the university of sheffielddagda.shef.ac.uk/dispub/dissertations/2003-04/... · 5.3.10 using third...
TRANSCRIPT
Risk Management Practices in Information System
Outsourcing: an investigation into a commercial bank
in UK
A Study submitted in partial fulfilment of the requirements for the degree of Master of Science in Information Systems
at
THE UNIVERSITY OF SHEFFIELD
By
JYOTI BAHIRWANI
SEPTEMBER 2004
ABSTRACT This research work focuses on the risk management practices in information system
outsourcing adopted by a commercial bank in UK. It is motivated by the risks identified
in the academic literature. Though ample research has been conducted to identify risks
and decision frameworks for outsourcing, there is little or no study conducted to identify
the risk management practices. The research illustrates the globally increasing trend of
outsourcing IS and demonstrates the various strategies and decision frameworks adopted
for outsourcing.
The research draws largely from the analysis of the interviews conducted with the
various stakeholders in the outsourcing process namely: technology head, project
manager, compliance manager, procurement manager, support manager and business
development manager. After analyzing the interviews, an inductive qualitative research
approach was used to draw conclusions. The interviewees agree that adopting risk
management practices while outsourcing information systems is very important.
The findings revealed that although managers of various departments in the bank
identify the significant risks in information systems outsourcing, not many follow a set
framework for assessing the risks and depend largely on intuition and previous
experience. The study also discovered that the bank has formulated policies and
guidelines to comply with the legal regulations set for the process of outsourcing.
2
ACKNOWLEDGMENT A lot of people played various roles in ensuring that this research work is of merit.
While I deeply appreciate the contributions of all these people, I wish to place on record
the efforts of Dr Miguel Baptista Nunes, my project supervisor for his unending support
and intellectual insights, which enhanced the quality of this work. This thesis could not
have been written without his help. I also truly appreciate Mr Niall Woodhead for his
attention, support and cooperation throughout my research in London. Finally, I give
great thanks to God for His abiding presence.
3
Title page
Abstract 2
Acknowledgement 3
Table of Contents 4-10
1. INTRODUCTION 11
1.1 Background of Study 11
1.2 Problem Statement 12
1.3 Research Objectives 13
1.4 Research Questions 13
1.5 Research Approach and Strategy 14
1.6 Case Study Approach 15
1.7 Research Tools 15
1.8 Target population 16
1.9 Limitations to the Study 16
1.9.1 Banks’ attitude to research 16
1.9.2 Availability of staff 16
1.9.3 Time 17
1.10 Confidentiality 17
1.10.1 The ethical code 17
1.11 Dissertation Overview 18
2. OUTSOURCING 20
2.1 Introduction 20
2.2 Definition of Information System Outsourcing 20
2.3 Objective of Information System Outsourcing 22
2.4 Case for Outsourcing 24
2.5 Risks associated with Information System Outsourcing 25
2.6 Information Systems Outsourcing Strategy 28
4
2.6.1 Types of Outsourcing 29
2.6.2 Types of Outsourcing Relationships 30
2.7 Trends in Outsourcing 32
2.8 Information Systems Outsourcing Process 34
2.9 Framework for Decision Making in IS Outsourcing 36
2.10 Risk Thinking in Decision Making 43
3. RISK MANAGEMENT 45
3.1 Introduction 45
3.2 Concept of Risk 46
3.3 Concept of Risk Management 48
3.4 Risk Management Frameworks 51
3.5 Risk Management Process 52
3.5.1 Steps in Risk Management 53
3.5.2 Risk Identification 54
3.5.3 Risk Assessment 57
3.5.4 Risk Control 59
3.6 Rationale for Risk Management 64
3.7 Risk Management for outsourcing information systems 64
3.8 Current Risk Management Models 65
4. CASE STUDY 68
4.1 Introduction 68
4.2 The Organization 68
4.3 Outsourcing Options 70
4.4. Outsourcing Process 70
4.5 Software Development Life Cycle 71
5
5. RESULTS AND FINDINGS 74
5.1 Presentation of the results and findings 74
5.2 Key Concepts 75
5.3 Interview One: Compliance Manager 75
5.3.1 Role in Decision Making Process 76
5.3.2 The Outsourcing Process 76
5.3.3 Objective of Outsourcing 77
5.3.4 Risks in Outsourcing 77
5.3.5 Risk Identification Process 78
5.3.6 Risk Assessment Process 78
5.3.7 Strategies & Policies for managing risk 79
5.3.8 Risk Management Techniques 80
5.3.9 Suggested Measures 80
5.3.10 Using third party consultants 81
5.3.11 Future Trends in Outsourcing 82
5.3.12 Concept Map 82
5.4 Interview Two: The Procurement Manager 84
5.4.1 Role in Decision Making Process 84
5.4.2 Outsourcing Process 84
5.4.2.1 Issues in managing the Outsourcing Process 85
5.4.3 Objective of Outsourcing 88
5.4.4 Risks in Outsourcing 88
5.4.5 Risk Identification Process 89
5.4.6 Strategies & Policies for managing risk 89
5.4.7 Using Third Party Consultants 90
5.4.8 Future Trends in Outsourcing 90
5.4.9 Concept Map 91
5.5 Interview Three – Production Support Manager 92
5.5.1 Role in Decision Making Process 92
5.5.2 Outsourcing Process 92
5.5.2.1 Issues in managing the Outsourcing Process 93
6
5.5.3 Risks in Outsourcing 96
5.5.4 Risk Identification 98
5.5.5 Risk Management Techniques 98
5.5.6 Key factors in Decision Making 99
5.5.7 Suggested Measures 100
5.5.8 Using Third Party Consultants 100
5.5.9 Future Trends in Outsourcing 101
5.5.10 Concept Map 102
5.6 Interview Four – Business Development Manager 103
5.6.1 Role in Decision Making Process 103
5.6.2 Outsourcing Process 103
5.6.2.1 Issues in managing the Outsourcing Process 104
5.6.3 Risks in Outsourcing 105
5.6.4 Suggested Measures 106
5.6.5 Risk Management Techniques 108
5.6.6 Key factors in Decision Making 109
5.6.7 Using Third Party Consultants 110
5.6.8 Concept Map 110
5.7 Interview Five – Project Manager 111
5.7.1 Role in the decision making process 111
5.7.2 Outsourcing Process 111
5.7.3 Objective of Outsourcing 112
5.7.4 Risks in Outsourcing 112
5.7.5 Risk Assessment Process 113
5.7.6 Strategies and Policies for managing risk 114
5.7.7 Risk Management Techniques 114
5.7.8 Suggested Measures 116
5.7.9 Need for third party consultant 116
5.7.10 Future Trends 116
5.7.11 Concept Map 117
5.8 Interview Six – Head of Department 118
7
5.8.1 Role in Decision Making Process: 118
5.8.2 Outsourcing Process 118
5.8.3 Objective of Outsourcing 119
5.8.4 Risks in Outsourcing 119
5.8.5 Strategies & Policies for managing risk 120
5.8.6 Risk Management Techniques 121
5.8.7 Suggested Measures 121
5.8.8 Using Third Party Consultants 122
5.8.9 Future Trends in Outsourcing 122
5.8.10 Concept Map 123
5.9 Discussion 123
5.9.1 Summarizing the key concepts 123
5.10 Findings 128
5.10.1 Objective of Outsourcing 128
5.10.2 Outsourcing Process 130
5.10.3 Risks in Outsourcing 132
5.10.4 Risk Identification Process 134
5.10.5 Risk Assessment Process 136
5.10.6 Strategies & Policies for managing risk 137
5.10.7 Risk Management Techniques 138
5.10.8 Use of Third Party Consultant 140
5.10.9 Suggested Measures 141
5.10.10Future Trends 142
6 RECOMMENDATIONS & CONCLUSIONS 145
6.1 Recommendations 145
6.2 Conclusions 146
6.3 Future Research 148
BIBLIOGRAPHY 149-154
8
LIST OF FIGURES
Figure 2.1: Components of IT outsourcing risk exposure 28
Figure 2.2: The Evolution of IT Outsourcing 31
Figure 2.3: Outsourcing Process Framework 35
Figure 2.4: The Four-S Outsourcing Model 36
Figure 2.5: IS Cost/Service trade-off 39
Figure 3.1: The risk management process is a repetitive cycle 52
Figure 3.2: Risk Probability/Impact Chart 59
Figure 3.3: Risk Mitigation Plan 61
Figure 3.4: Sample Risk Analysis Sheet 63
Figure 3.5: Risk-Return-Rating (R3) Method 66
Figure 4.1: Organizational Structure 68
Figure 4.2: Technology Unit 69
Figure 4.3: Sourcing Strategy in Software Development Life Cycle of the Bank 72
Figure 5.1: Concept Map of Interview 1 - Compliance Manager 83
Figure 5.2: Concept Map of Interview 2 - Procurement Manager 91
9
Figure 5.3: Concept Map of Interview 3 – Production Support Manager 102
Figure 5.4: Concept Map of Interview 4 – Business Development Manager 110
Figure 5.5: Concept Map of Interview 5 – Project Manager 117
Figure 5.6: Concept Map of Interview 6 – Head of Department 123
Figure 5.7: Analysis Chart 127
Figure 5.8: Concept Map of Key Element 1 – Objective of Outsourcing 129
Figure 5.9: The Outsourcing Decision Process 132
Figure 5.10: Concept Map of Key Element 3 – Risks in Outsourcing 134
Figure 5.11: Concept Map of Key Element 4 – Risk Identification 136
Figure 5.12: Concept Map of Key Element 5 – Risk Assessment 137
Figure 5.13: Concept Map of Key Element 6 – Strategies & Policies 138
Figure 5.14: Concept Map of Key Element 7 – Risk Management Techniques 139
Figure 5.15: Concept Map of Key Element 7 – Use of third party consultant 140
Figure 5.16: Concept Map of Key Element 8 – Suggested Measures 142
10
1. INTRODUCTION
1.1 Background of Study
The DFC terms a bank as “a federally regulated financial institution that, in general,
engages in the business of taking deposits, lending, and providing other financial
services”. In the last 10 years substantial changes in the business environment left
commercial banks with longstanding advantages in core processes at a competitive cost
disadvantage relative to new competitors. Deregulation opened the most profitable
segments of retail financial services to non-bank competitors while IT innovations
extended production options to offer cost reductions to both new players and existing
banks (Wood, 2001). Technology challenged integration solutions by giving existing
and new competitors a new range of strategies based on in sourcing and outsourcing that
redefined supply chains in respect of client capture, distribution or asset securitization.
Financial services organizations increasingly chose outsourcing solutions, driven by
business need to create usage based costing, increase flexibility and release working
capital. According to DataMontor.com the end of 2002 showed a number of key
corporate willing to consider outsourcing all or part of their IT functions. In 2002,
money on IT outsourcing reached $9.7bn. Datamonitor predicts that European
corporates and financial services firms will spend $12.4bn by 2005 (Sangani, 2003).
Thus we can observe that outsourcing is an inevitable development in the financial
services industry.
The key business drivers that attract these financial institutions to outsourcing are
increasing IT resource costs including salaries, hiring expenses, staff training and career
development and increasing IT capital investment costs like the cost of technology,
disaster recovery and capacity planning. The financial institutions that are exploring the
outsourcing option are typically making an important distinction between commoditized
activities, which are good candidates for outsourcing, and core competencies that are
11
strategic and critical to the success of the business (Free, 2001). However there are many
strategic and tactical issues that make the outsourcing decision a difficult one and the
one that carries considerable risk. Thus in an outsourcing relationship, only enterprises
that can effectively manage risk will be able to address the issues that will inevitably
arise and could prevent a successful outcome. The Gartner group predicts that by 2005,
75 percent of enterprises that fail to recognize and mitigate risk throughout the
outsourcing life cycle will fail to meet their outsourcing goals because of misaligned
objectives, unrealized expectations, poor service quality and cost overruns (Murphy,
2003). This study observes these suggestions and focuses the research area into a
commercial bank in UK. It attempts to find out the risk management strategies presently
adopted by a bank and makes an effort to identify critical success factors for managing
risk in IS outsourcing.
1.2 Problem Statement
The general problem domain of this research is the risks associated with IS outsourcing.
However, the specific emphasis of the research can be formulated in the following
problem statement:
‘How can organizations identify and assess risks when taking an IS outsourcing
decision?’
12
1.3 Research Objectives
The objectives of the research are listed below:
• To evaluate the strategic framework of outsourcing by examining the theoretical
models presenting different views towards outsourcing.
• To identify various categories of risk associated with IT outsourcing.
• To investigate the risk management practices currently adopted by a commercial
bank in UK in their information system outsourcing efforts.
• To determine how the decision-making processes in information systems
outsourcing can be supported in order to reduce the associated risks
• To identify a model of good practice for outsourcing decision.
1.4 Research Questions
The primary research question this study seeks to answer is “Do commercial bank
managers follow risk management practices in the decision making process to outsource
information systems?”
The following issues will be examined in order to answer the primary research question
stated above:
• Is there a formal decision making process for IS outsourcing?
• What are the criteria for selecting outsourcing as an option?
13
• What and how are the risks identified in outsourcing?
• How are the risks assessed in the decision making process?
• Does the organization have policies and guidelines for outsourcing of
information systems? Are they strictly adhered to?
• What are the future trends and risks in outsourcing of Information Systems?
1.5 Research Approach and Strategy
This research adopts an inductive research approach, which reasons the works from
specific observations to broader generalisation and theories (William, 2002). Inductive
approach enables ‘a cause-effect link to be made between particular variables without an
understanding of the way in which humans interpreted their social world’ (Saunders et
al., 2000, pg. 89).
This study follows the qualitative research methodology. Qualitative research
methodologies are designed to provide the researcher with the perspective of target
audience members through immersion in a culture or situation and direct interaction
with the people under study. The methods to be used in the study include observations
and in-depth interviews. These methods are designed to help researchers understand the
meanings people assign to social phenomena and to elucidate the mental processes
underlying behaviors. The study would generate hypotheses during data collection and
analysis, and measurement would be subjective (Weinreich, 2003).
The motivation for doing qualitative research, as opposed to quantitative research,
comes from the observation that, if there is one thing which distinguishes humans from
the natural world, it is our ability to talk! Qualitative research methods are designed to
help researchers understand people and the social and cultural contexts within which
14
they live. Some researchers argue that the goal of understanding a phenomenon from the
point of view of the participants and its particular social and institutional context is
largely lost when textual data are quantified (Myers, 1997).
1.6 Case Study Approach
The case study approach has been adopted in this research. The case study is a
commercial bank in London, UK. Case study research is the most common qualitative
method used in information systems. Although there are numerous definitions, the scope
of a case study is defined as follows (Myers, 1997):
A case study is an empirical inquiry that:
• investigates a contemporary phenomenon within its real-life context, especially
when
• The boundaries between phenomenon and context are not clearly evident"
It is mentioned by many researchers that the case study research method is particularly
well-suited to IS research, since the object of the discipline is the study of information
systems in organizations, and interest has shifted to organizational rather than technical
issues (Myers, 1997). My Case study research would be interpretive and critical.
1.7 Research Tools
The primary mode of data collection used in this study was interviews and e-mail
exchanges with a significant representation of the key population. The interviews were
semi-structured in order to provide the flexibility necessary to obtain valuable qualitative
data, whilst maintaining a focus on the specific research question. The secondary
sources are books, journals, articles, white papers, websites, previous dissertations,
reports and opinions of regulatory bodies.
15
1.8 Target population
The primary source of information in this study were the strategic managers who are
involved in long-term decision-making in the bank, Heads of IS departments who are
working in association with the providers of the outsourcing service providers and user
departments in the bank.
1.9 Limitations to the Study
Like most studies, the findings of this research may have been limited by some factors.
Attempts were however made to reduce these limitations. Some of which are detailed
below:
1.9.1 Banks’ attitude to research
There was an initial reluctance on the part of bank to disclose information to a researcher
from an academic institution. I had to re-emphasize the confidentiality of information,
concluding that the academic exercise would add to the body of knowledge.
1.9.2 Availability of staff
The availability of staff has been an important issue. It was a limiting factor as the
research was conducted over the summer months when many employees choose to take
long vacations. In some occasions the staff had other commitments that may have been
on a higher priority than supporting student research projects.
16
1.9.3 Time
Time has been the most significant limiting factor in this research. The research has been
undertaken in the months between June and September 2003 as the exams and
coursework associated with the taught element of the course were timetabled until the
end of May. The restriction on time can be considered to have had a small impact on the
quality of this research project. Had more time been available, it would have been
possible to study the literature in greater depth and interview more stakeholders in the
outsourcing process.
1.10 Confidentiality
Having discussed the confidentiality and ethical considerations with the interviewees at
the organization supplying the case study, the following ethical code has been adhered to
throughout the research:
1.10.1 The ethical code
The organization shall not be mentioned explicitly in the dissertation or any
further research that might take place as a result of the dissertation;
All participants in the research shall remain anonymous. The names of
respondents will not appear in the final report;
All confidential information will be treated with discretion. Only the researcher
will have access to data that associates an individual with any confidential
comments; and participants will be able to request a digital copy of the final
report.
The research will attempt to explore risk identification in practice.
It is hoped that the final report will be of benefit to those who take part in the research.
17
1.11 Dissertation Overview
This thesis takes literature available from published journals, books, and reports, from
academic sources and finally literature from the white papers and published news
articles, linked to four main themes. The objective of this thesis is fourfold. First is an
introduction of the study with the research questions and objectives. The introduction
makes the argument that adoption of risk management practices is crucial in outsourcing
information systems for banks. In order to harness the benefits of outsourcing
Information system, there is need for management to define objectives and formulate
strategies. Second is a review and classification of the body of knowledge in relation to
the outsourcing, the risks involved in outsourcing and the need for a risk management
framework in decision making. Third is an investigation of the risk management
practices in decision making of outsourcing in a commercial bank. Fourth is an analysis
of the findings along with discussions. Lastly is the conclusion of the research with brief
overview, with a short summary of areas for future research.
Outsourcing
This section provides an overview of outsourcing, the benefits and objectives, the risks
involved in outsourcing information systems. This section also describes the outsourcing
strategies, the framework for decision making and the importance of risk thinking in
decision making
Risk Management
This section looks at the concept and components of risk management, the rationale for
risks management, the risk management process, the management of information
systems and outsourcing risks and current risk management practices.
18
Case Study
Having discussed the global risk management practices in outsourcing of information
systems, this section describes the organization taken as the case study, the
organizational structure, the outsourcing process followed by the bank and the software
development life cycle model.
Results analysis and discussions
This section presents the results and analysis of the survey findings, including:
• Outsourcing objectives
• Risks identified in outsourcing
• Outsourcing process
• Risk management, practices and guidelines
• Suggested Measures
• Future Trends
Recommendations, conclusion and future research
This section describes the overview of the research, conclusions and my views for
further research.
19
2. OUTSOURCING
2.1 Introduction
Tracing its roots to the time-sharing and professional services of the 1960s, outsourcing
has become an important option today for information systems (IS) and corporate
executives (Apte et. al., 1997). The practice of outsourcing is an international
phenomenon. There has been increasing interest in the opportunities provided by
outsourcing (Butler et. al., 2001; Lacity & Willcocks (1996); Loh & Venkatraman,
1995; McCarthy, 1996). However, there is also a growing body of evidence of a high
failure rate in such arrangements. One cause of this is the high level of risk associated
with alliances, compared to `in-house' activities (Smith & Smith, 2003).
This section looks at the 1) Definition of Outsourcing 2) Objective of Outsourcing 3)
Case for Outsourcing 4)Risks in Information Systems Outsourcing 5) Information
System Outsourcing Strategies 6) Types of Outsourcing and Outsourcing Relationships
7) Trends in Outsourcing 8) Outsourcing Process 9) Framework for Decision Making in
Outsourcing 10) Risk Thinking in Decision Making
2.2 Definition of Information System Outsourcing
Numerous definitions for the term ‘outsourcing’ have been stated in the past.
Outsourcing in its most basic form was conceived as, purchase of a good or service that
was previously provided internally (Lacity and Hirschheim, 1993). However precise
definitions of information technology (IT) outsourcing differ in the literature (Glass,
1996). Some of the notable definitions are as follows:
20
‘Outsourcing means turning over or sharing responsibility for all or part of an
organization’s information technology function with a third party’ –Oltman, 1990
‘It is a significant contribution by external vendors in the physical and/or human
resources associated with the entire or specific components of the IT infrastructure in the
user organization’ - Loh and Venkatraman, 1995
“It is the procurement of products or services from sources that are external to the
organization” - Lankford and Parsa, 1999
‘Outsourcing refers to the transfer of assets-computers, networks and people-from a
user to vendor, the vendor taking over the responsibility for the outsourced activity.’ -
Takac, 1994
‘Outsourcing is a new word for facilities management, but it is broader in term of IT
services and a changing relationship between client and external vendor’ - Huff, 1991
“Outsourcing is selectively turning over to a vendor some or all of the information
systems functions, ranging from simple data entry to software development and
maintenance, data center operations and full system integration” - Apte et al, 1997
“ IS outsourcing is the commissioning of part or all of the information systems activities
an organization needs, and/or transferring the associated human and other information
systems resources, to one or more external IS suppliers.” - De Looff, 1997
Though there are different aspects considered in all the definitions, there seems to be a
general agreement about outsourcing being a process of carrying out of IT functions by
third parties (Kettler and Walstrom, 1993). However today, outsourcing has grown to
span multiple systems and represents a significant transfer of assets, leases and staff to a
vendor that now assumes profit and loss responsibility (Lacity and Hirschheim, 1995).
21
In order to gain the profits of outsourcing, one needs to analyze the key objectives of
such a strategic decision
2.3 Objective of Information System Outsourcing
Although information technology (IT) is integral to the operations of most organizations
and requires a much higher level of skill, it happens to be one of the most outsourced
services (Domberger and Fernandez, 2000). One might ponder on the thought that why
do senior managers prefer to entrust outside firms with critical tasks? There have been
several attempts to understand the objective of outsourcing. McCarthy (1996) describes
them as follows:
• Outsourcing allows companies to refocus their resources on their core business.
• Corporations can buy technology from a vendor that would be too expensive for
them to replicate internally.
• Outsourcing lets companies re-examine their benefit plans, make them more
efficient, and save time and money while improving efficiencies.
• Companies outsource to improve the benefit plan service level to their employees
by making the information more consistent and more available.
• A final possible reason is to reduce costs, certainly over the longer term.
Domberger and Fernandez (2000) find the ever-increasing expenditure on IT services
and the often exceptionally high levels of service expected by users responsible for
much of the spotlight on IT outsourcing as an alternative method of service delivery.
Similarly, Bhattacharya et al (2003) observes that the drivers of outsourcing decisions
are both internal and external to the outsourcing organization. Smith et al. (1998)
22
explicitly classify these internal and external drivers of IS outsourcing into five
categories which are as follows:
1. Cost reduction
It is believed that an outside vendor can provide the same level of service at a
lower cost than the internal IS department because the vendor has better
economies of scale, tighter control over fringe benefits, and better access to
lower cost labor pools, and more focused expertise in managing IS.
2. Focus on core competence
Companies may also outsource their IS to streamline the management agenda
and focus on the firm’s core business (McFarlan and Nolan, 1995). Senior
executives often consider the IS function a commodity service best managed by a
large supplier (Bhattacharya et al, 2003).
.
3. Liquidity needs
Companies often outsource IS to generate cash and enhance liquidity (McFarlan
and Nolan, 1995). Many IS outsourcing agreements involve an introductory cash
payment by the vendor for the tangible and intangible IT assets of the client
(Smith et al., 1998). The vendor then uses this infrastructure and may also hire
the IS staff of the client to provide contract services to the client and others.
4. IS capability factors
IS capability factors also motivate outsourcing (Smith et al., 1998; McFarlan and
Nolan, 1995). Rapid technological advances may leave firms’ IS departments
lacking in current technical expertise and equipment. The vendor may have the
resources with special skills and expertise in managing the particular IT function
23
5. Environmental factors
Finally, environmental factors’ that play a role in the outsourcing decision
(McFarlan and Nolan, 1995) are external influences that exist in the industry or
in the economy at the time of outsourcing. For instance, the decision to outsource
IS may be driven by imitative behavior among firms (McFarlan and Nolan,
1995) or by a mix of external media, vendor pressure, and internal
communications at a personal level among managers (Bhattacharya et al, 2003). .
After the Kodak outsourcing decision, for example, many large firms began to
view IS outsourcing as a viable alternative (Smith et al., 1998).
2.4 Case for Outsourcing
Apart from the popular benefits of significant cost savings and competitive advantage
from outsourcing, Butler et. al. (2001) presents the business case for outsourcing:
1. Control:
Many companies are moving towards concentrating on their core
competencies and removing everything else from their direct responsibility.
The issues and overheads of in-house management can be devolved from the
company to another organization with expertise in that area, allowing the
company to concentrate in improving its business.
2. Speed of change:
The speed in which technology develops can be encapsulated in the statement
‘one elapsed year equals to seven IT years’. It is not feasible for the
company to ignore new technology and it is expensive to obtain all the
appropriate skills in-house.
24
3. Total cost of ownership:
The cost of running and maintaining an application in-house, over an average
life span of five years, is estimated to be four to five times the cost of the
original purchase. Comparatively the cost of outsourcing the development
and maintenance works out cheaper.
4. Maintaining employees:
The cost of recruiting staff and getting them trained can be eliminated
through the use of outsourcing.
5. Number of employees:
This is significantly reduced with outsourcing, as it requires only a single
resource to be responsible for the relationship with the outsource provider,
and often this would not be a dedicated role.
2.5 Risks associated with Information System Outsourcing Amid the rhetoric about outsourcing’s benefits, the risks and costs of outsourcing are
sometimes lost. Problems such as failure to achieve anticipated cost, losing control of
critical functions, lowering the morale of permanent employee and managing
relationships that go wrong (Curie and Willcocks, 1997) are due to outsourcing. Loss of
control over the quality of the software and the project’s timetable, reduced flexibility
and loss of strategic alignment are often expressed as drawbacks of outsourcing (Apte et
al., 1997).
Outsourcing of IT functions involve similar risks that may arise when these functions are
performed internally, such as threats to the availability of systems used to support
customer transactions, the integrity or security of customer account information, or the
integrity of risk management information systems (Spillenkothen, 2001).
25
Earl (1996) identifies eleven risks in outsourcing which in practice indicate the limits to
outsourcing:
1. Possibility of weak management
2. Inexperienced Staff
3. Business Uncertainty
4. Outdated Technology Skills
5. Endemic Uncertainty
6. Hidden Costs
7. Lack of organizational learning
8. Loss of innovative capacity
9. Danger of misunderstanding
10. Technological indivisibility
11. Fuzzy focus
Takac (1994) and Chalos (1995) have identified the following risks and sources of risks
or factors resulting in risks related to outsourcing:
• Business and technical change
• Supply of skilled resources
• Retention of in-house expertise
• Service level maintenance
• Culture factors
• Transfer of contracts
• Contractual complexity
• Change of outsourcers
• Performance expectations
• Breach of proprietary information
• Financial stability of the supplier
26
Aubert et al, 2001 identifies not only the risk factors in outsourcing but also their
potential negative consequences. These outcomes, with their associated factors are
summarized in the following figure.
Factors leading to outcome Undesirable outcomes
• Lack of experience and expertise of the client with the activity (Earl, 1996; Lacity et al, 1995)
• Lack of experience of the client with outsourcing (Earl, 1996)
• Uncertainty about the legal environment
Unexpected transition and management costs (Earl, 1996)
• Asset specificity • Small number of suppliers • Scope • Interdependence of activities
Switching costs (including lock-in, repatriation and transfer to another supplier)
• Uncertainty • Technological discontinuity (Lacity
et al. 1995) • Task complexity
Costly contractual amendments (Earl, 1996)
• Measurement problems • Lack of experience and expertise of
the client and/or of the supplier with outsourcing contracts (Earl, 1996; Lacity et al, 1995)
• Uncertainty about the legal environment
• Poor cultural fit
Disputes and litigation (Lacity and Hirschheim, 1993)
• Interdependence of activities • Lack of experience and expertise of
the supplier with the activity (Earl, 1996)
• Supplier size (Earl, 1996) • Supplier financial stability (Earl,
1996 ) • Measurement problems • Task complexity
Service debasement (Lacity and Hirschheim, 1993)
• Lack of experience and expertise of the client with contract
• management (Earl, 1996; Lacity et al, 1995)
• Measurement problems
Cost escalation (Lacity and Hirschheim, 1993; Lacity et al, 1995)
27
• Lack of experience and expertise of the supplier with the activity (Earl, 1996)
• Scope • Proximity of the core competencies • Interdependence of activities
Loss of organizational competencies (Earl, 1996; Lacity et al, 1995)
• Complexity of the activities • Measurement problems • Uncertainty
Hidden Service Costs (Lacity and Hirschheim, 1993)
Figure 2.1: Components of IT outsourcing risk exposure
(Adapted from Table 1 – Aubert et al, 2001) Besides Lacity et al (1996) notes the degree of the risks in outsourcing to be directly
proportional to the maturity and the degree of integration of the technical activities with
other processes. Activities which are technically immature and have a high degree of
technical integration with other business processes tend to have significantly high risks
in outsourcing. Thus in order to control the risks, the organization needs to select an
appropriate strategy depending on the activity being outsourced (Butler et. al., 2001)
2.6 Information Systems Outsourcing Strategy
Outsourcing of IT facilities ranges from specific areas such as helpdesk provision or
application development, right through to the outsourcing of the whole IT function,
including infrastructure, staff and the related business processes (Butler et. al, 2001). For
any enterprise that is outsourcing, or thinking about outsourcing, it needs to understand
what it means to have a sourcing strategy (Cohen, 2003). A sourcing strategy is a
continuous journey into the best balance between internal and external activities and
between services and know-how. It is a continuous alignment among business strategy,
business processes and IT services on behalf of the organization’s strategic
achievements. It is the researching of a path that always keeps a balance of the decisions
that an enterprise must make, the results that must be achieved and the options that can
be taken when necessary. It is an instrument for flexibility, not a rigid decision or a static
outsourcing contract based on a service provider’s brand (Cohen, 2003).
28
2.6.1 Types of Outsourcing
Lacity and Hirschheim (1993) have identified three types of outsourcing which are
based upon the extent to which responsibilities are being shared:
1. Body Shop:
The management uses outsourcing as a way to meet short term demand
through the use of contract programmers/personnel that are managed by
company employees
2. Project Management:
The management out sources a specific project or portion of IS work, such as
systems development, application support, handling of disaster recover,
provision of training, or network management. In these cases, the vendor is
responsible for managing and completing the work.
3. Total Outsourcing:
The vendor is in total charge of a significant piece f IS work. The most
common type is total outsourcing of hardware (e.g.: Data centre and/ or
telecommunication) operations. One of the outsourcing strategies is to turn
over entire hardware and software support to an outside vendor.
Takac (1993) identifies four categories of outsourcing based upon an alternative
approach which associates the ownership of assets to the administrational operations
1. Network service:
It employs the vendor’s network for communication requirements. The
infrastructure and day to day operations are the responsibility of the
company.
29
2. Service retention:
It is concerned with the operation and management of network services and
equipment. The customer retains ownership of network services but the
vendor processes billing for the services and performs day to day operations
3. Service transfer:
The vendor owns the network and manages the customer traffic. The
customer retains ownership of the equipment.
4. Asset transfer:
In addition to service transfer, asset transfer also involves the transfer of
assets. The customer liquidates or sells its facility assets generally to the
vendor as part of the contract.
2.6.2 Types of Outsourcing Relationships
According to Klepper (1995) outsourcing relationships are divided into 2 steps; namely,
contracting relationships and exchange relationship or partnership relationship.
1. Contracting relationships:
This relationship occurs over an extended period of time. It is ‘arm-length,
market based exchange relationships in which the IS department client
fosters competition between many suppliers and lets each contract on the
basis of the best combination of quality, time to deliver and price’ (p.220)
2. Exchange relationship or partnership relationship:
‘The outsourcing parties do repeated business with each other and take steps
to share the costs and gains of their outsourcing activity’(p.220).
30
Market researchers like Upton (2002) terms the distinction in outsourcing relationships
as different generation models. As the outsourcers and the vendors gain experience and
the relationship matures, there has been an evolution of a second generation model
which is fundamentally different from the first generation model and increasingly
focuses on strategic partnership. Following are the characteristics of the two models
which are distinctively different in their approach.
Figure 2.2: The Evolution of IT Outsourcing (Adapted from Table 1 – Upton, 2003, pg.2)
First Generation Model
First-generation outsourcing has been aimed at stabilizing and standardizing the
IT environment and offloading non-core business processes. The primary
objective of this model was to reduce organizational costs and allow the
company to focus on its main business.
31
Second Generation Model
Second-generation outsourcing is built upon this “offload to supplier” practice
for IT service delivery and focuses on building a business focused solution with
the client that leverages the IT environment for increased business benefits. It is
designed to facilitate customer intimacy and product leadership for an
organization. This is achieved through a transformation of IT architectures;
alignment of IT with the business; and the optimization of business processes to
take advantage of the new capabilities provided. To summarize second-
generation outsourcing shifts the relationship between outsourcer and the vendor
from trusted supplier to vital business partner.
Thus IT outsourcing functions have moved from providing merely technological support
to strategic business expertise.
2.7 Trends in Outsourcing
IT Outsourcing has existed for almost three decades. As early as 1963, EDS handled
data processing services for Frito-Lay and Blue Cross & Blue Shield. Other outsourcing
options that were exercised were the use of contract programmers, time-sharing and
purchase of packaged software (Lacity and Hirschheim, 1995). Outsourcing was seen as
a tool by small and low technology organizations to avoid the financial burden of an IT
department that either was not of any strategic importance, or they could not afford
(McFarlan & Nolan, 1995)
But in 1990s, the move by Kodak to outsource a large proportion of their IT activities
among three vendors marked a revolution in the outsourcing phenomena. Kodak termed
this relationship as a strategic partnership wherein it could focus on its core
competencies while using the IT expertise of its vendors. Thus the growing popularity
of outsourcing was attributed to two main reasons – focus on core competencies and the
perception of IS as a cost burden (Lacity and Hirschheim, 1995).
32
Outsourcing has developed into a global and total outsourcing trend, where companies
have started moving towards consolidating their vendors globally. Corporations have
increased their use of offshore delivery to lower the cost of developing and maintaining
its applications. Today’s outsourcing customers are no longer afraid to take drastic
measures if they feel that they are not getting what they want from their current supplier.
The single largest outsourcing contract announced in 2003 saw a major supplier
transition. The UK Inland Revenue Service switched from a dual supplier relationship
for the management of its IT infrastructure from EDS and Accenture, to a consortium of
suppliers led by Cap Gemini with Fujitsu Services and BT Group worth ₤3 billion
(Mayes, 2004). The UK Royal Mail also awarded a 2.4 billion contract to a consortium
headed by Computer Sciences Corp (CSC) to handle the company’s data centers, data
networks, voice services, desktop computers and other business applications. CSC’s
consortium, which also included Xansa and BT Group, was selected over its two larger
competitors IBM Global Services and EDS for the contract (Mayes, 2004). Thus the
latest trend is to outsource with a consortium of best-of-breed suppliers.
However the outsourcing phenomenon is moving on to bigger changes as vendors are
increasingly changing their service offerings by building them around standard building
blocks. Cohen at Gartner observes the building of a standardized delivery model which
he calls as a ‘factory environment’. This model is based on a mass customization of IT
services wherein vendors will build pre-fabricated infrastructure, common code and
applications to lower their development costs (Mayes, 2004). In 2004, IBM announced a
$575 million deal with investment bank Morgan Stanley to accept its mainframe
computing infrastructure to an on-demand model, which will automatically draw
processing power, storage capacity and networking bandwidth as needed from a shared
pool of data centre resources. IBM claims that Morgan Stanley will realize in cost
savings by switching to a variable pricing model (Mayes, 2004).
33
2.8 Information Systems Outsourcing Process
Today outsourcing has become a top management issue. Price Waterhouse Coopers
(1998) found that the decision on whether and how to outsource is steadily moving up
the organization to the CFO, COO, and CEO levels. Many researchers have come up
with detailed description on the process of outsourcing. Ptak and Noel (1998) lay stress
on the planning stage in the outsourcing process. Zhu et.al. (2001) have identified four
stages and the critical activities in the outsourcing process which are as follows:
1. The planning stage
1.1 A Sound Business Plan
2. The developing stage
2.1 The vendor agreement
2.2 The business relationship
2.3 The impact on employee benefits
2.4 The outsourcing timeline
2.5 The communication plan
3. The implementation stage
3.1 The transition plan
3.2 The transition checklist
4. The post-outsourcing review
Everest (1996) provides a framework to aid in the decision making process for
outsourcing. The model is based on the life cycle of outsourcing. It includes discreet
steps which are initial stage of decision making whether to outsource or not, the pre-
outsourcing phase which involves selection of vendors, the evaluation of bids received
from the vendors the procurement stage, followed by the management and change
management phase. The last two phases are important in terms of managing vendor
34
relationship and performance reviews. If not satisfied, the company has an option of
replacing the vendor. The process will now begin from the tendering exercise. The
outsourcing process is also diagrammatically presented as follows:
ement Phase
Replace the Outsourcer
Change Manag
Management Phase
Procurement Phase
The evaluation ofbids
Pre-Outsourcing Phase
Outsourcing or not
Figure 2.3: Outsourcing Process Framework The outsourcing process described above can be modified and extended to any specific
industry and can be used as a general guideline for outsourcing specific information
technology functions. However in order to achieve corporate goals rather than just cost
savings, there is a need to build decision models that would facilitate managers in
systematically identifying the best outsourcing candidates within the organization (Zhu
et.al., 2001).
35
2.9 Framework for Decision Making in IS Outsourcing As organizations strive towards greater competitiveness and flexibility, there is emphasis
on selecting the right candidates for outsourcing. Prior literature suggests models that
can be used to understand managerial motivations for IS outsourcing
Zucchini (1992) presents the Four-S Outsourcing Model to help guide a firm’s
outsourcing decision in a managerial context. The model is comprised of four quadrants,
varied along two dimensions where one addresses the organization’s objective in making
the decision (Economics/Expertise) and the other indicates the utility of the decision
(Functional/Dysfunctional). The resulting quadrants represent application types and are
identified as Scale, Specialty, Sale, and Surrender.
Figure 2.4: The Four-S Outsourcing Model (Zucchni, 1992)
36
Functional Decision
According to this model, outsourcing decision based on scale and specialty are
functional decisions. The scale factor is highlighted when a vendor is able to
provide the same service at a cost that is lower than what the outsourcing
company could achieve through in-house operations. Similarly the decision is
considered rational if it is based on taking advantage of the vendor’s specialized
technological or operational skills.
Dysfunctional Decision
On the other hand, the model considers the sale of IS resources in order to
achieve either short-term earnings or balance sheet improvements and surrender
of IS functions to be a dysfunctional approach to outsourcing. The sale of IS
resources generally results in the loss of valuable human resources and the
associated knowledge base and organizational memory. While outsourcers may
initially maintain personnel whose skills have been outsourced within the
organization, such personnel are soon reassigned to other projects once the
outsourcing engagement takes effect. In the second case, advances in the
technological environment often force organizations to consider outsourcing
whereby they effectively surrender control of the IS function to external
suppliers. However, such surrenders are usually motivated by short-term
considerations where the vendor does not have any incentive to become a
‘‘partner’’ in the business process. This leads to the surrender of mission-critical
IS functions to external parties. Furthermore, the recovery of such critical IS
functions once surrendered to outside providers often proves far more difficult
once the in-house expertise has left the organization (Weaver et al., 2000).
37
Furthermore Lacity and Hirschheim (1995, pg.181-216) present a sourcing methodology
that addresses a myriad of political and rational issues rather than treating it as a simple
make-or- buy decision. The methodology describes the decision model to be followed
and suggests a framework for the outsourcing process. It comprises of six phases which
are as follows:
1. Stakeholder Assessment:
This process is carried out to understand the different perceptions and
expectations of the stakeholders with regards to IS performance. The senior
management tend to view the entire IS function as a commodity rather than a
strategic asset or core competency. The main objective is to cut costs. On the
other hand, the business unit managers aim for service excellence thereby
viewing the IS activities as critical to business success but dismiss other units
IS activities as commodities. Like business unit managers, the end users also
tend to view IS as a critical contributor to daily business processes. IS
managers are caught somewhere in the middle, trying to juggle the
conflicting IS priorities set by senior management and the business units.
Lacity and Hirschheim (1995) present a matrix which depicts the IS
cost/service trade-off – that costs are directly proportional to service levels
(the better the service, the higher the costs). This matrix highlights the issue
of different perceptions and expectations of the stakeholders leads to
inconsistent agendas for IS, prevents IS strategy alignment with corporate
strategy, and offers IS virtually no hope for even marginal success, let alone
stardom.
38
Minimal Cost Premium Cost
Premium
Service
Superstar
Senior Management’s and
users’ expectations of IS
Differentiator
Realm of possible IS
performance
Minimal
Service
Commodity/ low cost
product
Realm of possible IS
performance
Black Hole
Senior Management’s and
users’ perception of IS
Figure 2.5: IS Cost/Service trade-off
(Adapted from Table 6.1 – Lacity and Hirschheim, 1995, pg.159)
2. Create a Shared Agenda by evaluating the activities
The senior executives, users and IS managers should work together to set IS
priorities by not only aligning IS strategies with corporate strategies, but by
including IS in the formulation of corporate strategies. Lacity and
Hirschheim (1995) have identified two critical success factors for classifying
different activities into ‘commodities’ and ‘differentiators’. Firstly,
stakeholders must ignore conventional arguments and generalizations.
Secondly, stakeholders must not let the accounting structure mask IS’s
business value. Once IS activities have been classified, the stakeholders can
set performance objectives. Typically for ‘differentiators’ the performance
objective is service excellence and for ‘commodities’ it is cost minimizations.
Once the priorities are established, the stakeholders can explore different
sourcing alternatives.
39
3. Selecting outsourcing Candidates
Most organizations will not consider activities classified as ‘differentiators’
for outsourcing because of their vital contribution to the business. In contrast,
IS activities classified as ‘commodities’ may be suitable for outsourcing if
the market can provide cheaper costs while still maintaining an acceptable
service level. However Lacity and Hirschheim (1995) suggest that cost
efficiency largely depends on adoption of efficient management practices and
to a lesser extent, economies of scale.
4. Comparing In-house provision with vendor offerings
Once the stakeholders have identified the outsourcing candidates, they need
to compare the vendor offerings against the in-house provision. This step
entails the following:
Informing the IS Staff
As the decision to outsource is being taken, the senior management must
address human resource issues head-on. Lacity and Hirschheim (1995)
suggests to treat employees as adults and by informing the IS staff of the
evaluation process could act as a galvanizing force, where the staff
develop a sense of team spirit and work together to develop an internal
bid. It could act as a catalyst for creativity as they seek new ways of
providing IS service in a cost-effective manner.
Creating Teams
Lacity and Hirschheim (1995) suggest creating three internal teams: an
evaluation team, an RFP team and an internal bid team proves to be an
effective approach for evaluation. The evaluation team typically headed
40
by a senior executive and containing representative from affected
business units and senior IS manager would develop the bid analysis
criteria, ensure fair treatment of bidding parties, analyze bids against the
criteria and make the sourcing decision. The RFP (request for proposal)
team typically headed by an IS manager and other members of the IS
staff can create a detailed proposal. An internal bid team comprising of
number of IS managers and employees who are not affected by the
decision.
Creating Evaluation Criteria
The major evaluation criteria will definitely be price. But as far as
auxiliary issues are concerned, the evaluation team could develop a host
of criteria for such issues as personnel, disposition of current IS assets,
disaster recovery, conversion processes, access to supplemental
technologies and talent, contract administration and termination. Finally
by formally weighing the decision criteria, the company can make a
qualitative assessment thereby extending beyond the price factor.
Assessing the Validity of the Bids
The evaluation team needs to not only compare bids but also assess the
validity of the proposals as regards whether the bidders can actually
deliver what they promise. In most cases, the winner outbids the others
cause of superior management practices, inherent economies of scale or
superior technical expertise. However Lacity and Hirschheim (1995)
propose inviting the top candidates to present their bids and explain as to
where and how they propose to meet there bid.
41
5. Contract negotiations with external vendors
The contract is said to be the only mechanism that establishes a balance of
power in the outsourcing relationship. Lacity and Hirschheim (1995) &
Everest (1996) mention the following factors to be considered during
contract negotiations
• Avoid vague ‘partnership’ talk
• Discard the vendor’s standard contract
• Do no sign incomplete contracts
• Hire outsourcing experts
• Measure everything during the baseline period
• Develop service level measures
• Develop service level reports
• Specify escalation procedures
• Include penalties for non-performance
• Include incentives for superior performance
• Determine growth
• Adjust changes to changes in business volume
• Select your account manager
• Include a termination clause
• Beware of ‘change of character’ clauses
6. Managing the decision
Whether an internal or external bid is selected, continued management of IS
activities is vital to ensure success. The senior management should select a
contract manager who can serve as a primary intermediary between users and
the vendor, work closely with the vendor account manger to prioritize
42
requests and handle disputes, monitor vendor performance and question and
review monthly bills and excess fees.
2.10 Risk Thinking in Decision Making A decision is a goal directed behavior made by the individual, in response to a certain
need, with the intention of satisfying the motive that the need occasions (Mcgrew,
1982). In fact a decision is the end state of a much more dynamic process which is
labeled ‘decision making’.
(Jennings and Wattam, 1998) treats decision making as synonymous with managing. In
so doing, they underline the fact that decision making as a process should not be reduced
simply to a choice among alternatives. Rather, this process involves conceptualization of
the problem to be solved and the description of how that final choice is made.
The decision process begins with identifying the organization objectives followed by
identification of a problem. The problem arises when a sought after goal can be obtained
via alternative and sometimes competing avenues. (Jennings and Wattam, 1998)
suggests that problem identification leads first to intelligence activity, which involves
searching the environment for various conditions reflecting on the decision. Within the
organization context, problem identification is followed by design activity in which all
options are analyzed. Choice activity and Implementation is the final step in the decision
process where an alternative is selected.
The decision making process is thus something tidy and which has is own internal logic.
Yet the most important element in real decision making is that of uncertainty. The
distinguishing characteristics of a decision and decision making are that it involves
choice under condition of uncertainty.
Risk is a dimension in many decisions. Risks have to be carefully calculated. When
considering the benefits of a risk, attention must be given to the consequences of
43
incurring the loss or danger which is at the heart of the risk. The assessment of
probability can give you guidance what to do. As Cicero said, ‘probabilities guide the
decisions of wise men’ (Haimes, 1998)
Risk based decision making and risk based approaches in decision making are terms
frequently used to indicate some systematic process that deals with uncertainties.
Uncertainty is inherent when the process attempts to answer the set of questions posed
by William W. Lowrance: “who should decide on the acceptability of what risk, for
whom, in what terms and why? (Lowrance, 1976) Risk based decision making is
complex and cross disciplinary. Risk assessment and management must be an integral
part of the decision making process, rather than a gratuitous add-on technical analysis.
Finally good risk management requires good decision making. Both require focusing on
how to best achieve the goals of a project under conditions of uncertainty. Both require
making trade-offs based upon what is most to least important. Risk management and
decision making are like tea and crumpets: in the right amount they go well together
(Kliem and Ludin, 1997).
44
3. RISK MANAGEMENT 3.1 Introduction Bernstein’s history of man’s effort to understand risk begins with the following
question: “What is it that distinguishes the thousands of years of history from what we
think of as modern times?” The following answer is provided: “The revolutionary idea
that defines the boundary between modern times and the past is the mastery of risk: the
notion that the future is more than a whim of the gods, and that men and women are not
passive before nature” (Bernstein, 1996, pg. 1). The question and its answer could be
transposed to the context of the management of Information Technology (IT)
outsourcing (Aubert, et al., 2000). While, three decade ago, firms considering to
outsource their IT activities were often portrayed as facing numerous and important risks
against which little could be done, there are now techniques and approaches that show
that these risks can be managed.
In case of financial institutions that are engaging in outsourcing, the Basel Committee on
Banking Supervision (2001) expects the institution to identify, address and manage the
risks in IT outsourcing in a prudent manner. Thus risk assessment and risk management
are crucial activities when taking an outsourcing decision.
This section looks at 1) the concept of risk 2) the concept of risk management 4) the risk
management framework 5) Risk Management Process 6) Risk Identification 7) Risk
Assessment 8) Risk Control 9) Risk Management for Outsourcing Information Systems
10) Current Risk Management Models 11) Risk Identification and Assessment in
Decision Making
45
3.2 Concept of Risk
“Risk is a choice rather than a fate”
Bernstein (1996, pg. 8)
Risk and risk management has been studied in many domains and each field addresses
risk in a manner relevant to its object of analysis, thus presenting different perspectives
of risk and risk management (Aubert et. al, 2001). Since it is essential that the
conceptualization of risk and of risk management adopted in a study be consistent, we
shall look at different perspectives presented by Aubert et. al. (2001) and identify the
perspective that is been adopted in this study of risk.
Risk as an undesirable event
In some domains, risk is equated to a possible negative event. As Levin and
Schneider (1997; pg. 38) defines risks as “… events that, if they occur, represent
a material threat to an entity’s fortune”. Applied in a management context, the
“entity” would be the organization and the risks can be managed using insurance,
therefore compensating the entity if the event occurs; they can also be managed
using contingency planning, thus providing a path to follow if an undesirable
event occurs.
Risk as a probability function
For some fields risk is the probability of the event occurring. For example,
medicine often focuses solely on the probability of disease (e.g. heart attack),
since the negative consequence is death in many cases. It would be useless to
focus on the consequence itself since it is irreversible.
46
Risk as variance
Finance adopts a different perspective of risk, where risk is equated to the
variance of the distribution of outcomes. Thus for a given rate of return,
managers will prefer lower volatility but would be likely to tolerate higher
volatility if the expected return was thought to be superior.
Risk as expected loss
The Insurance field follows the perspective of risk as expected loss. It defines
risk as the product of two functions: a loss function and a probability function.
However when it comes to IT outsourcing, many researchers have adopted a perspective
of risk as expected loss. It has been termed as risk exposure which is defined as:
RE = ∑i P(UOi) * L(UOi)
Where P(UOi) the probability of an undesirable outcome i, and L(UOi) the loss due to
the undesirable outcome i (Boehm, 1989; Teece et al, 1994 ). However it is important to
note that only the negative side of the distribution of all potential events is considered in
this definition of risk. Positive events are not considered.
Though this theory is simplistic in its approach, applying it in the real world is by no
means simple. If one is able to quantify the values of all the risks one had to face, the
above theory would prove invaluable, but that is most unlikely to be the case in practice.
Hence, for my research, the following notion of risk is emphasized:
If the risk occurs, what is the cause of the risk and what is its effect on costs, timescale
and performance and if it has not occurred, then whether it is still likely to occur in the
future (Marsh et. al., 1996).
47
3.3 Concept of Risk Management
The roots of risk management are traceable to 1700 B.C when the Babylonians
established a principle called bottomry as a method of handling the risks associated with
international trade. In 700 B.C the Greeks and Phoenicians first introduced business risk
control measures. The identification of risk management as a separate management
function may be attributed to Fayol who in 1916 identified six basic functions of
management which included technical, commercial, financial, accounting, managerial
and security activities. It is in the management function related to security activities that
Fayol recognized gave early recognition to the need for a security and loss-control
function within organizations, and today this area is being developed into a discipline in
its own right (Remenyi and Heafield, 1996).
Thus the concept has evolved in many years wherein many definitions were cited in the
literature that aimed to explain the concept of risk management. The following are a few
such definitions which indicate the scope of the idea of risk management.
“Risk management is a managerial function aimed at protecting the organization against
the consequences (adverse) of pure risk, more particularly aimed at reducing the severity
and variability of losses” - Valsamakis et al., 1992
“The identification, analysis and economic control of the risks which threaten the assets
or earning capacity of an organization” - Dickson, 1989
“Risk management is the science and art of recognizing the existence of threats,
determining their consequences on resources, and applying modifying factors cost
effectively to keep adverse consequences within bounds” - McGaughey et. al., 1994
48
The underlying notion of these definitions is that risk management includes the
identification, evaluation and control of risks facing the organization in order to
minimize its financial impact.
In this research, the following definition of risk management has been identified for the
IT outsourcing environment:
“Risk Management is the complete process involved in identifying risks and assessing
them for likelihood and potential impact. This includes the development of suitable
strategies to mitigate the impacts and the activities involved in budgeting for risk,
controlling and report risk status and the risks until the consequences are fully resolved.”
-Marsh et. al., 1996
The risk management process not only includes identifying and assessing the risks in
terms of its impact but also involves developing suitable mitigation strategies, budgeting
and risk reporting to control the risks and deal with it proactively. In order to carry out
these activities, it is imperative that the risk management process is embedded in the
organization strategy or project environment, rather than being tacked on as an
afterthought. To set this process, Marsh (1996: pg. 46) suggests the following principles
for an effective risk management approach:
Compatibility
The approach needs to be constructed to integrate smoothly into the organization
environment. Risk management should be embedded in the management process.
Flexibility
The approach must be flexible and enable the level of risk management
sophistication to be matched to the organization objectives
49
Visibility
The first requirement for an effective risk management process to take place is
that there should be clear visibility of the information needed for sound decision
making. The approach must provide an efficient means to ensure that the right
risks are identified, qualified, quantified, documented and analyzed.
Ownership
In order to achieve control of risk, it is essential that ownership of each risk is
allocated to one appropriate person, and that separate ownership is also ascribed
to each cause of that risk. The risk owner must have the power to take action to
control of the risk but must report it through the relevant channels like
project/risk manager concerning developments in his risk area.
Understanding and strategy development
The approach must make provision for educating/training all relevant staff
regarding risk so that they develop a real understanding of risk causes and the
skill to construct and implement risk mitigation strategies.
Continuous improvement
The approach should also make a provision for continual up-date and
improvement of risk knowledge and skill and thus establish a comprehensive
knowledge base of risks regularly faced by the organization.
50
3.4 Risk Management Frameworks
Many authors present the risk management processes as a series of discreet stages. There
are many variations to the suggested model, some of which are highlighted below:
“Planning, identification, quantitative and qualitative analysis, response planning, and
monitoring” (Hillson, 2001)
“Identification, assessment, actions” (Cadle and Yeates, 2001, pg. 200)
“Identify, analyze, plan, track, control, communicate” (Higuera, 1995)
“Identification, analysis, control and reporting” (Kleim and Ludin, 1998: pg. 9)
“Identify, analyze, evaluate, prioritize and treat the risks” (Willcocks and Magrett,
1994)
“Identification, evaluation, mitigation, budget provisioning, monitoring and control, risk
audits and continual improvement” (Marsh, 1996, pg.73)
Though these models include wide-ranging activities, the significant overlap between
the frameworks is very clear. Almost all the models include the identification,
assessment and risk control stages
The approach presented by Marsh (1996) which is popularly known as RISKMAN has
been adopted for this research as it encapsulates all the important activities for assessing
and controlling risks and also goes a step further by enhancing its usefulness by its
integration with the capturing of experience and ensuring continuous improvement.
51
3.5 Risk Management Process The risk management process is a cyclical process which can be compared to a
stopwatch. Just like the second hand goes around many times on a stopwatch, the risk
driven management process representing a sequence of stages runs its course through the
outsourcing management process. From the very outset of the outsourcing process, in
the project initiation phase, risks should be identified and mitigation strategies should be
developed a part of the quantification process. As the outsourcing process moves to the
management phase, the cycle should be repeated again to monitor and control the
unidentified risks.
Risk Modeling or Risk Analysis
Risk mitigation, reduction and/or optimization
Risk reporting and strategy development
Risk quantification and classification
Risk monitoring And control
Risk Identification and documentation
The Risk Management
Process
Figure 3.1: The risk management process is a repetitive cycle (Adapted from Fig: 3.20 – Marsh et al, 1996, pg. 71)
52
3.5.1 Steps in Risk Management
The risk management process consists of various risk activities; the breakdown of which
is shown in the following figure. These activities comprise of a number of steps, each of
which have to be addressed by the company’s functional and project managers, to
successfully implement risk management.
Risk Identification:
The work involved in identifying the potential risks, including classifying and
recording each risk, qualifying the risk by documenting a unique description of
the risk element, estimating its probability (likelihood) of occurrence, potential
impact in terms of timescales, costs or quality (performance) and assigning it to a
risk owner who is responsible for managing the risk
Risk Evaluation
The work involved in modeling the process, conducting a sensitivity analysis and
prioritizing the risks. Analysis is an important activity as it enables assessing the
exposure within the delivery timescales and costs to be quantified.
Risk Control
The work involved in monitoring and reporting to higher management of the
status of the risks and the effectiveness of the mitigation strategies. Mitigation
strategies are planned and means devised by which the impact of the risk may be
reduced, its occurrence prevented, the risk avoided, or the need for contingencies
to be put in place to compensate for the risk should it occur. Risk control also
includes the estimation and calculation of the risk exposure in financial terms,
53
caused by the impact of the risk with due consideration of the moderating effect
of the mitigation strategy.
Continuous Improvement
The work involved in training of personnel in best practices of risk management
and in the analysis of the corporate data within the project history file to extract
the lessons learned for future reference.
The risk activities can be shaped into a risk management process and thus integrated into
the company procedures for each functional area of the organization that is presently
being considered for outsourcing or already outsourced. Since I am researching into risk
management practices in decision making, I have restricted my detailed study of risk
management to identification and assessment of risks and mitigation strategies.
3.5.2 Risk Identification
Risk Identification is considered as the most important and difficult stage in the risk
management process (Elkinton and Smallman, 2002). To be effective, risk identification
requires considerable up front planning and research. Considerable effort occurs in
identifying and ranking the processes, or components, of a project, its major goals and
its risks. Several institutional factors influence how people perceive their risk
assessment. They include atmosphere, availability of information, management style,
market/economic conditions and policies (Kliem and Ludin, 1997, pg. 8).
In most companies risk identification is done by relying upon intuitive assessments by
the most experienced senior managers. However, in many cases once the
implementation commences, the contracts turn into disasters or the objectives are not
met (Marsh et. al., 1996 pg. 97).
54
In the identification process, managers need to determine the analysis technique to use,
select the primary participants who are to perform the risk identification, allow
participants time to perform it and decide where to conduct it. For research, they must
review project plans, interview people, calculate statistics and metrics and peruse
technical documentation (Kliem and Ludin, 1997, pg. 8).
Thus risk identification can be carried out by a combination of methods suggested by
Marsh et. al. (1996, pg. 98):
Use of experienced intuitive management
Relying only on the intuition of the experienced managers has proven to be
unsatisfactory in the past. Managers may adapt attitudes according to their
perception of the risks. They consider the risks identified by them but they may
be reluctant to accept the risks identified by others. Thus this method should be
supported by some other means to overcome its shortcomings.
Use of experts in departments
The experts of each department understand the nature of the business, the
problems of their field and the organization available to manage them out. Thus
if the culture of the company is one of openness and risk taking, then the experts
are the best people to identify risks.
Standard questionnaires and checklists
Standard questionnaires are a useful but not necessarily an effective way of
identifying risks. Checklists are simple and can be an effective means of
capturing and using corporate knowledge to assist in the process of risk
identification.
55
Use of expert computer-based systems
These may be developed using corporate experience assisted by specialists in
each discipline. However expert systems rarely reveal risks that are hidden and
tend to concentrate people’s attention on the obvious.
Structured interviews
It is a technique that has been used successfully for many years to extract
information. The prime aim is to initiate a risk-revealing discussion that draws
out the risks about the activity that has to be undertaken.
Brainstorming sessions
It is an extremely effective method however it requires bringing together
specialists and managers on a number of occasions to discuss each area in-depth
and potential solutions. They are also subject to being dominated by stronger
personalities who may push their ideas and the weaker voices may feel insecure
and threatened. Brainstorming sessions may need a skilled facilitator to
encourage and maintain a balance in the discussion.
Use of outside specialists/consultants
It can be an effective means of augmenting existing staff and bringing in
additional experience in the field of concern. There may be problems like time
and costs involved and the fact that when they leave, experience leaves with
them. However, despite their short-comings, their familiarity with the field
would immensely contribute to the risk identification and mitigation process.
56
3.5.3 Risk Assessment
The identification step is closely allied with the next step, risk analysis. Two categories
of risk analysis exist: quantitative and qualitative. Quantitative techniques rely heavily
on statistical approaches, such as the Monte Carlo simulation. Qualitative techniques
rely more on judgment than on statistical calculations such as heuristics (Kliem and
Ludin, 1997, pg. 8).
Statistics play an important role in risk analysis. The lists of techniques identified by
Kliem and Ludin (1997, pg. 68) that are used for risk analysis are:
• Three point estimate
• Decision tree
• Monte Carlo simulation
• Heuristics
There are many risk software products in the market that use variations of the Monte
Carlo method. Though the results of the computer work are most impressive, there have
been some fundamental criticisms which are stated as follows:
The data input to risk analysis tools is inevitable inaccurate, incomplete and
over-simplified thus indulging in GIGO- Garbage In is Garbage Out.
The more detailed and impressive the computer produced results, the more
management are seduced into believing them. This makes decision making even
more precarious.
Marsh et. al. (1996, pg. 106) in the RISKMAN methodology present the risk assessment
approach as a two stage activity. Stage 1 is the estimation of an impact and probability
for each risk. Stage 2 is the use of the impact and probability estimates with a model to
arrive at a quantitative estimate of the effect on timescales and costs.
57
Impact and probability estimates
Every risk must be assessed for its probability of occurrence and estimated
impact on timescales, cost and performance. The estimates are usually based on
intuition and experience and may be given in different formats as follows:
Probability
0-100%
Low/Medium/High
Scale Value 0-1
Impact
Nil/Low/Medium/High
Cost (in currency units or man days/man months)
Timescales weeks/months/years
Quality/performance (reduced specification)
The probabilities when given in any of the above format are related to the actual figures
by converting the scale to numerical quantities using conversion factors
High to a scale value between 0.3 -1.0 (30-100%)
Medium to a scale value between 0.1 -0.3 (10-30%)
Low to a scale value between 0.0 -0.1 (0-10%)
The risks can be entered on a chart to present the risk exposure. Thus this approach
provides a picture of risk sensitivity without having to quantify the impacts in actual
money or time limits.
58
Low Medium High
High Medium
Probability
Low Impact
Figure 3.2: Risk Probability/Impact Chart
(Adapted from Fig: 4.3 – Marsh et al, 1996, pg. 107)
3.5.4 Risk Control
Risk control is a mitigation strategy which requires an action to reduce, eliminate or
avert the potential impact of risks. The organization has an option to choose any path to
mitigate risk as shown in the process format and described as follows (Marsh et. al.1996,
pg. 113):
Avoidance
Deciding not to continue with a product or project in which the risk exposure to
the company is perceived to be too high.
Transference:
This comprises passing the risks onto others more capable of managing the risks.
Generally, one would transfer the activity onto the subcontractors who
understand the subject and are more capable of identifying and mitigating the
risks involved.
Reduction
59
The purpose of the reduction path is to take action which would finally reduce
the risk to an acceptable level. Since this path mainly relies upon expenditure of
money, it invariably increases costs e.g. the amount of insurance premium.
Management
This path comprises the majority of the risks that gives rise to daily problems in a
project. The activities include regular monitoring of progress, continuous
assessment of resources assigned and pre-preparation of fall-back (back-up) plan.
Contingency
The contingency path provides funds to cover those risks that are assessed to be
of a low likelihood and impact, and for risks that have been revealed during the
identification process i.e. residual risks. Generally these types of risks show
themselves during the implementation of the activity.
60
Risk Portfolio
Yes
Yes
Yes
Yes
No No
No
No
No
Successful
Secondary Risk
Residual Risk
Risk Control Plan
Risk Contingency Funds
Positive Action
Procurement Sub-Contract
Main Contract Alternative
Management Contingency Backup Plan Supervision
Reduction Insurance Information Consulting
Transference Risk Sharing Contracting
Avoidance Remove Causes Alternate Paths Contract Action
Risk Assessments
Identify Risks
Figure 3.3: Risk Mitigation Plan
(Adapted from Fig: 4.7 – Marsh et al, 1996, pg. 114)
61
All the above mitigation paths require an investment trade-off to be considered between
the funding to be included for contingency for the path selected and the cost or savings
to be made if an alternative path is taken.
An organization can document the whole process in a risk analysis sheet for each risk
identified. Thus it can be formed into a database for effective monitoring and control.
Besides, the risk register could be used for reporting that would enable continuous
improvement of the process.
62
Risk Analysis Sheet Project:___________________________ Responsibilities: _______________________ Risk Reference: ____________________ Generation Period: _____________________ Class: ____________________________ Active Period: _________________________ Description: (1) Process & Life Cycle Phases (2) Owner (3) Responsible for Management Exposure: _______________
Very High High Medium Low
Probability
Impact unit & Value Impact Description
Cost Time Requirement
Causes Effects
Description of Triggers Trigger 1 Trigger 2 Trigger 3 Trigger 4
Mitigation Strategy
Description
63
Backup Plan
Transference
Avoidance
Buy Information
Early Control
Insurance Contingency
Figure 3.4: Sample Risk Analysis Sheet (Adapted from Fig: 3.35 – Marsh et al, 1996, pg. 93)
3.6 Rationale for Risk Management
Risk is the price paid for progress. As progress drives globalization, firms in the
financial services sector worldwide face numerous market, operational, and credit risks.
Throughout the industry, companies are seeking effective solutions to address their
exposure to risks. In a January 2004 survey of US banks, Susan Cournoyer, a principal
analyst in the Global Industries group at Gartner Research, found respondents currently
allocate 8.7 percent of their IT budgets to controls (risk management and security). The
survey also revealed that 30 percent of the surveyed banks planned to spend more on
controls in the next 18 months (Goolsby, 2004). As another reference point, the world's
top financial services brand -- Citigroup, which enjoys enormous competitive
advantages also cited business risk management as number two among the firm's
leadership priorities, in a Citigroup presentation (Goolsby, 2004).
Moreover banking regulations like the New Basel framework focuses on processes,
people, and technology. Cost-effective management of IT and transactional back-office
processes have been a key market for outsourcing in banks for years. Significantly, as
64
globalization initiatives and terrorist acts have increased, financial services firms are
quickly turning to outsourcing to mitigate operational risks in protecting assets and
business continuity (Goolsby, 2004). The recent trends in industry in terms of
outsourcing urge the need for identifying a framework for managing these risks
effectively.
3.7 Risk Management for outsourcing information systems Financial institutions increasingly rely on services provided by other entities to support
an array of technology-related functions. While outsourcing to affiliated or nonaffiliated
entities can help financial institutions manage costs, obtain necessary expertise, expand
customer product offerings, and improve services, it also introduces the financial
institutions to a range of risks. FDIC (2000) has identified these risks which include
threats to security, availability and integrity of systems and resources, confidentiality of
information, and regulatory compliance.
FDIC (2000) also emphasizes that the management should consider additional risk
management controls when services involve the use of the Internet. The broad
geographic reach, ease of access, and anonymity of the Internet lead to the introduction
of potential risks from the functions of a system’s structure, design and controls. Thus it
requires close attention to maintaining secure systems, intrusion detection and reporting
systems, and customer authentication, verification, and authorization. FDIC (2000)
suggests measures which includes risk assessment, selection of service providers,
contract review, and monitoring of service providers. The Basel Committee on Banking
Supervision (2001) recommends the banks to develop risk management processes
appropriate for their individual risk profile, operational structure and corporate
governance culture.
3.8 Current Risk Management Models
65
Many research studies have analyzed transaction cost theory and agency theory for
evaluating the risks in IT outsourcing decisions (Lacity and Hirschheim, 1993; Hancox
and Hackney, 2000; Aubert et. al, 2000). Some of the other approaches for evaluating
IT outsourcing options include cost-benefit and weighted scoring methods. Lewis (1999)
examines the use of risk-remedy method for evaluating the information technology
outsourcing tenders. The risk-remedy method emphasizes on using the requirements
correctly, examines the cost of bidding, cost of delay, checks the bid’s carefully and uses
a design rather than a selection approach.
Other approaches like the risk ranking method adopted by the Department of Contract
and Management Services in Australia focus on rating, management planning and
monitoring of risks and applied in different phases like procurement planning, contract
development and management (Baccarini and Archer, 2001).
Market researchers have also applied various theories for balancing the risks of
outsourcing to economically cheap countries. Kleinhammer et. al. (2003) focuses on
understanding the geo-political risks in IT and recommends applying ‘risk portfolio
assessment’ to mitigate the risk created by deploying IT development across multiple
geographies. The Risks-Return-Rating method is recommended for managing the risk
portfolio in IT outsourcing. The R3 method is an assessment tool designed to help
companies balance the trade-off between risks and costs when implementing a strategy
of geographic diversification. This helps maintain a company's risk within risk tolerance
levels while continuing to generate good returns. The Figure below outlines the
framework of the R3 method.
66
Figure 3.5: Risk-Return-Rating (R3) Method (Adapted from Fig: 2 – Kleinhammer et. al., 2003)
Performing a risk portfolio assessment enables a company to benefit from using a better
combination of geographies and improve the company's risk-return from offshore
outsourcing. Thus by applying risk portfolio assessment to their outsourcing strategies,
companies not only gain the cost advantages from off shoring, but also achieve lower
risk with greater flexibility to deal with future events.
67
4. CASE STUDY
4.1 Introduction
An Information Technology Department of a large multinational bank has been used as a
case study in this research. The Department is into outsourcing of software development
and IT support functions. The Bank follows certain guidelines for outsourcing and has
set controls and follows adequate procedures for managing risk.
4.2 The Organization
68
The organization is a large multinational bank in United Kingdom. The Technological
Unit of the bank manages IT and IT support functions for 23 countries across Europe
and Asia. As described in the figure, the department is managed by the Head of
Department who is in charge of the technological provisions for all the countries
involving various banking functions like retail banking, consumer banking and products
like credits cards, consumer loans and other segments.
Figure 4.1: Organizational Structure
The departments include projects office which manages the software development and
project management. The products office is further categorized into credit card, banking
and consumer loans section. The program office deals with controls and compliance
issues. The Arch Group carries out functionality checks. The Regional Business Support
manages development support and production support for all the systems presently
implemented and being used in all the countries. And the countries would include local
technology units from 23 countries. The key stakeholders of the outsourcing process
come from all the offices under this department.
The Technology department is further divided into Information Technology (IT) and
Technology Infrastructure (TI). The IT department includes Projects, BAU Support and
Functionality. The IT functions are under the Head of the Technology Unit under study.
69
The (TI) department includes activities like Networks, Data Center and Desktop
Support.
Figure 4.2: Technology Unit
4.3 Outsourcing Options
As stated in the interviews, the bank currently practices all forms of sourcing strategies.
It considers in-house, on-site, near shore and off shore options for its application and
software development. The various in-sourcing options include their Asia Technology
Office in Singapore and Technology Office in Frankfurt. Near-shore options include
Poland and other European countries. In case of offshore outsourcing it is presently
outsourcing software development and support work to cheaper countries like India and
China.
70
4.4 Outsourcing Process
As observed by many participants in the interviews, the outsourcing process follows the
theoretical framework. The outsourcing process begins with an initiation by the business
to implement technological solutions for managing banking functions. The Project
Manager from the Projects Office reviews these business objectives and begins the
initial task of identifying the vendors. Based on his previous experience, the Project
Manager has an existing vendor base which is more of a personal list based on the skills
and product expertise of the vendors. The organization has also put together a global list
of vendors who have global contracts with the bank. On the basis of the requirements,
the Project Manager prepares Request for Proposal. On receiving the proposals, he
examines the quote proposed and shortlists three vendors. The process then goes to the
next step of negotiation with the three vendors. The procurement team takes over and
negotiates with the three vendors to try and attain discount. Finally the best deal which is
most cost effective along with other benefits is selected and the contract is signed with
the vendor. It is the procurement department that deals with the technical terms of the
contract and the legal regulations. Lastly the controls and compliance department ensure
that the vendor has all the necessary controls in place and follows the standards in terms
of compliance set by the bank.
4.5 Software Development Life Cycle
Once the contract is awarded to a vendor, the process of software development for the
product begins. Rather than totally outsourcing or totally in-sourcing application
development, the organization is efficiently accessing business and technical set of skills
through selective sourcing. To exploit the inherent advantages of the internal IS
department, the business requirements are determined in-house and to exploit the
technical skills of the vendors, the coding and testing is outsourced to the vendor. The
complete development process is managed by the Project Manager from the Project
71
Office. The process follows the typical Waterfall Method which includes stages like
Business Initiation, Requirement Analysis, Design, Development, Testing and
Implementation. However the contribution and responsibility of the technology (IT) unit
of the bank and the vendor varies at different stages. The following figure is a
diagrammatic representation of the role played by them at each stage of the software
development life cycle:
Figure 4.3: Sourcing Strategy in Software Development Life Cycle of the Bank
As the figure describes, the project initiation is by the business from a particular product
or region which is then managed by the Project Manager from the technology (IT)
72
department of the bank. In the beginning, the requirements are gathered by the
technology department in coordination with the developers of the vendor company. The
requirements are effectively gathered from the actual users of the system and business
and drafted in the requirement document. The requirement document is sent to the
developers of the vendor company. On the basis of the requirements, the vendor
prepares the functional specification document which technically describes the process
and the time scales. On receiving a sign off on the document, the developers proceed to
the next stage of design and development. Thus the vendor builds the system based on
the user requirements. Once the system is fully developed, the developers perform the
system integration testing (SIT) to check the functionalities and complete integration of
all modules. On the SIT being conducted successfully, the system is released to the bank
for user acceptance testing (UAT). The UAT is performed by the team specially
assigned for testing in the bank and by few actual users. On receiving sign-off from the
UAT Team, the system is released and goes live. The implementation is a coordinated
activity between the technology team of the bank and the developer team of the vendor.
Once the development process of the product is over, the project office gradually hands
over the process to the production support team of the Business As Usual (BAU)
department. It is this team of the technology unit of the bank that co-ordinates with the
technical support team of the vendor or any third-party for production issues or problems
faces by the users and changes in the system.
73
5. RESULTS AND FINDINGS
5.1 Presentation of the results and findings
The results and findings of each interview are introduced as a narrative, which is then
summarized in the form of concept maps.
Narrative
The narrative provides a textual description of the key results and findings. This
includes important quotes from the interviewee.
Concept Maps
Concept mapping is a technique for representing knowledge in graphs.
Knowledge graphs are networks of concepts. Networks consist of nodes
(points/vertices) and links (arcs/edges). Nodes represent concepts and links
represent the relations between concepts (Lanzing, 1997).
Concept mapping can be done for several purposes (Lanzing, 1997):
• to generate ideas (brain storming, etc.);
• to design a complex structure (long texts, hypermedia, etc.);
• to communicate complex ideas;
• to aid learning by explicitly integrating new and old knowledge;
74
• to assess understanding or diagnose misunderstanding.
Thus concept map has been used in this research as it allows you to understand
the relationships between ideas by creating a visual map of the connections.
Separate maps have been produced to represent the information gathered from
each interview. To create a concept map, I have identified the key concepts
which are common in all the interviews. These have then been combined to
produce an aggregated map that shows the entire groups perception of the
problem situation. Great care has been taken when merging the similar concepts
that appear on different maps to ensure that the concepts really do represent the
same situation.
5.2 Key Concepts
Having reviewed the literature to understand the outsourcing process, the risks involved
in outsourcing and the risk management practices to be followed in decision making, the
following key concepts for the interviews have been identified:
Role in Decision Making Process
Objective of Outsourcing
The Outsourcing Process
Risks in Outsourcing
Risk Identification Process
Risk Assessment Process
Strategies & Policies for managing risk
Risk Management Techniques
Suggested Measures
Using Third Party Consultants
Future Trends in Outsourcing
75
These key concepts have been developed by identifying themes from the following
literature Smith et al., 1998; Earl, 1996; Takac 1994; Chalos 1995; Aubert et al, 2001;
Lacity and Hirschheim, 1993; Everest, 1996; Zucchini, 1992; Lacity & Hirschheim,
1995
5.3 Interview One: Compliance Manager The interview with the developer took place in London on Tuesday 12th July 2004. This
meeting lasted around one hour.
5.3.1 Role in Decision Making Process
The compliance manager heads the program office in the department. The program
office basically ensures that adequate process is followed in vendor selection and the
selected vendor has the controls in place and meets the standards set by the company.
The responsibilities of a program office include ensuring that (a) the department has
followed an adequate vendor selection process, (b) the vendor is approved by the
organization, (c) the vendor relationship is defined and (d) the standard contract is in
place. The contract is in the form of Standard Level Agreement (SLA) and includes the
pricing and performance issues.
5.3.2 The Outsourcing Process
The manager believes that the way the company is organized, the process seems to be a
theoretical model which may not be fully followed.
“The way this company is organized is more of a theoretical model although
it is not always 100 % followed.”
However the manager commends the controls set of the company to exclude the project
manager in the negotiation process. Since the project manager is the one who initiates
76
the contact with all the vendors, this policy mitigates the risk of the manager entering
into any beneficial agreements with the selected vendor.
“In terms of risks in this whole process, one of the reasons why we don’t
want the project manager to be part of the negotiation process is because we
don’t’ want him to enter into any beneficial agreements so we are putting all
that under third party control so that it protects the vendors.”
5.3.3 Objective of Outsourcing
The manager suggests outsource as a right option in case (a) the company does not have
the right resources or (b) the right skill sets or (b) if it is comparatively cheaper than
building it in-house. The manager believes there may be many reasons for outsourcing
in this department but stresses on the presence of adequate controls in place.
“There might be many reasons as regards why you want to outsource and
when you have made that decision to outsource for those sorts of reasons you
then think about controls and make sure that you are giving it to the right
person with good qualities”
Besides the issue that probably the vendor may be serving the competitor is not much of
a concern to the organization. What is necessary is the level of controls to protect the
interests of the organization.
“Some software houses that we are going to are already seeing our
competitors. That is not necessarily an issue what’s more of an issue is what
sort of controls you have in case your vendor is selling the software to
another party, then in terms of intellectual property rights and also
confidentially”
77
5.3.4 Risks in Outsourcing
The manager identifies the acquisition of the required software as the ultimate risk in
outsourcing. Furthermore, information insecurity is termed as the biggest risk, as
information about customers is the most important asset to the organization. Thus it is
crucial to have the required controls to protect information security. Other areas of risk
like financial stability of the vendor, vendor ability and availability, system and resource
back-ups have been identified. This requires checking the financial proprietary means of
business continuity of the vendor. Moreover the transition from one vendor to another is
a difficult process for the company and the terms of the exit plan need to be effectively
considered during the contract agreement
“In fact in exit plans, say for example: we have software which is especially
developed for us and somehow we not happy with the support provided by the
vendor probably coz the technology is old like mainframe etc. So quite often
another software house maybe able to provide good support so actually we
find the transition quite difficult from company A to company B so that’s
quite a risk for us.”
5.3.5 Risk Identification Process
The manager mentions receiving excel sheets and presentations from vendors in the past
describing the work they do and financial information like account statements of past 3
years. However the manager believes that this method would not be fully effective in the
tendering exercise as every vendor would try to present that he can do everything but it’s
crucial for the company to verify the claims made by the vendor before taking a
decision. However in recent years the process has gradually changed with the company
collecting information by visiting the vendor site, gathering references, collecting
information like current staffing levels, experience levels of the staff and procedures
followed like escalation process.
78
5.3.6 Risk Assessment Process
The manager has experienced different methods being followed in the department. At
times it’s done using common sense, previous outsourcing experience and sometimes
it’s assessed by applying some basic numeric metrics. However the manager is unaware
of any process set by the company to evaluate the vendors.
“I am not aware if we got anything defined or set. I think it’s probably dealt
by case to case basis. I think it’s partly the procurement department who
takes care of the legal side and it would be up to us to confirm the capability
of the vendors.”
5.3.7 Strategies & Policies for managing risk
The compliance department follows the standards set by the organization. The
organization has its own information technology management process and the
compliance department ensures that every vendor follows these processes whether on-
site or off-site.
“Compliance for our department means you doing everything within the
company’s standards. We apply a simple rule of thumb to third party
vendors, we have our own information technology management process
which is within our compliance and control structure and we expect any
other party vendors who do work for us whether on site or offsite to conform
exactly to those processes”
The organization has a framework covering key areas like information security,
continuity of business, software management, resource management, vendor
79
management, performance analysis and vendor review. The Company also has an
outsourcing policy which states which activities can be outsourced and does not allow
outsourcing any critical activity related to information security.
“Typically we don’t’ outsource anything related to information security. For
example: you won’t typically outsource the maintenance of the systems.
Typically we don’t’ outsource hosting of websites. Our company website is
hacked or attempted to hack second largest number of times in the world. So
we are very sensitive of out websites and to information we try and put as
many controls as possible.”
5.3.8 Risk Management Techniques
The manager is not aware if there are any risk management techniques being followed in
the department in outsourcing IS functions. When asked if the performance of the
outsourced services is being measured against relevant benchmarks, the manager states
that presently it is not being practiced but agrees that it is a key issue to be considered in
the department. Furthermore the manager identifies the issue of the vendor’s
performance being measured only against initial expectations mentioned in the contract
and the inability of the department to hold the vendor liable for any new problems.
“Because we don’t have a set process for measuring, its difficult for us in case of
support to turn around and say that we asked you to do this and you are not been
doing it so what’s the problem? So that’s something that we can’t do now.”
5.3.9 Suggested Measures The manager lays stress on setting some standards for measuring the quality of products
or support provided. Furthermore measures like identifying the key performance
indicators to measure the performance and to review the services being provided are also
suggested.
80
“Not all really, we have sort of vague idea of what we expect to happen and
put in place service level agreements to try and set some standards and
quality guidance but we don’t’ have a standard or process for measuring the
quality of products or support provided and that’s something we trying to
work on at the moment. For example: we don’t’ do for third party vendor
who say is providing telecommunications support for one of the systems and
if they are, I suppose they are to work on what we think are the key
performance indicators so if you be able to track on this and this basis to
actually understand if they were meeting our scales or not. But because we
don’t do that we actually not have been able to make a decision of whether
we getting the support what we expect.”
5.3.10 Using third party consultants
The manager agrees in involving third party consultants on a personal basis. The
manager believes that management of vendors is a specialized job which requires certain
amount of skill. One of the reasons stated for the department having problems in
outsourcing is lack of skilled resources within the organization that specialize in vendor
management.
“Yes, I would on a personal basis. I don’t know if the corporation would
agree or not. Management of vendors is a specialized job I think. It takes a
certain amount of skill to it. Traditionally we don’t employ people with that
skill and specialist role to do that so I think because of that we get ourselves
into trouble so I know there are companies out there who do nothing but
provide vendor relationship management. I personally would consider such
an option.”
However the manager believes that the organization already has certain groups whose
role is to provide vendor management function. But one of the problems is of coverage,
81
which has not been possible in the organization. Also the process may not be completely
set but there is a need for having required controls.
“I don’t’ want to give you an impression that we don’t’ consider vendor
management as a risk. I think we do. The position for the process may not be
completely set. Yes, but going forward we could certainly consider the best
way to put controls going around it and at present I don’t know any
organization that really has success in vendor management in a positive
way.”
5.3.11 Future Trends in Outsourcing
The manager identifies the future trend of the department to be selective sourcing and
in-sourcing. The strategy of outsourcing to other countries than India like Poland and
China have been identified as they are not only comparatively cheaper but the
organization is aware of the fact that it has invested a lot in India and for risk
management reasons feels the need to spread the development work around.
“Poland is a lot cheaper now. India is not always the low cost. The other
thing is that we are conscious that we have a lot of investment in software
houses in India and as a cliché, you don’t’ have all your eggs in one basket
so for business for the real risk management reasons it makes sense to spread
the development work around.”
However the manager identifies the new risks that would emerge in following this
strategy. One of the risks identified is that lack of outsourcing management experience.
The other risks emerging are the language issues and technical competence of the staff.
82
“If it’s any other country one of the things you need to be careful is that they
don’t’ have any outsourcing management experience or background. We do
all the work in English and people in India speak to a very high level and
also some of them are extremely well educated and learn the technology
process.”
5.3.12 Concept Map
The Concept Map that summarizes the findings of the first interview in presented in the
following page.
83
Figure 5.1 Concept Map of Interview 1 - Compliance Manager
5.4 Interview Two: The Procurement Manager
The interview with the Procurement Manager took place in London on Tuesday 13th
July 2004. This meeting lasted approximately one and a half hours.
84
5.4.1 Role in Decision Making Process
The procurement manager is in charge of the data center procurement. The primary
function of the procurement office is to negotiate the best deal. The role involves
ensuring that negotiations take place on time and the contracts are signed. The deals are
negotiated with suppliers like HP, IBM and Sun and the one of the objectives to get
more discount than what is agreed on a global level with the corporation. The manager
mentions that at times a good rate is negotiated at a global level as the bank is one the
biggest customers of these suppliers. In few cases these suppliers have a relationship
with the bank in terms of banking so there is a mutual relationship. If not, the other
strategy adopted by the bank is to persuade the supplier to bank with them since the
bank is giving them business as well.
“You can find it difficult if it’s already negotiated quite good rate as we are one
of the bigger customers in the world for those companies. The other thing that is
not really tackled too much but is raised occasionally is lots of these companies
have relationship with our organization in terms of their banking. So often there
seems to be mutual relation. At times what we do is go to the company and say
we are spending a lot of money on you so you should be banking with us as well
if not a big discount.”
5.4.2 Outsourcing Process
The procurement manager does not have an active role in outsourcing, as presently
infrastructure is not being outsourced by the bank. However the manager was part of the
outsourcing deal in 1992 wherein the data center activity of the bank was outsourced to a
vendor. One of the primary reasons for deciding to outsource the data center activity was
an immediate reduction in headcount.
85
“Anyways, this had happened back in 1992 the way a lot of companies did this at
that time. It could probably not be for the same reason they do it now. The scene
was a quick way of sorting out the headcount. Probably the bank was trying to
cut costs. At that time a company came back with a wonderful plan. I think we
had around 70 people in the staff then in data center. This was the operation,
technical support staff, right unto the management and a couple of people that
managed it. They were involved in initiating the outsourcing deal. As they
outsourced themselves they went with it. So they took responsibility of the whole
of the staff and the equipment and the liaison with the software companies and
you know whatever.”
This was one of the first outsourcing contracts of the bank. There was a selection
process followed wherein the bank did look at 3 to 4 companies. It collected information
about the vendors like references, the financial situation and abilities of the vendor and
called for a proposal plan. During that period, there was no global list of vendors.
Though compliance was around it was not enforced as it is now. The decision making
team involved the senior management and some technical people. One of the reasons
identified for outsourcing was that along with the people, the vendor was also willing to
buy the equipment.
5.4.2.1 Issues in managing the Outsourcing Process
As the relationship began, the process was running smoothly as all the terms were stated
in the contract. The bank was satisfied with the services and felt that the vendor was
charging them correctly. The process was audited and new features are recommended
and implemented successfully. There were regular meetings and steering meetings
which was attended by both the banks.
“I think we just trusted them. There was no breach of contract. We didn’t like a
few people but mostly they were quite fair. We thought they were charging us
approximately. They had the right people doing the right things. It was audited.
86
We were pretty satisfied. There were issues of password security. They would
recommend and implement it. There were new processes.”
However as time passed by, there were requirements for additional hardware and
software and human resources for which the bank was being charged. So the bank set up
a service request procedure for extra requests and that was paid separately. However the
cost of these extra services to meet the processing demand was increasing tremendously
and at times, was more than the monthly fee paid to the vendor. Thus these extra costs
were a major source of concern for the bank. The contract was for 5 years and had
renewal options. To curb the variable costs, the bank brought in negotiators from its US
office to analyze the situation and take further action. However the manager felt that the
situation was out of control because the present condition was quite different from what
was mentioned in the contract. Though the negotiators and the management team did
look at other companies and the option of in sourcing, they finally decided to renew the
contract with some new conditions. The manager points out that one of the reasons that
the activity was not back in house was because of the headcount issue. However the
contract was renewed with the vendor with new conditions wherein a separate list of
people were identified from the rest of the operation. There were around 100 people and
each person was charged at a rate depending on their level or grade. Though the bank
paid for their services, they were employed by the vendor. The manager felt it turned
into a body shop affair and the new rate was comparatively higher than what they would
normally get with other benefits.
“There was an arrangement for a set fee for managing everything. I mean there
had these extras on top and it had to be changed. Rather they bought in a new
one which kind of separated the people form the rest of the operation. So they
had a list of people, they had around 100 people or more and then each person
was then charged at a rate depending on their level or grade. A senior consultant
or technician and there was a monthly rate for that person which was actually
quite high compared to what their salary would have been and obviously it
included other benefits like cars, bonus, etc.”
87
Along with the new process, the bank was also charged for the systems separately. The
old problem persisted and the bank kept receiving extra service requests which increased
the cost. At the same time, few activities became more critical and the bank started
focusing more on technology and started demanding more quality. To meet the demand,
the bank decided to get its own people to monitor the vendor’s activities. The manager
felt that the bank didn’t trust the vendor anymore and had its own people cross checking
each activity performed by the vendor. The bank reached a point where it decided to
conduct an exercise to find out how much would it cost if the whole activity and people
were bought in-house. The manager thinks that the two primary reasons for the bank to
consider in-sourcing were high variable cost and the lack of control. Everything that the
bank did was based on the capabilities of the vendor and the bank couldn’t make a free
decision. The other thing that the manager noticed was that the vendor staff was slowly
becoming complacent and the bank was unduly being charged extra for staff overtime
Furthermore the myth of outsourcing that the vendor has experts for everything is
identified. Practically these mythical people either didn’t exist or were never available.
Finally the activity was bought in-house around 3 years ago. The handover process was
smooth as the manager believes that the vendor had to co-operate as there would be risk
of reputation for them.
“Well it wasn’t a failure but it kind of came to a natural end almost. It reached
to a point where it made more sense to run it ourselves. Financially and in terms
of control and where we were trying to go, what we were trying to do. Difficult to
involve the other company, wait for them to respond, everything they did would
be based on what their capabilities were, couldn’t make a free decision. The
other myth about outsourcing, all these companies are going to tell you that they
got many people they can call on, they got experts who know everything, put
people on, in a minute’s notice but when you try to do it, they say these people
are busy with other projects, they going to come with excuses or they say we can
always recruit someone. They always have some mythical people that can do
88
anything but in practice it didn’t work very well. It wasn’t that you had people at
our beck and call which they pretended so that was one of the drawbacks.”
5.4.3 Objective of Outsourcing
The manager states that one of the primary reasons for deciding to outsource was an
immediate reduction in headcount.
“It was headcount reduction. They offered to buy the equipment we had, so we
transferred it. At that time it looked good. The hardware costs kept rising for the
processing power of the mainframe. They thought it would remain static.”
5.4.4 Risks in Outsourcing
The manager is not sure how much was considered during that deal in 1990s as if it was
then the contract would have been better than expected. However the manager is of an
opinion that currently outsourcing is less risky as there is so much information available,
so many companies have gathered experience in outsourcing and there are books and
resources for reference. One may still come across similar problems but one will be
prepared for them.
“I don’t think they looked at risks that much because if they had the contract
would have been better than expected. Now there is so much of information
available and also generally because so many companies have done it, there are
articles, books available, all sorts of sources to tell you what you should do and
steps and clauses. I think it’s a lot less risky these days coz there is so much more
that you can draw on, that could tell you, look what you should be doing, what
you look out for, so many people are doing it, I think its lots easier these days,
less risk, build more terms in to the contract, you need to do your homework.
89
Spend time finding out, look for advice, take time. You would still come across
problems, but you will be prepared for them.”
5.4.5 Risk Identification Process
The manager mentions that the bank follows a process of vendor selection and gathers
information about the vendors like references, the financial situation and abilities of the
vendor and called for a proposal plan.
“Information like financial situation of the vendor, references from his clients,
his abilities and a proposal plan.”
Furthermore with previous experience and by gathering information and taking advice,
the process can be effectively handled.
“Well, it all comes down to experience I think and anticipating and reading what
other people have done and what problems they have encountered.”
5.4.6 Strategies & Policies for managing risk
The manager is not aware of the exact procedures but mentions how the process has
changed. Presently there are more people involved. Outsourcing receives a lot of focus
these days and they are many people from the senior management involved.
“I don’t know. There would definitely be certain people who would have a say in it.
These days so many people would be involved, have an opinion and have a say in
it.”
90
5.4.7 Using Third Party Consultants
The manager does not have a strong opinion about using third party consultants.
However doesn’t mind having a risk management team if the bank was outsourcing all
the time. But if it was a one off thing then probably would bring in a consultant for
advice. However most program managers in the bank tend to believe they have enough
knowledge and experience and would tend to do it themselves.
“However here, most program managers tend to do it themselves. Enough
people to think they probably have enough experience or enough knowledge,
probably wouldn’t want someone… I mean…that’s my opinion.”
5.4.8 Future Trends in Outsourcing
The manager thinks that there wouldn’t be any sourcing strategies for data center
activities as presently it is being managed in-house however in case of procurement, the
bank is planning to reduce the number of suppliers. The strategy is that the reduction in
the number of suppliers would lead to better management. However the ultimate risk in
this strategy is less competition which may affect the pricing plans.
“I suppose the only risk if you reduce the number of suppliers of a particular
item too much, you don’t’ have so much competition if you want to get pricing
for different prices.”
However the risk is identified as low as it is believed that the risk would evolve in
relative unit so one can selectively choose the vendor.
“Risk is low, I think, because I see it evolve in relative unit. Hopefully choose the
suppliers that you might use, try to avoid the odd ones, smaller ones or ones that
are not used very often.”
91
5.4.9 Concept Map
The Concept Map that summarizes the findings of the second interview in presented as
follows.
Figure 5.2 Concept Map of Interview 2 - Procurement Manager
5.5 Interview Three – Production Support Manager
The interview with the Production Support Manager took place in London on Tuesday
13th July 2004. This meeting lasted approximately one and a half hours.
92
5.5.1 Role in Decision Making Process
The manager is in-charge of production support for one of the systems operated by the
bank. The support office deals with new features for development and also with any
production issues that come up specifically from the business. So basically the manager
is involved after the decision is made and manages the vendor relationship thereby
ensuring the quality of the work.
“Our team manages the relationships that are in place already and it is the head
of department that sets up the new contract, we just manage parts of the
relationship once the contract is in place. We try to make it work; ensure the
quality of the work and ensure that the processes are in place to manage the
supplier in the ongoing relationship.”
5.5.2 Outsourcing Process
In the outsourcing process, the manager plays a role of coordinating with the vendor,
negotiating the problems with the offshore system developers and makes sure they first
address the issues on priority and keeps a track on the status of these different issues
whether they have been resolved. The manager tries to get as many issues closed and
tries to get the system stable as soon as possible. However at times when the issues are
on priority, the work does get very stressful as one needs to coordinate with the offshore
team and resolve them at the earliest as the operations are on hold and the business is
waiting for the system to work.
“I help negotiate the problems with the developers, set priorities for the issues
that should be managed first and keep a track on what is happening with these
different issues. My aims are to try to get as many problems closed and try to get
the system stable as soon as possible. Priority one issues can be very stressful
93
because they can impact a team of people within the business who are unable to
deal with their daily tasks or it could have a direct impact on customers
This process is computerized and the issues are entered into the database by raising a
ticket. So it’s the business that raises the ticket and the same is notified to the off-shore
developer. However the manager has the access to the ticket and can check the progress
on the ticket. This system is identified to be very useful for coordinating and for
analyzing as regards why a ticket is raised, which issue is on priority, how it gets
resolved and how the business is using it.
“I think it’s this data system that really helps because you can see at a glance
what tickets are open, so you know how a system is performing and this system
stores all communication regarding a specific issue so that it is easy to track the
history of an issue.”
Furthermore, in case of new changes in the system, the process begins with the
requirements document prepared by the manger which is sent to the business and the
offshore team. The offshore team prepares the Statement of Work which calculates the
costs and other information and also sent to the business. The business then prepares the
Project Initiation Document (PID) which covers the changes and costs and sends it to the
Head. Finally the Head reviews all the documents to know the changes and gives a sign
off.
“What happens is, the requirement documents are sent to the business and the
offshore team. The business will transfer the information into the PID and also
add in additional information such as the cost benefits. The PID document is
then sent to the head of department.”
5.5.2.1 Issues in managing the Outsourcing Process
94
Though the manager commends this tracking system but identifies the problem with the
offshore development team does not fully understanding its significance. The tracking
system is effective in resolving the problems, but when it comes to implementing the
changes on the system, the offshore team has to state the required changes in a change
request system which is then implemented by the system administrator. Since the data
center activity is managed by an in-house team, the offshore application developers have
to co-ordinate with the in-house system administrators. It is this process, that the
manager is of an opinion, is not used efficiently by the offshore team. This leads to
delays in changes being implemented in the system due to mistakes being made when
completing process documents and forms that need to be issued to the implementer of
the change. The manager stresses that most of the problems are due to the bureaucratic
system in the bank and everyone not understanding the significance of this process as
regards why is it being used.
“I think we have systems that are in place but the developers end up not fully
understanding its significance. When it comes to fixing the problem we have to
raise a change request. And the whole change request is a bureaucratic system
that we have, which is not used by the developers efficiently because they don’t’
fully understand the significance of this process. We have been having problems
the development team not completely filling in the required form and missing
sections from the documents as the developers do not realize the necessity of the
information being requested. However through a number of training session the
development team now understand the information that needs to be completed
and why it has to be completed for the change to go through.”
When asked whether cultural difference is an issue in managing the relationship, the
manager did consider it as a cause of concern and observes a difference in approach by
the offshore team in managing customer relations. The manager does emphasize that the
offshore team are very hard working but finds them being too honest and lacking
professionalism
95
“I find the offshore team very hard working , they will always do everything they
can, you can count on them but sometimes they are too honest with their
responses, their customer relation isn’t as good as it must be for the European
market.”
Another issue identified by the manager is the air of authority while communicating with
the team. The team does not participate actively if the key manager is communicating in
the conference call.
“If it’s the developers who are on the phone, then they are very honest and open.
If their manager is on the phone, they won’t talk; they wait for the manager to
talk. That’s very difficult because they have the knowledge and then getting to
the route cause of an issue can take much longer. ”
Lastly she finds the different formats of Statement of Work prepared by different teams
an impediment to effective analysis of the vendor’s performance.
“Things like getting statement of work from the development team and really
understanding the costs can be very difficult. We have a number of teams and
you get information sent through from different teams in different formats. When
this happens it is difficult to compare costs or services being delivered by
different teams. It is now being requested that each teams send through
information in exactly the same standard format, it means that discrepancies are
easier to see. I think one of the examples I got is , we have 2 different projects
and we have two different statement of work and who did these are two different
teams, one with UAT and one without UAT so because of the differences one
would have the total hours of works and one would have a complete breakdown
in his cost. It is important to make sure that the costs delivered are consistent.”
5.5.3 Risks in Outsourcing
96
The manager points out that staff turnover are a huge risk in outsourcing. The manager
recalls an experience wherein there was a complete replacement of the team managing
the project and one could see a significant difference in the art in which the problems
were resolved. The second risk identified is the risk of the capabilities of the key
manager. The key manager is the top person from the vendor side who manages the
team. Incase this manager is not competent to get his ideas across to the business then
the business would not understand the technical solutions provided by him. The manager
then talks about effective requirement gathering from the business. This risk is rated as
high as the business requirements and functional specifications are most important in the
outsourcing process. If the specifications are not clear then when the project comes to
UAT, it merely faces so many bugs that it slips way past the deadline. However there
has been emphasizes on this issue and there have been recent changes in the vendor’s
approach wherein they go beyond the request and understand the process in a user sort
of the format. Furthermore the manager identifies time zone as a potential risk but
doesn’t see it having a huge impact to the outsourcing process Lastly if quality of
services is an objective then the manager considers it to be a high risk as well.
“Staff turnover definitely is a high risk. It’s a very hard one to control but it has
a huge impact on us I think. Understanding the specification that comes down to
strongly written formats and effective implementation, I consider that high as
well because whole way through my experience, the business requirements and
functional specifications are most important. In certain projects when it comes to
UAT, it slips and slips and slips because when it comes to UAT, you realize that
the specs are not clear, so I take interpretation as very high. Time zone is ok, I
think more between medium to low coz I think you can get around it but I think
it’s always an advantage to have people working in the same time zone as you
are.”
The other risk identified is lack of in-house technical knowledge. When the project is
developed and is sent across for UAT, the UAT team is capable for testing the front end
97
but lacks the skill and knowledge to verify the back end processes. Though the same is
required to be tested in SIT process by the developers, it is believed that the process is
not strictly adhered to. The manager does realize that finally one needs to trust the
developers for SIT but suggests a way to resolve the problem by demanding testing
screenshots to ensure that SIT is done thoroughly.
“I think the other area of risk is between SIT and UAT. The business does UAT
on the assumption that the offshore team had done SIT thoroughly the whole
system but I think that always doesn’t’ happen. To certain extent you have to
trust the developers and what we ask for is more and more testing screenshots to
ensure SIT is done in enough details.”
Though the skills of the developers in resolving the problems are satisfactory, at times
they provide a short term fix which is a cause of concern as they might have a long term
impact. So the manager also plays a role in pushing the offshore team to identify the root
cause of the problem
“I think that’s sometimes an issue. I think it’s very easy sometimes for the
development team to give a quick fix and you have to push to make sure that the
long term problem is also fixed, otherwise the issue will continue to reoccur.”
5.5.4 Risk Identification
The manager relies on previous experience to identify risks in outsourcing.
98
“I think mainly because we have done previous implementation before, we know
some of the risks.”
5.5.5 Risk Management Techniques
The manager thinks there are risk management techniques being followed in the bank
For example, there is a team which presently goes through the risks in projects then a
team which ensures adequate quality controls and a team which conducts different levels
of testing. There is documentation available to go through in case of small projects and
in case of big projects there would be an external risk management team involved
however the people involved in the project would also assess and analyze the risks
themselves. On being further questioned, the manager states that there are people
looking after quality and compliance however one has not yet interacted with the risk
team. Moreover there are escalation processes up to the regional level.
“My understanding is, there is a risk team and they have the documentation to
go through and review which would help to identify the risks in each project and
apply it to the project. The documentation is there for small projects but I think
for larger projects it would help to have an external team involved that can
assess the risks of the projects and remain more objective.”
When it comes to implementing new features in the existing system, the manager is
involved in the basic requirement gathering and project management. Its worth noting,
there isn’t specifically any point of risk in the setup plan. However the manager states
that the project does go through a complete risk evaluation process.
“The full plan goes through a complete risk evaluation to understand what the
key risks in the project are but I am unsure whether the business also carries out
a risk review at the point of requirements gathering.”
99
The tracking system used for issuing and resolving problems in the system is considered
as an effective risk management technique. The feature in the change request wherein
one can not raise the request without a ticket number is also commended.
Furthermore there is the authorized list of vendors and the process of global contracts.
The manager notes that there are sufficient controls in place but agrees that there is
always scope for improvement. The manager believes that the development function is
managed effectively however it’s the ongoing relationship which needs improvement.
5.5.6 Key factors in Decision Making
The manager considers product knowledge as a key factor for vendor selection and
would prefer a vendor who has already developed a similar tool and more so from the
European country. High importance to given to documentation, total commitment and
resource allocation. From past experience the manager has observed that the bank
potentially slips out as the demands are put across to the vendor but the vendors don’t
commit themselves and give the same excuse of the existing resources being busy with
other activities.
“I think that we in the organization sometimes create problems for suppliers
because we put demands on to supplier but then are not always able to supply
the business resource required to meet the project timelines because the
resources are also normally involved in the day to day running of the business as
well being on the project. It is crucial that a business has the resources and the
time available for the project to be able to meet the timelines.”
5.5.7 Suggested Measures
As regards the technical and business understanding of the vendor team, the manager
recommends some sort of training in the beginning so that the vendor understands the
100
significance of all different processes. Training would increase the cost but the vendor
companies are pretty huge by themselves and the manager believes, can very well afford
it.
“I think probably in the beginning, there needs to be some sort of training; this
will ensure that the vendor is clear on the process that needs to be followed to
meet our compliance standards.”
Secondly, the manager suggests uniformity in the standards followed by the vendor
while presenting statement of work. It would definitely help the bank analyze
effectively.
When asked whether a risk management team is needed in the department, the manager
positively responded preferring it more at a regional or global level.
“I think a team would be better so you could go to them because it’s not
something you need all the time. I think you need to dip into a pool of knowledge
whenever you need it.
5.5.8 Using Third Party Consultants
The manager strongly refuses using third party consultants for reasons of control over
the process. The manager believes it would result in too many people thus making it
difficult to manage. On the contrary, a control group within the organization is preferred.
“No because I would like to control the situation. I don’t’ want someone else
indulging in the relationship its just puts too may additional people in the way I
think if there has to be a control group its got to be within the organization. We
would have to have all the checks in place.”
101
5.5.9 Future Trends in Outsourcing
The manager believes that the bank would continue with outsourcing. More than cost
effectiveness, the bank is becoming more technology driven thus requiring a specialized
team to back up the technology. However there is a need of technical people in the bank
as well. So the bank has come up with a strategy to recruit few people from the vendor
company. The other strategy is to buy the small vendor companies so that the cash
remains within the organization. However one of the limitations to that use of outdated
technology as the bank would have to use the software developed by that vendor
company which may not be as steady and flexible as required.
“I think it has to stay with outsourcing. I think we are getting more and more
technology driven, teams are getting more and more specialized. Therefore to
meet these technical demands it is necessary to use teams external to the
company that are up to date with the latest technology. I think in this
organization we need to make sure that there is some resource within the
business to back up the technology and have system knowledge to be able to
access the vendor and the standard of the product delivered.”
Lastly the manager is of an opinion that core competencies should be kept in-house and
its just technology within limits that should be outsourced.
“I think the core competencies must be kept within the bank it is just
development expertise that has to be outsourced. There has to be a line otherwise
your business gets more and more dependant on someone else and that’s a risk.”
5.5.10 Concept Map
102
Figure 5.3 Concept Map of Interview 3 – Production Support Manager
5.6 Interview Four – Business Development Manager
103
The interview with the Business Development Manager was a telephonic conversation
as the manager was based in Spain. The interview took place on Wednesday 14th July
2004. This meeting lasted approximately one hour.
5.6.1 Role in Decision Making Process
The manager is the development manger in the technology department in one of the
countries. The manager is involved in providing a clear perspective of a part of the
business to the technology unit. The manager is a key point of co-ordination between the
technology team of the bank and the business side of the region. The manager is not
involved in the decision making process, but is into managing the relationship. The
manager manages the development efforts of the local technology team working on
different systems.
“At this point where I am I personally could not have an active role. I manage
the development efforts of the local technology team on a variety of systems that
are mainly based on liabilities side deposit account and investment account.”
5.6.2 Outsourcing Process
In terms of the process, the manager is aware of the process which begins after the
decision is taken and the vendor is selected. The process begins with the initial phase of
requirement gathering. From a methodology perspective, there is a process as regards
documentation that is being followed. In terms of requirement gathering, there are
certain technological or formal tools that are presently being used by the bank. As
regards the people involved in the process, the manager states that there are many key
people from different areas that are involved initially. To begin with, it is the
technology team of the bank which takes responsibility of gathering user requirements.
They co-ordinate with the users and push them to think about what improvements they
104
want. Once the system is implemented, the manager is in charge of coordinating with the
production support team and the offshore support team for production issues and new
changes to the system.
“In a methodology perspective, we have a process as regards documentation
that we follow. As regards collecting the requirements are more of the
technological tools or formal tools that are used. I am not sure if it answers your
question but people who are involved and the key responsible people within the
different user areas are responsible and obviously they all work together. The
local technology generally takes responsibility of pulling together people so that
the requirements are in completed detail. As many of the users don’t know how
to formulate the requirements and giving the full picture, they push them to think
about what improvements they want.”
5.6.2.1 Issues in managing the Outsourcing Process
The manager identifies a few issues in managing the outsourcing process. Based on
recent experiences, the manager identifies communication problems from the language
perspective as an issue. Then there are problems faced due to the geographical and time
zone difference. However an important issue from the outsourcing perspective is the
knowledge level of the vendor team providing support. The knowledge level should
include business related knowledge rather than just technical knowledge of the systems.
There is a need to understand how business uses the system and is affected by the
changes in the system. To summarize, the vendor team should not be working in the
theoretical or hypothetical world.
“Key issues based on the most recent experience here are the communication
from the language perspective. Another issue is the geographical and the time
zone difference. Rather important issue from outsourcing perspective is the level
of knowledge of people providing support and whether they actually have any
105
business relation knowledge at all or whether they are really a majority of them
in the programming base.”
The manager has no issues with the concept of outsourcing. But expects a high level of
service and mentions that when the same is not received then one is not satisfied with
the process. It’s attaining the detailed level which she finds very challenging in
managing the relationship
“I don’t have an issue with the concept of outsourcing but when outsourcing you
expect a high service level and when you don’t’ get that then you are not
satisfied with what you receiving and definitely what that service level is. To
attain the detailed level can be challenging but I don’t have an issue with the
concept of outsourcing.”
5.6.3 Risks in Outsourcing
The manager identifies lack of business understanding as one of the key risks in
outsourcing. This would result in a solution being developed which might not be as per
the user requirements. Though such a system would not be implemented however the
consequence is the loss of time in the whole process.
“Risks are that because of the lack of business knowledge that does pose a risk to
them, understanding the requirements are defined and they spend their time in
developing a solution that we may not actually need as per user requirement.
There is a gap in knowledge then we get solutions that don’t actually meet our
needs. That’s not to say that goes live but the impact could be that we lose a lot
of time because once the users have a hand and see what is developed and is
finally not what they wanted then they start again.”
106
The manager notes the risk process that was carried out a year ago by the bank when
globally things were becoming unstable. The risk of regional instability was the key
issue in the risk process. More than the technology factor for which controls like disaster
recovery and business continuity are supposedly in place in the bank, it’s the issue of
knowledge of an individual that was identified.
“The problem is not the disaster recovery from a technology perspective because
obviously that has to be in place coz that’s expected and demanded all the time
now. It was more an issue of knowledge of an individual.”
The other issue identified is the high staff turnover in the vendor team. It impacts the
ongoing process as the new people have to be given training on the business and system
functionalities.
“High turnover is the same issue of knowledge level of what is demanded of
basically we got people who were involved in the project and who got to
understand the business requirements of the project and then the key people left.
We had new people to start over and we had to send our people for the training
of what it was all about.”
5.6.4 Suggested Measures
From the geographical perspective the manager believes that the bank is considering
having some representatives from the technology team on to the business site to bridge
the distance thus using it as an alternative to mitigate risk.
“From the geographical perspective I know there has been discussion of having
some number of representatives in the technology people brought over a bit
locally just to bridge the distance. That is an alternative. That’s a potential way
to mitigate that risk.”
107
In terms of staff turnover, though the issue is not in their control, but there could be a
possibility of an arrangement wherein the bank demands the vendor to ensure that
enough time is spent on knowledge transfer. The other measure suggested is having
some form of backup.
“Risk of high turnover is something we don’t really have controls over that. In
the sense that we can demand somebody or people going to be leaving the area
or that company, if they have the ability to dedicate time to knowledge transfer
then that should happen. First thing that people are going to do is pick the door
and not return then obviously you can’t do much. The other thing to do is to
attempt to grow the internal staff so they have more desire and shares that
knowledge through their work, not leave out a project”
Furthermore having a representative on-site is an alternate measure to mitigate the risk
of knowledge gap. It would add to the cost, but it is believed to be very advantageous in
managing the relationship. As it would not only increase their business knowledge on
how the users actually use the system but it would increase their ability to resolve
problems and they would effectively convey it back to their offshore team. The manager
points out that the representative would be able to put across the problems more
effectively using the internal lingo that goes about in any company.
“The other comment is not based on my experience here but on previous
experience is having someone from the outsourcing vendor onsite with you that
can be very effective; it really increased their knowledge on how the users
actually use and how the business actually works. I think it increased their
ability, their ability, their responsibility and they can relay it back to their team
or whatever that is in the language that they understand. I am not talking about
English or Spanish, I am talking about the internal lingo that goes about with
any company. And definitely becomes more effective. Of course definitely that
adds to the cost but I think it just mitigates the risks of knowledge gap.”
108
Lastly, the manager recommended having a defined role of a system analyst for effective
gathering of user requirement. If someone capable from the business or the technological
side acts as a liaison between the developers and the users of the system then it would
definitely bridge the present knowledge gap. Furthermore including such a person with
immense knowledge and experience would definitely lead to high quality of requirement
gathering.
“One of the things that we do not have here right now is defined role of system
analyst. If the person could be assigned from the business or technological side
that doesn’t really matter but someone who acts as a liaison between the
developer side and user side and bridges the gap because of the knowledge and
experience, it generally leads to high quality of requirement gathering.”
5.6.5 Risk Management Techniques
When asked about risk management techniques being followed in the bank, the manager
states that though since last year there has been more focus on the decision making
process and depending on the focus and size of the project, the decision is now taken
more on the regional level than local. It is definitely part of risk mitigation and risk
management on variety of degrees.
“I don’t have detailed knowledge what I can comment on is there is definitely
more focus recently, maybe from last year in the bank to make sure that decision
especially on outsourcing in whatever capacity are not only on local level but
are brought at least up to the regional level and depending on the focus and size
o and the escalation level, I think there is definitely part of risk mitigation and
risk management on variety degrees. The details of which are actually dealt
throughout the process is what I don’t’ have information.”
109
5.6.6 Key factors in Decision Making
When asked about the key factors in decision making, the manager identified financial
stability of the vendor, the level of resources and their availability at different time
frames and commitment as important elements. The manager stresses on stating the
resource availability explicitly in the contract and reviewing it on a regular basis.
“One of other key points as regards risk control is regarding the company, the
financial stability, the level of resources they have to support the customer, their
availability, they all say they are going to be available to responses for issues at
different time frame but certainly that is something you agree initially and what
happens in practice needs to be controlled and reviewed along the way.”
In terms of having a risk management specialist, the manager is of an opinion that each
department is aware of the risks in its area. The person coordinating the outsourcing
process, which would be the project manager, should be responsible for collating all the
risks in different areas. He would be the one who would have the full risk picture.
“If there was an individual which specializes in that of course if it someone who
specializes in information security then that could be done. Managing risks the
way I understand is that each department is kind of expert in the risks that come
into play in that area and when you talking about outsourcing the person who is
running the effort is responsible for collating all the potential risks in different
areas. They have the full risk picture. If they were someone who had a
responsibility then it would be that same person or group of people.”
5.6.7 Using Third Party Consultants
110
The manager believes there is no need for third party consultants as the organization has
many experienced people. However if there is an institution which has the knowledge
and experience then probably it would be beneficial to the bank.
“I don’t think there is a need for having a third party to come in. I am saying in
terms of large organization there is awful lot of experience. If there is a foreign
institution which has the knowledge and experience then I definitely see the
benefit to it.”
5.6.8 Concept Map
Figure 5.4 Concept Map of Interview 4 – Business Development Manager
5.7 Interview Five – Project Manager
111
The interview with the Project Manager took place in London on Friday 16th July 2004.
This meeting lasted approximately one hour.
5.7.1 Role in the decision making process
The project manger runs the project office. The manager is responsible for implementing
IT solutions in number of products like credit cards, retail banking and consumer loans
across the unit in 23 countries. The role involves management of IT solutions and
managing the project managers in the project office.
5.7.2 Outsourcing Process
In terms of the outsourcing process, the manager plays the role of initiating the project
by identifying vendors. The selection criteria are mostly based on cost, product expertise
and skilled resources. The manager has an existing vendor list which he terms as
personal list and then also refers to the global list of vendors.
“We begin the process by looking at the existing vendor list. That would be my
personal vendor list. If there are no vendors within that selection for the skills
and expertise required for developing the required product, we then look at the
main global list that is prepared at an organizational level.”
On identifying the vendors, the manager then selects around 3 or 4 vendors and prepares
the Request for Proposal. The RFP is sent across to the short listed vendors. Once the
proposal is received, the negotiation takes place with all the vendors. Based on the
quotes proposed by the vendors and their product experience and knowledge, a vendor is
ultimately selected. On the vendor being selected, the contract is signed and Master
Service Level Agreement is prepared and all the required control levels are put across in
the Statement of Work.
112
“We have to make a choice for around 3 or 4 vendors and request for quote.
Based on the vendor proposal, his experience and product expertise, we make a
decision. We then draw upon the Master Service Level Agreement and Statement
of Work. Once the SOW is in place, we start with the development.”
5.7.3 Objective of Outsourcing
The manager recognizes cost effectiveness as one of the primary reasons to outsource.
One of the options is to carry out the development work in the Asia Technology Office.
Since the solutions may already be developed and been in use in some other country,
they can be deployed faster. Furthermore product expertise and previous experience are
other key drivers for outsourcing.
“The basic objective is it’s cheaper. If you looking at whether the task can be
performed internally or externally, then one reason to outsource is its cheaper.
Then we look at developing in the Asia Technology Office (ATO) as often
solutions can be deployed faster. Development is often based in India as they
have the expertise, product knowledge and project management experience”
5.7.4 Risks in Outsourcing
The manager considers lack of control over the vendor operations as one of the key risks
in outsourcing. The other factor quoted is the difference in performance drivers. The
manager explains that one would not be aware of what drives the vendor team and it
may cause problems in managing the relationship. Furthermore vendors have different
levels of technical and managerial skills. Every vendor has its own strengths and
weaknesses in these skills. The manager observes staff turnover as a potential risk but is
of an opinion that smaller the company, bigger the impact of this risk. Lastly,
113
geographical distance, languages and cultural differences are other risks identified by the
manager.
“The fact that people don’t work for you, you have no direct control over the
vendor staff. Then they may have different drivers. The bank does have certain
procedures for performing a particular task and one would be well aware of
them. However the vendor company would have its own set of drivers which one
would not be aware of. I would be one customer and I might lose that team
because there is another customer who is probably more important. Its about
losing the ability to set the agenda. Then one might come across certain vendors
who have good project management skills but lack in development and testing
skills and some of them would have excellent coding and testing skills but lack in
project management area. Each company would have its strengths and weakness
so the risks would be according to the projects and the vendor assigned. Then I
would consider staff turnover as a potential risk however if the company is
relatively small in size, it would be a high risk. Then I would consider
geographical distance, languages and cultural differences as other risks in
outsourcing.”
5.7.5 Risk Assessment Process
In terms of risk assessment, the Manager points out that there is no formal process being
followed in the organization. However they do conduct analysis in terms of taking a
decision to outsource between different countries.
“No. We don’t have a formal process. We do conduct analysis for different
countries.”
114
5.7.6 Strategies and Policies for managing risk
The manager mentions the existing policies framed by the organization to protect its
interests in terms of ensuring security, labour practices, business practices and continuity
of business. It is mandatory for the vendor to follow the controls set by the organization.
Moreover, in terms of diversifying its risks, the organization has a reasonable spread of
vendors.
“In terms of outsourcing, there are policies designed to ensure that the vendor
follows the standards set by the organization in terms of security, labour
practices, business practices, continuity of business. A vendor needs to comply
with those, if one plans to do business with this organization. In terms of
strategy, I would say reasonable spread of vendors. We have number of different
relationships geographically.”
However the organization does not have any particular standard to specify which
activities can be outsourced. What it does have are controls to protect the organization’s
interests when an activity is outsourced.
“In terms of what can be outsourced, I don’t think there is a particular standard
specifying that. What we have is when you outsource; you got to have controls in
place.”
5.7.7 Risk Management Techniques
The manager identifies various techniques like receiving quotes from minimum 3
vendors, the requirement of a back up plan and protection of critical source code through
escrow. There are sufficient risk management techniques from a control perspective
however from the project side, there is no set process or methods being followed and the
risks are analyzed on a case by case level.
115
“In terms of outsourcing, we are supposed to receive quotes from minimum 3
vendors, and then the vendors are required to have a back up plan. For critical
source code, we got escrow. So from the control perspective, yes, there are set
processes to manage risks in outsourcing. However from the project risk
perspective like geographical and cultural, there is nothing specifically
mentioned. It’s done more on a project by project basis.”
The manager discusses the new approach adopted by the bank to formulate a tool to
analyze the number of visits in the project life cycle to the offshore countries thus
studying the impact of geographical distances on the project budget and timescales.
“We are looking at some tool on how to formalize the day to day visits in the
project life cycle to the offshore countries. We do have standards for project
management”
Moreover, the organization has also formed a relation management team in one of its
offshore units in order to cover the problems at the ground level.
“The organization has come up with a relation management team in India which
would be staffed with the organization and local employees. The idea is good as
it covers the risk of geographic distance. It would be helpful in dealing with the
issues at the ground level. However at the application level, it’s interesting to see
how effective it turns out to be.”
5.7.8 Suggested Measures
116
When asked if a risk management model is required in the organization, the Manager is
of the view that one cannot have set processes for everything. But there could be
guidelines covering project risks.
“You can’t have processes for everything. What you can have are guidelines.
Guidelines for project risks and controls to mitigate the risks and ensure
training”
5.7.9 Need for third party consultant
The manager is of an opinion that the organization is big enough to have the relevant
experience and thinks cost is an issue when considering a third party consultant.
However it could be beneficial when one does not have the relevant experience or when
an organization wants a fresh perspective.
“No. I don’t think we need a third party consultant. The organization is big
enough with majority of them into projects. I see it being effective when there is
virtually no experience or if the organization wants an external or fresh view
point on things. For this sort of area, I don’t think we need it. Besides cost is an
issue.”
5.7.10 Future Trends
In terms of future trends the manager identifies the strategy of scale and spread of
vendors. Though it’s cheaper to shift development work to China but language is an
issue to be resolved. The manager believes the organization would continue with
outsourcing.
“Future Trends is people will be looking for scale in vendors. Last year we
looked at spread of vendors for decent selection of vendors. It’s less of India and
117
more of China we looking at. However they need to solve the language issue.
One of the reasons to outsource to China is cost. In terms of in-sourcing, I
haven’t seen any conscious decision to in-source. I believe we still with
outsourcing.”
5.7.11 Concept Map
Figure 5.5 Concept Map of Interview 5 – Project Manager
5.8 Interview Six – Head of Department
118
The interview with the Head of Department was a telephonic conversation as the
manager was out on a business trip. The interview took place on Monday 9th August
2004. This meeting lasted approximately one hour.
5.8.1 Role in Decision Making Process:
The senior manager is the head of technology for the bank and manages various banking
functions like retail banking, consumer banking and products like credits cards,
consumer plans, loans and other segments from Europe to 23 countries. When it comes
to decision making, the manager is the final arbitrator who takes the final decision.
“Within my department, I am the final arbitrator who decides whether we select
the vendor or not.”
5.8.2 Outsourcing Process
The Head is involved in taking the decision to in-source or to outsource the IT function.
If outsourcing is considered, then the Head ensures (a) the control levels of the vendors
and (b) whether all the necessary checks have been done as regards their financial
position. The head takes the advice of all the people involved in the process before
taking a decision to select a particular vendor.
“I within the geographic region look at whether we outsource outside the
organization, whether they have the controls level as per the organization or not,
all the checks been done as regards their financial position. I essentially take
the advice of all the people who take part in the decision process.”
119
Presently the bank is in the process of moving from legacy systems to state-of-art
technology in Asia Pacific. So a vast majority of application development is being
outsourced off-shore to Singapore, China and India.
5.8.3 Objective of Outsourcing
Since the bank is a multinational bank, there have been technological developments
around the world since 1978 in various segments like credit cards and retail banking.
Essentially the department plans to re-invent the wheel in the Asia Pacific region. The
head describes that other than cost, it’s about quality and taking benefit of the
knowledge that the organization has build in so many years.
“Primarily in divisional, not too much on cost, its little bit more on quality side
and the platforms we are moving on to in the organization already. The program
side since in 1978, the credit cards system this is used in the countries around
the world, the retail banking in most of the countries and we try and reinvent the
wheel here. It’s more of the knowledge that the organization has build for so
many years, just using that knowledge.”
5.8.4 Risks in Outsourcing
The Head identifies technical knowledge of the application and technical capability of
the resources as one of the risks in outsourcing. The next big thing for the bank is the
financial viability of the vendor and then its effective controls and compliance.
“Technical knowledge of the application, make sure that the people represent
knowledge of a quality product. After that it’s more of financial viability of the
vendor, which is one big thing we always look at. Then effectively, there is
120
essentially controls and compliance. It’s a combination of industry knowledge
and controls and compliance.”
The other issues that are considered by the Head include political stability, established
communication and language problems. English is the language that is used for
communication and the manager identifies the need of a high standard of English among
the people whom the bank is dealing with.
“We always go for places where we already have well established
communication links. Where there is political stability. I mean you can always
get a cheaper price if you go for a low cost location. We always look for
established communication links. Languages can be a barrier. There is
obviously, I mean, English is the language that is used for communication and
you need high standard of English among the people whom you are dealing with.
So whether you talking with someone in Spain or Sweden or Pakistan there got
to be English talking people having high standards. Culture not really.”
Lastly the Head believes that the biggest risk is not getting the right quality of the
product and believes that one can get something developed at a cheaper price but if its
not a quality product then the objective is not achieved
5.8.5 Strategies & Policies for managing risk
The Head lays emphasis that the selected vendor has to follow the control and
compliance standards that are set by the organization. It essentially would mean that the
vendors are being audited at the same level. Furthermore, the organization has put
together a list of approved vendors when they consider outsourcing. The Head believes
that the process is pretty rigorous.
121
“We have a list of approved vendors when we use a third party vendor. We look
at financial stability, and then we look at controls and compliance. It’s pretty
rigorous.”
Then in case of application development, there is a standard industry platform that is
being used and most of the platforms that the bank accesses have inbuilt quality controls
but the Head does mention that there needs to be compliance.
“There is a standard industry platform, where most of the platforms we have
they got to have inbuilt quality controls but there needs to be compliance.”
5.8.6 Risk Management Techniques
The Head believes there are sufficient techniques in place in terms of financial issues
with the vendor. Furthermore the bank also looks into what the vendor has provided to
its client, ask for proof of work. Basically carry out an internal audit of compliance to
ensure that all the controls are in place.
“In financial perspective, yes. We also look at what else have they done within
the industry, any proof of work. Essentially do an internal audit of compliance to
make sure they meet all the control requirements.”
5.8.7 Suggested Measures
Though there have been some successful vendor relationships, but incase if the bank
feels that the quality is not as was expected from the vendor, the Head suggests changing
the vendor.
122
“Well, you could change the vendors. That’s what we landed up doing. But it is
one of the examples. We have had other vendor contracts which have worked out
fine.”
5.8.8 Using Third Party Consultants
The Head does not agree on using third party consultants as they wouldn’t know the
controls set by the organization.
“No. they wouldn’t know the bank controls and it wouldn’t’ make sense.”
5.8.9 Future Trends in Outsourcing
The Head identifies an increasing trend to cheap development in other locations with
specialized knowledge. The organization has build up a long term relationship with
vendor companies in India but the trend is now more global. The organization has been
able to fund investments into international operations that have started in corporations
like in China.
“There is an increasing trend to cheap development in other locations with
specialized knowledge. The organization obviously had a large presence in India
all these years and built up the technology perspective. You need to build up a
long term relationship with the companies. I would say the trend would continue
to be global but we would like to bring it in-house again within the organization.
We are fortunate that we are able to fund investments into international
operations that have started in corporations like in shanghai.”
123
5.8.10 Concept Map
Figure 5.6 Concept Map of Interview 6 – Head of Department
5.9 Discussion
5.9.1 Summarizing the key concepts
The key concepts identified in each interview are summarized and presented in the
analysis chart presented as follows:
124
Interviewee Key concepts
Compliance Manager
Procurement Manager
Development Support Manager
Business Development Manager
Project Manager Department Head
Role in the company
Manages the compliance part in outsourcing projects
Manage procurement side, negotiation and signing of contracts
Manages offshore support team, new developments and handles production issues
Manages development effort of the local technology team
Manages the development in the technology office
Head of Technology for various segments in 23 countries
Objective of outsourcing
Lack of resources, Cheaper, Lack of skills, collaboration
Cost effective, reduction in headcount
Cheaper, productexpertise
Quality of services, use of technology, cost
Outsourcing options
In-source , outsource Onsite or offsite Personal list of vendors, Global list
In-house, outsource
Role in the decision making process
Ensure adequate process is followed in vendor selection, vendors follow the controls and standards set by the company
Negotiation with the vendors for discounts
Managing the relationship
Managing the relationship
Initiator of the project. Call for request for proposal, short list the vendors based on experience
Is the final arbitrator who decides on the selection of the vendor
Key Issues in outsourcing
Controls, Intellectual property rights, Confidentiality, Internet access
Lack of processunderstanding, bureaucratic, cultural differences, inconsistent standard of performance review
Language, Geographical Distance, Time Difference, Business Knowledge, Technical Capability, Knowledge gap, Quality of products, Knowledge transfer, Staff turnover
Quality of the services provided
125
Risks in outsourcing
Product delivery, information security, vendor ability, financial viability, backup plan, Exit plan
Quality of the product, effective pricing
High staff turnover, management issues, time zone, business knowledge, quality of services
Financial Stability, Level of resources, Resource availability, accountability
No direct control, procedures could be different, technical risks – key strength and weakness, staff turnover, geographical distance, languages, cultural differences, level of knowledge and experience
Technical knowledge of the product and process, financial viability of the vendor, presence of controls and compliance, strong communication channels
Risk Identification
Visit vendor site, references, company procedure, past account of 3 years, current staffing levels, experience levels of the staff
Experience, gather information on outsourcing
Previous experience
Gather information on : Company history, List of clients, Type of services, References, Feedback from the clients, Location of the vendor, Disaster recovery abilities
Gather information on : Company history, List of clients, Type of services,
Risk Assessment
Common sense, previous experience, numeric metrics
experience Whether theobjective is achieved, a high degree of control
experience
Strategies & Policies for managing risk
Framework covering: Information security, Continuity of business, software management, resource management, vendor management,
Escalation levels, senior management at a regional level involved in decision taking process
Risk management team, quality team and UAT. Approved list of vendors. Global contracts with vendors
Information securitypolices, labour law practices, business practices, continuity of business, no particular standard to say you shouldn’t be outsourcing, control
processes around
Controls and compliance standards, regular audits,
126
performance analysis, vendor review. Outsourcing policy which states which activities can be outsourced
outsourcing, legal regulations
Risk Management Techniques
Not aware Not aware Decision on outsourcing is taken on a regional level. Higher authority controls
Process for quotes from 3 vendors, backup/exit plan is considered in the contract, critical source code is covered/ escrow
Standard set for financial perspective
Key factors for decision making
ultimate cost, time to market, quality of product
Product knowledgeof the vendor, availability of off the shelf software, vendor’s clientele the software engineering process followed, commitment to the project, resource availability
Onsite- more controls Offsite – efficient services, less bureaucratic
Familiarity of product, project management expertise, cost, product expertise, skilled resources
Quality of the product, final delivery of the product
Use of consultant for vendor management
Yes. Management of vendors is a specialized job. It takes a certain amount of skill to it.
No. No. It just puts many additional people in the way.
No. sufficient experienced people in the organization
No. Impact on cost No. They wouldn’t know the company’s rule and controls issue.
Suggested Measures
Set a process to measure the quality of product and support. Identify key performance indicators
Training, lessbureaucratic process, need of a system analyst to understand the user requirements, Standardized
System analyst for effective gathering of user requirements, to bridge the gap between technology and business
127
performance reviews, provision of testing evidence or reports.
Future Trends in outsourcing
Bring it in-house to the other entities in the organization. Outsource to China
Reduce the number of vendors or suppliers
outsourcing Continue withoutsourcing
Increasing trend to cheap development in other locations with specialized knowledge
Future Risks Lack of outsourcing management experience, language problems
Less competition Same risks
Figure 5.7 Analysis Chart
128
5.10 Findings
Each key concept identified in all the interviews are put together and analyzed with the
theoretical framework identified in the literature in order to discuss the outsourcing
framework and risk management practices followed in the company.
5.10.1 Objective of Outsourcing
All the interviewees who are directly involved in the decision making process like the
compliance and project manager and the Head, have identified cost effectiveness as one
of the reasons for outsourcing. However they further state that cost is not the only factor,
they identify other factors like product expertise, skilled resources and quality of
services as other motives for outsourcing. These factors can be put together as IS
capability factors as identified by Smith et al., 1998; Lacity et al., 1994; McFarlan and
Nolan, 1995. Presently, the bank is in to outsourcing of IT functions like software
application development and maintenance support. The senior management does realize
the importance of considering product expertise and quality of services as crucial
decision factors in outsourcing these functions.
However, the outsourcing of the data center activity, in 1992, was motivated by several
factors. Firstly, the senior management considered the data center activity as a
commodity service which did not add primary value in the value chain analysis thus
making it a means of achieving a reduction in headcount. Secondly, the vendor had
agreed to the transfer of personnel and offered to buy the equipment thus giving the bank
the opportunity to generate cash and enhance liquidity. Thirdly, this was almost the first
outsourcing deal by the bank which took place around the same time when all the big
companies where vying outsourcing as an alternative after the Kodak decision. Thus
external influences that existed in the industry seem to have an indirect role in the
decision to outsource the IT function.
129
The motives identified can be analyzed as having negative outcomes. Firstly, as more
and more banking functions get technologically integrated, the data center activity can
no longer be termed as a commodity service but is very much a strategic activity. It is a
vital IT function that can have an impact on the business. Though the quality of the
services provided by the vendor was satisfactory, but as the bank became more and more
technologically dependant, it led to an increase in the demand for additional hardware
and software. Thus the management lacked foresight. Secondly, the deal provided
liquidity benefits and short-term earnings, through sale of assets. But it also led to loss of
valuable human resources and the associated knowledge base which resulted in lack of
managerial control and technological dependence on the vendor. This is termed as a
dysfunctional decision by Zucchini (1992) in his Four-S Outsourcing Model. Lastly,
market trends and environmental influences should not be a factor of motivation in
decision-making.
Figure 5.8 Concept Map of Key Element 1 – Objective of Outsourcing
130
5.10.2 Outsourcing Process
The project manager takes the initiative in coordinating the outsourcing process.
However for achieving the actual benefit of outsourcing, one needs to understand the
expectations of all the stakeholders in the project. The outsourcing effort will be
successful if it meets the objectives of the stakeholders and the organization as a whole.
Typically the senior management would look at cutting costs whereas the business units
would tend to view IS as a critical activity to daily business processes and look for
service excellence. The IS manager needs to understand the different perceptions of the
stakeholders and create a shared agenda by classifying the IS activities into
‘commodities’ and ‘differentiators’. As depicted in the matrix by Lacity (1993) which
illustrates the IS cost/service trade-off – that costs are directly proportional to service
levels (the better the service, the higher the costs)
The present outsourcing process of the bank typically follows the general framework as
suggested by Everest (1996) which includes the phases of deciding whether to outsource
or not, the pre-outsourcing phase, evaluation of bids, procurement phase, management
followed by change management phase. As recommended by Lacity (1993) the
organization does have different teams which include the Request for Proposal (RFP)
Team and the Evaluation Team. In this case, the Request for Proposal is prepared by the
Project Manager who co-ordinates with the vendors. The Evaluation Team consists of
the Procurement and the Controls departments who negotiate with the vendors and
ensure that the contract is in place. In the process, one of the risk management
techniques adopted by the bank, as pointed out by the Compliance Manager, is that the
Project Manager is not included in the evaluation team. This ensures that the interests of
all the vendors are protected and there is no scope of favoritism. The major evaluation
criterion as pointed out by the Procurement Manager is the price. However, the
Compliance Manager does stress on the different control levels like disaster recovery,
contingency plan, information security and contract administration and termination to be
in place. The IS activity can be outsourced only if the vendor follows the controls set by
131
the bank. Thus it can be commended that the bank does make a qualitative assessment
thereby extending much beyond the price factor.
Lastly, in the change management phase, the relationship is managed by the Project
Manager during development and gradually by the Production Support Manager. As
suggested by Lacity (1993) the senior management does have a key manager to
prioritize requests and handle disputes and monitor vendor performance.
In terms of the software development project, the company follows the typical waterfall
method wherein the organization plays a role in project initiation, collecting user
requirements and finally testing the product. However such a process has its drawbacks,
for example, the company will have to wait until the complete system is developed to
know if it fulfills all user requirements. This risk has been identified by the Development
Manager as well who states that the business can test the system only in the UAT phase.
Secondly, any changes can be implemented only once the whole cycle is completed.
New features would involve cost, time and resources.
132
Figure 5.9: The Outsourcing Decision Process (Adapted from Butler et. al, 2001, pg. 56)
5.10.3 Risks in Outsourcing
The main risks in outsourcing identified by all the interviewees are financial stability,
knowledge level in terms of technical and business, quality of services, level of controls
and geographical differences as identified by many researchers like Aubert and et al,
2001; Takac, 1994 and Chalos, 1995. However the rate of these risks as high, medium or
low in terms of its impact and consequences vary between the interviewees. The people
involved in managing the relationship like the Project Manager and Production Support
133
Manger also recognized staff turnover, resource availability, time zone and cultural
differences as potential risks in outsourcing. The Procurement Manager identifies hidden
costs as a risk which had a high impact in the outsourcing deal way back in 1992. The
Project Manager does emphasize lack of control as a high risk as it affects the service
delivery. Though there are specific risks like security threat, confidentiality of
information and legal regulations, but they have been identified by the organization and
strictly mitigated in the form of controls and compliance.
However there are other risks which may have not been identified or realized by the
people managing the relationship. These risks include business uncertainty, outdated
technology skills lack of organization learning, loss of innovation, technological
indivisibility and fuzzy focus (Earl, 1996). In terms of software development, the project
manager needs to identify project risks in terms of product, definition and maintenance
risks (Marsh et. al., 1996). The Head of the Department recognizes the fact that the
offshore units do outsource to global programmers.
“I know that units in Singapore and Shanghai do outsource themselves to global
programmers. It’s not something which we don’t do ourselves. I rely heavily on
the knowledge of the people in Singapore that they recruit or outsource the right
people.”
- Head of the Department
But when the development is sub-contracted by the vendor to the third party, it brings in
new level of risks like accountability and resource capability which need to be assessed
and controlled. Even though all the risks may not be present in every sourcing decision,
there are not unusual or esoteric risks (Earl, 1996).
134
Figure 5.10 Concept Map of Key Element 3 – Risks in Outsourcing
5.10.4 Risk Identification Process
Most of the participants have quoted intuitive assessments and prior experience as a
means of identifying risk. However, relying only on the intuition of the experienced
managers to identify risks has proven to be unsatisfactory in the past (Marsh et. al.,
1996). There are various other methods suggested by researchers which include
organizing brainstorming sessions with the managers to discuss the problems in-depth
and provide solutions; conducting structured interviews to initiate a risk revealing
discussion and at times to use expert computer-based systems or outside specialists or
consultants, thus bringing in additional experience in the field of concern.
Furthermore, every company should seek to adopt a risk identification method that is
suited to its culture and meets the depth of detail. A company having a formal method
for its estimating process may follow the checklist method whereas a company with a
participatory style of management may prefer brainstorming sessions, with the project
135
manager taking the record of the risks. A mixture of structured interviews and use of
specialists may have an effect on cost and time but their familiarity with the field would
definitely contribute to the risk identification process. Thus it’s crucial that risks are
identified because if the complete risk picture is not well understood before entering the
negotiation, it would lead to an increase in the risk exposure. It is a management
prerogative to accept the risks (Marsh et. al, 1996).
Since financial stability of the vendor and product knowledge are considered as high
risks, all the interviewees talk about various strategies for collecting vendor information.
The Head of the Department mentions gathering information like company history, list
of clients and types of services; the Compliance Manager suggests visiting the vendor
site, gathering references, examining accounts of past 3 years and information on current
staffing levels and experience levels of the staff; the Production Support Manager
mentions the location of the vendor and disaster recovery abilities as factors to be
considered for identifying risk. These methods would definitely be effective in
perceiving the capability of the vendor. Furthermore to validate the clams in the bidding
exercise and to review performance levels, the organization must make surprise visits
and conduct site audits.
136
Figure 5.11 Concept Map of Key Element 4 – Risk Identification
5.10.5 Risk Assessment Process
In terms of assessing the risks, the Compliance Manager points out that there are no set
methods being followed and he has mostly seen common sense, previous experience and
at times some numeric metrics being used.
“I have seen it done in a number of different ways. Sometimes I have seen it done
by using common sense and outsourcing experience. What I have also seen is
some basic numeric metrics.”
Though the common way to assess the risks is through intuition and experience, it is
important to assess the probability of occurrence of these risks and its impact on
timescales, costs and performance. A risk analysis is not complete until all major risks
137
are evaluated in terms of their total cost impact and due allowance has been made for
minor and residual risks (Marsh et. al., 1996). The company may follow any method or
use any computer aided program but it’s crucial to quantify risks in order to know its
impact on the decision and the outsourcing project.
Figure 5.12 Concept Map of Key Element 5 – Risk Assessment
5.10.6 Strategies & Policies for managing risk
The organization has set standards in terms of controls and compliance. It has a
framework that covers information security, continuity of business, software
management, resource management, vendor management, performance analysis and
vendor reviews. The organization also follows legal regulations; labour law practices
and has a quality team and a UAT team.
In terms of strategies, the Production Support Manager mentions the escalation levels
which go up to the regional level as means for managing risks. The Project Manager
emphasizes on various control procedures that have been put it place around the
138
outsourcing process. The Head of the Department stresses on regular audits as a strategy
for managing vendor related risks.
In terms of policies, the organization seems to have all the controls in place. It follows
the legal regulations set for the banking industry. What needs to be reviewed is the level
of implementation by the vendor companies. The same can be assessed through regular
audits which can be conducted by the organization on a regular basis.
Figure 5.13 Concept Map of Key Element 6 – Strategies & Policies
5.10.7 Risk Management Techniques
As regards risk management techniques, most of the interviewees were not aware of any
set procedure being followed by the bank. The Business Development Manager
mentions the role of high authority controls in decision making. The Head of the
Department discusses the standards set on financial grounds. The Project Manager
139
identifies few practices like the process of receiving quotes from 3 vendors, during the
negotiation process the backup and exit plan is considered in the contract thus the
reputation risk is also covered. The critical source code is covered through escrow. Thus
it can be observed that risk management techniques are presently followed in the bank in
the form of policies and guidelines.
Figure 5.14 Concept Map of Key Element 7 – Risk Management Techniques
140
5.10.8 Use of Third Party Consultant
The Compliance Manager personally agrees to the option of having a consultant to
manager the vendor relationship as he thinks it’s a specialized job.
“Management of vendors is a specialized job I think. It takes a certain amount of
skill to it. Traditionally we don’t employ people with that skill and specialist role
to do that so I think because of that we get ourselves into trouble so I know there
are companies out there who do nothing but provide vendor relationship
management. I personally would consider such an option.”
- Compliance Manager
But the rest of the participants are of the opinion that having a third party consultant
wouldn’t be advantageous due to many reasons. The Head of the Department states that
they wouldn’t know the controls set by the bank. The Project Manager mentions, it
would have an impact the cost. The Production Support Manager is of an opinion that
she wouldn’t want an outsider indulging in the relationship as it would just involve
additional people. Thus all of them view this concept from a different perspective which
is more or less related to their field.
Figure 5.15 Concept Map of Key Element 7 – Use of third party consultant
141
5.10.9 Suggested Measures
The measures suggested by the participants cater to the issues faced by them in their
respective areas. The Compliance Manager cites the need to set a process to measure the
quality of the product and suggests identifying key performance indicators for measuring
performance. The Production Support Manager insists on providing some formal
training to the vendor employees on the existing processes for effective coordination.
Furthermore, the manager suggests measures like uniformity in performance review
documents which would result in effective appraisal of performances. Lastly a process
of acquiring proof of testing from the vendors in order to ensure a thorough test of the
impact of the new system is also recommended. Both, the Production Support Manager
and the Development Manager, come in direct contact with the developers and the
ultimate user and have identified the need of a system analyst for effective gathering of
user requirements which would bridge the gap between technology and business.
Ironically, the head of the department is very much satisfied with the existing process
but stresses on the point that it’s very important to have all the controls in place for a
successful outsourcing experience.
142
Figure 5.16 Concept Map of Key Element 8 – Suggested Measures
5.10.10 Future Trends All the participants believe that the organization would continue outsourcing of
development work in future. However the trend is towards in-sourcing it to other entities
of the organization based in other countries. The Compliance Manager states that the
organization is aware of having a huge share of investment in software houses in India.
Therefore to diversify their risks, it is now looking at other avenues like Poland and
China.
“Poland is a lot cheaper now. India is not always the low cost. The other thing is
we are conscious that we have a lot of investment in software houses in India and
as a cliché, ‘you don’t’ have all your eggs in one basket’, so for business and for
risk management reasons it makes sense to spread the development work
around.”
- Compliance Manager
143
The Head of the Department stresses on moving to cheaper locations with specialized
knowledge. He insists on building a long term relationship with the vendor company
rather than taking it as a mere contract.
“There is an increasing trend to cheap development in other locations with
specialized knowledge. The organization obviously had a large presence in India
all these years and built up the technology perspective. You need to build up a
long term relationship with the companies. I would say the trend would continue
to be global but we would like to bring it in-house again within the
organization.”
- Head of Department
But outsourcing to other emerging countries would require analyzing the risks from a
different perspective. The probability and the rate of risks would differ for each country.
The language issue which would be considered as a medium or low risk when
outsourced to India would definitely be regarded as a high risk for China. This has been
identified by the Project Manager. He is aware of the huge investment in India and
recognizes the trend of outsourcing to cheaper locations like China but stresses on the
fact that unless they solve the language issue, it would be difficult to coordinate and
manage the relationship. He is of an opinion that probably it would take around 3 years
for China to emerge as a big competitor against India. Moreover, he recognizes the risks
of lack of project management expertise and outsourcing experience that should be
assessed before taking a decision.
The concept of in-sourcing to other entities within the organization causes an emergence
of different set of problems. One of the issues faced by the Production Support Manager
is the lack of professionalism on the part of the in-house team.
“The developers work hard but sometimes you feel they don’t treat you like a
client as they potentially should”
-Production Support Manager
144
Thus as identified by Lacity (1993), in-sourcing may not be an appropriate strategy as it
fails to capitalize on a vendor’s inherent cost advantages and creates a political
environment of complacency.
Furthermore, the Head of Department talks about using the existing technology and
knowledge that has been gained by the organization globally. The Procurement Manager
supports the view that it is a strategy adopted by the organization to keep the money
within the group. On analyzing the notion of using existing systems, it definitely would
be advantageous in terms of cost and product knowledge however the existing systems
may not always be the best option for the unit. It may lead to loss of innovation and use
of outdated technology. This is identified by the Production Support Manager as well
who believes that although the present systems provide the basic features and are steady,
there are systems available in the market which could provide better services and
superior quality products.
Lastly, the Procurement Manager observes the trend of reducing the number of vendors
or suppliers. It leads to effective management but has an impact on effective
competition. But the Procurement Manager considers this risk as low as it is believed to
evolve in relative unit. He suggests eliminating those vendors from the list who are not
frequently used as one would not be able to evaluate their performance. However the
Project Manager talks about scale in vendors and emphasizes on distributing the risks by
using different vendors thereby reducing the dependency on a particular vendor.
Furthermore the manager discusses the concept of spread of vendors to manage the
geographical risk. Thus one needs to identify vendors who have a global reach.
145
6. Recommendations & Conclusions
6.1 Recommendations
The comparative analysis of the interviews with the theoretical framework identified in
the literature resulted in key findings in the outsourcing concept. This research displays
the effective outsourcing process and control practices being followed by the bank. It
highlights the immense knowledge and experience gained by the organization since a
decade. The bank had started outsourcing the information technology functions in 1992.
This knowledge and experience has lead to formulation of policies and controls around
the outsourcing process. The technology unit of the bank follows these procedures and
complies with the legal regulations in terms of outsourcing.
However with the ever changing technological environment and the complex nature of
the systems and processes, there is always scope of improvement in the existing
procedures. It is commendable that each interviewee is aware of the existing issues and
recommends a possible solution. If the senior management could review these measures
and implement them, it would definitely have a positive impact on the performance
levels.
Furthermore the results showed that although the framework for outsourcing has been
developed, the bank does not follow a risk management framework in terms of project
management. The outsourcing of application development involves certain risks when
outsourced to offshore countries which need to be identified and effectively assessed in
the decision making process. Since there is no set process for risk identification and
assessment, the concept of risk management seems to be vague and unclear. The
organization needs to evaluate the risks on the project level effectively before selecting
the vendor. Risk management should be integral to the project management process.
In terms of the software development model being followed, it is recommended that the
organization considers an iterative process model wherein the system is developed on a
146
piecemeal basis and the business is actively involved in the development process. This
would mitigate the risk of uncertainty in terms of the product not being developed as per
the user requirements.
The results also highlighted the need for a system analyst in the bank who would be
technically competent and with the related experience and knowledge would bridge the
gap between the business and the technology team. It would result in effective gathering
of user requirements and would consequently have a trickling effect to the overall
process of outsourcing of software development.
Moreover when it comes to decision making, the organization needs to assess the
interests of all the stakeholders and take a strategic decision. In terms of managing the
relationship, the decision to involve a third party consultant is similar to an outsourcing
decision and involves a cost/service tradeoff.
Outsourcing is a global phenomenon. With increasing competition, the established
vendors and new entrants are offering more market-focused products and services. The
organization needs to align its outsourcing decision with its strategic objectives. With
international economic conditions and political instability, the views of the Project
Manager in terms of spread of vendors to manage geographical risk bear much relevance
to the current situation and takes into account the emerging opportunity of international
competition.
6.2 Conclusions This research set out to investigate the risk management practices in decision making of
outsourcing of information systems with the technology department of a large multi
national bank in United Kingdom providing the case study. There is enough literature on
the outsourcing phenomena, its benefits and risks and the decision process for
outsourcing, however not much has been stated on the risk management practices. This
147
research was initiated with an intention of developing a risk management heuristic to
add to the framework of risk management practices in the outsourcing process. The
investigation incorporated stages of the risk management cycle like identification,
assessment and control of the risks in the decision making process. This research has
been undertaken through conducting interviews with several key stakeholders of the
outsourcing process. The detailed findings relating to the outsourcing process, risks
involved and risk management practices associated with the case study have been
discussed in detail in the results and findings and recommendations sections. The
conclusions presented below are intended to provide an overview of the broader
relevance of the findings associated with this research.
The research discovered that the outsourcing process was being practiced by the bank
with more focus on following regulatory controls than formulating a risk management
process. This research concludes that banks lay more emphasis on mitigating financial
and business risks than technical and operational risks.
The results showed the increasing trend of the bank to outsource to cheaper locations,
however there is a need for identifying and assessing the risks on a comparative basis as
the probability and impact of the risks would differ for each offshore destination.
Furthermore the research evidence reveals an absence of a framework for assessing the
risks in outsourcing and its impact in terms of cost, scale and performance. Thus the
quantification of the risks was not possible within the purview of this research.
The results showed that although the bank had implemented the ideal framework for
outsourcing, much effort is needed in managing the relationship effectively. A periodical
performance review is highly desirable along with the identification of key performance
indicators of quality process and benchmarking.
148
6.3 Future Research
This study established an interesting empirical evidence of risk management practices in
outsourcing of information systems in a commercial bank. Management of other
organizations can use this evidence as an input to their own decision making to improve
the outsourcing process and achieve the objectives of outsourcing.
Future research should consider the assessment of the risks identified in terms of its
probability and impact and develop thorough analysis of risk management process. As
new strategies keep evolving in the outsourcing process, future research could develop a
futuristic framework for risk management practices for the future trends in outsourcing.
149
BIBLIOGRAPHY Apte et al., 1997, “IS outsourcing practices in the USA, Japan and Finland: a comparative study”, Journal of Information Technology 12, pg. 289-304
Aubert, et al., 2001, “Managing IT Outsourcing, Risk: Lessons Learned”, Scientific Series, CIRANO, Montréal, May 2001 http://www.cirano.qc.ca/pdf/publication/2000s-39.pdf [Accessed 28 July 2004] Aubert, et al., 2000, “IT Outsourcing Risk Management at British Petroleum” Scientific Series, CIRANO, Montréal http://www.cirano.qc.ca/pdf/publication/2000s-31.pdf [Accessed 28 July 2004] Baccarini, D. and Archer, R., 2001, “The risk ranking of Projects: a Methodology”, International Journal of Project Management, 19, pg. 139-145
Basel Committee on Banking Supervision, 2001, Risk Management Principles of Electronic Banking, Bank for International Settlements
Bernstein, P.L., 1996, “Against the Gods – The Remarkable Story of Risk”, John Wiley & Sons, New York Bhattacharya, S., Beharab, R., David, L., Gundersenc, E., “Business risk perspectives on information systems outsourcing”, International Journal of Accounting Information Systems 4, 2003, pg. 75–93 Boehm, B, B.W., 1989, “Software Risk Management”, IEEE Computer Society Press, Los Alamitos, California Butler, M., Holt, M., Menzies, K., Jones, G., Jennings, T., Jagger, E., Smith, E., Newman, J., Jones, T. & Gibbes, K., 2001, “Strategic Sourcing: Effective alternatives for enterprise”, Butler Group: Technology Infrastructure, Research and Advisory Services, October 2001 Cadle, J. and Yeates, D., 2001, Project Managers for Information Systems. Essex: Prentice Hall. Chalos, P., 1995, ‘Costing, Control and Strategic Analysis in Outsourcing Decisions’, Cost Management, Winter, pg. 31-37
150
Cohen, L., 2003 – Developing and Setting an Outsourcing Strategy, Gartner Group, October, 2003 http://www3.gartner.com/DisplayDocument?id=411574 [Accessed on 3 June, 2004]
De Looff, L., 1997, “Information Systems Outsourcing Decision Making: A Managerial Approach”, London: Idea Group Publishing, pg. 30
DFC, Department of Finance, Canada –Glossary http://www.fin.gc.ca/scripts/glossary.asp [Accessed on 3 June, 2004]
Dickson, G., 1989, “Risk management: what does the future hold”, Journal of the Society of Fellows London Chartered Insurance Institute Domberger, S. and Fernandez, P., 2000, “Modelling the price, performance and contract characteristics of IT outsourcing”, Journal of Information Technology, 2000 15, pg. 107–118
Earl, M.J., 1996, ‘Limits to IT Outsourcing’, London: London Business School Elkington, P. & Smallman, C., 2000 “Managing project risks: a case study from the utilities sector”, International Journal of Project Management, 20 49-57 http://www.elsevier.com/locate/iproman.html [Accessed: 28 July 2004]
Everest Software Corp.,1996-1997, ‘Outsourcing’ http://www.outsourcing-mgmt.com/html [Accessed 28 July 2004] Fairchild, A., “Enabling Usage-Based IT Costing in the Banking Sector”, Tilburg University, the Netherlands http://www.ejise.com/volume6-issue2/issue2-art10-fairchild.pdf [Accessed on 3 June, 2004]
FDIC, 2000, Risk Management of Technology Outsourcing, Federal Deposit Insurance Corporation, Washington, November, 2000
Free, D., 2001 – “Financial Services Strategies: The Case for Outsourcing Business Issues”, Gartner Research http://www3.gartner.com/DisplayDocument?id=349134 [Accessed on 3 June, 2004]
151
Haimes, Y.Y, 1998, “Risk Modeling, Assessment and Management”, John Wiley & Sons Inc Hancox, M. and Hackney, R., 2000, ‘IT Outsourcing: frameworks for conceptualizing practice and perception, Information systems journal 10, Blackwell Science Ltd, 2000, pg. 217-237
Hillson, D., 2001, “Extending the risk process to manage opportunities” International Journal of Project Management, Vol. 20, No. 3, pg. 235-240.
Higuera, R. P., 1995, “Team risk management” Crosstalk: U.S. Department of Defence, January 1995 pg. 2-4 Huff, S.L., 1991, ‘Outsourcing of Information Services’, Business Quarterly, spring 1991, pg. 62-65 Glass, R.L., 1996, ‘The end of the outsourcing era’. Information Systems Management, 13 (2), pg. 89-91 Goolsby, K., 2004, “The Reach of Risk in Financial Services”, Outsourcing Center, Everest Partners, April, 2004 http://www.outsourcing-information-technology.com/reach.html [Accessed 28 July 2004] Jennings, D. and Wattam, S., 1998 Decision Making- An Integrated Approach, Financial Times Management Kettler, K. and Walstrom, J., 1993, “The Outsourcing Decision”, International Journal of Information Management, 13(6), pg. 449-459 Kleinhammer, R., Nelson, T., Warner, A.J., 2003,“Balancing the Risks”, Darwin Magazine, CXO Media Inc, June, 2003 Klepper, R., 1995, ‘Outsourcing Relationships’, in Managing IT with Outsourcing, eds. Khosrowpour M., pg. 218-243
Kliem, L. R. and Ludin, S. I.,1997, Reducing Project Risks. Hampshire, England: Gower. Lacity, M.C and Hirschheim, R., 1993, ‘The Information Systems Outsourcing Bandwagon’, Sloan Management Review, fall 1993, pg.73-86 Lacity, M.C and Hirschheim, R., 1995, “Beyond the Information Systems Outsourcing Bandwagon”, Wiley & Sons, USA
152
Lacity, C.M, Willcocks, P.L, and Feeny, F.D., 1996, ‘The Value of selective IT sourcing, Sloan Management Review, Spring, pg. 13-25 Lankford, W.M. and Parsa, F., 1999, ‘Outsourcing: a Primer’, Management Decision, MCB University Press, 37/4 1999, pg. 310-316 Lanzing, J., 1997, The Concept Mapping Homepage http://users.edte.utwente.nl/lanzing/cm_home.htm [Accessed 28 July 2004]
Lewis, E., 1999, “Using the risk-remedy method to evaluate outsourcing tenders”, Journal of Information Technology, 14, pg. 203-211 Levin, M., Schneider, M., 1997, “Making the Distinction: Risk Management, Risk Exposure”, Risk Management, August 1997, pg. 36-42. Loh, L. & Venkatraman, N., 1995, “Information Technology Outsourcing: A Cross-Sectional Analysis, in Strategic Information management”, eds. Galliers R.D & Baker B.S.H., Butterworth-Heinemann UK, pg. 263-281 Lonsdale, C., 1999 - “Effectively managing vertical supply relationships: a risk management model for outsourcing” Supply Chain Management. An International Journal 4 (4), pg. 176-183. Lowrance, W. W., 1976, “Of Acceptable Risk, William Kaufmann, Los Altos, CA McGaughey, R. E. Jr., Snyder, C. A. and Carr, H. H.,1994, “Implementing Information Technology for competitive advantage: risk management issues”, Information and Management 26, pg. 273-280
Marsh, S., 1996, “Introducing RISKMAN: The European Project Risk Management Methodology”, The Stationery Office, 1996 Mayes, N., 2004, ‘The Next Generation’, Computer Business Review, June 2004, pg. 58-60 McCarthy, E., 1996, ``To outsource or not to outsource - what's right for you?,'' Pension Management, Vol. 32 No. 4, pg. 12-17 McFarlan, F.W. & Nolan R.L., 1995, ‘How To Manage an IT Outsourcing Alliance’, Sloan Management Review, Vol. 36, No. 2, Winter 1995, pg. 9-22 McGrew, G.A, 1982, Decision making – Approaches and Analysis, M.J. Wilson , Manchester University Press
153
Murphy, J., 2003 – Management Update: Evaluating and Mitigating Outsourcing Risk http://www3.gartner.com/DisplayDocument?id=406357 [Accessed on 3 June, 2004]
Myers, M., 1997- Qualitative Research in Information Systems, MISQ Discovery http://www.qual.auckland.ac.nz/ [Accessed on 3 June, 2004] Oltman, J.R., 1990, ”21st Century Outsourcing”, Computerworld, 16 April, pp. 77-79 Price Waterhouse Coopers, 1998, ‘Global Top Decision Makers Study on Business Process Outsourcing’, Price Waterhouse Coopers, New York, NY, London, Yankelovich Partners, Goldstein Consulting Group. Ptak, R.L. and Noel, J., 1998, “Avoiding outsourcing blues”, Business Communications Review, 1998
Remenyi, D. and Heafield, A., 1996, “Business process re-engineering: some aspects of how to evaluate and manage the risk exposure”, International Journal of Project Management , Vol. 14, No. 6, pp. 349-357, Elsevier Science Ltd and IPMA Saunders, M; Lewis, P. and Thornhill, A., 2000, “Research Methods for Business Students”, (2nd Edition) Prentice Hall Sangani, K., 2003 – Financial World http://www.financialworld.co.uk/mag.pdf/apr03/p28-34OutsouingFWApr03.pdf [Accessed on 3 June, 2004] Scardino, L., 2003 - A Blueprint for Successful Sourcing, Gartner Group, May, 2003 http://www3.gartner.com/DisplayDocument?id=393586 [Accessed on 3 June, 2004]
Smith M. A., Mitra S., Narasimhan S., “Information systems outsourcing: a study of pre-event firm characteristics”, Journal of Management Information Systems 1998, 15(2), pg. 61–93.
Smith, K.L and Smith, D., 2003, “Management Control Systems and trust in outsourcing relationships”, Management Accounting Research, Vol. 13, Issue. 3, September, 2003, pg. 281-307
Spillenkothen, R., 2001, ‘Outsourcing of Information and Transaction Processing’, Director, Division Of Banking Supervision And Regulation, Board of Governors Of The Federal Reserve System, Washington D.C., 2001
154
155
Takac, P.F., 1993, ‘Outsourcing Technology: Is Outsourcing a Threat or an Opportunity for greater efficiency and productivity? ’, Management Decision, Vol. 31, No. 1, 1993, pg. 26-37 Takac, P.F, 1994, ‘Outsourcing a Key to Controlling Escalating IT costs’, International Journal of Technological Management, Volume 9, Number 2, pg. 139-55 Teece, D. J., Rumelt, R., Dosi, G., Winter S., 1994, "Understanding Corporate Coherence, Theory and Evidence", Journal of Economic Behavior and Organization, 23, 1994, pg. 1-30 Upton, R. and Conway, J., 2002 “Second-Generation IT Outsourcing: A Primer”, White Paper, Managed Services, Fujitsu Consulting Inc Valsamakis, A. C., Vivian, R. W. and Du Toit, G. S., 1992, “The Theory and Principles of Risk Management”, Butterworth Publishers (Pty) Ltd, Durban
Ward, J. & Griffiths, P., 2001 “Strategic Planning for Information Systems”, Chichester: John Wiley & Sons. , pg. 96-154
Weinreich, N.K., 2003, Integrating Quantitative and Qualitative Methods in Social Marketing Research http://www.social-marketing.com/research.html [Accessed on 19 May, 2004] William, M.K., 2002, Deductive and Inductive thinking http://trochim.human.cornell.edu/kb/dedind.htm [Accessed on 3 June, 2004]
Willcocks, L. and Margetts, H., 1994,”Risk and information systems: developing the analysis”, In Information Management: The Evaluation of Information Systems Investments,Willcocks, L. (ed.), Chapman & Hall, London, pg. 207-30. Wood, Douglas, 2001, “Corporate Strategy, Centralization and Outsourcing in Banking:Case Studies on Paper Payments Processing”, Manchester Business School http://econwpa.wustl.edu:8089/eps/eh/papers/0301/0301005.pdf [Accessed on 3 June, 2004]
Zhu, Z., Hsu, K. and Lillie, J., 2001, “Outsourcing - a strategic move: the process and the ingredients for success”, Management Decision, MCB University Press, Volume 39 Number 5 2001, pg. 373-378