the university of sheffielddagda.shef.ac.uk/dispub/dissertations/2003-04/... · 5.3.10 using third...

Risk Management Practices in Information System

Outsourcing: an investigation into a commercial bank

in UK

A Study submitted in partial fulfilment of the requirements for the degree of Master of Science in Information Systems

at

THE UNIVERSITY OF SHEFFIELD

By

JYOTI BAHIRWANI

SEPTEMBER 2004

ABSTRACT This research work focuses on the risk management practices in information system

outsourcing adopted by a commercial bank in UK. It is motivated by the risks identified

in the academic literature. Though ample research has been conducted to identify risks

and decision frameworks for outsourcing, there is little or no study conducted to identify

the risk management practices. The research illustrates the globally increasing trend of

outsourcing IS and demonstrates the various strategies and decision frameworks adopted

for outsourcing.

The research draws largely from the analysis of the interviews conducted with the

various stakeholders in the outsourcing process namely: technology head, project

manager, compliance manager, procurement manager, support manager and business

development manager. After analyzing the interviews, an inductive qualitative research

approach was used to draw conclusions. The interviewees agree that adopting risk

management practices while outsourcing information systems is very important.

The findings revealed that although managers of various departments in the bank

identify the significant risks in information systems outsourcing, not many follow a set

framework for assessing the risks and depend largely on intuition and previous

experience. The study also discovered that the bank has formulated policies and

guidelines to comply with the legal regulations set for the process of outsourcing.

2

ACKNOWLEDGMENT A lot of people played various roles in ensuring that this research work is of merit.

While I deeply appreciate the contributions of all these people, I wish to place on record

the efforts of Dr Miguel Baptista Nunes, my project supervisor for his unending support

and intellectual insights, which enhanced the quality of this work. This thesis could not

have been written without his help. I also truly appreciate Mr Niall Woodhead for his

attention, support and cooperation throughout my research in London. Finally, I give

great thanks to God for His abiding presence.

3

Title page

Abstract 2

Acknowledgement 3

Table of Contents 4-10

1. INTRODUCTION 11

1.1 Background of Study 11

1.2 Problem Statement 12

1.3 Research Objectives 13

1.4 Research Questions 13

1.5 Research Approach and Strategy 14

1.6 Case Study Approach 15

1.7 Research Tools 15

1.8 Target population 16

1.9 Limitations to the Study 16

1.9.1 Banks’ attitude to research 16

1.9.2 Availability of staff 16

1.9.3 Time 17

1.10 Confidentiality 17

1.10.1 The ethical code 17

1.11 Dissertation Overview 18

2. OUTSOURCING 20

2.1 Introduction 20

2.2 Definition of Information System Outsourcing 20

2.3 Objective of Information System Outsourcing 22

2.4 Case for Outsourcing 24

2.5 Risks associated with Information System Outsourcing 25

2.6 Information Systems Outsourcing Strategy 28

4

2.6.1 Types of Outsourcing 29

2.6.2 Types of Outsourcing Relationships 30

2.7 Trends in Outsourcing 32

2.8 Information Systems Outsourcing Process 34

2.9 Framework for Decision Making in IS Outsourcing 36

2.10 Risk Thinking in Decision Making 43

3. RISK MANAGEMENT 45

3.1 Introduction 45

3.2 Concept of Risk 46

3.3 Concept of Risk Management 48

3.4 Risk Management Frameworks 51

3.5 Risk Management Process 52

3.5.1 Steps in Risk Management 53

3.5.2 Risk Identification 54

3.5.3 Risk Assessment 57

3.5.4 Risk Control 59

3.6 Rationale for Risk Management 64

3.7 Risk Management for outsourcing information systems 64

3.8 Current Risk Management Models 65

4. CASE STUDY 68

4.1 Introduction 68

4.2 The Organization 68

4.3 Outsourcing Options 70

4.4. Outsourcing Process 70

4.5 Software Development Life Cycle 71

5

5. RESULTS AND FINDINGS 74

5.1 Presentation of the results and findings 74

5.2 Key Concepts 75

5.3 Interview One: Compliance Manager 75

5.3.1 Role in Decision Making Process 76

5.3.2 The Outsourcing Process 76

5.3.3 Objective of Outsourcing 77

5.3.4 Risks in Outsourcing 77

5.3.5 Risk Identification Process 78

5.3.6 Risk Assessment Process 78

5.3.7 Strategies & Policies for managing risk 79

5.3.8 Risk Management Techniques 80

5.3.9 Suggested Measures 80

5.3.10 Using third party consultants 81

5.3.11 Future Trends in Outsourcing 82

5.3.12 Concept Map 82

5.4 Interview Two: The Procurement Manager 84


5.4.2 Outsourcing Process 84

5.4.2.1 Issues in managing the Outsourcing Process 85





5.4.7 Using Third Party Consultants 90



5.5 Interview Three – Production Support Manager 92




6


5.5.4 Risk Identification 98


5.5.6 Key factors in Decision Making 99





5.6 Interview Four – Business Development Manager 103







5.6.6 Key factors in Decision Making 109



5.7 Interview Five – Project Manager 111

5.7.1 Role in the decision making process 111





5.7.6 Strategies and Policies for managing risk 114



5.7.9 Need for third party consultant 116

5.7.10 Future Trends 116


5.8 Interview Six – Head of Department 118

7

5.8.1 Role in Decision Making Process: 118










5.9 Discussion 123

5.9.1 Summarizing the key concepts 123

5.10 Findings 128








5.10.8 Use of Third Party Consultant 140


5.10.10Future Trends 142

6 RECOMMENDATIONS & CONCLUSIONS 145

6.1 Recommendations 145

6.2 Conclusions 146

6.3 Future Research 148

BIBLIOGRAPHY 149-154

8

LIST OF FIGURES

Figure 2.1: Components of IT outsourcing risk exposure 28

Figure 2.2: The Evolution of IT Outsourcing 31

Figure 2.3: Outsourcing Process Framework 35

Figure 2.4: The Four-S Outsourcing Model 36

Figure 2.5: IS Cost/Service trade-off 39

Figure 3.1: The risk management process is a repetitive cycle 52

Figure 3.2: Risk Probability/Impact Chart 59

Figure 3.3: Risk Mitigation Plan 61

Figure 3.4: Sample Risk Analysis Sheet 63

Figure 3.5: Risk-Return-Rating (R3) Method 66

Figure 4.1: Organizational Structure 68

Figure 4.2: Technology Unit 69

Figure 4.3: Sourcing Strategy in Software Development Life Cycle of the Bank 72

Figure 5.1: Concept Map of Interview 1 - Compliance Manager 83

Figure 5.2: Concept Map of Interview 2 - Procurement Manager 91

9

Figure 5.3: Concept Map of Interview 3 – Production Support Manager 102

Figure 5.4: Concept Map of Interview 4 – Business Development Manager 110

Figure 5.5: Concept Map of Interview 5 – Project Manager 117

Figure 5.6: Concept Map of Interview 6 – Head of Department 123

Figure 5.7: Analysis Chart 127

Figure 5.8: Concept Map of Key Element 1 – Objective of Outsourcing 129

Figure 5.9: The Outsourcing Decision Process 132

Figure 5.10: Concept Map of Key Element 3 – Risks in Outsourcing 134

Figure 5.11: Concept Map of Key Element 4 – Risk Identification 136

Figure 5.12: Concept Map of Key Element 5 – Risk Assessment 137

Figure 5.13: Concept Map of Key Element 6 – Strategies & Policies 138

Figure 5.14: Concept Map of Key Element 7 – Risk Management Techniques 139

Figure 5.15: Concept Map of Key Element 7 – Use of third party consultant 140

Figure 5.16: Concept Map of Key Element 8 – Suggested Measures 142

10

1. INTRODUCTION

1.1 Background of Study

The DFC terms a bank as “a federally regulated financial institution that, in general,

engages in the business of taking deposits, lending, and providing other financial

services”. In the last 10 years substantial changes in the business environment left

commercial banks with longstanding advantages in core processes at a competitive cost

disadvantage relative to new competitors. Deregulation opened the most profitable

segments of retail financial services to non-bank competitors while IT innovations

extended production options to offer cost reductions to both new players and existing

banks (Wood, 2001). Technology challenged integration solutions by giving existing

and new competitors a new range of strategies based on in sourcing and outsourcing that

redefined supply chains in respect of client capture, distribution or asset securitization.

Financial services organizations increasingly chose outsourcing solutions, driven by

business need to create usage based costing, increase flexibility and release working

capital. According to DataMontor.com the end of 2002 showed a number of key

corporate willing to consider outsourcing all or part of their IT functions. In 2002,

money on IT outsourcing reached $9.7bn. Datamonitor predicts that European

corporates and financial services firms will spend $12.4bn by 2005 (Sangani, 2003).

Thus we can observe that outsourcing is an inevitable development in the financial

services industry.

The key business drivers that attract these financial institutions to outsourcing are

increasing IT resource costs including salaries, hiring expenses, staff training and career

development and increasing IT capital investment costs like the cost of technology,

disaster recovery and capacity planning. The financial institutions that are exploring the

outsourcing option are typically making an important distinction between commoditized

activities, which are good candidates for outsourcing, and core competencies that are

11

strategic and critical to the success of the business (Free, 2001). However there are many

strategic and tactical issues that make the outsourcing decision a difficult one and the

one that carries considerable risk. Thus in an outsourcing relationship, only enterprises

that can effectively manage risk will be able to address the issues that will inevitably

arise and could prevent a successful outcome. The Gartner group predicts that by 2005,

75 percent of enterprises that fail to recognize and mitigate risk throughout the

outsourcing life cycle will fail to meet their outsourcing goals because of misaligned

objectives, unrealized expectations, poor service quality and cost overruns (Murphy,

2003). This study observes these suggestions and focuses the research area into a

commercial bank in UK. It attempts to find out the risk management strategies presently

adopted by a bank and makes an effort to identify critical success factors for managing

risk in IS outsourcing.

1.2 Problem Statement

The general problem domain of this research is the risks associated with IS outsourcing.

However, the specific emphasis of the research can be formulated in the following

problem statement:

‘How can organizations identify and assess risks when taking an IS outsourcing

decision?’

12

1.3 Research Objectives

The objectives of the research are listed below:

• To evaluate the strategic framework of outsourcing by examining the theoretical

models presenting different views towards outsourcing.

• To identify various categories of risk associated with IT outsourcing.

• To investigate the risk management practices currently adopted by a commercial

bank in UK in their information system outsourcing efforts.

• To determine how the decision-making processes in information systems

outsourcing can be supported in order to reduce the associated risks

• To identify a model of good practice for outsourcing decision.

1.4 Research Questions

The primary research question this study seeks to answer is “Do commercial bank

managers follow risk management practices in the decision making process to outsource

information systems?”

The following issues will be examined in order to answer the primary research question

stated above:

• Is there a formal decision making process for IS outsourcing?

• What are the criteria for selecting outsourcing as an option?

13

• What and how are the risks identified in outsourcing?

• How are the risks assessed in the decision making process?

• Does the organization have policies and guidelines for outsourcing of

information systems? Are they strictly adhered to?

• What are the future trends and risks in outsourcing of Information Systems?

1.5 Research Approach and Strategy

This research adopts an inductive research approach, which reasons the works from

specific observations to broader generalisation and theories (William, 2002). Inductive

approach enables ‘a cause-effect link to be made between particular variables without an

understanding of the way in which humans interpreted their social world’ (Saunders et

al., 2000, pg. 89).

This study follows the qualitative research methodology. Qualitative research

methodologies are designed to provide the researcher with the perspective of target

audience members through immersion in a culture or situation and direct interaction

with the people under study. The methods to be used in the study include observations

and in-depth interviews. These methods are designed to help researchers understand the

meanings people assign to social phenomena and to elucidate the mental processes

underlying behaviors. The study would generate hypotheses during data collection and

analysis, and measurement would be subjective (Weinreich, 2003).

The motivation for doing qualitative research, as opposed to quantitative research,

comes from the observation that, if there is one thing which distinguishes humans from

the natural world, it is our ability to talk! Qualitative research methods are designed to

help researchers understand people and the social and cultural contexts within which

14

they live. Some researchers argue that the goal of understanding a phenomenon from the

point of view of the participants and its particular social and institutional context is

largely lost when textual data are quantified (Myers, 1997).

1.6 Case Study Approach

The case study approach has been adopted in this research. The case study is a

commercial bank in London, UK. Case study research is the most common qualitative

method used in information systems. Although there are numerous definitions, the scope

of a case study is defined as follows (Myers, 1997):

A case study is an empirical inquiry that:

• investigates a contemporary phenomenon within its real-life context, especially

when

• The boundaries between phenomenon and context are not clearly evident"

It is mentioned by many researchers that the case study research method is particularly

well-suited to IS research, since the object of the discipline is the study of information

systems in organizations, and interest has shifted to organizational rather than technical

issues (Myers, 1997). My Case study research would be interpretive and critical.

1.7 Research Tools

The primary mode of data collection used in this study was interviews and e-mail

exchanges with a significant representation of the key population. The interviews were

semi-structured in order to provide the flexibility necessary to obtain valuable qualitative

data, whilst maintaining a focus on the specific research question. The secondary

sources are books, journals, articles, white papers, websites, previous dissertations,

reports and opinions of regulatory bodies.

15

1.8 Target population

The primary source of information in this study were the strategic managers who are

involved in long-term decision-making in the bank, Heads of IS departments who are

working in association with the providers of the outsourcing service providers and user

departments in the bank.

1.9 Limitations to the Study

Like most studies, the findings of this research may have been limited by some factors.

Attempts were however made to reduce these limitations. Some of which are detailed

below:

1.9.1 Banks’ attitude to research

There was an initial reluctance on the part of bank to disclose information to a researcher

from an academic institution. I had to re-emphasize the confidentiality of information,

concluding that the academic exercise would add to the body of knowledge.

1.9.2 Availability of staff

The availability of staff has been an important issue. It was a limiting factor as the

research was conducted over the summer months when many employees choose to take

long vacations. In some occasions the staff had other commitments that may have been

on a higher priority than supporting student research projects.

16

1.9.3 Time

Time has been the most significant limiting factor in this research. The research has been

undertaken in the months between June and September 2003 as the exams and

coursework associated with the taught element of the course were timetabled until the

end of May. The restriction on time can be considered to have had a small impact on the

quality of this research project. Had more time been available, it would have been

possible to study the literature in greater depth and interview more stakeholders in the

outsourcing process.

1.10 Confidentiality

Having discussed the confidentiality and ethical considerations with the interviewees at

the organization supplying the case study, the following ethical code has been adhered to

throughout the research:

1.10.1 The ethical code

The organization shall not be mentioned explicitly in the dissertation or any

further research that might take place as a result of the dissertation;

All participants in the research shall remain anonymous. The names of

respondents will not appear in the final report;

All confidential information will be treated with discretion. Only the researcher

will have access to data that associates an individual with any confidential

comments; and participants will be able to request a digital copy of the final

report.

The research will attempt to explore risk identification in practice.

It is hoped that the final report will be of benefit to those who take part in the research.

17

1.11 Dissertation Overview

This thesis takes literature available from published journals, books, and reports, from

academic sources and finally literature from the white papers and published news

articles, linked to four main themes. The objective of this thesis is fourfold. First is an

introduction of the study with the research questions and objectives. The introduction

makes the argument that adoption of risk management practices is crucial in outsourcing

information systems for banks. In order to harness the benefits of outsourcing

Information system, there is need for management to define objectives and formulate

strategies. Second is a review and classification of the body of knowledge in relation to

the outsourcing, the risks involved in outsourcing and the need for a risk management

framework in decision making. Third is an investigation of the risk management

practices in decision making of outsourcing in a commercial bank. Fourth is an analysis

of the findings along with discussions. Lastly is the conclusion of the research with brief

overview, with a short summary of areas for future research.

Outsourcing

This section provides an overview of outsourcing, the benefits and objectives, the risks

involved in outsourcing information systems. This section also describes the outsourcing

strategies, the framework for decision making and the importance of risk thinking in

decision making

Risk Management

This section looks at the concept and components of risk management, the rationale for

risks management, the risk management process, the management of information

systems and outsourcing risks and current risk management practices.

18

Case Study

Having discussed the global risk management practices in outsourcing of information

systems, this section describes the organization taken as the case study, the

organizational structure, the outsourcing process followed by the bank and the software

development life cycle model.

Results analysis and discussions

This section presents the results and analysis of the survey findings, including:

• Outsourcing objectives

• Risks identified in outsourcing

• Outsourcing process

• Risk management, practices and guidelines

• Suggested Measures

• Future Trends

Recommendations, conclusion and future research

This section describes the overview of the research, conclusions and my views for

further research.

19

2. OUTSOURCING

2.1 Introduction

Tracing its roots to the time-sharing and professional services of the 1960s, outsourcing

has become an important option today for information systems (IS) and corporate

executives (Apte et. al., 1997). The practice of outsourcing is an international

phenomenon. There has been increasing interest in the opportunities provided by

outsourcing (Butler et. al., 2001; Lacity & Willcocks (1996); Loh & Venkatraman,

1995; McCarthy, 1996). However, there is also a growing body of evidence of a high

failure rate in such arrangements. One cause of this is the high level of risk associated

with alliances, compared to `in-house' activities (Smith & Smith, 2003).

This section looks at the 1) Definition of Outsourcing 2) Objective of Outsourcing 3)

Case for Outsourcing 4)Risks in Information Systems Outsourcing 5) Information

System Outsourcing Strategies 6) Types of Outsourcing and Outsourcing Relationships

7) Trends in Outsourcing 8) Outsourcing Process 9) Framework for Decision Making in

Outsourcing 10) Risk Thinking in Decision Making

2.2 Definition of Information System Outsourcing

Numerous definitions for the term ‘outsourcing’ have been stated in the past.

Outsourcing in its most basic form was conceived as, purchase of a good or service that

was previously provided internally (Lacity and Hirschheim, 1993). However precise

definitions of information technology (IT) outsourcing differ in the literature (Glass,

1996). Some of the notable definitions are as follows:

20

‘Outsourcing means turning over or sharing responsibility for all or part of an

organization’s information technology function with a third party’ –Oltman, 1990

‘It is a significant contribution by external vendors in the physical and/or human

resources associated with the entire or specific components of the IT infrastructure in the

user organization’ - Loh and Venkatraman, 1995

“It is the procurement of products or services from sources that are external to the

organization” - Lankford and Parsa, 1999

‘Outsourcing refers to the transfer of assets-computers, networks and people-from a

user to vendor, the vendor taking over the responsibility for the outsourced activity.’ -

Takac, 1994

‘Outsourcing is a new word for facilities management, but it is broader in term of IT

services and a changing relationship between client and external vendor’ - Huff, 1991

“Outsourcing is selectively turning over to a vendor some or all of the information

systems functions, ranging from simple data entry to software development and

maintenance, data center operations and full system integration” - Apte et al, 1997

“ IS outsourcing is the commissioning of part or all of the information systems activities

an organization needs, and/or transferring the associated human and other information

systems resources, to one or more external IS suppliers.” - De Looff, 1997

Though there are different aspects considered in all the definitions, there seems to be a

general agreement about outsourcing being a process of carrying out of IT functions by

third parties (Kettler and Walstrom, 1993). However today, outsourcing has grown to

span multiple systems and represents a significant transfer of assets, leases and staff to a

vendor that now assumes profit and loss responsibility (Lacity and Hirschheim, 1995).

21

In order to gain the profits of outsourcing, one needs to analyze the key objectives of

such a strategic decision

2.3 Objective of Information System Outsourcing

Although information technology (IT) is integral to the operations of most organizations

and requires a much higher level of skill, it happens to be one of the most outsourced

services (Domberger and Fernandez, 2000). One might ponder on the thought that why

do senior managers prefer to entrust outside firms with critical tasks? There have been

several attempts to understand the objective of outsourcing. McCarthy (1996) describes

them as follows:

• Outsourcing allows companies to refocus their resources on their core business.

• Corporations can buy technology from a vendor that would be too expensive for

them to replicate internally.

• Outsourcing lets companies re-examine their benefit plans, make them more

efficient, and save time and money while improving efficiencies.

• Companies outsource to improve the benefit plan service level to their employees

by making the information more consistent and more available.

• A final possible reason is to reduce costs, certainly over the longer term.

Domberger and Fernandez (2000) find the ever-increasing expenditure on IT services

and the often exceptionally high levels of service expected by users responsible for

much of the spotlight on IT outsourcing as an alternative method of service delivery.

Similarly, Bhattacharya et al (2003) observes that the drivers of outsourcing decisions

are both internal and external to the outsourcing organization. Smith et al. (1998)

22

explicitly classify these internal and external drivers of IS outsourcing into five

categories which are as follows:

1. Cost reduction

It is believed that an outside vendor can provide the same level of service at a

lower cost than the internal IS department because the vendor has better

economies of scale, tighter control over fringe benefits, and better access to

lower cost labor pools, and more focused expertise in managing IS.

2. Focus on core competence

Companies may also outsource their IS to streamline the management agenda

and focus on the firm’s core business (McFarlan and Nolan, 1995). Senior

executives often consider the IS function a commodity service best managed by a

large supplier (Bhattacharya et al, 2003).

.

3. Liquidity needs

Companies often outsource IS to generate cash and enhance liquidity (McFarlan

and Nolan, 1995). Many IS outsourcing agreements involve an introductory cash

payment by the vendor for the tangible and intangible IT assets of the client

(Smith et al., 1998). The vendor then uses this infrastructure and may also hire

the IS staff of the client to provide contract services to the client and others.

4. IS capability factors

IS capability factors also motivate outsourcing (Smith et al., 1998; McFarlan and

Nolan, 1995). Rapid technological advances may leave firms’ IS departments

lacking in current technical expertise and equipment. The vendor may have the

resources with special skills and expertise in managing the particular IT function

23

5. Environmental factors

Finally, environmental factors’ that play a role in the outsourcing decision

(McFarlan and Nolan, 1995) are external influences that exist in the industry or

in the economy at the time of outsourcing. For instance, the decision to outsource

IS may be driven by imitative behavior among firms (McFarlan and Nolan,

1995) or by a mix of external media, vendor pressure, and internal

communications at a personal level among managers (Bhattacharya et al, 2003). .

After the Kodak outsourcing decision, for example, many large firms began to

view IS outsourcing as a viable alternative (Smith et al., 1998).

2.4 Case for Outsourcing

Apart from the popular benefits of significant cost savings and competitive advantage

from outsourcing, Butler et. al. (2001) presents the business case for outsourcing:

1. Control:

Many companies are moving towards concentrating on their core

competencies and removing everything else from their direct responsibility.

The issues and overheads of in-house management can be devolved from the

company to another organization with expertise in that area, allowing the

company to concentrate in improving its business.

2. Speed of change:

The speed in which technology develops can be encapsulated in the statement

‘one elapsed year equals to seven IT years’. It is not feasible for the

company to ignore new technology and it is expensive to obtain all the

appropriate skills in-house.

24

3. Total cost of ownership:

The cost of running and maintaining an application in-house, over an average

life span of five years, is estimated to be four to five times the cost of the

original purchase. Comparatively the cost of outsourcing the development

and maintenance works out cheaper.

4. Maintaining employees:

The cost of recruiting staff and getting them trained can be eliminated

through the use of outsourcing.

5. Number of employees:

This is significantly reduced with outsourcing, as it requires only a single

resource to be responsible for the relationship with the outsource provider,

and often this would not be a dedicated role.

2.5 Risks associated with Information System Outsourcing Amid the rhetoric about outsourcing’s benefits, the risks and costs of outsourcing are

sometimes lost. Problems such as failure to achieve anticipated cost, losing control of

critical functions, lowering the morale of permanent employee and managing

relationships that go wrong (Curie and Willcocks, 1997) are due to outsourcing. Loss of

control over the quality of the software and the project’s timetable, reduced flexibility

and loss of strategic alignment are often expressed as drawbacks of outsourcing (Apte et

al., 1997).

Outsourcing of IT functions involve similar risks that may arise when these functions are

performed internally, such as threats to the availability of systems used to support

customer transactions, the integrity or security of customer account information, or the

integrity of risk management information systems (Spillenkothen, 2001).

25

Earl (1996) identifies eleven risks in outsourcing which in practice indicate the limits to

outsourcing:

1. Possibility of weak management

2. Inexperienced Staff

3. Business Uncertainty

4. Outdated Technology Skills

5. Endemic Uncertainty

6. Hidden Costs

7. Lack of organizational learning

8. Loss of innovative capacity

9. Danger of misunderstanding

10. Technological indivisibility

11. Fuzzy focus

Takac (1994) and Chalos (1995) have identified the following risks and sources of risks

or factors resulting in risks related to outsourcing:

• Business and technical change

• Supply of skilled resources

• Retention of in-house expertise

• Service level maintenance

• Culture factors

• Transfer of contracts

• Contractual complexity

• Change of outsourcers

• Performance expectations

• Breach of proprietary information

• Financial stability of the supplier

26

Aubert et al, 2001 identifies not only the risk factors in outsourcing but also their

potential negative consequences. These outcomes, with their associated factors are

summarized in the following figure.

Factors leading to outcome Undesirable outcomes

• Lack of experience and expertise of the client with the activity (Earl, 1996; Lacity et al, 1995)

• Lack of experience of the client with outsourcing (Earl, 1996)

• Uncertainty about the legal environment

Unexpected transition and management costs (Earl, 1996)

• Asset specificity • Small number of suppliers • Scope • Interdependence of activities

Switching costs (including lock-in, repatriation and transfer to another supplier)

• Uncertainty • Technological discontinuity (Lacity

et al. 1995) • Task complexity

Costly contractual amendments (Earl, 1996)

• Measurement problems • Lack of experience and expertise of

the client and/or of the supplier with outsourcing contracts (Earl, 1996; Lacity et al, 1995)

• Uncertainty about the legal environment

• Poor cultural fit

Disputes and litigation (Lacity and Hirschheim, 1993)

• Interdependence of activities • Lack of experience and expertise of

the supplier with the activity (Earl, 1996)

• Supplier size (Earl, 1996) • Supplier financial stability (Earl,

1996 ) • Measurement problems • Task complexity

Service debasement (Lacity and Hirschheim, 1993)

• Lack of experience and expertise of the client with contract

• management (Earl, 1996; Lacity et al, 1995)

• Measurement problems

Cost escalation (Lacity and Hirschheim, 1993; Lacity et al, 1995)

27

• Lack of experience and expertise of the supplier with the activity (Earl, 1996)

• Scope • Proximity of the core competencies • Interdependence of activities

Loss of organizational competencies (Earl, 1996; Lacity et al, 1995)

• Complexity of the activities • Measurement problems • Uncertainty

Hidden Service Costs (Lacity and Hirschheim, 1993)

Figure 2.1: Components of IT outsourcing risk exposure

(Adapted from Table 1 – Aubert et al, 2001) Besides Lacity et al (1996) notes the degree of the risks in outsourcing to be directly

proportional to the maturity and the degree of integration of the technical activities with

other processes. Activities which are technically immature and have a high degree of

technical integration with other business processes tend to have significantly high risks

in outsourcing. Thus in order to control the risks, the organization needs to select an

appropriate strategy depending on the activity being outsourced (Butler et. al., 2001)

2.6 Information Systems Outsourcing Strategy

Outsourcing of IT facilities ranges from specific areas such as helpdesk provision or

application development, right through to the outsourcing of the whole IT function,

including infrastructure, staff and the related business processes (Butler et. al, 2001). For

any enterprise that is outsourcing, or thinking about outsourcing, it needs to understand

what it means to have a sourcing strategy (Cohen, 2003). A sourcing strategy is a

continuous journey into the best balance between internal and external activities and

between services and know-how. It is a continuous alignment among business strategy,

business processes and IT services on behalf of the organization’s strategic

achievements. It is the researching of a path that always keeps a balance of the decisions

that an enterprise must make, the results that must be achieved and the options that can

be taken when necessary. It is an instrument for flexibility, not a rigid decision or a static

outsourcing contract based on a service provider’s brand (Cohen, 2003).

28

2.6.1 Types of Outsourcing

Lacity and Hirschheim (1993) have identified three types of outsourcing which are

based upon the extent to which responsibilities are being shared:

1. Body Shop:

The management uses outsourcing as a way to meet short term demand

through the use of contract programmers/personnel that are managed by

company employees

2. Project Management:

The management out sources a specific project or portion of IS work, such as

systems development, application support, handling of disaster recover,

provision of training, or network management. In these cases, the vendor is

responsible for managing and completing the work.

3. Total Outsourcing:

The vendor is in total charge of a significant piece f IS work. The most

common type is total outsourcing of hardware (e.g.: Data centre and/ or

telecommunication) operations. One of the outsourcing strategies is to turn

over entire hardware and software support to an outside vendor.

Takac (1993) identifies four categories of outsourcing based upon an alternative

approach which associates the ownership of assets to the administrational operations

1. Network service:

It employs the vendor’s network for communication requirements. The

infrastructure and day to day operations are the responsibility of the

company.

29

2. Service retention:

It is concerned with the operation and management of network services and

equipment. The customer retains ownership of network services but the

vendor processes billing for the services and performs day to day operations

3. Service transfer:

The vendor owns the network and manages the customer traffic. The

customer retains ownership of the equipment.

4. Asset transfer:

In addition to service transfer, asset transfer also involves the transfer of

assets. The customer liquidates or sells its facility assets generally to the

vendor as part of the contract.

2.6.2 Types of Outsourcing Relationships

According to Klepper (1995) outsourcing relationships are divided into 2 steps; namely,

contracting relationships and exchange relationship or partnership relationship.

1. Contracting relationships:

This relationship occurs over an extended period of time. It is ‘arm-length,

market based exchange relationships in which the IS department client

fosters competition between many suppliers and lets each contract on the

basis of the best combination of quality, time to deliver and price’ (p.220)

2. Exchange relationship or partnership relationship:

‘The outsourcing parties do repeated business with each other and take steps

to share the costs and gains of their outsourcing activity’(p.220).

30

Market researchers like Upton (2002) terms the distinction in outsourcing relationships

as different generation models. As the outsourcers and the vendors gain experience and

the relationship matures, there has been an evolution of a second generation model

which is fundamentally different from the first generation model and increasingly

focuses on strategic partnership. Following are the characteristics of the two models

which are distinctively different in their approach.

Figure 2.2: The Evolution of IT Outsourcing (Adapted from Table 1 – Upton, 2003, pg.2)

First Generation Model

First-generation outsourcing has been aimed at stabilizing and standardizing the

IT environment and offloading non-core business processes. The primary

objective of this model was to reduce organizational costs and allow the

company to focus on its main business.

31

Second Generation Model

Second-generation outsourcing is built upon this “offload to supplier” practice

for IT service delivery and focuses on building a business focused solution with

the client that leverages the IT environment for increased business benefits. It is

designed to facilitate customer intimacy and product leadership for an

organization. This is achieved through a transformation of IT architectures;

alignment of IT with the business; and the optimization of business processes to

take advantage of the new capabilities provided. To summarize second-

generation outsourcing shifts the relationship between outsourcer and the vendor

from trusted supplier to vital business partner.

Thus IT outsourcing functions have moved from providing merely technological support

to strategic business expertise.

2.7 Trends in Outsourcing

IT Outsourcing has existed for almost three decades. As early as 1963, EDS handled

data processing services for Frito-Lay and Blue Cross & Blue Shield. Other outsourcing

options that were exercised were the use of contract programmers, time-sharing and

purchase of packaged software (Lacity and Hirschheim, 1995). Outsourcing was seen as

a tool by small and low technology organizations to avoid the financial burden of an IT

department that either was not of any strategic importance, or they could not afford

(McFarlan & Nolan, 1995)

But in 1990s, the move by Kodak to outsource a large proportion of their IT activities

among three vendors marked a revolution in the outsourcing phenomena. Kodak termed

this relationship as a strategic partnership wherein it could focus on its core

competencies while using the IT expertise of its vendors. Thus the growing popularity

of outsourcing was attributed to two main reasons – focus on core competencies and the

perception of IS as a cost burden (Lacity and Hirschheim, 1995).

32

Outsourcing has developed into a global and total outsourcing trend, where companies

have started moving towards consolidating their vendors globally. Corporations have

increased their use of offshore delivery to lower the cost of developing and maintaining

its applications. Today’s outsourcing customers are no longer afraid to take drastic

measures if they feel that they are not getting what they want from their current supplier.

The single largest outsourcing contract announced in 2003 saw a major supplier

transition. The UK Inland Revenue Service switched from a dual supplier relationship

for the management of its IT infrastructure from EDS and Accenture, to a consortium of

suppliers led by Cap Gemini with Fujitsu Services and BT Group worth ₤3 billion

(Mayes, 2004). The UK Royal Mail also awarded a 2.4 billion contract to a consortium

headed by Computer Sciences Corp (CSC) to handle the company’s data centers, data

networks, voice services, desktop computers and other business applications. CSC’s

consortium, which also included Xansa and BT Group, was selected over its two larger

competitors IBM Global Services and EDS for the contract (Mayes, 2004). Thus the

latest trend is to outsource with a consortium of best-of-breed suppliers.

However the outsourcing phenomenon is moving on to bigger changes as vendors are

increasingly changing their service offerings by building them around standard building

blocks. Cohen at Gartner observes the building of a standardized delivery model which

he calls as a ‘factory environment’. This model is based on a mass customization of IT

services wherein vendors will build pre-fabricated infrastructure, common code and

applications to lower their development costs (Mayes, 2004). In 2004, IBM announced a

$575 million deal with investment bank Morgan Stanley to accept its mainframe

computing infrastructure to an on-demand model, which will automatically draw

processing power, storage capacity and networking bandwidth as needed from a shared

pool of data centre resources. IBM claims that Morgan Stanley will realize in cost

savings by switching to a variable pricing model (Mayes, 2004).

33

2.8 Information Systems Outsourcing Process

Today outsourcing has become a top management issue. Price Waterhouse Coopers

(1998) found that the decision on whether and how to outsource is steadily moving up

the organization to the CFO, COO, and CEO levels. Many researchers have come up

with detailed description on the process of outsourcing. Ptak and Noel (1998) lay stress

on the planning stage in the outsourcing process. Zhu et.al. (2001) have identified four

stages and the critical activities in the outsourcing process which are as follows:

1. The planning stage

1.1 A Sound Business Plan

2. The developing stage

2.1 The vendor agreement

2.2 The business relationship

2.3 The impact on employee benefits

2.4 The outsourcing timeline

2.5 The communication plan

3. The implementation stage

3.1 The transition plan

3.2 The transition checklist

4. The post-outsourcing review

Everest (1996) provides a framework to aid in the decision making process for

outsourcing. The model is based on the life cycle of outsourcing. It includes discreet

steps which are initial stage of decision making whether to outsource or not, the pre-

outsourcing phase which involves selection of vendors, the evaluation of bids received

from the vendors the procurement stage, followed by the management and change

management phase. The last two phases are important in terms of managing vendor

34

relationship and performance reviews. If not satisfied, the company has an option of

replacing the vendor. The process will now begin from the tendering exercise. The

outsourcing process is also diagrammatically presented as follows:

ement Phase

Replace the Outsourcer

Change Manag

Management Phase

Procurement Phase

The evaluation ofbids

Pre-Outsourcing Phase

Outsourcing or not

Figure 2.3: Outsourcing Process Framework The outsourcing process described above can be modified and extended to any specific

industry and can be used as a general guideline for outsourcing specific information

technology functions. However in order to achieve corporate goals rather than just cost

savings, there is a need to build decision models that would facilitate managers in

systematically identifying the best outsourcing candidates within the organization (Zhu

et.al., 2001).

35

2.9 Framework for Decision Making in IS Outsourcing As organizations strive towards greater competitiveness and flexibility, there is emphasis

on selecting the right candidates for outsourcing. Prior literature suggests models that

can be used to understand managerial motivations for IS outsourcing

Zucchini (1992) presents the Four-S Outsourcing Model to help guide a firm’s

outsourcing decision in a managerial context. The model is comprised of four quadrants,

varied along two dimensions where one addresses the organization’s objective in making

the decision (Economics/Expertise) and the other indicates the utility of the decision

(Functional/Dysfunctional). The resulting quadrants represent application types and are

identified as Scale, Specialty, Sale, and Surrender.

Figure 2.4: The Four-S Outsourcing Model (Zucchni, 1992)

36

Functional Decision

According to this model, outsourcing decision based on scale and specialty are

functional decisions. The scale factor is highlighted when a vendor is able to

provide the same service at a cost that is lower than what the outsourcing

company could achieve through in-house operations. Similarly the decision is

considered rational if it is based on taking advantage of the vendor’s specialized

technological or operational skills.

Dysfunctional Decision

On the other hand, the model considers the sale of IS resources in order to

achieve either short-term earnings or balance sheet improvements and surrender

of IS functions to be a dysfunctional approach to outsourcing. The sale of IS

resources generally results in the loss of valuable human resources and the

associated knowledge base and organizational memory. While outsourcers may

initially maintain personnel whose skills have been outsourced within the

organization, such personnel are soon reassigned to other projects once the

outsourcing engagement takes effect. In the second case, advances in the

technological environment often force organizations to consider outsourcing

whereby they effectively surrender control of the IS function to external

suppliers. However, such surrenders are usually motivated by short-term

considerations where the vendor does not have any incentive to become a

‘‘partner’’ in the business process. This leads to the surrender of mission-critical

IS functions to external parties. Furthermore, the recovery of such critical IS

functions once surrendered to outside providers often proves far more difficult

once the in-house expertise has left the organization (Weaver et al., 2000).

37

Furthermore Lacity and Hirschheim (1995, pg.181-216) present a sourcing methodology

that addresses a myriad of political and rational issues rather than treating it as a simple

make-or- buy decision. The methodology describes the decision model to be followed

and suggests a framework for the outsourcing process. It comprises of six phases which

are as follows:

1. Stakeholder Assessment:

This process is carried out to understand the different perceptions and

expectations of the stakeholders with regards to IS performance. The senior

management tend to view the entire IS function as a commodity rather than a

strategic asset or core competency. The main objective is to cut costs. On the

other hand, the business unit managers aim for service excellence thereby

viewing the IS activities as critical to business success but dismiss other units

IS activities as commodities. Like business unit managers, the end users also

tend to view IS as a critical contributor to daily business processes. IS

managers are caught somewhere in the middle, trying to juggle the

conflicting IS priorities set by senior management and the business units.

Lacity and Hirschheim (1995) present a matrix which depicts the IS

cost/service trade-off – that costs are directly proportional to service levels

(the better the service, the higher the costs). This matrix highlights the issue

of different perceptions and expectations of the stakeholders leads to

inconsistent agendas for IS, prevents IS strategy alignment with corporate

strategy, and offers IS virtually no hope for even marginal success, let alone

stardom.

38

Minimal Cost Premium Cost

Premium

Service

Superstar

Senior Management’s and

users’ expectations of IS

Differentiator

Realm of possible IS

performance

Minimal

Service

Commodity/ low cost

product

Realm of possible IS

performance

Black Hole

Senior Management’s and

users’ perception of IS

Figure 2.5: IS Cost/Service trade-off

(Adapted from Table 6.1 – Lacity and Hirschheim, 1995, pg.159)

2. Create a Shared Agenda by evaluating the activities

The senior executives, users and IS managers should work together to set IS

priorities by not only aligning IS strategies with corporate strategies, but by

including IS in the formulation of corporate strategies. Lacity and

Hirschheim (1995) have identified two critical success factors for classifying

different activities into ‘commodities’ and ‘differentiators’. Firstly,

stakeholders must ignore conventional arguments and generalizations.

Secondly, stakeholders must not let the accounting structure mask IS’s

business value. Once IS activities have been classified, the stakeholders can

set performance objectives. Typically for ‘differentiators’ the performance

objective is service excellence and for ‘commodities’ it is cost minimizations.

Once the priorities are established, the stakeholders can explore different

sourcing alternatives.

39

3. Selecting outsourcing Candidates

Most organizations will not consider activities classified as ‘differentiators’

for outsourcing because of their vital contribution to the business. In contrast,

IS activities classified as ‘commodities’ may be suitable for outsourcing if

the market can provide cheaper costs while still maintaining an acceptable

service level. However Lacity and Hirschheim (1995) suggest that cost

efficiency largely depends on adoption of efficient management practices and

to a lesser extent, economies of scale.

4. Comparing In-house provision with vendor offerings

Once the stakeholders have identified the outsourcing candidates, they need

to compare the vendor offerings against the in-house provision. This step

entails the following:

Informing the IS Staff

As the decision to outsource is being taken, the senior management must

address human resource issues head-on. Lacity and Hirschheim (1995)

suggests to treat employees as adults and by informing the IS staff of the

evaluation process could act as a galvanizing force, where the staff

develop a sense of team spirit and work together to develop an internal

bid. It could act as a catalyst for creativity as they seek new ways of

providing IS service in a cost-effective manner.

Creating Teams

Lacity and Hirschheim (1995) suggest creating three internal teams: an

evaluation team, an RFP team and an internal bid team proves to be an

effective approach for evaluation. The evaluation team typically headed

40

by a senior executive and containing representative from affected

business units and senior IS manager would develop the bid analysis

criteria, ensure fair treatment of bidding parties, analyze bids against the

criteria and make the sourcing decision. The RFP (request for proposal)

team typically headed by an IS manager and other members of the IS

staff can create a detailed proposal. An internal bid team comprising of

number of IS managers and employees who are not affected by the

decision.

Creating Evaluation Criteria

The major evaluation criteria will definitely be price. But as far as

auxiliary issues are concerned, the evaluation team could develop a host

of criteria for such issues as personnel, disposition of current IS assets,

disaster recovery, conversion processes, access to supplemental

technologies and talent, contract administration and termination. Finally

by formally weighing the decision criteria, the company can make a

qualitative assessment thereby extending beyond the price factor.

Assessing the Validity of the Bids

The evaluation team needs to not only compare bids but also assess the

validity of the proposals as regards whether the bidders can actually

deliver what they promise. In most cases, the winner outbids the others

cause of superior management practices, inherent economies of scale or

superior technical expertise. However Lacity and Hirschheim (1995)

propose inviting the top candidates to present their bids and explain as to

where and how they propose to meet there bid.

41

5. Contract negotiations with external vendors

The contract is said to be the only mechanism that establishes a balance of

power in the outsourcing relationship. Lacity and Hirschheim (1995) &

Everest (1996) mention the following factors to be considered during

contract negotiations

• Avoid vague ‘partnership’ talk

• Discard the vendor’s standard contract

• Do no sign incomplete contracts

• Hire outsourcing experts

• Measure everything during the baseline period

• Develop service level measures

• Develop service level reports

• Specify escalation procedures

• Include penalties for non-performance

• Include incentives for superior performance

• Determine growth

• Adjust changes to changes in business volume

• Select your account manager

• Include a termination clause

• Beware of ‘change of character’ clauses

6. Managing the decision

Whether an internal or external bid is selected, continued management of IS

activities is vital to ensure success. The senior management should select a

contract manager who can serve as a primary intermediary between users and

the vendor, work closely with the vendor account manger to prioritize

42

requests and handle disputes, monitor vendor performance and question and

review monthly bills and excess fees.

2.10 Risk Thinking in Decision Making A decision is a goal directed behavior made by the individual, in response to a certain

need, with the intention of satisfying the motive that the need occasions (Mcgrew,

1982). In fact a decision is the end state of a much more dynamic process which is

labeled ‘decision making’.

(Jennings and Wattam, 1998) treats decision making as synonymous with managing. In

so doing, they underline the fact that decision making as a process should not be reduced

simply to a choice among alternatives. Rather, this process involves conceptualization of

the problem to be solved and the description of how that final choice is made.

The decision process begins with identifying the organization objectives followed by

identification of a problem. The problem arises when a sought after goal can be obtained

via alternative and sometimes competing avenues. (Jennings and Wattam, 1998)

suggests that problem identification leads first to intelligence activity, which involves

searching the environment for various conditions reflecting on the decision. Within the

organization context, problem identification is followed by design activity in which all

options are analyzed. Choice activity and Implementation is the final step in the decision

process where an alternative is selected.

The decision making process is thus something tidy and which has is own internal logic.

Yet the most important element in real decision making is that of uncertainty. The

distinguishing characteristics of a decision and decision making are that it involves

choice under condition of uncertainty.

Risk is a dimension in many decisions. Risks have to be carefully calculated. When

considering the benefits of a risk, attention must be given to the consequences of

43

incurring the loss or danger which is at the heart of the risk. The assessment of

probability can give you guidance what to do. As Cicero said, ‘probabilities guide the

decisions of wise men’ (Haimes, 1998)

Risk based decision making and risk based approaches in decision making are terms

frequently used to indicate some systematic process that deals with uncertainties.

Uncertainty is inherent when the process attempts to answer the set of questions posed

by William W. Lowrance: “who should decide on the acceptability of what risk, for

whom, in what terms and why? (Lowrance, 1976) Risk based decision making is

complex and cross disciplinary. Risk assessment and management must be an integral

part of the decision making process, rather than a gratuitous add-on technical analysis.

Finally good risk management requires good decision making. Both require focusing on

how to best achieve the goals of a project under conditions of uncertainty. Both require

making trade-offs based upon what is most to least important. Risk management and

decision making are like tea and crumpets: in the right amount they go well together

(Kliem and Ludin, 1997).

44

3. RISK MANAGEMENT 3.1 Introduction Bernstein’s history of man’s effort to understand risk begins with the following

question: “What is it that distinguishes the thousands of years of history from what we

think of as modern times?” The following answer is provided: “The revolutionary idea

that defines the boundary between modern times and the past is the mastery of risk: the

notion that the future is more than a whim of the gods, and that men and women are not

passive before nature” (Bernstein, 1996, pg. 1). The question and its answer could be

transposed to the context of the management of Information Technology (IT)

outsourcing (Aubert, et al., 2000). While, three decade ago, firms considering to

outsource their IT activities were often portrayed as facing numerous and important risks

against which little could be done, there are now techniques and approaches that show

that these risks can be managed.

In case of financial institutions that are engaging in outsourcing, the Basel Committee on

Banking Supervision (2001) expects the institution to identify, address and manage the

risks in IT outsourcing in a prudent manner. Thus risk assessment and risk management

are crucial activities when taking an outsourcing decision.

This section looks at 1) the concept of risk 2) the concept of risk management 4) the risk

management framework 5) Risk Management Process 6) Risk Identification 7) Risk

Assessment 8) Risk Control 9) Risk Management for Outsourcing Information Systems

10) Current Risk Management Models 11) Risk Identification and Assessment in

Decision Making

45

3.2 Concept of Risk

“Risk is a choice rather than a fate”

Bernstein (1996, pg. 8)

Risk and risk management has been studied in many domains and each field addresses

risk in a manner relevant to its object of analysis, thus presenting different perspectives

of risk and risk management (Aubert et. al, 2001). Since it is essential that the

conceptualization of risk and of risk management adopted in a study be consistent, we

shall look at different perspectives presented by Aubert et. al. (2001) and identify the

perspective that is been adopted in this study of risk.

Risk as an undesirable event

In some domains, risk is equated to a possible negative event. As Levin and

Schneider (1997; pg. 38) defines risks as “… events that, if they occur, represent

a material threat to an entity’s fortune”. Applied in a management context, the

“entity” would be the organization and the risks can be managed using insurance,

therefore compensating the entity if the event occurs; they can also be managed

using contingency planning, thus providing a path to follow if an undesirable

event occurs.

Risk as a probability function

For some fields risk is the probability of the event occurring. For example,

medicine often focuses solely on the probability of disease (e.g. heart attack),

since the negative consequence is death in many cases. It would be useless to

focus on the consequence itself since it is irreversible.

46

Risk as variance

Finance adopts a different perspective of risk, where risk is equated to the

variance of the distribution of outcomes. Thus for a given rate of return,

managers will prefer lower volatility but would be likely to tolerate higher

volatility if the expected return was thought to be superior.

Risk as expected loss

The Insurance field follows the perspective of risk as expected loss. It defines

risk as the product of two functions: a loss function and a probability function.

However when it comes to IT outsourcing, many researchers have adopted a perspective

of risk as expected loss. It has been termed as risk exposure which is defined as:

RE = ∑i P(UOi) * L(UOi)

Where P(UOi) the probability of an undesirable outcome i, and L(UOi) the loss due to

the undesirable outcome i (Boehm, 1989; Teece et al, 1994 ). However it is important to

note that only the negative side of the distribution of all potential events is considered in

this definition of risk. Positive events are not considered.

Though this theory is simplistic in its approach, applying it in the real world is by no

means simple. If one is able to quantify the values of all the risks one had to face, the

above theory would prove invaluable, but that is most unlikely to be the case in practice.

Hence, for my research, the following notion of risk is emphasized:

If the risk occurs, what is the cause of the risk and what is its effect on costs, timescale

and performance and if it has not occurred, then whether it is still likely to occur in the

future (Marsh et. al., 1996).

47

3.3 Concept of Risk Management

The roots of risk management are traceable to 1700 B.C when the Babylonians

established a principle called bottomry as a method of handling the risks associated with

international trade. In 700 B.C the Greeks and Phoenicians first introduced business risk

control measures. The identification of risk management as a separate management

function may be attributed to Fayol who in 1916 identified six basic functions of

management which included technical, commercial, financial, accounting, managerial

and security activities. It is in the management function related to security activities that

Fayol recognized gave early recognition to the need for a security and loss-control

function within organizations, and today this area is being developed into a discipline in

its own right (Remenyi and Heafield, 1996).

Thus the concept has evolved in many years wherein many definitions were cited in the

literature that aimed to explain the concept of risk management. The following are a few

such definitions which indicate the scope of the idea of risk management.

“Risk management is a managerial function aimed at protecting the organization against

the consequences (adverse) of pure risk, more particularly aimed at reducing the severity

and variability of losses” - Valsamakis et al., 1992

“The identification, analysis and economic control of the risks which threaten the assets

or earning capacity of an organization” - Dickson, 1989

“Risk management is the science and art of recognizing the existence of threats,

determining their consequences on resources, and applying modifying factors cost

effectively to keep adverse consequences within bounds” - McGaughey et. al., 1994

48

The underlying notion of these definitions is that risk management includes the

identification, evaluation and control of risks facing the organization in order to

minimize its financial impact.

In this research, the following definition of risk management has been identified for the

IT outsourcing environment:

“Risk Management is the complete process involved in identifying risks and assessing

them for likelihood and potential impact. This includes the development of suitable

strategies to mitigate the impacts and the activities involved in budgeting for risk,

controlling and report risk status and the risks until the consequences are fully resolved.”

-Marsh et. al., 1996

The risk management process not only includes identifying and assessing the risks in

terms of its impact but also involves developing suitable mitigation strategies, budgeting

and risk reporting to control the risks and deal with it proactively. In order to carry out

these activities, it is imperative that the risk management process is embedded in the

organization strategy or project environment, rather than being tacked on as an

afterthought. To set this process, Marsh (1996: pg. 46) suggests the following principles

for an effective risk management approach:

Compatibility

The approach needs to be constructed to integrate smoothly into the organization

environment. Risk management should be embedded in the management process.

Flexibility

The approach must be flexible and enable the level of risk management

sophistication to be matched to the organization objectives

49

Visibility

The first requirement for an effective risk management process to take place is

that there should be clear visibility of the information needed for sound decision

making. The approach must provide an efficient means to ensure that the right

risks are identified, qualified, quantified, documented and analyzed.

Ownership

In order to achieve control of risk, it is essential that ownership of each risk is

allocated to one appropriate person, and that separate ownership is also ascribed

to each cause of that risk. The risk owner must have the power to take action to

control of the risk but must report it through the relevant channels like

project/risk manager concerning developments in his risk area.

Understanding and strategy development

The approach must make provision for educating/training all relevant staff

regarding risk so that they develop a real understanding of risk causes and the

skill to construct and implement risk mitigation strategies.

Continuous improvement

The approach should also make a provision for continual up-date and

improvement of risk knowledge and skill and thus establish a comprehensive

knowledge base of risks regularly faced by the organization.

50

3.4 Risk Management Frameworks

Many authors present the risk management processes as a series of discreet stages. There

are many variations to the suggested model, some of which are highlighted below:

“Planning, identification, quantitative and qualitative analysis, response planning, and

monitoring” (Hillson, 2001)

“Identification, assessment, actions” (Cadle and Yeates, 2001, pg. 200)

“Identify, analyze, plan, track, control, communicate” (Higuera, 1995)

“Identification, analysis, control and reporting” (Kleim and Ludin, 1998: pg. 9)

“Identify, analyze, evaluate, prioritize and treat the risks” (Willcocks and Magrett,

1994)

“Identification, evaluation, mitigation, budget provisioning, monitoring and control, risk

audits and continual improvement” (Marsh, 1996, pg.73)

Though these models include wide-ranging activities, the significant overlap between

the frameworks is very clear. Almost all the models include the identification,

assessment and risk control stages

The approach presented by Marsh (1996) which is popularly known as RISKMAN has

been adopted for this research as it encapsulates all the important activities for assessing

and controlling risks and also goes a step further by enhancing its usefulness by its

integration with the capturing of experience and ensuring continuous improvement.

51

3.5 Risk Management Process The risk management process is a cyclical process which can be compared to a

stopwatch. Just like the second hand goes around many times on a stopwatch, the risk

driven management process representing a sequence of stages runs its course through the

outsourcing management process. From the very outset of the outsourcing process, in

the project initiation phase, risks should be identified and mitigation strategies should be

developed a part of the quantification process. As the outsourcing process moves to the

management phase, the cycle should be repeated again to monitor and control the

unidentified risks.

Risk Modeling or Risk Analysis

Risk mitigation, reduction and/or optimization

Risk reporting and strategy development

Risk quantification and classification

Risk monitoring And control

Risk Identification and documentation

The Risk Management

Process

Figure 3.1: The risk management process is a repetitive cycle (Adapted from Fig: 3.20 – Marsh et al, 1996, pg. 71)

52

3.5.1 Steps in Risk Management

The risk management process consists of various risk activities; the breakdown of which

is shown in the following figure. These activities comprise of a number of steps, each of

which have to be addressed by the company’s functional and project managers, to

successfully implement risk management.

Risk Identification:

The work involved in identifying the potential risks, including classifying and

recording each risk, qualifying the risk by documenting a unique description of

the risk element, estimating its probability (likelihood) of occurrence, potential

impact in terms of timescales, costs or quality (performance) and assigning it to a

risk owner who is responsible for managing the risk

Risk Evaluation

The work involved in modeling the process, conducting a sensitivity analysis and

prioritizing the risks. Analysis is an important activity as it enables assessing the

exposure within the delivery timescales and costs to be quantified.

Risk Control

The work involved in monitoring and reporting to higher management of the

status of the risks and the effectiveness of the mitigation strategies. Mitigation

strategies are planned and means devised by which the impact of the risk may be

reduced, its occurrence prevented, the risk avoided, or the need for contingencies

to be put in place to compensate for the risk should it occur. Risk control also

includes the estimation and calculation of the risk exposure in financial terms,

53

caused by the impact of the risk with due consideration of the moderating effect

of the mitigation strategy.

Continuous Improvement

The work involved in training of personnel in best practices of risk management

and in the analysis of the corporate data within the project history file to extract

the lessons learned for future reference.

The risk activities can be shaped into a risk management process and thus integrated into

the company procedures for each functional area of the organization that is presently

being considered for outsourcing or already outsourced. Since I am researching into risk

management practices in decision making, I have restricted my detailed study of risk

management to identification and assessment of risks and mitigation strategies.

3.5.2 Risk Identification

Risk Identification is considered as the most important and difficult stage in the risk

management process (Elkinton and Smallman, 2002). To be effective, risk identification

requires considerable up front planning and research. Considerable effort occurs in

identifying and ranking the processes, or components, of a project, its major goals and

its risks. Several institutional factors influence how people perceive their risk

assessment. They include atmosphere, availability of information, management style,

market/economic conditions and policies (Kliem and Ludin, 1997, pg. 8).

In most companies risk identification is done by relying upon intuitive assessments by

the most experienced senior managers. However, in many cases once the

implementation commences, the contracts turn into disasters or the objectives are not

met (Marsh et. al., 1996 pg. 97).

54

In the identification process, managers need to determine the analysis technique to use,

select the primary participants who are to perform the risk identification, allow

participants time to perform it and decide where to conduct it. For research, they must

review project plans, interview people, calculate statistics and metrics and peruse

technical documentation (Kliem and Ludin, 1997, pg. 8).

Thus risk identification can be carried out by a combination of methods suggested by

Marsh et. al. (1996, pg. 98):

Use of experienced intuitive management

Relying only on the intuition of the experienced managers has proven to be

unsatisfactory in the past. Managers may adapt attitudes according to their

perception of the risks. They consider the risks identified by them but they may

be reluctant to accept the risks identified by others. Thus this method should be

supported by some other means to overcome its shortcomings.

Use of experts in departments

The experts of each department understand the nature of the business, the

problems of their field and the organization available to manage them out. Thus

if the culture of the company is one of openness and risk taking, then the experts

are the best people to identify risks.

Standard questionnaires and checklists

Standard questionnaires are a useful but not necessarily an effective way of

identifying risks. Checklists are simple and can be an effective means of

capturing and using corporate knowledge to assist in the process of risk

identification.

55

Use of expert computer-based systems

These may be developed using corporate experience assisted by specialists in

each discipline. However expert systems rarely reveal risks that are hidden and

tend to concentrate people’s attention on the obvious.

Structured interviews

It is a technique that has been used successfully for many years to extract

information. The prime aim is to initiate a risk-revealing discussion that draws

out the risks about the activity that has to be undertaken.

Brainstorming sessions

It is an extremely effective method however it requires bringing together

specialists and managers on a number of occasions to discuss each area in-depth

and potential solutions. They are also subject to being dominated by stronger

personalities who may push their ideas and the weaker voices may feel insecure

and threatened. Brainstorming sessions may need a skilled facilitator to

encourage and maintain a balance in the discussion.

Use of outside specialists/consultants

It can be an effective means of augmenting existing staff and bringing in

additional experience in the field of concern. There may be problems like time

and costs involved and the fact that when they leave, experience leaves with

them. However, despite their short-comings, their familiarity with the field

would immensely contribute to the risk identification and mitigation process.

56

3.5.3 Risk Assessment

The identification step is closely allied with the next step, risk analysis. Two categories

of risk analysis exist: quantitative and qualitative. Quantitative techniques rely heavily

on statistical approaches, such as the Monte Carlo simulation. Qualitative techniques

rely more on judgment than on statistical calculations such as heuristics (Kliem and

Ludin, 1997, pg. 8).

Statistics play an important role in risk analysis. The lists of techniques identified by

Kliem and Ludin (1997, pg. 68) that are used for risk analysis are:

• Three point estimate

• Decision tree

• Monte Carlo simulation

• Heuristics

There are many risk software products in the market that use variations of the Monte

Carlo method. Though the results of the computer work are most impressive, there have

been some fundamental criticisms which are stated as follows:

The data input to risk analysis tools is inevitable inaccurate, incomplete and

over-simplified thus indulging in GIGO- Garbage In is Garbage Out.

The more detailed and impressive the computer produced results, the more

management are seduced into believing them. This makes decision making even

more precarious.

Marsh et. al. (1996, pg. 106) in the RISKMAN methodology present the risk assessment

approach as a two stage activity. Stage 1 is the estimation of an impact and probability

for each risk. Stage 2 is the use of the impact and probability estimates with a model to

arrive at a quantitative estimate of the effect on timescales and costs.

57

Impact and probability estimates

Every risk must be assessed for its probability of occurrence and estimated

impact on timescales, cost and performance. The estimates are usually based on

intuition and experience and may be given in different formats as follows:

Probability

0-100%

Low/Medium/High

Scale Value 0-1

Impact

Nil/Low/Medium/High

Cost (in currency units or man days/man months)

Timescales weeks/months/years

Quality/performance (reduced specification)

The probabilities when given in any of the above format are related to the actual figures

by converting the scale to numerical quantities using conversion factors

High to a scale value between 0.3 -1.0 (30-100%)

Medium to a scale value between 0.1 -0.3 (10-30%)

Low to a scale value between 0.0 -0.1 (0-10%)

The risks can be entered on a chart to present the risk exposure. Thus this approach

provides a picture of risk sensitivity without having to quantify the impacts in actual

money or time limits.

58

Low Medium High

High Medium

Probability

Low Impact

Figure 3.2: Risk Probability/Impact Chart

(Adapted from Fig: 4.3 – Marsh et al, 1996, pg. 107)

3.5.4 Risk Control

Risk control is a mitigation strategy which requires an action to reduce, eliminate or

avert the potential impact of risks. The organization has an option to choose any path to

mitigate risk as shown in the process format and described as follows (Marsh et. al.1996,

pg. 113):

Avoidance

Deciding not to continue with a product or project in which the risk exposure to

the company is perceived to be too high.

Transference:

This comprises passing the risks onto others more capable of managing the risks.

Generally, one would transfer the activity onto the subcontractors who

understand the subject and are more capable of identifying and mitigating the

risks involved.

Reduction

59

The purpose of the reduction path is to take action which would finally reduce

the risk to an acceptable level. Since this path mainly relies upon expenditure of

money, it invariably increases costs e.g. the amount of insurance premium.

Management

This path comprises the majority of the risks that gives rise to daily problems in a

project. The activities include regular monitoring of progress, continuous

assessment of resources assigned and pre-preparation of fall-back (back-up) plan.

Contingency

The contingency path provides funds to cover those risks that are assessed to be

of a low likelihood and impact, and for risks that have been revealed during the

identification process i.e. residual risks. Generally these types of risks show

themselves during the implementation of the activity.

60

Risk Portfolio

Yes

Yes

Yes

Yes

No No

No

No

No

Successful

Secondary Risk

Residual Risk

Risk Control Plan

Risk Contingency Funds

Positive Action

Procurement Sub-Contract

Main Contract Alternative

Management Contingency Backup Plan Supervision

Reduction Insurance Information Consulting

Transference Risk Sharing Contracting

Avoidance Remove Causes Alternate Paths Contract Action

Risk Assessments

Identify Risks

Figure 3.3: Risk Mitigation Plan

(Adapted from Fig: 4.7 – Marsh et al, 1996, pg. 114)

61

All the above mitigation paths require an investment trade-off to be considered between

the funding to be included for contingency for the path selected and the cost or savings

to be made if an alternative path is taken.

An organization can document the whole process in a risk analysis sheet for each risk

identified. Thus it can be formed into a database for effective monitoring and control.

Besides, the risk register could be used for reporting that would enable continuous

improvement of the process.

62

Risk Analysis Sheet Project:___________________________ Responsibilities: _______________________ Risk Reference: ____________________ Generation Period: _____________________ Class: ____________________________ Active Period: _________________________ Description: (1) Process & Life Cycle Phases (2) Owner (3) Responsible for Management Exposure: _______________

Very High High Medium Low

Probability

Impact unit & Value Impact Description

Cost Time Requirement

Causes Effects

Description of Triggers Trigger 1 Trigger 2 Trigger 3 Trigger 4

Mitigation Strategy

Description

63

Backup Plan

Transference

Avoidance

Buy Information

Early Control

Insurance Contingency

Figure 3.4: Sample Risk Analysis Sheet (Adapted from Fig: 3.35 – Marsh et al, 1996, pg. 93)

3.6 Rationale for Risk Management

Risk is the price paid for progress. As progress drives globalization, firms in the

financial services sector worldwide face numerous market, operational, and credit risks.

Throughout the industry, companies are seeking effective solutions to address their

exposure to risks. In a January 2004 survey of US banks, Susan Cournoyer, a principal

analyst in the Global Industries group at Gartner Research, found respondents currently

allocate 8.7 percent of their IT budgets to controls (risk management and security). The

survey also revealed that 30 percent of the surveyed banks planned to spend more on

controls in the next 18 months (Goolsby, 2004). As another reference point, the world's

top financial services brand -- Citigroup, which enjoys enormous competitive

advantages also cited business risk management as number two among the firm's

leadership priorities, in a Citigroup presentation (Goolsby, 2004).

Moreover banking regulations like the New Basel framework focuses on processes,

people, and technology. Cost-effective management of IT and transactional back-office

processes have been a key market for outsourcing in banks for years. Significantly, as

64

globalization initiatives and terrorist acts have increased, financial services firms are

quickly turning to outsourcing to mitigate operational risks in protecting assets and

business continuity (Goolsby, 2004). The recent trends in industry in terms of

outsourcing urge the need for identifying a framework for managing these risks

effectively.

3.7 Risk Management for outsourcing information systems Financial institutions increasingly rely on services provided by other entities to support

an array of technology-related functions. While outsourcing to affiliated or nonaffiliated

entities can help financial institutions manage costs, obtain necessary expertise, expand

customer product offerings, and improve services, it also introduces the financial

institutions to a range of risks. FDIC (2000) has identified these risks which include

threats to security, availability and integrity of systems and resources, confidentiality of

information, and regulatory compliance.

FDIC (2000) also emphasizes that the management should consider additional risk

management controls when services involve the use of the Internet. The broad

geographic reach, ease of access, and anonymity of the Internet lead to the introduction

of potential risks from the functions of a system’s structure, design and controls. Thus it

requires close attention to maintaining secure systems, intrusion detection and reporting

systems, and customer authentication, verification, and authorization. FDIC (2000)

suggests measures which includes risk assessment, selection of service providers,

contract review, and monitoring of service providers. The Basel Committee on Banking

Supervision (2001) recommends the banks to develop risk management processes

appropriate for their individual risk profile, operational structure and corporate

governance culture.

3.8 Current Risk Management Models

65

Many research studies have analyzed transaction cost theory and agency theory for

evaluating the risks in IT outsourcing decisions (Lacity and Hirschheim, 1993; Hancox

and Hackney, 2000; Aubert et. al, 2000). Some of the other approaches for evaluating

IT outsourcing options include cost-benefit and weighted scoring methods. Lewis (1999)

examines the use of risk-remedy method for evaluating the information technology

outsourcing tenders. The risk-remedy method emphasizes on using the requirements

correctly, examines the cost of bidding, cost of delay, checks the bid’s carefully and uses

a design rather than a selection approach.

Other approaches like the risk ranking method adopted by the Department of Contract

and Management Services in Australia focus on rating, management planning and

monitoring of risks and applied in different phases like procurement planning, contract

development and management (Baccarini and Archer, 2001).

Market researchers have also applied various theories for balancing the risks of

outsourcing to economically cheap countries. Kleinhammer et. al. (2003) focuses on

understanding the geo-political risks in IT and recommends applying ‘risk portfolio

assessment’ to mitigate the risk created by deploying IT development across multiple

geographies. The Risks-Return-Rating method is recommended for managing the risk

portfolio in IT outsourcing. The R3 method is an assessment tool designed to help

companies balance the trade-off between risks and costs when implementing a strategy

of geographic diversification. This helps maintain a company's risk within risk tolerance

levels while continuing to generate good returns. The Figure below outlines the

framework of the R3 method.

66

Figure 3.5: Risk-Return-Rating (R3) Method (Adapted from Fig: 2 – Kleinhammer et. al., 2003)

Performing a risk portfolio assessment enables a company to benefit from using a better

combination of geographies and improve the company's risk-return from offshore

outsourcing. Thus by applying risk portfolio assessment to their outsourcing strategies,

companies not only gain the cost advantages from off shoring, but also achieve lower

risk with greater flexibility to deal with future events.

67

4. CASE STUDY

4.1 Introduction

An Information Technology Department of a large multinational bank has been used as a

case study in this research. The Department is into outsourcing of software development

and IT support functions. The Bank follows certain guidelines for outsourcing and has

set controls and follows adequate procedures for managing risk.

4.2 The Organization

68

The organization is a large multinational bank in United Kingdom. The Technological

Unit of the bank manages IT and IT support functions for 23 countries across Europe

and Asia. As described in the figure, the department is managed by the Head of

Department who is in charge of the technological provisions for all the countries

involving various banking functions like retail banking, consumer banking and products

like credits cards, consumer loans and other segments.

Figure 4.1: Organizational Structure

The departments include projects office which manages the software development and

project management. The products office is further categorized into credit card, banking

and consumer loans section. The program office deals with controls and compliance

issues. The Arch Group carries out functionality checks. The Regional Business Support

manages development support and production support for all the systems presently

implemented and being used in all the countries. And the countries would include local

technology units from 23 countries. The key stakeholders of the outsourcing process

come from all the offices under this department.

The Technology department is further divided into Information Technology (IT) and

Technology Infrastructure (TI). The IT department includes Projects, BAU Support and

Functionality. The IT functions are under the Head of the Technology Unit under study.

69

The (TI) department includes activities like Networks, Data Center and Desktop

Support.

Figure 4.2: Technology Unit

4.3 Outsourcing Options

As stated in the interviews, the bank currently practices all forms of sourcing strategies.

It considers in-house, on-site, near shore and off shore options for its application and

software development. The various in-sourcing options include their Asia Technology

Office in Singapore and Technology Office in Frankfurt. Near-shore options include

Poland and other European countries. In case of offshore outsourcing it is presently

outsourcing software development and support work to cheaper countries like India and

China.

70

4.4 Outsourcing Process

As observed by many participants in the interviews, the outsourcing process follows the

theoretical framework. The outsourcing process begins with an initiation by the business

to implement technological solutions for managing banking functions. The Project

Manager from the Projects Office reviews these business objectives and begins the

initial task of identifying the vendors. Based on his previous experience, the Project

Manager has an existing vendor base which is more of a personal list based on the skills

and product expertise of the vendors. The organization has also put together a global list

of vendors who have global contracts with the bank. On the basis of the requirements,

the Project Manager prepares Request for Proposal. On receiving the proposals, he

examines the quote proposed and shortlists three vendors. The process then goes to the

next step of negotiation with the three vendors. The procurement team takes over and

negotiates with the three vendors to try and attain discount. Finally the best deal which is

most cost effective along with other benefits is selected and the contract is signed with

the vendor. It is the procurement department that deals with the technical terms of the

contract and the legal regulations. Lastly the controls and compliance department ensure

that the vendor has all the necessary controls in place and follows the standards in terms

of compliance set by the bank.

4.5 Software Development Life Cycle

Once the contract is awarded to a vendor, the process of software development for the

product begins. Rather than totally outsourcing or totally in-sourcing application

development, the organization is efficiently accessing business and technical set of skills

through selective sourcing. To exploit the inherent advantages of the internal IS

department, the business requirements are determined in-house and to exploit the

technical skills of the vendors, the coding and testing is outsourced to the vendor. The

complete development process is managed by the Project Manager from the Project

71

Office. The process follows the typical Waterfall Method which includes stages like

Business Initiation, Requirement Analysis, Design, Development, Testing and

Implementation. However the contribution and responsibility of the technology (IT) unit

of the bank and the vendor varies at different stages. The following figure is a

diagrammatic representation of the role played by them at each stage of the software

development life cycle:

Figure 4.3: Sourcing Strategy in Software Development Life Cycle of the Bank

As the figure describes, the project initiation is by the business from a particular product

or region which is then managed by the Project Manager from the technology (IT)

72

department of the bank. In the beginning, the requirements are gathered by the

technology department in coordination with the developers of the vendor company. The

requirements are effectively gathered from the actual users of the system and business

and drafted in the requirement document. The requirement document is sent to the

developers of the vendor company. On the basis of the requirements, the vendor

prepares the functional specification document which technically describes the process

and the time scales. On receiving a sign off on the document, the developers proceed to

the next stage of design and development. Thus the vendor builds the system based on

the user requirements. Once the system is fully developed, the developers perform the

system integration testing (SIT) to check the functionalities and complete integration of

all modules. On the SIT being conducted successfully, the system is released to the bank

for user acceptance testing (UAT). The UAT is performed by the team specially

assigned for testing in the bank and by few actual users. On receiving sign-off from the

UAT Team, the system is released and goes live. The implementation is a coordinated

activity between the technology team of the bank and the developer team of the vendor.

Once the development process of the product is over, the project office gradually hands

over the process to the production support team of the Business As Usual (BAU)

department. It is this team of the technology unit of the bank that co-ordinates with the

technical support team of the vendor or any third-party for production issues or problems

faces by the users and changes in the system.

73

5. RESULTS AND FINDINGS

5.1 Presentation of the results and findings

The results and findings of each interview are introduced as a narrative, which is then

summarized in the form of concept maps.

Narrative

The narrative provides a textual description of the key results and findings. This

includes important quotes from the interviewee.

Concept Maps

Concept mapping is a technique for representing knowledge in graphs.

Knowledge graphs are networks of concepts. Networks consist of nodes

(points/vertices) and links (arcs/edges). Nodes represent concepts and links

represent the relations between concepts (Lanzing, 1997).

Concept mapping can be done for several purposes (Lanzing, 1997):

• to generate ideas (brain storming, etc.);

• to design a complex structure (long texts, hypermedia, etc.);

• to communicate complex ideas;

• to aid learning by explicitly integrating new and old knowledge;

74

• to assess understanding or diagnose misunderstanding.

Thus concept map has been used in this research as it allows you to understand

the relationships between ideas by creating a visual map of the connections.

Separate maps have been produced to represent the information gathered from

each interview. To create a concept map, I have identified the key concepts

which are common in all the interviews. These have then been combined to

produce an aggregated map that shows the entire groups perception of the

problem situation. Great care has been taken when merging the similar concepts

that appear on different maps to ensure that the concepts really do represent the

same situation.

5.2 Key Concepts

Having reviewed the literature to understand the outsourcing process, the risks involved

in outsourcing and the risk management practices to be followed in decision making, the

following key concepts for the interviews have been identified:

Role in Decision Making Process

Objective of Outsourcing

The Outsourcing Process

Risks in Outsourcing

Risk Identification Process

Risk Assessment Process

Strategies & Policies for managing risk

Risk Management Techniques

Suggested Measures

Using Third Party Consultants

Future Trends in Outsourcing

75

These key concepts have been developed by identifying themes from the following

literature Smith et al., 1998; Earl, 1996; Takac 1994; Chalos 1995; Aubert et al, 2001;

Lacity and Hirschheim, 1993; Everest, 1996; Zucchini, 1992; Lacity & Hirschheim,

1995

5.3 Interview One: Compliance Manager The interview with the developer took place in London on Tuesday 12th July 2004. This

meeting lasted around one hour.

5.3.1 Role in Decision Making Process

The compliance manager heads the program office in the department. The program

office basically ensures that adequate process is followed in vendor selection and the

selected vendor has the controls in place and meets the standards set by the company.

The responsibilities of a program office include ensuring that (a) the department has

followed an adequate vendor selection process, (b) the vendor is approved by the

organization, (c) the vendor relationship is defined and (d) the standard contract is in

place. The contract is in the form of Standard Level Agreement (SLA) and includes the

pricing and performance issues.

5.3.2 The Outsourcing Process

The manager believes that the way the company is organized, the process seems to be a

theoretical model which may not be fully followed.

“The way this company is organized is more of a theoretical model although

it is not always 100 % followed.”

However the manager commends the controls set of the company to exclude the project

manager in the negotiation process. Since the project manager is the one who initiates

76

the contact with all the vendors, this policy mitigates the risk of the manager entering

into any beneficial agreements with the selected vendor.

“In terms of risks in this whole process, one of the reasons why we don’t

want the project manager to be part of the negotiation process is because we

don’t’ want him to enter into any beneficial agreements so we are putting all

that under third party control so that it protects the vendors.”

5.3.3 Objective of Outsourcing

The manager suggests outsource as a right option in case (a) the company does not have

the right resources or (b) the right skill sets or (b) if it is comparatively cheaper than

building it in-house. The manager believes there may be many reasons for outsourcing

in this department but stresses on the presence of adequate controls in place.

“There might be many reasons as regards why you want to outsource and

when you have made that decision to outsource for those sorts of reasons you

then think about controls and make sure that you are giving it to the right

person with good qualities”

Besides the issue that probably the vendor may be serving the competitor is not much of

a concern to the organization. What is necessary is the level of controls to protect the

interests of the organization.

“Some software houses that we are going to are already seeing our

competitors. That is not necessarily an issue what’s more of an issue is what

sort of controls you have in case your vendor is selling the software to

another party, then in terms of intellectual property rights and also

confidentially”

77

5.3.4 Risks in Outsourcing

The manager identifies the acquisition of the required software as the ultimate risk in

outsourcing. Furthermore, information insecurity is termed as the biggest risk, as

information about customers is the most important asset to the organization. Thus it is

crucial to have the required controls to protect information security. Other areas of risk

like financial stability of the vendor, vendor ability and availability, system and resource

back-ups have been identified. This requires checking the financial proprietary means of

business continuity of the vendor. Moreover the transition from one vendor to another is

a difficult process for the company and the terms of the exit plan need to be effectively

considered during the contract agreement

“In fact in exit plans, say for example: we have software which is especially

developed for us and somehow we not happy with the support provided by the

vendor probably coz the technology is old like mainframe etc. So quite often

another software house maybe able to provide good support so actually we

find the transition quite difficult from company A to company B so that’s

quite a risk for us.”

5.3.5 Risk Identification Process

The manager mentions receiving excel sheets and presentations from vendors in the past

describing the work they do and financial information like account statements of past 3

years. However the manager believes that this method would not be fully effective in the

tendering exercise as every vendor would try to present that he can do everything but it’s

crucial for the company to verify the claims made by the vendor before taking a

decision. However in recent years the process has gradually changed with the company

collecting information by visiting the vendor site, gathering references, collecting

information like current staffing levels, experience levels of the staff and procedures

followed like escalation process.

78

5.3.6 Risk Assessment Process

The manager has experienced different methods being followed in the department. At

times it’s done using common sense, previous outsourcing experience and sometimes

it’s assessed by applying some basic numeric metrics. However the manager is unaware

of any process set by the company to evaluate the vendors.

“I am not aware if we got anything defined or set. I think it’s probably dealt

by case to case basis. I think it’s partly the procurement department who

takes care of the legal side and it would be up to us to confirm the capability

of the vendors.”

5.3.7 Strategies & Policies for managing risk

The compliance department follows the standards set by the organization. The

organization has its own information technology management process and the

compliance department ensures that every vendor follows these processes whether on-

site or off-site.

“Compliance for our department means you doing everything within the

company’s standards. We apply a simple rule of thumb to third party

vendors, we have our own information technology management process

which is within our compliance and control structure and we expect any

other party vendors who do work for us whether on site or offsite to conform

exactly to those processes”

The organization has a framework covering key areas like information security,

continuity of business, software management, resource management, vendor

79

management, performance analysis and vendor review. The Company also has an

outsourcing policy which states which activities can be outsourced and does not allow

outsourcing any critical activity related to information security.

“Typically we don’t’ outsource anything related to information security. For

example: you won’t typically outsource the maintenance of the systems.

Typically we don’t’ outsource hosting of websites. Our company website is

hacked or attempted to hack second largest number of times in the world. So

we are very sensitive of out websites and to information we try and put as

many controls as possible.”

5.3.8 Risk Management Techniques

The manager is not aware if there are any risk management techniques being followed in

the department in outsourcing IS functions. When asked if the performance of the

outsourced services is being measured against relevant benchmarks, the manager states

that presently it is not being practiced but agrees that it is a key issue to be considered in

the department. Furthermore the manager identifies the issue of the vendor’s

performance being measured only against initial expectations mentioned in the contract

and the inability of the department to hold the vendor liable for any new problems.

“Because we don’t have a set process for measuring, its difficult for us in case of

support to turn around and say that we asked you to do this and you are not been

doing it so what’s the problem? So that’s something that we can’t do now.”

5.3.9 Suggested Measures The manager lays stress on setting some standards for measuring the quality of products

or support provided. Furthermore measures like identifying the key performance

indicators to measure the performance and to review the services being provided are also

suggested.

80

“Not all really, we have sort of vague idea of what we expect to happen and

put in place service level agreements to try and set some standards and

quality guidance but we don’t’ have a standard or process for measuring the

quality of products or support provided and that’s something we trying to

work on at the moment. For example: we don’t’ do for third party vendor

who say is providing telecommunications support for one of the systems and

if they are, I suppose they are to work on what we think are the key

performance indicators so if you be able to track on this and this basis to

actually understand if they were meeting our scales or not. But because we

don’t do that we actually not have been able to make a decision of whether

we getting the support what we expect.”

5.3.10 Using third party consultants

The manager agrees in involving third party consultants on a personal basis. The

manager believes that management of vendors is a specialized job which requires certain

amount of skill. One of the reasons stated for the department having problems in

outsourcing is lack of skilled resources within the organization that specialize in vendor

management.

“Yes, I would on a personal basis. I don’t know if the corporation would

agree or not. Management of vendors is a specialized job I think. It takes a

certain amount of skill to it. Traditionally we don’t employ people with that

skill and specialist role to do that so I think because of that we get ourselves

into trouble so I know there are companies out there who do nothing but

provide vendor relationship management. I personally would consider such

an option.”

However the manager believes that the organization already has certain groups whose

role is to provide vendor management function. But one of the problems is of coverage,

81

which has not been possible in the organization. Also the process may not be completely

set but there is a need for having required controls.

“I don’t’ want to give you an impression that we don’t’ consider vendor

management as a risk. I think we do. The position for the process may not be

completely set. Yes, but going forward we could certainly consider the best

way to put controls going around it and at present I don’t know any

organization that really has success in vendor management in a positive

way.”

5.3.11 Future Trends in Outsourcing

The manager identifies the future trend of the department to be selective sourcing and

in-sourcing. The strategy of outsourcing to other countries than India like Poland and

China have been identified as they are not only comparatively cheaper but the

organization is aware of the fact that it has invested a lot in India and for risk

management reasons feels the need to spread the development work around.

“Poland is a lot cheaper now. India is not always the low cost. The other

thing is that we are conscious that we have a lot of investment in software

houses in India and as a cliché, you don’t’ have all your eggs in one basket

so for business for the real risk management reasons it makes sense to spread

the development work around.”

However the manager identifies the new risks that would emerge in following this

strategy. One of the risks identified is that lack of outsourcing management experience.

The other risks emerging are the language issues and technical competence of the staff.

82

“If it’s any other country one of the things you need to be careful is that they

don’t’ have any outsourcing management experience or background. We do

all the work in English and people in India speak to a very high level and

also some of them are extremely well educated and learn the technology

process.”

5.3.12 Concept Map

The Concept Map that summarizes the findings of the first interview in presented in the

following page.

83

Figure 5.1 Concept Map of Interview 1 - Compliance Manager

5.4 Interview Two: The Procurement Manager

The interview with the Procurement Manager took place in London on Tuesday 13th

July 2004. This meeting lasted approximately one and a half hours.

84


The procurement manager is in charge of the data center procurement. The primary

function of the procurement office is to negotiate the best deal. The role involves

ensuring that negotiations take place on time and the contracts are signed. The deals are

negotiated with suppliers like HP, IBM and Sun and the one of the objectives to get

more discount than what is agreed on a global level with the corporation. The manager

mentions that at times a good rate is negotiated at a global level as the bank is one the

biggest customers of these suppliers. In few cases these suppliers have a relationship

with the bank in terms of banking so there is a mutual relationship. If not, the other

strategy adopted by the bank is to persuade the supplier to bank with them since the

bank is giving them business as well.

“You can find it difficult if it’s already negotiated quite good rate as we are one

of the bigger customers in the world for those companies. The other thing that is

not really tackled too much but is raised occasionally is lots of these companies

have relationship with our organization in terms of their banking. So often there

seems to be mutual relation. At times what we do is go to the company and say

we are spending a lot of money on you so you should be banking with us as well

if not a big discount.”

5.4.2 Outsourcing Process

The procurement manager does not have an active role in outsourcing, as presently

infrastructure is not being outsourced by the bank. However the manager was part of the

outsourcing deal in 1992 wherein the data center activity of the bank was outsourced to a

vendor. One of the primary reasons for deciding to outsource the data center activity was

an immediate reduction in headcount.

85

“Anyways, this had happened back in 1992 the way a lot of companies did this at

that time. It could probably not be for the same reason they do it now. The scene

was a quick way of sorting out the headcount. Probably the bank was trying to

cut costs. At that time a company came back with a wonderful plan. I think we

had around 70 people in the staff then in data center. This was the operation,

technical support staff, right unto the management and a couple of people that

managed it. They were involved in initiating the outsourcing deal. As they

outsourced themselves they went with it. So they took responsibility of the whole

of the staff and the equipment and the liaison with the software companies and

you know whatever.”

This was one of the first outsourcing contracts of the bank. There was a selection

process followed wherein the bank did look at 3 to 4 companies. It collected information

about the vendors like references, the financial situation and abilities of the vendor and

called for a proposal plan. During that period, there was no global list of vendors.

Though compliance was around it was not enforced as it is now. The decision making

team involved the senior management and some technical people. One of the reasons

identified for outsourcing was that along with the people, the vendor was also willing to

buy the equipment.

5.4.2.1 Issues in managing the Outsourcing Process

As the relationship began, the process was running smoothly as all the terms were stated

in the contract. The bank was satisfied with the services and felt that the vendor was

charging them correctly. The process was audited and new features are recommended

and implemented successfully. There were regular meetings and steering meetings

which was attended by both the banks.

“I think we just trusted them. There was no breach of contract. We didn’t like a

few people but mostly they were quite fair. We thought they were charging us

approximately. They had the right people doing the right things. It was audited.

86

We were pretty satisfied. There were issues of password security. They would

recommend and implement it. There were new processes.”

However as time passed by, there were requirements for additional hardware and

software and human resources for which the bank was being charged. So the bank set up

a service request procedure for extra requests and that was paid separately. However the

cost of these extra services to meet the processing demand was increasing tremendously

and at times, was more than the monthly fee paid to the vendor. Thus these extra costs

were a major source of concern for the bank. The contract was for 5 years and had

renewal options. To curb the variable costs, the bank brought in negotiators from its US

office to analyze the situation and take further action. However the manager felt that the

situation was out of control because the present condition was quite different from what

was mentioned in the contract. Though the negotiators and the management team did

look at other companies and the option of in sourcing, they finally decided to renew the

contract with some new conditions. The manager points out that one of the reasons that

the activity was not back in house was because of the headcount issue. However the

contract was renewed with the vendor with new conditions wherein a separate list of

people were identified from the rest of the operation. There were around 100 people and

each person was charged at a rate depending on their level or grade. Though the bank

paid for their services, they were employed by the vendor. The manager felt it turned

into a body shop affair and the new rate was comparatively higher than what they would

normally get with other benefits.

“There was an arrangement for a set fee for managing everything. I mean there

had these extras on top and it had to be changed. Rather they bought in a new

one which kind of separated the people form the rest of the operation. So they

had a list of people, they had around 100 people or more and then each person

was then charged at a rate depending on their level or grade. A senior consultant

or technician and there was a monthly rate for that person which was actually

quite high compared to what their salary would have been and obviously it

included other benefits like cars, bonus, etc.”

87

Along with the new process, the bank was also charged for the systems separately. The

old problem persisted and the bank kept receiving extra service requests which increased

the cost. At the same time, few activities became more critical and the bank started

focusing more on technology and started demanding more quality. To meet the demand,

the bank decided to get its own people to monitor the vendor’s activities. The manager

felt that the bank didn’t trust the vendor anymore and had its own people cross checking

each activity performed by the vendor. The bank reached a point where it decided to

conduct an exercise to find out how much would it cost if the whole activity and people

were bought in-house. The manager thinks that the two primary reasons for the bank to

consider in-sourcing were high variable cost and the lack of control. Everything that the

bank did was based on the capabilities of the vendor and the bank couldn’t make a free

decision. The other thing that the manager noticed was that the vendor staff was slowly

becoming complacent and the bank was unduly being charged extra for staff overtime

Furthermore the myth of outsourcing that the vendor has experts for everything is

identified. Practically these mythical people either didn’t exist or were never available.

Finally the activity was bought in-house around 3 years ago. The handover process was

smooth as the manager believes that the vendor had to co-operate as there would be risk

of reputation for them.

“Well it wasn’t a failure but it kind of came to a natural end almost. It reached

to a point where it made more sense to run it ourselves. Financially and in terms

of control and where we were trying to go, what we were trying to do. Difficult to

involve the other company, wait for them to respond, everything they did would

be based on what their capabilities were, couldn’t make a free decision. The

other myth about outsourcing, all these companies are going to tell you that they

got many people they can call on, they got experts who know everything, put

people on, in a minute’s notice but when you try to do it, they say these people

are busy with other projects, they going to come with excuses or they say we can

always recruit someone. They always have some mythical people that can do

88

anything but in practice it didn’t work very well. It wasn’t that you had people at

our beck and call which they pretended so that was one of the drawbacks.”


The manager states that one of the primary reasons for deciding to outsource was an

immediate reduction in headcount.

“It was headcount reduction. They offered to buy the equipment we had, so we

transferred it. At that time it looked good. The hardware costs kept rising for the

processing power of the mainframe. They thought it would remain static.”


The manager is not sure how much was considered during that deal in 1990s as if it was

then the contract would have been better than expected. However the manager is of an

opinion that currently outsourcing is less risky as there is so much information available,

so many companies have gathered experience in outsourcing and there are books and

resources for reference. One may still come across similar problems but one will be

prepared for them.

“I don’t think they looked at risks that much because if they had the contract

would have been better than expected. Now there is so much of information

available and also generally because so many companies have done it, there are

articles, books available, all sorts of sources to tell you what you should do and

steps and clauses. I think it’s a lot less risky these days coz there is so much more

that you can draw on, that could tell you, look what you should be doing, what

you look out for, so many people are doing it, I think its lots easier these days,

less risk, build more terms in to the contract, you need to do your homework.

89

Spend time finding out, look for advice, take time. You would still come across

problems, but you will be prepared for them.”


The manager mentions that the bank follows a process of vendor selection and gathers

information about the vendors like references, the financial situation and abilities of the

vendor and called for a proposal plan.

“Information like financial situation of the vendor, references from his clients,

his abilities and a proposal plan.”

Furthermore with previous experience and by gathering information and taking advice,

the process can be effectively handled.

“Well, it all comes down to experience I think and anticipating and reading what

other people have done and what problems they have encountered.”


The manager is not aware of the exact procedures but mentions how the process has

changed. Presently there are more people involved. Outsourcing receives a lot of focus

these days and they are many people from the senior management involved.

“I don’t know. There would definitely be certain people who would have a say in it.

These days so many people would be involved, have an opinion and have a say in

it.”

90

5.4.7 Using Third Party Consultants

The manager does not have a strong opinion about using third party consultants.

However doesn’t mind having a risk management team if the bank was outsourcing all

the time. But if it was a one off thing then probably would bring in a consultant for

advice. However most program managers in the bank tend to believe they have enough

knowledge and experience and would tend to do it themselves.

“However here, most program managers tend to do it themselves. Enough

people to think they probably have enough experience or enough knowledge,

probably wouldn’t want someone… I mean…that’s my opinion.”


The manager thinks that there wouldn’t be any sourcing strategies for data center

activities as presently it is being managed in-house however in case of procurement, the

bank is planning to reduce the number of suppliers. The strategy is that the reduction in

the number of suppliers would lead to better management. However the ultimate risk in

this strategy is less competition which may affect the pricing plans.

“I suppose the only risk if you reduce the number of suppliers of a particular

item too much, you don’t’ have so much competition if you want to get pricing

for different prices.”

However the risk is identified as low as it is believed that the risk would evolve in

relative unit so one can selectively choose the vendor.

“Risk is low, I think, because I see it evolve in relative unit. Hopefully choose the

suppliers that you might use, try to avoid the odd ones, smaller ones or ones that

are not used very often.”

91

5.4.9 Concept Map

The Concept Map that summarizes the findings of the second interview in presented as

follows.

Figure 5.2 Concept Map of Interview 2 - Procurement Manager

5.5 Interview Three – Production Support Manager

The interview with the Production Support Manager took place in London on Tuesday

13th July 2004. This meeting lasted approximately one and a half hours.

92


The manager is in-charge of production support for one of the systems operated by the

bank. The support office deals with new features for development and also with any

production issues that come up specifically from the business. So basically the manager

is involved after the decision is made and manages the vendor relationship thereby

ensuring the quality of the work.

“Our team manages the relationships that are in place already and it is the head

of department that sets up the new contract, we just manage parts of the

relationship once the contract is in place. We try to make it work; ensure the

quality of the work and ensure that the processes are in place to manage the

supplier in the ongoing relationship.”


In the outsourcing process, the manager plays a role of coordinating with the vendor,

negotiating the problems with the offshore system developers and makes sure they first

address the issues on priority and keeps a track on the status of these different issues

whether they have been resolved. The manager tries to get as many issues closed and

tries to get the system stable as soon as possible. However at times when the issues are

on priority, the work does get very stressful as one needs to coordinate with the offshore

team and resolve them at the earliest as the operations are on hold and the business is

waiting for the system to work.

“I help negotiate the problems with the developers, set priorities for the issues

that should be managed first and keep a track on what is happening with these

different issues. My aims are to try to get as many problems closed and try to get

the system stable as soon as possible. Priority one issues can be very stressful

93

because they can impact a team of people within the business who are unable to

deal with their daily tasks or it could have a direct impact on customers

This process is computerized and the issues are entered into the database by raising a

ticket. So it’s the business that raises the ticket and the same is notified to the off-shore

developer. However the manager has the access to the ticket and can check the progress

on the ticket. This system is identified to be very useful for coordinating and for

analyzing as regards why a ticket is raised, which issue is on priority, how it gets

resolved and how the business is using it.

“I think it’s this data system that really helps because you can see at a glance

what tickets are open, so you know how a system is performing and this system

stores all communication regarding a specific issue so that it is easy to track the

history of an issue.”

Furthermore, in case of new changes in the system, the process begins with the

requirements document prepared by the manger which is sent to the business and the

offshore team. The offshore team prepares the Statement of Work which calculates the

costs and other information and also sent to the business. The business then prepares the

Project Initiation Document (PID) which covers the changes and costs and sends it to the

Head. Finally the Head reviews all the documents to know the changes and gives a sign

off.

“What happens is, the requirement documents are sent to the business and the

offshore team. The business will transfer the information into the PID and also

add in additional information such as the cost benefits. The PID document is

then sent to the head of department.”


94

Though the manager commends this tracking system but identifies the problem with the

offshore development team does not fully understanding its significance. The tracking

system is effective in resolving the problems, but when it comes to implementing the

changes on the system, the offshore team has to state the required changes in a change

request system which is then implemented by the system administrator. Since the data

center activity is managed by an in-house team, the offshore application developers have

to co-ordinate with the in-house system administrators. It is this process, that the

manager is of an opinion, is not used efficiently by the offshore team. This leads to

delays in changes being implemented in the system due to mistakes being made when

completing process documents and forms that need to be issued to the implementer of

the change. The manager stresses that most of the problems are due to the bureaucratic

system in the bank and everyone not understanding the significance of this process as

regards why is it being used.

“I think we have systems that are in place but the developers end up not fully

understanding its significance. When it comes to fixing the problem we have to

raise a change request. And the whole change request is a bureaucratic system

that we have, which is not used by the developers efficiently because they don’t’

fully understand the significance of this process. We have been having problems

the development team not completely filling in the required form and missing

sections from the documents as the developers do not realize the necessity of the

information being requested. However through a number of training session the

development team now understand the information that needs to be completed

and why it has to be completed for the change to go through.”

When asked whether cultural difference is an issue in managing the relationship, the

manager did consider it as a cause of concern and observes a difference in approach by

the offshore team in managing customer relations. The manager does emphasize that the

offshore team are very hard working but finds them being too honest and lacking

professionalism

95

“I find the offshore team very hard working , they will always do everything they

can, you can count on them but sometimes they are too honest with their

responses, their customer relation isn’t as good as it must be for the European

market.”

Another issue identified by the manager is the air of authority while communicating with

the team. The team does not participate actively if the key manager is communicating in

the conference call.

“If it’s the developers who are on the phone, then they are very honest and open.

If their manager is on the phone, they won’t talk; they wait for the manager to

talk. That’s very difficult because they have the knowledge and then getting to

the route cause of an issue can take much longer. ”

Lastly she finds the different formats of Statement of Work prepared by different teams

an impediment to effective analysis of the vendor’s performance.

“Things like getting statement of work from the development team and really

understanding the costs can be very difficult. We have a number of teams and

you get information sent through from different teams in different formats. When

this happens it is difficult to compare costs or services being delivered by

different teams. It is now being requested that each teams send through

information in exactly the same standard format, it means that discrepancies are

easier to see. I think one of the examples I got is , we have 2 different projects

and we have two different statement of work and who did these are two different

teams, one with UAT and one without UAT so because of the differences one

would have the total hours of works and one would have a complete breakdown

in his cost. It is important to make sure that the costs delivered are consistent.”


96

The manager points out that staff turnover are a huge risk in outsourcing. The manager

recalls an experience wherein there was a complete replacement of the team managing

the project and one could see a significant difference in the art in which the problems

were resolved. The second risk identified is the risk of the capabilities of the key

manager. The key manager is the top person from the vendor side who manages the

team. Incase this manager is not competent to get his ideas across to the business then

the business would not understand the technical solutions provided by him. The manager

then talks about effective requirement gathering from the business. This risk is rated as

high as the business requirements and functional specifications are most important in the

outsourcing process. If the specifications are not clear then when the project comes to

UAT, it merely faces so many bugs that it slips way past the deadline. However there

has been emphasizes on this issue and there have been recent changes in the vendor’s

approach wherein they go beyond the request and understand the process in a user sort

of the format. Furthermore the manager identifies time zone as a potential risk but

doesn’t see it having a huge impact to the outsourcing process Lastly if quality of

services is an objective then the manager considers it to be a high risk as well.

“Staff turnover definitely is a high risk. It’s a very hard one to control but it has

a huge impact on us I think. Understanding the specification that comes down to

strongly written formats and effective implementation, I consider that high as

well because whole way through my experience, the business requirements and

functional specifications are most important. In certain projects when it comes to

UAT, it slips and slips and slips because when it comes to UAT, you realize that

the specs are not clear, so I take interpretation as very high. Time zone is ok, I

think more between medium to low coz I think you can get around it but I think

it’s always an advantage to have people working in the same time zone as you

are.”

The other risk identified is lack of in-house technical knowledge. When the project is

developed and is sent across for UAT, the UAT team is capable for testing the front end

97

but lacks the skill and knowledge to verify the back end processes. Though the same is

required to be tested in SIT process by the developers, it is believed that the process is

not strictly adhered to. The manager does realize that finally one needs to trust the

developers for SIT but suggests a way to resolve the problem by demanding testing

screenshots to ensure that SIT is done thoroughly.

“I think the other area of risk is between SIT and UAT. The business does UAT

on the assumption that the offshore team had done SIT thoroughly the whole

system but I think that always doesn’t’ happen. To certain extent you have to

trust the developers and what we ask for is more and more testing screenshots to

ensure SIT is done in enough details.”

Though the skills of the developers in resolving the problems are satisfactory, at times

they provide a short term fix which is a cause of concern as they might have a long term

impact. So the manager also plays a role in pushing the offshore team to identify the root

cause of the problem

“I think that’s sometimes an issue. I think it’s very easy sometimes for the

development team to give a quick fix and you have to push to make sure that the

long term problem is also fixed, otherwise the issue will continue to reoccur.”

5.5.4 Risk Identification

The manager relies on previous experience to identify risks in outsourcing.

98

“I think mainly because we have done previous implementation before, we know

some of the risks.”


The manager thinks there are risk management techniques being followed in the bank

For example, there is a team which presently goes through the risks in projects then a

team which ensures adequate quality controls and a team which conducts different levels

of testing. There is documentation available to go through in case of small projects and

in case of big projects there would be an external risk management team involved

however the people involved in the project would also assess and analyze the risks

themselves. On being further questioned, the manager states that there are people

looking after quality and compliance however one has not yet interacted with the risk

team. Moreover there are escalation processes up to the regional level.

“My understanding is, there is a risk team and they have the documentation to

go through and review which would help to identify the risks in each project and

apply it to the project. The documentation is there for small projects but I think

for larger projects it would help to have an external team involved that can

assess the risks of the projects and remain more objective.”

When it comes to implementing new features in the existing system, the manager is

involved in the basic requirement gathering and project management. Its worth noting,

there isn’t specifically any point of risk in the setup plan. However the manager states

that the project does go through a complete risk evaluation process.

“The full plan goes through a complete risk evaluation to understand what the

key risks in the project are but I am unsure whether the business also carries out

a risk review at the point of requirements gathering.”

99

The tracking system used for issuing and resolving problems in the system is considered

as an effective risk management technique. The feature in the change request wherein

one can not raise the request without a ticket number is also commended.

Furthermore there is the authorized list of vendors and the process of global contracts.

The manager notes that there are sufficient controls in place but agrees that there is

always scope for improvement. The manager believes that the development function is

managed effectively however it’s the ongoing relationship which needs improvement.

5.5.6 Key factors in Decision Making

The manager considers product knowledge as a key factor for vendor selection and

would prefer a vendor who has already developed a similar tool and more so from the

European country. High importance to given to documentation, total commitment and

resource allocation. From past experience the manager has observed that the bank

potentially slips out as the demands are put across to the vendor but the vendors don’t

commit themselves and give the same excuse of the existing resources being busy with

other activities.

“I think that we in the organization sometimes create problems for suppliers

because we put demands on to supplier but then are not always able to supply

the business resource required to meet the project timelines because the

resources are also normally involved in the day to day running of the business as

well being on the project. It is crucial that a business has the resources and the

time available for the project to be able to meet the timelines.”

5.5.7 Suggested Measures

As regards the technical and business understanding of the vendor team, the manager

recommends some sort of training in the beginning so that the vendor understands the

100

significance of all different processes. Training would increase the cost but the vendor

companies are pretty huge by themselves and the manager believes, can very well afford

it.

“I think probably in the beginning, there needs to be some sort of training; this

will ensure that the vendor is clear on the process that needs to be followed to

meet our compliance standards.”

Secondly, the manager suggests uniformity in the standards followed by the vendor

while presenting statement of work. It would definitely help the bank analyze

effectively.

When asked whether a risk management team is needed in the department, the manager

positively responded preferring it more at a regional or global level.

“I think a team would be better so you could go to them because it’s not

something you need all the time. I think you need to dip into a pool of knowledge

whenever you need it.


The manager strongly refuses using third party consultants for reasons of control over

the process. The manager believes it would result in too many people thus making it

difficult to manage. On the contrary, a control group within the organization is preferred.

“No because I would like to control the situation. I don’t’ want someone else

indulging in the relationship its just puts too may additional people in the way I

think if there has to be a control group its got to be within the organization. We

would have to have all the checks in place.”

101


The manager believes that the bank would continue with outsourcing. More than cost

effectiveness, the bank is becoming more technology driven thus requiring a specialized

team to back up the technology. However there is a need of technical people in the bank

as well. So the bank has come up with a strategy to recruit few people from the vendor

company. The other strategy is to buy the small vendor companies so that the cash

remains within the organization. However one of the limitations to that use of outdated

technology as the bank would have to use the software developed by that vendor

company which may not be as steady and flexible as required.

“I think it has to stay with outsourcing. I think we are getting more and more

technology driven, teams are getting more and more specialized. Therefore to

meet these technical demands it is necessary to use teams external to the

company that are up to date with the latest technology. I think in this

organization we need to make sure that there is some resource within the

business to back up the technology and have system knowledge to be able to

access the vendor and the standard of the product delivered.”

Lastly the manager is of an opinion that core competencies should be kept in-house and

its just technology within limits that should be outsourced.

“I think the core competencies must be kept within the bank it is just

development expertise that has to be outsourced. There has to be a line otherwise

your business gets more and more dependant on someone else and that’s a risk.”

5.5.10 Concept Map

102

Figure 5.3 Concept Map of Interview 3 – Production Support Manager

5.6 Interview Four – Business Development Manager

103

The interview with the Business Development Manager was a telephonic conversation

as the manager was based in Spain. The interview took place on Wednesday 14th July

2004. This meeting lasted approximately one hour.


The manager is the development manger in the technology department in one of the

countries. The manager is involved in providing a clear perspective of a part of the

business to the technology unit. The manager is a key point of co-ordination between the

technology team of the bank and the business side of the region. The manager is not

involved in the decision making process, but is into managing the relationship. The

manager manages the development efforts of the local technology team working on

different systems.

“At this point where I am I personally could not have an active role. I manage

the development efforts of the local technology team on a variety of systems that

are mainly based on liabilities side deposit account and investment account.”


In terms of the process, the manager is aware of the process which begins after the

decision is taken and the vendor is selected. The process begins with the initial phase of

requirement gathering. From a methodology perspective, there is a process as regards

documentation that is being followed. In terms of requirement gathering, there are

certain technological or formal tools that are presently being used by the bank. As

regards the people involved in the process, the manager states that there are many key

people from different areas that are involved initially. To begin with, it is the

technology team of the bank which takes responsibility of gathering user requirements.

They co-ordinate with the users and push them to think about what improvements they

104

want. Once the system is implemented, the manager is in charge of coordinating with the

production support team and the offshore support team for production issues and new

changes to the system.

“In a methodology perspective, we have a process as regards documentation

that we follow. As regards collecting the requirements are more of the

technological tools or formal tools that are used. I am not sure if it answers your

question but people who are involved and the key responsible people within the

different user areas are responsible and obviously they all work together. The

local technology generally takes responsibility of pulling together people so that

the requirements are in completed detail. As many of the users don’t know how

to formulate the requirements and giving the full picture, they push them to think

about what improvements they want.”


The manager identifies a few issues in managing the outsourcing process. Based on

recent experiences, the manager identifies communication problems from the language

perspective as an issue. Then there are problems faced due to the geographical and time

zone difference. However an important issue from the outsourcing perspective is the

knowledge level of the vendor team providing support. The knowledge level should

include business related knowledge rather than just technical knowledge of the systems.

There is a need to understand how business uses the system and is affected by the

changes in the system. To summarize, the vendor team should not be working in the

theoretical or hypothetical world.

“Key issues based on the most recent experience here are the communication

from the language perspective. Another issue is the geographical and the time

zone difference. Rather important issue from outsourcing perspective is the level

of knowledge of people providing support and whether they actually have any

105

business relation knowledge at all or whether they are really a majority of them

in the programming base.”

The manager has no issues with the concept of outsourcing. But expects a high level of

service and mentions that when the same is not received then one is not satisfied with

the process. It’s attaining the detailed level which she finds very challenging in

managing the relationship

“I don’t have an issue with the concept of outsourcing but when outsourcing you

expect a high service level and when you don’t’ get that then you are not

satisfied with what you receiving and definitely what that service level is. To

attain the detailed level can be challenging but I don’t have an issue with the

concept of outsourcing.”


The manager identifies lack of business understanding as one of the key risks in

outsourcing. This would result in a solution being developed which might not be as per

the user requirements. Though such a system would not be implemented however the

consequence is the loss of time in the whole process.

“Risks are that because of the lack of business knowledge that does pose a risk to

them, understanding the requirements are defined and they spend their time in

developing a solution that we may not actually need as per user requirement.

There is a gap in knowledge then we get solutions that don’t actually meet our

needs. That’s not to say that goes live but the impact could be that we lose a lot

of time because once the users have a hand and see what is developed and is

finally not what they wanted then they start again.”

106

The manager notes the risk process that was carried out a year ago by the bank when

globally things were becoming unstable. The risk of regional instability was the key

issue in the risk process. More than the technology factor for which controls like disaster

recovery and business continuity are supposedly in place in the bank, it’s the issue of

knowledge of an individual that was identified.

“The problem is not the disaster recovery from a technology perspective because

obviously that has to be in place coz that’s expected and demanded all the time

now. It was more an issue of knowledge of an individual.”

The other issue identified is the high staff turnover in the vendor team. It impacts the

ongoing process as the new people have to be given training on the business and system

functionalities.

“High turnover is the same issue of knowledge level of what is demanded of

basically we got people who were involved in the project and who got to

understand the business requirements of the project and then the key people left.

We had new people to start over and we had to send our people for the training

of what it was all about.”


From the geographical perspective the manager believes that the bank is considering

having some representatives from the technology team on to the business site to bridge

the distance thus using it as an alternative to mitigate risk.

“From the geographical perspective I know there has been discussion of having

some number of representatives in the technology people brought over a bit

locally just to bridge the distance. That is an alternative. That’s a potential way

to mitigate that risk.”

107

In terms of staff turnover, though the issue is not in their control, but there could be a

possibility of an arrangement wherein the bank demands the vendor to ensure that

enough time is spent on knowledge transfer. The other measure suggested is having

some form of backup.

“Risk of high turnover is something we don’t really have controls over that. In

the sense that we can demand somebody or people going to be leaving the area

or that company, if they have the ability to dedicate time to knowledge transfer

then that should happen. First thing that people are going to do is pick the door

and not return then obviously you can’t do much. The other thing to do is to

attempt to grow the internal staff so they have more desire and shares that

knowledge through their work, not leave out a project”

Furthermore having a representative on-site is an alternate measure to mitigate the risk

of knowledge gap. It would add to the cost, but it is believed to be very advantageous in

managing the relationship. As it would not only increase their business knowledge on

how the users actually use the system but it would increase their ability to resolve

problems and they would effectively convey it back to their offshore team. The manager

points out that the representative would be able to put across the problems more

effectively using the internal lingo that goes about in any company.

“The other comment is not based on my experience here but on previous

experience is having someone from the outsourcing vendor onsite with you that

can be very effective; it really increased their knowledge on how the users

actually use and how the business actually works. I think it increased their

ability, their ability, their responsibility and they can relay it back to their team

or whatever that is in the language that they understand. I am not talking about

English or Spanish, I am talking about the internal lingo that goes about with

any company. And definitely becomes more effective. Of course definitely that

adds to the cost but I think it just mitigates the risks of knowledge gap.”

108

Lastly, the manager recommended having a defined role of a system analyst for effective

gathering of user requirement. If someone capable from the business or the technological

side acts as a liaison between the developers and the users of the system then it would

definitely bridge the present knowledge gap. Furthermore including such a person with

immense knowledge and experience would definitely lead to high quality of requirement

gathering.

“One of the things that we do not have here right now is defined role of system

analyst. If the person could be assigned from the business or technological side

that doesn’t really matter but someone who acts as a liaison between the

developer side and user side and bridges the gap because of the knowledge and

experience, it generally leads to high quality of requirement gathering.”


When asked about risk management techniques being followed in the bank, the manager

states that though since last year there has been more focus on the decision making

process and depending on the focus and size of the project, the decision is now taken

more on the regional level than local. It is definitely part of risk mitigation and risk

management on variety of degrees.

“I don’t have detailed knowledge what I can comment on is there is definitely

more focus recently, maybe from last year in the bank to make sure that decision

especially on outsourcing in whatever capacity are not only on local level but

are brought at least up to the regional level and depending on the focus and size

o and the escalation level, I think there is definitely part of risk mitigation and

risk management on variety degrees. The details of which are actually dealt

throughout the process is what I don’t’ have information.”

109

5.6.6 Key factors in Decision Making

When asked about the key factors in decision making, the manager identified financial

stability of the vendor, the level of resources and their availability at different time

frames and commitment as important elements. The manager stresses on stating the

resource availability explicitly in the contract and reviewing it on a regular basis.

“One of other key points as regards risk control is regarding the company, the

financial stability, the level of resources they have to support the customer, their

availability, they all say they are going to be available to responses for issues at

different time frame but certainly that is something you agree initially and what

happens in practice needs to be controlled and reviewed along the way.”

In terms of having a risk management specialist, the manager is of an opinion that each

department is aware of the risks in its area. The person coordinating the outsourcing

process, which would be the project manager, should be responsible for collating all the

risks in different areas. He would be the one who would have the full risk picture.

“If there was an individual which specializes in that of course if it someone who

specializes in information security then that could be done. Managing risks the

way I understand is that each department is kind of expert in the risks that come

into play in that area and when you talking about outsourcing the person who is

running the effort is responsible for collating all the potential risks in different

areas. They have the full risk picture. If they were someone who had a

responsibility then it would be that same person or group of people.”


110

The manager believes there is no need for third party consultants as the organization has

many experienced people. However if there is an institution which has the knowledge

and experience then probably it would be beneficial to the bank.

“I don’t think there is a need for having a third party to come in. I am saying in

terms of large organization there is awful lot of experience. If there is a foreign

institution which has the knowledge and experience then I definitely see the

benefit to it.”

5.6.8 Concept Map

Figure 5.4 Concept Map of Interview 4 – Business Development Manager

5.7 Interview Five – Project Manager

111

The interview with the Project Manager took place in London on Friday 16th July 2004.

This meeting lasted approximately one hour.

5.7.1 Role in the decision making process

The project manger runs the project office. The manager is responsible for implementing

IT solutions in number of products like credit cards, retail banking and consumer loans

across the unit in 23 countries. The role involves management of IT solutions and

managing the project managers in the project office.


In terms of the outsourcing process, the manager plays the role of initiating the project

by identifying vendors. The selection criteria are mostly based on cost, product expertise

and skilled resources. The manager has an existing vendor list which he terms as

personal list and then also refers to the global list of vendors.

“We begin the process by looking at the existing vendor list. That would be my

personal vendor list. If there are no vendors within that selection for the skills

and expertise required for developing the required product, we then look at the

main global list that is prepared at an organizational level.”

On identifying the vendors, the manager then selects around 3 or 4 vendors and prepares

the Request for Proposal. The RFP is sent across to the short listed vendors. Once the

proposal is received, the negotiation takes place with all the vendors. Based on the

quotes proposed by the vendors and their product experience and knowledge, a vendor is

ultimately selected. On the vendor being selected, the contract is signed and Master

Service Level Agreement is prepared and all the required control levels are put across in

the Statement of Work.

112

“We have to make a choice for around 3 or 4 vendors and request for quote.

Based on the vendor proposal, his experience and product expertise, we make a

decision. We then draw upon the Master Service Level Agreement and Statement

of Work. Once the SOW is in place, we start with the development.”


The manager recognizes cost effectiveness as one of the primary reasons to outsource.

One of the options is to carry out the development work in the Asia Technology Office.

Since the solutions may already be developed and been in use in some other country,

they can be deployed faster. Furthermore product expertise and previous experience are

other key drivers for outsourcing.

“The basic objective is it’s cheaper. If you looking at whether the task can be

performed internally or externally, then one reason to outsource is its cheaper.

Then we look at developing in the Asia Technology Office (ATO) as often

solutions can be deployed faster. Development is often based in India as they

have the expertise, product knowledge and project management experience”


The manager considers lack of control over the vendor operations as one of the key risks

in outsourcing. The other factor quoted is the difference in performance drivers. The

manager explains that one would not be aware of what drives the vendor team and it

may cause problems in managing the relationship. Furthermore vendors have different

levels of technical and managerial skills. Every vendor has its own strengths and

weaknesses in these skills. The manager observes staff turnover as a potential risk but is

of an opinion that smaller the company, bigger the impact of this risk. Lastly,

113

geographical distance, languages and cultural differences are other risks identified by the

manager.

“The fact that people don’t work for you, you have no direct control over the

vendor staff. Then they may have different drivers. The bank does have certain

procedures for performing a particular task and one would be well aware of

them. However the vendor company would have its own set of drivers which one

would not be aware of. I would be one customer and I might lose that team

because there is another customer who is probably more important. Its about

losing the ability to set the agenda. Then one might come across certain vendors

who have good project management skills but lack in development and testing

skills and some of them would have excellent coding and testing skills but lack in

project management area. Each company would have its strengths and weakness

so the risks would be according to the projects and the vendor assigned. Then I

would consider staff turnover as a potential risk however if the company is

relatively small in size, it would be a high risk. Then I would consider

geographical distance, languages and cultural differences as other risks in

outsourcing.”


In terms of risk assessment, the Manager points out that there is no formal process being

followed in the organization. However they do conduct analysis in terms of taking a

decision to outsource between different countries.

“No. We don’t have a formal process. We do conduct analysis for different

countries.”

114

5.7.6 Strategies and Policies for managing risk

The manager mentions the existing policies framed by the organization to protect its

interests in terms of ensuring security, labour practices, business practices and continuity

of business. It is mandatory for the vendor to follow the controls set by the organization.

Moreover, in terms of diversifying its risks, the organization has a reasonable spread of

vendors.

“In terms of outsourcing, there are policies designed to ensure that the vendor

follows the standards set by the organization in terms of security, labour

practices, business practices, continuity of business. A vendor needs to comply

with those, if one plans to do business with this organization. In terms of

strategy, I would say reasonable spread of vendors. We have number of different

relationships geographically.”

However the organization does not have any particular standard to specify which

activities can be outsourced. What it does have are controls to protect the organization’s

interests when an activity is outsourced.

“In terms of what can be outsourced, I don’t think there is a particular standard

specifying that. What we have is when you outsource; you got to have controls in

place.”


The manager identifies various techniques like receiving quotes from minimum 3

vendors, the requirement of a back up plan and protection of critical source code through

escrow. There are sufficient risk management techniques from a control perspective

however from the project side, there is no set process or methods being followed and the

risks are analyzed on a case by case level.

115

“In terms of outsourcing, we are supposed to receive quotes from minimum 3

vendors, and then the vendors are required to have a back up plan. For critical

source code, we got escrow. So from the control perspective, yes, there are set

processes to manage risks in outsourcing. However from the project risk

perspective like geographical and cultural, there is nothing specifically

mentioned. It’s done more on a project by project basis.”

The manager discusses the new approach adopted by the bank to formulate a tool to

analyze the number of visits in the project life cycle to the offshore countries thus

studying the impact of geographical distances on the project budget and timescales.

“We are looking at some tool on how to formalize the day to day visits in the

project life cycle to the offshore countries. We do have standards for project

management”

Moreover, the organization has also formed a relation management team in one of its

offshore units in order to cover the problems at the ground level.

“The organization has come up with a relation management team in India which

would be staffed with the organization and local employees. The idea is good as

it covers the risk of geographic distance. It would be helpful in dealing with the

issues at the ground level. However at the application level, it’s interesting to see

how effective it turns out to be.”


116

When asked if a risk management model is required in the organization, the Manager is

of the view that one cannot have set processes for everything. But there could be

guidelines covering project risks.

“You can’t have processes for everything. What you can have are guidelines.

Guidelines for project risks and controls to mitigate the risks and ensure

training”

5.7.9 Need for third party consultant

The manager is of an opinion that the organization is big enough to have the relevant

experience and thinks cost is an issue when considering a third party consultant.

However it could be beneficial when one does not have the relevant experience or when

an organization wants a fresh perspective.

“No. I don’t think we need a third party consultant. The organization is big

enough with majority of them into projects. I see it being effective when there is

virtually no experience or if the organization wants an external or fresh view

point on things. For this sort of area, I don’t think we need it. Besides cost is an

issue.”

5.7.10 Future Trends

In terms of future trends the manager identifies the strategy of scale and spread of

vendors. Though it’s cheaper to shift development work to China but language is an

issue to be resolved. The manager believes the organization would continue with

outsourcing.

“Future Trends is people will be looking for scale in vendors. Last year we

looked at spread of vendors for decent selection of vendors. It’s less of India and

117

more of China we looking at. However they need to solve the language issue.

One of the reasons to outsource to China is cost. In terms of in-sourcing, I

haven’t seen any conscious decision to in-source. I believe we still with

outsourcing.”

5.7.11 Concept Map

Figure 5.5 Concept Map of Interview 5 – Project Manager

5.8 Interview Six – Head of Department

118

The interview with the Head of Department was a telephonic conversation as the

manager was out on a business trip. The interview took place on Monday 9th August

2004. This meeting lasted approximately one hour.

5.8.1 Role in Decision Making Process:

The senior manager is the head of technology for the bank and manages various banking

functions like retail banking, consumer banking and products like credits cards,

consumer plans, loans and other segments from Europe to 23 countries. When it comes

to decision making, the manager is the final arbitrator who takes the final decision.

“Within my department, I am the final arbitrator who decides whether we select

the vendor or not.”


The Head is involved in taking the decision to in-source or to outsource the IT function.

If outsourcing is considered, then the Head ensures (a) the control levels of the vendors

and (b) whether all the necessary checks have been done as regards their financial

position. The head takes the advice of all the people involved in the process before

taking a decision to select a particular vendor.

“I within the geographic region look at whether we outsource outside the

organization, whether they have the controls level as per the organization or not,

all the checks been done as regards their financial position. I essentially take

the advice of all the people who take part in the decision process.”

119

Presently the bank is in the process of moving from legacy systems to state-of-art

technology in Asia Pacific. So a vast majority of application development is being

outsourced off-shore to Singapore, China and India.


Since the bank is a multinational bank, there have been technological developments

around the world since 1978 in various segments like credit cards and retail banking.

Essentially the department plans to re-invent the wheel in the Asia Pacific region. The

head describes that other than cost, it’s about quality and taking benefit of the

knowledge that the organization has build in so many years.

“Primarily in divisional, not too much on cost, its little bit more on quality side

and the platforms we are moving on to in the organization already. The program

side since in 1978, the credit cards system this is used in the countries around

the world, the retail banking in most of the countries and we try and reinvent the

wheel here. It’s more of the knowledge that the organization has build for so

many years, just using that knowledge.”


The Head identifies technical knowledge of the application and technical capability of

the resources as one of the risks in outsourcing. The next big thing for the bank is the

financial viability of the vendor and then its effective controls and compliance.

“Technical knowledge of the application, make sure that the people represent

knowledge of a quality product. After that it’s more of financial viability of the

vendor, which is one big thing we always look at. Then effectively, there is

120

essentially controls and compliance. It’s a combination of industry knowledge

and controls and compliance.”

The other issues that are considered by the Head include political stability, established

communication and language problems. English is the language that is used for

communication and the manager identifies the need of a high standard of English among

the people whom the bank is dealing with.

“We always go for places where we already have well established

communication links. Where there is political stability. I mean you can always

get a cheaper price if you go for a low cost location. We always look for

established communication links. Languages can be a barrier. There is

obviously, I mean, English is the language that is used for communication and

you need high standard of English among the people whom you are dealing with.

So whether you talking with someone in Spain or Sweden or Pakistan there got

to be English talking people having high standards. Culture not really.”

Lastly the Head believes that the biggest risk is not getting the right quality of the

product and believes that one can get something developed at a cheaper price but if its

not a quality product then the objective is not achieved


The Head lays emphasis that the selected vendor has to follow the control and

compliance standards that are set by the organization. It essentially would mean that the

vendors are being audited at the same level. Furthermore, the organization has put

together a list of approved vendors when they consider outsourcing. The Head believes

that the process is pretty rigorous.

121

“We have a list of approved vendors when we use a third party vendor. We look

at financial stability, and then we look at controls and compliance. It’s pretty

rigorous.”

Then in case of application development, there is a standard industry platform that is

being used and most of the platforms that the bank accesses have inbuilt quality controls

but the Head does mention that there needs to be compliance.

“There is a standard industry platform, where most of the platforms we have

they got to have inbuilt quality controls but there needs to be compliance.”


The Head believes there are sufficient techniques in place in terms of financial issues

with the vendor. Furthermore the bank also looks into what the vendor has provided to

its client, ask for proof of work. Basically carry out an internal audit of compliance to

ensure that all the controls are in place.

“In financial perspective, yes. We also look at what else have they done within

the industry, any proof of work. Essentially do an internal audit of compliance to

make sure they meet all the control requirements.”


Though there have been some successful vendor relationships, but incase if the bank

feels that the quality is not as was expected from the vendor, the Head suggests changing

the vendor.

122

“Well, you could change the vendors. That’s what we landed up doing. But it is

one of the examples. We have had other vendor contracts which have worked out

fine.”


The Head does not agree on using third party consultants as they wouldn’t know the

controls set by the organization.

“No. they wouldn’t know the bank controls and it wouldn’t’ make sense.”


The Head identifies an increasing trend to cheap development in other locations with

specialized knowledge. The organization has build up a long term relationship with

vendor companies in India but the trend is now more global. The organization has been

able to fund investments into international operations that have started in corporations

like in China.

“There is an increasing trend to cheap development in other locations with

specialized knowledge. The organization obviously had a large presence in India

all these years and built up the technology perspective. You need to build up a

long term relationship with the companies. I would say the trend would continue

to be global but we would like to bring it in-house again within the organization.

We are fortunate that we are able to fund investments into international

operations that have started in corporations like in shanghai.”

123

5.8.10 Concept Map

Figure 5.6 Concept Map of Interview 6 – Head of Department

5.9 Discussion

5.9.1 Summarizing the key concepts

The key concepts identified in each interview are summarized and presented in the

analysis chart presented as follows:

124

Interviewee Key concepts

Compliance Manager

Procurement Manager

Development Support Manager

Business Development Manager

Project Manager Department Head

Role in the company

Manages the compliance part in outsourcing projects

Manage procurement side, negotiation and signing of contracts

Manages offshore support team, new developments and handles production issues

Manages development effort of the local technology team

Manages the development in the technology office

Head of Technology for various segments in 23 countries

Objective of outsourcing

Lack of resources, Cheaper, Lack of skills, collaboration

Cost effective, reduction in headcount

Cheaper, productexpertise

Quality of services, use of technology, cost

Outsourcing options

In-source , outsource Onsite or offsite Personal list of vendors, Global list

In-house, outsource

Role in the decision making process

Ensure adequate process is followed in vendor selection, vendors follow the controls and standards set by the company

Negotiation with the vendors for discounts

Managing the relationship

Managing the relationship

Initiator of the project. Call for request for proposal, short list the vendors based on experience

Is the final arbitrator who decides on the selection of the vendor

Key Issues in outsourcing

Controls, Intellectual property rights, Confidentiality, Internet access

Lack of processunderstanding, bureaucratic, cultural differences, inconsistent standard of performance review

Language, Geographical Distance, Time Difference, Business Knowledge, Technical Capability, Knowledge gap, Quality of products, Knowledge transfer, Staff turnover

Quality of the services provided

125

Risks in outsourcing

Product delivery, information security, vendor ability, financial viability, backup plan, Exit plan

Quality of the product, effective pricing

High staff turnover, management issues, time zone, business knowledge, quality of services

Financial Stability, Level of resources, Resource availability, accountability

No direct control, procedures could be different, technical risks – key strength and weakness, staff turnover, geographical distance, languages, cultural differences, level of knowledge and experience

Technical knowledge of the product and process, financial viability of the vendor, presence of controls and compliance, strong communication channels

Risk Identification

Visit vendor site, references, company procedure, past account of 3 years, current staffing levels, experience levels of the staff

Experience, gather information on outsourcing

Previous experience

Gather information on : Company history, List of clients, Type of services, References, Feedback from the clients, Location of the vendor, Disaster recovery abilities

Gather information on : Company history, List of clients, Type of services,

Risk Assessment

Common sense, previous experience, numeric metrics

experience Whether theobjective is achieved, a high degree of control

experience

Strategies & Policies for managing risk

Framework covering: Information security, Continuity of business, software management, resource management, vendor management,

Escalation levels, senior management at a regional level involved in decision taking process

Risk management team, quality team and UAT. Approved list of vendors. Global contracts with vendors

Information securitypolices, labour law practices, business practices, continuity of business, no particular standard to say you shouldn’t be outsourcing, control

processes around

Controls and compliance standards, regular audits,

126

performance analysis, vendor review. Outsourcing policy which states which activities can be outsourced

outsourcing, legal regulations

Risk Management Techniques

Not aware Not aware Decision on outsourcing is taken on a regional level. Higher authority controls

Process for quotes from 3 vendors, backup/exit plan is considered in the contract, critical source code is covered/ escrow

Standard set for financial perspective

Key factors for decision making

ultimate cost, time to market, quality of product

Product knowledgeof the vendor, availability of off the shelf software, vendor’s clientele the software engineering process followed, commitment to the project, resource availability

Onsite- more controls Offsite – efficient services, less bureaucratic

Familiarity of product, project management expertise, cost, product expertise, skilled resources

Quality of the product, final delivery of the product

Use of consultant for vendor management

Yes. Management of vendors is a specialized job. It takes a certain amount of skill to it.

No. No. It just puts many additional people in the way.

No. sufficient experienced people in the organization

No. Impact on cost No. They wouldn’t know the company’s rule and controls issue.

Suggested Measures

Set a process to measure the quality of product and support. Identify key performance indicators

Training, lessbureaucratic process, need of a system analyst to understand the user requirements, Standardized

System analyst for effective gathering of user requirements, to bridge the gap between technology and business

127

performance reviews, provision of testing evidence or reports.

Future Trends in outsourcing

Bring it in-house to the other entities in the organization. Outsource to China

Reduce the number of vendors or suppliers

outsourcing Continue withoutsourcing

Increasing trend to cheap development in other locations with specialized knowledge

Future Risks Lack of outsourcing management experience, language problems

Less competition Same risks

Figure 5.7 Analysis Chart

128

5.10 Findings

Each key concept identified in all the interviews are put together and analyzed with the

theoretical framework identified in the literature in order to discuss the outsourcing

framework and risk management practices followed in the company.


All the interviewees who are directly involved in the decision making process like the

compliance and project manager and the Head, have identified cost effectiveness as one

of the reasons for outsourcing. However they further state that cost is not the only factor,

they identify other factors like product expertise, skilled resources and quality of

services as other motives for outsourcing. These factors can be put together as IS

capability factors as identified by Smith et al., 1998; Lacity et al., 1994; McFarlan and

Nolan, 1995. Presently, the bank is in to outsourcing of IT functions like software

application development and maintenance support. The senior management does realize

the importance of considering product expertise and quality of services as crucial

decision factors in outsourcing these functions.

However, the outsourcing of the data center activity, in 1992, was motivated by several

factors. Firstly, the senior management considered the data center activity as a

commodity service which did not add primary value in the value chain analysis thus

making it a means of achieving a reduction in headcount. Secondly, the vendor had

agreed to the transfer of personnel and offered to buy the equipment thus giving the bank

the opportunity to generate cash and enhance liquidity. Thirdly, this was almost the first

outsourcing deal by the bank which took place around the same time when all the big

companies where vying outsourcing as an alternative after the Kodak decision. Thus

external influences that existed in the industry seem to have an indirect role in the

decision to outsource the IT function.

129

The motives identified can be analyzed as having negative outcomes. Firstly, as more

and more banking functions get technologically integrated, the data center activity can

no longer be termed as a commodity service but is very much a strategic activity. It is a

vital IT function that can have an impact on the business. Though the quality of the

services provided by the vendor was satisfactory, but as the bank became more and more

technologically dependant, it led to an increase in the demand for additional hardware

and software. Thus the management lacked foresight. Secondly, the deal provided

liquidity benefits and short-term earnings, through sale of assets. But it also led to loss of

valuable human resources and the associated knowledge base which resulted in lack of

managerial control and technological dependence on the vendor. This is termed as a

dysfunctional decision by Zucchini (1992) in his Four-S Outsourcing Model. Lastly,

market trends and environmental influences should not be a factor of motivation in

decision-making.

Figure 5.8 Concept Map of Key Element 1 – Objective of Outsourcing

130


The project manager takes the initiative in coordinating the outsourcing process.

However for achieving the actual benefit of outsourcing, one needs to understand the

expectations of all the stakeholders in the project. The outsourcing effort will be

successful if it meets the objectives of the stakeholders and the organization as a whole.

Typically the senior management would look at cutting costs whereas the business units

would tend to view IS as a critical activity to daily business processes and look for

service excellence. The IS manager needs to understand the different perceptions of the

stakeholders and create a shared agenda by classifying the IS activities into

‘commodities’ and ‘differentiators’. As depicted in the matrix by Lacity (1993) which

illustrates the IS cost/service trade-off – that costs are directly proportional to service

levels (the better the service, the higher the costs)

The present outsourcing process of the bank typically follows the general framework as

suggested by Everest (1996) which includes the phases of deciding whether to outsource

or not, the pre-outsourcing phase, evaluation of bids, procurement phase, management

followed by change management phase. As recommended by Lacity (1993) the

organization does have different teams which include the Request for Proposal (RFP)

Team and the Evaluation Team. In this case, the Request for Proposal is prepared by the

Project Manager who co-ordinates with the vendors. The Evaluation Team consists of

the Procurement and the Controls departments who negotiate with the vendors and

ensure that the contract is in place. In the process, one of the risk management

techniques adopted by the bank, as pointed out by the Compliance Manager, is that the

Project Manager is not included in the evaluation team. This ensures that the interests of

all the vendors are protected and there is no scope of favoritism. The major evaluation

criterion as pointed out by the Procurement Manager is the price. However, the

Compliance Manager does stress on the different control levels like disaster recovery,

contingency plan, information security and contract administration and termination to be

in place. The IS activity can be outsourced only if the vendor follows the controls set by

131

the bank. Thus it can be commended that the bank does make a qualitative assessment

thereby extending much beyond the price factor.

Lastly, in the change management phase, the relationship is managed by the Project

Manager during development and gradually by the Production Support Manager. As

suggested by Lacity (1993) the senior management does have a key manager to

prioritize requests and handle disputes and monitor vendor performance.

In terms of the software development project, the company follows the typical waterfall

method wherein the organization plays a role in project initiation, collecting user

requirements and finally testing the product. However such a process has its drawbacks,

for example, the company will have to wait until the complete system is developed to

know if it fulfills all user requirements. This risk has been identified by the Development

Manager as well who states that the business can test the system only in the UAT phase.

Secondly, any changes can be implemented only once the whole cycle is completed.

New features would involve cost, time and resources.

132

Figure 5.9: The Outsourcing Decision Process (Adapted from Butler et. al, 2001, pg. 56)


The main risks in outsourcing identified by all the interviewees are financial stability,

knowledge level in terms of technical and business, quality of services, level of controls

and geographical differences as identified by many researchers like Aubert and et al,

2001; Takac, 1994 and Chalos, 1995. However the rate of these risks as high, medium or

low in terms of its impact and consequences vary between the interviewees. The people

involved in managing the relationship like the Project Manager and Production Support

133

Manger also recognized staff turnover, resource availability, time zone and cultural

differences as potential risks in outsourcing. The Procurement Manager identifies hidden

costs as a risk which had a high impact in the outsourcing deal way back in 1992. The

Project Manager does emphasize lack of control as a high risk as it affects the service

delivery. Though there are specific risks like security threat, confidentiality of

information and legal regulations, but they have been identified by the organization and

strictly mitigated in the form of controls and compliance.

However there are other risks which may have not been identified or realized by the

people managing the relationship. These risks include business uncertainty, outdated

technology skills lack of organization learning, loss of innovation, technological

indivisibility and fuzzy focus (Earl, 1996). In terms of software development, the project

manager needs to identify project risks in terms of product, definition and maintenance

risks (Marsh et. al., 1996). The Head of the Department recognizes the fact that the

offshore units do outsource to global programmers.

“I know that units in Singapore and Shanghai do outsource themselves to global

programmers. It’s not something which we don’t do ourselves. I rely heavily on

the knowledge of the people in Singapore that they recruit or outsource the right

people.”

- Head of the Department

But when the development is sub-contracted by the vendor to the third party, it brings in

new level of risks like accountability and resource capability which need to be assessed

and controlled. Even though all the risks may not be present in every sourcing decision,

there are not unusual or esoteric risks (Earl, 1996).

134

Figure 5.10 Concept Map of Key Element 3 – Risks in Outsourcing


Most of the participants have quoted intuitive assessments and prior experience as a

means of identifying risk. However, relying only on the intuition of the experienced

managers to identify risks has proven to be unsatisfactory in the past (Marsh et. al.,

1996). There are various other methods suggested by researchers which include

organizing brainstorming sessions with the managers to discuss the problems in-depth

and provide solutions; conducting structured interviews to initiate a risk revealing

discussion and at times to use expert computer-based systems or outside specialists or

consultants, thus bringing in additional experience in the field of concern.

Furthermore, every company should seek to adopt a risk identification method that is

suited to its culture and meets the depth of detail. A company having a formal method

for its estimating process may follow the checklist method whereas a company with a

participatory style of management may prefer brainstorming sessions, with the project

135

manager taking the record of the risks. A mixture of structured interviews and use of

specialists may have an effect on cost and time but their familiarity with the field would

definitely contribute to the risk identification process. Thus it’s crucial that risks are

identified because if the complete risk picture is not well understood before entering the

negotiation, it would lead to an increase in the risk exposure. It is a management

prerogative to accept the risks (Marsh et. al, 1996).

Since financial stability of the vendor and product knowledge are considered as high

risks, all the interviewees talk about various strategies for collecting vendor information.

The Head of the Department mentions gathering information like company history, list

of clients and types of services; the Compliance Manager suggests visiting the vendor

site, gathering references, examining accounts of past 3 years and information on current

staffing levels and experience levels of the staff; the Production Support Manager

mentions the location of the vendor and disaster recovery abilities as factors to be

considered for identifying risk. These methods would definitely be effective in

perceiving the capability of the vendor. Furthermore to validate the clams in the bidding

exercise and to review performance levels, the organization must make surprise visits

and conduct site audits.

136

Figure 5.11 Concept Map of Key Element 4 – Risk Identification


In terms of assessing the risks, the Compliance Manager points out that there are no set

methods being followed and he has mostly seen common sense, previous experience and

at times some numeric metrics being used.

“I have seen it done in a number of different ways. Sometimes I have seen it done

by using common sense and outsourcing experience. What I have also seen is

some basic numeric metrics.”

Though the common way to assess the risks is through intuition and experience, it is

important to assess the probability of occurrence of these risks and its impact on

timescales, costs and performance. A risk analysis is not complete until all major risks

137

are evaluated in terms of their total cost impact and due allowance has been made for

minor and residual risks (Marsh et. al., 1996). The company may follow any method or

use any computer aided program but it’s crucial to quantify risks in order to know its

impact on the decision and the outsourcing project.

Figure 5.12 Concept Map of Key Element 5 – Risk Assessment


The organization has set standards in terms of controls and compliance. It has a

framework that covers information security, continuity of business, software

management, resource management, vendor management, performance analysis and

vendor reviews. The organization also follows legal regulations; labour law practices

and has a quality team and a UAT team.

In terms of strategies, the Production Support Manager mentions the escalation levels

which go up to the regional level as means for managing risks. The Project Manager

emphasizes on various control procedures that have been put it place around the

138

outsourcing process. The Head of the Department stresses on regular audits as a strategy

for managing vendor related risks.

In terms of policies, the organization seems to have all the controls in place. It follows

the legal regulations set for the banking industry. What needs to be reviewed is the level

of implementation by the vendor companies. The same can be assessed through regular

audits which can be conducted by the organization on a regular basis.

Figure 5.13 Concept Map of Key Element 6 – Strategies & Policies


As regards risk management techniques, most of the interviewees were not aware of any

set procedure being followed by the bank. The Business Development Manager

mentions the role of high authority controls in decision making. The Head of the

Department discusses the standards set on financial grounds. The Project Manager

139

identifies few practices like the process of receiving quotes from 3 vendors, during the

negotiation process the backup and exit plan is considered in the contract thus the

reputation risk is also covered. The critical source code is covered through escrow. Thus

it can be observed that risk management techniques are presently followed in the bank in

the form of policies and guidelines.

Figure 5.14 Concept Map of Key Element 7 – Risk Management Techniques

140

5.10.8 Use of Third Party Consultant

The Compliance Manager personally agrees to the option of having a consultant to

manager the vendor relationship as he thinks it’s a specialized job.

“Management of vendors is a specialized job I think. It takes a certain amount of

skill to it. Traditionally we don’t employ people with that skill and specialist role

to do that so I think because of that we get ourselves into trouble so I know there

are companies out there who do nothing but provide vendor relationship

management. I personally would consider such an option.”

- Compliance Manager

But the rest of the participants are of the opinion that having a third party consultant

wouldn’t be advantageous due to many reasons. The Head of the Department states that

they wouldn’t know the controls set by the bank. The Project Manager mentions, it

would have an impact the cost. The Production Support Manager is of an opinion that

she wouldn’t want an outsider indulging in the relationship as it would just involve

additional people. Thus all of them view this concept from a different perspective which

is more or less related to their field.

Figure 5.15 Concept Map of Key Element 7 – Use of third party consultant

141


The measures suggested by the participants cater to the issues faced by them in their

respective areas. The Compliance Manager cites the need to set a process to measure the

quality of the product and suggests identifying key performance indicators for measuring

performance. The Production Support Manager insists on providing some formal

training to the vendor employees on the existing processes for effective coordination.

Furthermore, the manager suggests measures like uniformity in performance review

documents which would result in effective appraisal of performances. Lastly a process

of acquiring proof of testing from the vendors in order to ensure a thorough test of the

impact of the new system is also recommended. Both, the Production Support Manager

and the Development Manager, come in direct contact with the developers and the

ultimate user and have identified the need of a system analyst for effective gathering of

user requirements which would bridge the gap between technology and business.

Ironically, the head of the department is very much satisfied with the existing process

but stresses on the point that it’s very important to have all the controls in place for a

successful outsourcing experience.

142

Figure 5.16 Concept Map of Key Element 8 – Suggested Measures

5.10.10 Future Trends All the participants believe that the organization would continue outsourcing of

development work in future. However the trend is towards in-sourcing it to other entities

of the organization based in other countries. The Compliance Manager states that the

organization is aware of having a huge share of investment in software houses in India.

Therefore to diversify their risks, it is now looking at other avenues like Poland and

China.

“Poland is a lot cheaper now. India is not always the low cost. The other thing is

we are conscious that we have a lot of investment in software houses in India and

as a cliché, ‘you don’t’ have all your eggs in one basket’, so for business and for

risk management reasons it makes sense to spread the development work

around.”

- Compliance Manager

143

The Head of the Department stresses on moving to cheaper locations with specialized

knowledge. He insists on building a long term relationship with the vendor company

rather than taking it as a mere contract.

“There is an increasing trend to cheap development in other locations with

specialized knowledge. The organization obviously had a large presence in India

all these years and built up the technology perspective. You need to build up a

long term relationship with the companies. I would say the trend would continue

to be global but we would like to bring it in-house again within the

organization.”

- Head of Department

But outsourcing to other emerging countries would require analyzing the risks from a

different perspective. The probability and the rate of risks would differ for each country.

The language issue which would be considered as a medium or low risk when

outsourced to India would definitely be regarded as a high risk for China. This has been

identified by the Project Manager. He is aware of the huge investment in India and

recognizes the trend of outsourcing to cheaper locations like China but stresses on the

fact that unless they solve the language issue, it would be difficult to coordinate and

manage the relationship. He is of an opinion that probably it would take around 3 years

for China to emerge as a big competitor against India. Moreover, he recognizes the risks

of lack of project management expertise and outsourcing experience that should be

assessed before taking a decision.

The concept of in-sourcing to other entities within the organization causes an emergence

of different set of problems. One of the issues faced by the Production Support Manager

is the lack of professionalism on the part of the in-house team.

“The developers work hard but sometimes you feel they don’t treat you like a

client as they potentially should”

-Production Support Manager

144

Thus as identified by Lacity (1993), in-sourcing may not be an appropriate strategy as it

fails to capitalize on a vendor’s inherent cost advantages and creates a political

environment of complacency.

Furthermore, the Head of Department talks about using the existing technology and

knowledge that has been gained by the organization globally. The Procurement Manager

supports the view that it is a strategy adopted by the organization to keep the money

within the group. On analyzing the notion of using existing systems, it definitely would

be advantageous in terms of cost and product knowledge however the existing systems

may not always be the best option for the unit. It may lead to loss of innovation and use

of outdated technology. This is identified by the Production Support Manager as well

who believes that although the present systems provide the basic features and are steady,

there are systems available in the market which could provide better services and

superior quality products.

Lastly, the Procurement Manager observes the trend of reducing the number of vendors

or suppliers. It leads to effective management but has an impact on effective

competition. But the Procurement Manager considers this risk as low as it is believed to

evolve in relative unit. He suggests eliminating those vendors from the list who are not

frequently used as one would not be able to evaluate their performance. However the

Project Manager talks about scale in vendors and emphasizes on distributing the risks by

using different vendors thereby reducing the dependency on a particular vendor.

Furthermore the manager discusses the concept of spread of vendors to manage the

geographical risk. Thus one needs to identify vendors who have a global reach.

145

6. Recommendations & Conclusions

6.1 Recommendations

The comparative analysis of the interviews with the theoretical framework identified in

the literature resulted in key findings in the outsourcing concept. This research displays

the effective outsourcing process and control practices being followed by the bank. It

highlights the immense knowledge and experience gained by the organization since a

decade. The bank had started outsourcing the information technology functions in 1992.

This knowledge and experience has lead to formulation of policies and controls around

the outsourcing process. The technology unit of the bank follows these procedures and

complies with the legal regulations in terms of outsourcing.

However with the ever changing technological environment and the complex nature of

the systems and processes, there is always scope of improvement in the existing

procedures. It is commendable that each interviewee is aware of the existing issues and

recommends a possible solution. If the senior management could review these measures

and implement them, it would definitely have a positive impact on the performance

levels.

Furthermore the results showed that although the framework for outsourcing has been

developed, the bank does not follow a risk management framework in terms of project

management. The outsourcing of application development involves certain risks when

outsourced to offshore countries which need to be identified and effectively assessed in

the decision making process. Since there is no set process for risk identification and

assessment, the concept of risk management seems to be vague and unclear. The

organization needs to evaluate the risks on the project level effectively before selecting

the vendor. Risk management should be integral to the project management process.

In terms of the software development model being followed, it is recommended that the

organization considers an iterative process model wherein the system is developed on a

146

piecemeal basis and the business is actively involved in the development process. This

would mitigate the risk of uncertainty in terms of the product not being developed as per

the user requirements.

The results also highlighted the need for a system analyst in the bank who would be

technically competent and with the related experience and knowledge would bridge the

gap between the business and the technology team. It would result in effective gathering

of user requirements and would consequently have a trickling effect to the overall

process of outsourcing of software development.

Moreover when it comes to decision making, the organization needs to assess the

interests of all the stakeholders and take a strategic decision. In terms of managing the

relationship, the decision to involve a third party consultant is similar to an outsourcing

decision and involves a cost/service tradeoff.

Outsourcing is a global phenomenon. With increasing competition, the established

vendors and new entrants are offering more market-focused products and services. The

organization needs to align its outsourcing decision with its strategic objectives. With

international economic conditions and political instability, the views of the Project

Manager in terms of spread of vendors to manage geographical risk bear much relevance

to the current situation and takes into account the emerging opportunity of international

competition.

6.2 Conclusions This research set out to investigate the risk management practices in decision making of

outsourcing of information systems with the technology department of a large multi

national bank in United Kingdom providing the case study. There is enough literature on

the outsourcing phenomena, its benefits and risks and the decision process for

outsourcing, however not much has been stated on the risk management practices. This

147

research was initiated with an intention of developing a risk management heuristic to

add to the framework of risk management practices in the outsourcing process. The

investigation incorporated stages of the risk management cycle like identification,

assessment and control of the risks in the decision making process. This research has

been undertaken through conducting interviews with several key stakeholders of the

outsourcing process. The detailed findings relating to the outsourcing process, risks

involved and risk management practices associated with the case study have been

discussed in detail in the results and findings and recommendations sections. The

conclusions presented below are intended to provide an overview of the broader

relevance of the findings associated with this research.

The research discovered that the outsourcing process was being practiced by the bank

with more focus on following regulatory controls than formulating a risk management

process. This research concludes that banks lay more emphasis on mitigating financial

and business risks than technical and operational risks.

The results showed the increasing trend of the bank to outsource to cheaper locations,

however there is a need for identifying and assessing the risks on a comparative basis as

the probability and impact of the risks would differ for each offshore destination.

Furthermore the research evidence reveals an absence of a framework for assessing the

risks in outsourcing and its impact in terms of cost, scale and performance. Thus the

quantification of the risks was not possible within the purview of this research.

The results showed that although the bank had implemented the ideal framework for

outsourcing, much effort is needed in managing the relationship effectively. A periodical

performance review is highly desirable along with the identification of key performance

indicators of quality process and benchmarking.

148

6.3 Future Research

This study established an interesting empirical evidence of risk management practices in

outsourcing of information systems in a commercial bank. Management of other

organizations can use this evidence as an input to their own decision making to improve

the outsourcing process and achieve the objectives of outsourcing.

Future research should consider the assessment of the risks identified in terms of its

probability and impact and develop thorough analysis of risk management process. As

new strategies keep evolving in the outsourcing process, future research could develop a

futuristic framework for risk management practices for the future trends in outsourcing.

149

BIBLIOGRAPHY Apte et al., 1997, “IS outsourcing practices in the USA, Japan and Finland: a comparative study”, Journal of Information Technology 12, pg. 289-304

Aubert, et al., 2001, “Managing IT Outsourcing, Risk: Lessons Learned”, Scientific Series, CIRANO, Montréal, May 2001 http://www.cirano.qc.ca/pdf/publication/2000s-39.pdf [Accessed 28 July 2004] Aubert, et al., 2000, “IT Outsourcing Risk Management at British Petroleum” Scientific Series, CIRANO, Montréal http://www.cirano.qc.ca/pdf/publication/2000s-31.pdf [Accessed 28 July 2004] Baccarini, D. and Archer, R., 2001, “The risk ranking of Projects: a Methodology”, International Journal of Project Management, 19, pg. 139-145

Basel Committee on Banking Supervision, 2001, Risk Management Principles of Electronic Banking, Bank for International Settlements

Bernstein, P.L., 1996, “Against the Gods – The Remarkable Story of Risk”, John Wiley & Sons, New York Bhattacharya, S., Beharab, R., David, L., Gundersenc, E., “Business risk perspectives on information systems outsourcing”, International Journal of Accounting Information Systems 4, 2003, pg. 75–93 Boehm, B, B.W., 1989, “Software Risk Management”, IEEE Computer Society Press, Los Alamitos, California Butler, M., Holt, M., Menzies, K., Jones, G., Jennings, T., Jagger, E., Smith, E., Newman, J., Jones, T. & Gibbes, K., 2001, “Strategic Sourcing: Effective alternatives for enterprise”, Butler Group: Technology Infrastructure, Research and Advisory Services, October 2001 Cadle, J. and Yeates, D., 2001, Project Managers for Information Systems. Essex: Prentice Hall. Chalos, P., 1995, ‘Costing, Control and Strategic Analysis in Outsourcing Decisions’, Cost Management, Winter, pg. 31-37

150

http://www.cirano.qc.ca/pdf/publication/2000s-39.pdf

http://www.cirano.qc.ca/pdf/publication/2000s-31.pdf

Cohen, L., 2003 – Developing and Setting an Outsourcing Strategy, Gartner Group, October, 2003 http://www3.gartner.com/DisplayDocument?id=411574 [Accessed on 3 June, 2004]

De Looff, L., 1997, “Information Systems Outsourcing Decision Making: A Managerial Approach”, London: Idea Group Publishing, pg. 30

DFC, Department of Finance, Canada –Glossary http://www.fin.gc.ca/scripts/glossary.asp [Accessed on 3 June, 2004]

Dickson, G., 1989, “Risk management: what does the future hold”, Journal of the Society of Fellows London Chartered Insurance Institute Domberger, S. and Fernandez, P., 2000, “Modelling the price, performance and contract characteristics of IT outsourcing”, Journal of Information Technology, 2000 15, pg. 107–118

Earl, M.J., 1996, ‘Limits to IT Outsourcing’, London: London Business School Elkington, P. & Smallman, C., 2000 “Managing project risks: a case study from the utilities sector”, International Journal of Project Management, 20 49-57 http://www.elsevier.com/locate/iproman.html [Accessed: 28 July 2004]

Everest Software Corp.,1996-1997, ‘Outsourcing’ http://www.outsourcing-mgmt.com/html [Accessed 28 July 2004] Fairchild, A., “Enabling Usage-Based IT Costing in the Banking Sector”, Tilburg University, the Netherlands http://www.ejise.com/volume6-issue2/issue2-art10-fairchild.pdf [Accessed on 3 June, 2004]

FDIC, 2000, Risk Management of Technology Outsourcing, Federal Deposit Insurance Corporation, Washington, November, 2000

Free, D., 2001 – “Financial Services Strategies: The Case for Outsourcing Business Issues”, Gartner Research http://www3.gartner.com/DisplayDocument?id=349134 [Accessed on 3 June, 2004]

151

http://www3.gartner.com/DisplayDocument?id=411574

http://www.elsevier.com/locate/iproman.html

http://www.outsourcing-mgmt.com/html

http://www.ejise.com/volume6-issue2/issue2-art10-fairchild.pdf


Haimes, Y.Y, 1998, “Risk Modeling, Assessment and Management”, John Wiley & Sons Inc Hancox, M. and Hackney, R., 2000, ‘IT Outsourcing: frameworks for conceptualizing practice and perception, Information systems journal 10, Blackwell Science Ltd, 2000, pg. 217-237

Hillson, D., 2001, “Extending the risk process to manage opportunities” International Journal of Project Management, Vol. 20, No. 3, pg. 235-240.

Higuera, R. P., 1995, “Team risk management” Crosstalk: U.S. Department of Defence, January 1995 pg. 2-4 Huff, S.L., 1991, ‘Outsourcing of Information Services’, Business Quarterly, spring 1991, pg. 62-65 Glass, R.L., 1996, ‘The end of the outsourcing era’. Information Systems Management, 13 (2), pg. 89-91 Goolsby, K., 2004, “The Reach of Risk in Financial Services”, Outsourcing Center, Everest Partners, April, 2004 http://www.outsourcing-information-technology.com/reach.html [Accessed 28 July 2004] Jennings, D. and Wattam, S., 1998 Decision Making- An Integrated Approach, Financial Times Management Kettler, K. and Walstrom, J., 1993, “The Outsourcing Decision”, International Journal of Information Management, 13(6), pg. 449-459 Kleinhammer, R., Nelson, T., Warner, A.J., 2003,“Balancing the Risks”, Darwin Magazine, CXO Media Inc, June, 2003 Klepper, R., 1995, ‘Outsourcing Relationships’, in Managing IT with Outsourcing, eds. Khosrowpour M., pg. 218-243

Kliem, L. R. and Ludin, S. I.,1997, Reducing Project Risks. Hampshire, England: Gower. Lacity, M.C and Hirschheim, R., 1993, ‘The Information Systems Outsourcing Bandwagon’, Sloan Management Review, fall 1993, pg.73-86 Lacity, M.C and Hirschheim, R., 1995, “Beyond the Information Systems Outsourcing Bandwagon”, Wiley & Sons, USA

152

http://www.outsourcing-information-technology.com/reach.html

Lacity, C.M, Willcocks, P.L, and Feeny, F.D., 1996, ‘The Value of selective IT sourcing, Sloan Management Review, Spring, pg. 13-25 Lankford, W.M. and Parsa, F., 1999, ‘Outsourcing: a Primer’, Management Decision, MCB University Press, 37/4 1999, pg. 310-316 Lanzing, J., 1997, The Concept Mapping Homepage http://users.edte.utwente.nl/lanzing/cm_home.htm [Accessed 28 July 2004]

Lewis, E., 1999, “Using the risk-remedy method to evaluate outsourcing tenders”, Journal of Information Technology, 14, pg. 203-211 Levin, M., Schneider, M., 1997, “Making the Distinction: Risk Management, Risk Exposure”, Risk Management, August 1997, pg. 36-42. Loh, L. & Venkatraman, N., 1995, “Information Technology Outsourcing: A Cross-Sectional Analysis, in Strategic Information management”, eds. Galliers R.D & Baker B.S.H., Butterworth-Heinemann UK, pg. 263-281 Lonsdale, C., 1999 - “Effectively managing vertical supply relationships: a risk management model for outsourcing” Supply Chain Management. An International Journal 4 (4), pg. 176-183. Lowrance, W. W., 1976, “Of Acceptable Risk, William Kaufmann, Los Altos, CA McGaughey, R. E. Jr., Snyder, C. A. and Carr, H. H.,1994, “Implementing Information Technology for competitive advantage: risk management issues”, Information and Management 26, pg. 273-280

Marsh, S., 1996, “Introducing RISKMAN: The European Project Risk Management Methodology”, The Stationery Office, 1996 Mayes, N., 2004, ‘The Next Generation’, Computer Business Review, June 2004, pg. 58-60 McCarthy, E., 1996, ``To outsource or not to outsource - what's right for you?,'' Pension Management, Vol. 32 No. 4, pg. 12-17 McFarlan, F.W. & Nolan R.L., 1995, ‘How To Manage an IT Outsourcing Alliance’, Sloan Management Review, Vol. 36, No. 2, Winter 1995, pg. 9-22 McGrew, G.A, 1982, Decision making – Approaches and Analysis, M.J. Wilson , Manchester University Press

153

http://users.edte.utwente.nl/lanzing/cm_home.htm

Murphy, J., 2003 – Management Update: Evaluating and Mitigating Outsourcing Risk http://www3.gartner.com/DisplayDocument?id=406357 [Accessed on 3 June, 2004]

Myers, M., 1997- Qualitative Research in Information Systems, MISQ Discovery http://www.qual.auckland.ac.nz/ [Accessed on 3 June, 2004] Oltman, J.R., 1990, ”21st Century Outsourcing”, Computerworld, 16 April, pp. 77-79 Price Waterhouse Coopers, 1998, ‘Global Top Decision Makers Study on Business Process Outsourcing’, Price Waterhouse Coopers, New York, NY, London, Yankelovich Partners, Goldstein Consulting Group. Ptak, R.L. and Noel, J., 1998, “Avoiding outsourcing blues”, Business Communications Review, 1998

Remenyi, D. and Heafield, A., 1996, “Business process re-engineering: some aspects of how to evaluate and manage the risk exposure”, International Journal of Project Management , Vol. 14, No. 6, pp. 349-357, Elsevier Science Ltd and IPMA Saunders, M; Lewis, P. and Thornhill, A., 2000, “Research Methods for Business Students”, (2nd Edition) Prentice Hall Sangani, K., 2003 – Financial World http://www.financialworld.co.uk/mag.pdf/apr03/p28-34OutsouingFWApr03.pdf [Accessed on 3 June, 2004] Scardino, L., 2003 - A Blueprint for Successful Sourcing, Gartner Group, May, 2003 http://www3.gartner.com/DisplayDocument?id=393586 [Accessed on 3 June, 2004]

Smith M. A., Mitra S., Narasimhan S., “Information systems outsourcing: a study of pre-event firm characteristics”, Journal of Management Information Systems 1998, 15(2), pg. 61–93.

Smith, K.L and Smith, D., 2003, “Management Control Systems and trust in outsourcing relationships”, Management Accounting Research, Vol. 13, Issue. 3, September, 2003, pg. 281-307

Spillenkothen, R., 2001, ‘Outsourcing of Information and Transaction Processing’, Director, Division Of Banking Supervision And Regulation, Board of Governors Of The Federal Reserve System, Washington D.C., 2001

154


http://www.qual.auckland.ac.nz/

http://www.financialworld.co.uk/mag.pdf/apr03/p28-34OutsouingFWApr03.pdf


155

Takac, P.F., 1993, ‘Outsourcing Technology: Is Outsourcing a Threat or an Opportunity for greater efficiency and productivity? ’, Management Decision, Vol. 31, No. 1, 1993, pg. 26-37 Takac, P.F, 1994, ‘Outsourcing a Key to Controlling Escalating IT costs’, International Journal of Technological Management, Volume 9, Number 2, pg. 139-55 Teece, D. J., Rumelt, R., Dosi, G., Winter S., 1994, "Understanding Corporate Coherence, Theory and Evidence", Journal of Economic Behavior and Organization, 23, 1994, pg. 1-30 Upton, R. and Conway, J., 2002 “Second-Generation IT Outsourcing: A Primer”, White Paper, Managed Services, Fujitsu Consulting Inc Valsamakis, A. C., Vivian, R. W. and Du Toit, G. S., 1992, “The Theory and Principles of Risk Management”, Butterworth Publishers (Pty) Ltd, Durban

Ward, J. & Griffiths, P., 2001 “Strategic Planning for Information Systems”, Chichester: John Wiley & Sons. , pg. 96-154

Weinreich, N.K., 2003, Integrating Quantitative and Qualitative Methods in Social Marketing Research http://www.social-marketing.com/research.html [Accessed on 19 May, 2004] William, M.K., 2002, Deductive and Inductive thinking http://trochim.human.cornell.edu/kb/dedind.htm [Accessed on 3 June, 2004]

Willcocks, L. and Margetts, H., 1994,”Risk and information systems: developing the analysis”, In Information Management: The Evaluation of Information Systems Investments,Willcocks, L. (ed.), Chapman & Hall, London, pg. 207-30. Wood, Douglas, 2001, “Corporate Strategy, Centralization and Outsourcing in Banking:Case Studies on Paper Payments Processing”, Manchester Business School http://econwpa.wustl.edu:8089/eps/eh/papers/0301/0301005.pdf [Accessed on 3 June, 2004]

Zhu, Z., Hsu, K. and Lillie, J., 2001, “Outsourcing - a strategic move: the process and the ingredients for success”, Management Decision, MCB University Press, Volume 39 Number 5 2001, pg. 373-378

http://www.social-marketing.com/research.html

http://trochim.human.cornell.edu/kb/dedind.htm

http://econwpa.wustl.edu:8089/eps/eh/papers/0301/0301005.pdf

the university of sheffielddagda.shef.ac.uk/dispub/dissertations/2003-04/... · 5.3.10 using third...

Documents