
Understanding IT outsourcing risk: incorporating risk management in your IT sourcing strategy

Outsourcing decisions have long-term consequences. Understanding how IT organisations and IT executives make decisions, value risk and manage risk is an integral part of IT outsourcing. The consequences of poor decision making, with resulting lock-in effects, can be detrimental to competitiveness, undermine organisational morale and incur significant costs. Managing risk during the IT sourcing life-cycle is at the heart of successful IT outsourcing.

Starting in the strategy phase of an IT sourcing initiative and continuing through the entire project, companies should work with a structured approach to risk management. IT executives need to ensure that the organisation understands the multiple impacts that the decision to outsource IT will have and is able to evaluate the risks versus the returns. They should consider how to manage and maintain internal control over outsourced IT deliveries. Additionally, depending on the industry, there are regulatory requirements that need to be considered, such as GL 44 within the financial sector.

There are a number of risks in IT outsourcing that have to be managed at the strategic, tactical and operational levels. Companies need to manage outsourcing and third-party risk actively. The risk management approach needs to include the reporting and monitoring arrangements that should be implemented from inception to the end of an IT outsourcing agreement – including the business case, the contract, the implementation of the contract to its expiry, contingency plans and exit strategies. This approach also needs to be operationalised during the contract life-cycle. It is not a one-time, discrete event.

However, in order to leverage the true value of IT sourcing, transformation is key, and with it come risks. IT organisations need to balance the operational agenda with more forward-looking strategic initiatives. They need to balance risk exposure with transformational change. From a decision-making perspective, this is a critical management issue. As the authors of the HBR article "The hidden traps in decision making" state:

“Before deciding on a course of action, prudent managers evaluate the situation confronting them. Unfortunately, some managers are cautious to a fault—taking costly steps to defend against unlikely outcomes. Others are overconfident—underestimating the range of potential outcomes. And still others are highly impressionable—allowing memorable events in the past to dictate their view of what might be possible now.”

There are numerous traps in decision making, and the best tool to manage these is awareness. Awareness of the decision-making traps helps companies and executives to avoid the pitfalls of bias, a false sense of security from estimates, excessive caution, overconfidence and failure to ignore sunk costs. This awareness is the foundation of a suitable risk management framework and process in an IT outsourcing initiative.

A common pitfall in IT outsourcing initiatives is to think that risk can be outsourced. In close co-operation with clients, 3gamma has noticed and worked through the issues of getting stuck with a vendor that is not delivering. The strategies to manage these situations are as diverse as the reasons for them, ranging from keep-and-develop approaches and transformational resourcing to selective insourcing. The contract plays a significant role in covering different eventualities, but it can also be an underlying root cause of the issues at hand.

To reduce risk and achieve the business objectives through IT outsourcing, companies need to apply a holistic approach. They must consider the entire outsourcing life-cycle – combining business, IT and legal IT outsourcing expertise – and have a transparent discussion with vendors about the exit strategy up front. But it is not merely a legal or contractual issue – it is imperative to also include this approach in the IT sourcing strategy through the definition and clustering of IT sourcing objects, IT architecture and application integration considerations. In addition, the risk needs to be managed from strategy to inception to renewal through a regular risk management assessment process at the strategic, tactical and operational levels, focussing on:

  • Reviewing the alignment with business objectives and a regular business case assessment
  • Assessing the impact of limitations in flexibility and understanding lock-in mechanisms (processes, architecture, integration, tools etc.)
  • Monitoring contractual alignment and the contract’s validity to the services required and delivered, understanding potential scope creep and contract leakages
  • Assessing the change effort required and exit-mechanism applicability
  • Understanding available external market capabilities (market insight) for the services in scope
  • Understanding internal execution capability, i.e. the ability to transfer services from one vendor to another vendor (or insource)

The risk management approach is continuous and should not be limited to the actual decision. Savvy IT executives revisit their decisions regularly and manage their vendor base as a portfolio to optimise its business value.

Authors: Maria Ekberg, Director 3gamma and Rickard Holmkvist, COO 3gamma Group and Managing Director (Sweden)
