recent years, as a result of globalization, internet and IT progress, the outsourcing of IT services has seen an exponential growth. As a result more and more companies decide to outsource, partially or totally, their IT services. Nevertheless, the outsourcing process exposes both clients and service providers to a series of risks that can seriously affect their activities. Managing these risks by improving the quality and efficiency of internal control has made the ITO audit a necessary component for all the companies involved in this process. The goal of this paper is to identify analyze and map the influence areas of ITO risks in order to suggest a series of objectives for ITO audit.Information Technology, Outsourcing, Audit, Risks, Service Provider

Development of a Risk Assessment Model for Global Information Technology Outsourcing

Global Information Technology (IT) outsourcing has been recognized to have important potential benefits. However, researchers and practitioners also recognize potential risks involved in global IT outsourcing, which sometimes lead to undesirable consequences. This paper develops a model to assess risks in global IT outsourcing. Specifically, this paper begins by identifying global IT outsourcing risk factors by considering the national infrastructure, organizational infrastructure, and project environment. Second, a Global IT Outsourcing (GITO) engagement model for risk assessment is developed to logically link all these risk factors together. Third, one quantifiable approach based on a relative-weighted assessment model is presented to demonstrate how the risks in the GITO engagement model can actually be measured and assessed. Such an overall measurement of global IT outsourcing risks establishes a reference point for assessing global IT project outsourcing risks, and will assist managers to enhance global IT outsourcing’s effectiveness and realize its vast potential. This paper will also benefit high-level decision makers including executives, policy planners, and managers working on decisions regarding global IT outsourcing, such as decisions on selecting an outsourcee country with a lower level of risk