Original source publication: de Sá-Soares, F., D. Soares and J. Arnaud (2014). Towards a Theory of Information Systems Outsourcing Risk. Proceedings of the Conference on Enterprise Information Systems 2014—CENTERIS 2014. Tróia (Portugal).
The final publication is available here.
Towards a Theory of Information Systems Outsourcing Risk
Universidade do Minho—Departamento de Sistemas de Informação—Centro ALGORITMI, Guimarães, Portugal
Abstract
Information systems outsourcing risks are a vital component in the decision and management process associated to the provision of information systems and technology services by a provider to a customer. Although there is a rich literature on information systems outsourcing risks, the accumulated knowledge on this area is fragmented. In view of this situation, an argument is put forward on the usefulness of having a theory that integrates the various constructs related to information systems outsourcing risks. This study aims to contribute towards the synthesis of that theory, by proposing a conceptual scheme for interpreting the literature and presenting a preliminary version of a catalog of information systems outsourcing risks. Proposals for subsequent work towards the generation of the theory of information systems outsourcing risk are suggested.
Keywords: Information Systems Outsourcing; Risk; Theory
1. Introduction
The survivability and prosperity of any organization depends crucially on its capability to perform a set of activities that result in the delivery of a valuable product or service for the market. In order to enhance their value chain, organizations use various technological and managerial solutions to support their business processes. These solutions may be developed internally or procured externally to the organization, configuring the two main ways to obtain any type of resources–insourcing and outsourcing. Confronted with fierce competition in the context of global economic and financial crises, companies strive for greater efficiency and reduced costs, while at the same time try to increase their specialization in a limited number of key areas. This state of affairs may tip organizations to the outsourcing side of the sourcing binomial, transforming the outsourcing option in a critical strategic decision [McIvor 2008].
In the realm of information systems (IS), outsourcing involves making arrangements with an external party for the partial or total provision of the management and operation of an organization’s information technology (IT) assets or activities [Kern and Willcocks 2001]. These arrangements take the form of contracts that state the agreement between two entities: the customer of the outsourcing services and the provider (or providers) of those services.
The relevance of IS outsourcing is evidenced by Gartner’s forecasts of a worldwide market reaching $288 billion in 2013 [Gartner 2013] and of a growth rate of 5.2% in 2014 [Gartner 2014]. It may also be appreciated by considering the accumulated knowledge produced on the area (cf. [Dibbern et al. 2004] and [Lacity et al. 2009]).
Prior to embark upon an IS outsourcing project, an organization should ponder the expected costs and benefits of the outsourcing option. If the organization decides to proceed with the outsourcing, the consideration of the costbenefit relationship should persist, in order to take into account the benefits really achieved and the costs incurred. Associated with benefits and costs of an outsourcing deal there is a set of risks. These risks need to be managed if the transaction between an outsourcing customer and one or more outsourcing providers is to be successful.
Various studies have been conducted on IS outsourcing risks, addressing issues such as sources of risks, profiling and prioritization of risks, and actions to reduce the impact of risks. To some extent, that collection of works forms a fragmented, although extremely valuable, set of contributions. This interpretation motivated us to seek an integrated view of IS outsourcing risks. In fact, some authors have already made efforts to that end, such as Bahli and Rivard [2003] who extended the risk assessment framework used in engineering to analyze IS outsourcing risks, suggesting the need to combine risk scenarios, risk factors, consequences and mitigation mechanisms. This paper builds upon that collection of studies and integrative efforts. Our goal is to contribute towards the synthesis of a theory of IS outsourcing risk. We believe this theory may prove particularly useful to practitioners analyzing the feasibility of an IS outsourcing project or steering ongoing IS outsourcing transactions and to researchers deepening our understanding of the IS outsourcing risk management process.
The paper is structured as follows. After this introduction, a conceptual scheme for interpreting the literature on IS outsourcing risks is proposed, followed by the description of the work. Next, a preliminary version of a catalog of IS outsourcing risks is presented and discussed. Finally, conclusions are drawn and future work is suggested.
2. Conceptual Scheme
The aim of this study is to make a contribution in the domain of IS outsourcing that may assist in the near future in the creation of a theory of IS outsourcing risk. As formulated, this ultimate objective builds on three main concepts: IS outsourcing, theory and risk. As a first step towards that research goal, we will briefly discuss each of these three concepts in order to develop a conceptual scheme on which to base the generation of such theory.
IS outsourcing is not a new phenomenon. Since its emergence in the 60s, it has undergone several changes: from an emphasis on time-sharing services, it evolved to the application service provision (ASP) model in the late 90s, and then to service-oriented computing (SOC) and on-demand/utility computing in the beginning of this century [Vassiliadis et al. 2006]. Also, from a geographical point of view, it has diversified from domestic provision of services by third parties to offshore outsourcing, where the responsibility for management and delivery of IT services is located in a different country from that of the customer [Sabherwal 1999].
The second fundamental concept we review is theory. A theory is a set of defined and interrelated constructs that presents a systematic view of phenomena [Kerlinger 1986]. In order to be considered a theory, a conceptual artifact must identify the constructs that compose it, specify the relationships among these constructs, and be so formulated that these relationships are able to be tested, i.e., are falsifiable [Doty and Glick 1994].
The importance of theory may be appreciated by considering its primary goals: analysis and description (description of the phenomenon of interest and analysis of the relationships among constructs), explanation (how, why, and when things happen), prediction (what will happen if certain preconditions hold) and prescription (provision of a recipe to the construction of an artifact) [Gregor 2006]. In this study we are interested in the IS outsourcing phenomenon from the perspective of risk, our third fundamental concept to discuss.
In the literature it is possible to find these different conceptions of risk. Aubert et al. argue that risk encompasses the meaning of negative outcome, such as shortfalls in systems performance, disruption of service to customer, and loss in innovative capacity, and the meaning of factors leading to negative outcomes, such as a continuing stream of requirement changes or personnel shortfalls, lack of upper management commitment, and business uncertainty [Aubert et al. 1998]. Similarly, in ISO 31000 standard is observed that risk is often characterized by reference to potential events, consequences, or a combination of these, being often expressed in terms of a combination of the consequences of an event and the associated likelihood of occurrence [ISO 2009]. Willcocks and Lacity view risk as a negative outcome that has a known or estimated probability of occurrence [Willcocks and Lacity 1999]. Bahli and Rivard perceive risk as a danger or hazard [Bahli and Rivard 2003]. Lacity et al. [2009] define risk as the probability of an action adversely affecting an organization. Despite the diversity of meanings of the term risk, Renn isolated a common element among all definitions, namely the distinction between reality and possibility [Renn 1992]. Under this assumption, that author defined risk as the possibility that human actions or events lead to consequences that have an impact on what people value [Renn 1992]. In a similar vein, the standard ISO 31000 defines risk as the effect (positive and/or negative) of uncertainty on objectives [ISO 2009]. At this point a distinction between risk and uncertainty is needed. As soon as 1921, Knight contrasted between the concepts of uncertainty and risk, noting that the former is present when the likelihood of future events is indefinite or incalculable, while the latter is present when future events occur with measurable probability [Knight 1921]. This distinction contributes to correctly place the role of likelihood (probability) in risk related constructs. A final important derivation from the conception of risk by [Renn 1992] is that risks may be conceived as mental representations of threats capable of causing losses or as opportunities that can produce gains. This last alternative view of the concept of risk is in sharp contrast with the common view that associates risk to hazard. In this study we adopted the former view of risk, focusing our attention on the possibility of some unfavorable event or outcome occur in the realm of IS outsourcing. Nevertheless, we will address the usefulness of the alternative view of risk for the management of IS outsourcing in the conclusion section of this paper.
Given the aim of this study, the review of literature on the concepts of theory and risk prompted us to develop a conceptual scheme that could provide a basis for constructing a theory of IS outsourcing risk, by shaping and organizing our interpretation of the findings in IS outsourcing literature. To this end, we propose the conceptual scheme illustrated in Figure 1.
Figure 1: Conceptual Scheme
A danger is a potential cause of a negative outcome; it is not, by itself, a realized damage. A negative outcome is an adverse result from which derives an undesirable consequence. An undesirable consequence configures an explicit loss to the entity (in this case the organization), in terms of tangible or intangible assets or opportunities to reap future benefits. Both dangers and negative outcomes are possibilities that may culminate in undesirable consequences. A negative outcome and the originating danger are of interest to an organization due to the undesirable consequences that may entail for the organization. Associated with a danger and a negative outcome there is a likelihood of occurrence. Different dangers and negative outcomes may present distinct levels of severity. In contrast, a factor is an attribute of some entity or situation that increases the exposure of the organization to a danger. Contrary to dangers and negative outcomes, at a given time a factor has a well determined non-probabilistic value. Finally, a mitigation action consists in an act, usually performed by the entity that may suffer the undesirable consequence, expected to lessen the intensity of a negative outcome, eventually nullifying it.
3. Study Description
From this classification and characterization process resulted an artifact in the form of a catalog of IS outsourcing risks from the customer point of view which is presented in the next section.
4. Catalog of Information Systems Outsourcing Risks
The undesirable consequences for the IS outsourcing customer condensed from literature are shown in Table 1. Of the 17 issues, the loss of critical skills and competences by the customer on the domain of the services outsourced is the most referenced (14 authors), followed by unexpected transition costs of IS services and loss of control over IS decisions. The type of loss most often cited is financial, usually expressing situations where the customer incurs additional costs not expected or not anticipated. The group of undesirable consequences concentrates on the execution phase of the contract and on the post-contract phase.
Table 1: Customer-Side Undesirable Consequences
Table 2 groups the issues classified as negative outcomes. The most reported negative outcome relates to the general nature of the previous discussed financial undesirable consequences, namely the failure by the customer team responsible for the governance of the transaction to consider all the costs associated with the provision of IS outsourcing services. Of all 44 issues, 59% were classified in the Service category, with the outcomes regarding nondelivery or delayed delivery of services, unsatisfactory quality of services and security breaches in services concentrating the largest number of references. The second most represented category is Organizational, which includes the second most cited negative outcome, namely Provider lock-in. As it might be expected, the outsourcing stage that by far brings together more aspects is Outcomes (38 in 44). The stages Decision and Relationship Building have no issues, suggesting the need for more research on the adverse results that an organization may face during the crucial periods of deciding on outsourcing and laying the foundations for a smooth relationship with the provider.
Table 2: Customer-Side Negative Outcomes
The construct with the second largest number of issues is Danger, with a total of 104, as depicted in Table 3. Although the range of issues is very broad, three foci stand out: Governance (26 issues), Provider behavior (19 issues) and Contract (13 issues). This stresses the challenges customers face in terms of directing and managing the transaction, the potential hazardous relationship with a third party and the central role of the outsourcing contract as the fundamental instrument that structures and ultimately arbitrates the transaction. Concerning the stages of the outsourcing process we find a more balanced distribution, although jointly the relational categories gather the largest number of references, indicating that part of the negative outcomes may be traced to relational issues.
Table 3: Customer-Side Dangers
The fifty five factors that have resulted from the interpretation of the reviewed literature on IS outsourcing risks are presented in Table 4. This is the construct category where the issues have distributed more evenly over the six outsourcing process stages. Two factors–experience and expertise with IS outsourcing–are present throughout the lifecycle of outsourcing, with customer’s expertise being the most cited factor. The majority of the factors (30) have locus on the customer, followed by 20 factors related to the transaction and five factors being attributes of the provider. Concerning the issues with customer locus, the two major focus categories are Governance (14 factors), comprising a set of issues that shapes the perspective customers hold on outsourcing, followed by Capability (11 factors), as measures of the customer’s skills and competences on IS outsourcing.
Table 4: Customer-Side Factors
The analysis of the collected works resulted in the consolidation of 127 mitigation actions which are listed in Table 5. This is the construct with the largest pool of instances, although no single issue clearly stands out over the rest. Yet, the analysis by focus shows a strong incidence of the mitigation actions in governance related practices (Transaction Control and Project Management), followed by the Relationship and Capability categories. As it might be expected, the stage Outcomes does not contain any issue, highlighting the reasoning that mitigation actions must be timely implemented. A note of caution regarding this list is that some of the actions advanced in literature are actually goals, instead of specific means that may diminish the severity of negative outcomes.
Table 5: Customer-Side Mitigation Actions
5. Conclusion
The search for a theory of IS outsourcing risk is a long and difficult endeavor. In this paper we attempted to begin attacking that challenge by proposing a conceptual scheme comprising the main constructs of the theory and by elaborating a catalog of IS outsourcing risks based on literature. The move towards the generation of that theory admits (and requests) many future works. At the conclusion of this study we advance five avenues for research. One is to compose a catalog of IS outsourcing risks from the provider’s point of view. This would deal with the other party of the outsourcing dyad and allow relating the risk perspectives of the two stakeholders. A second suggestion is to complement the constructs danger and negative outcome with a risk profile. Recognizing the operational difficulty of adopting an approach that could take into account the contingencies of a specific customer or provider, an alternative way to assist in risk profiling might be to assess the possibility of dangers and negative outcomes by indexing it to the factors. A third proposal for future research is to conduct a field study in order to assess the comprehensiveness of the catalog. This could consist on a retrospective study of a series of IS outsourcing cases in the risk sphere. The fourth proposition involves equalizing the granularity of the issues that instantiate each of the constructs that make up the catalog. A final suggestion derives from the complementary view of risk as opportunity that can produce gains. Adopting this view, where IS outsourcing benefits are conceived as (eventually positive) risks, one could extend the theory to encompass the interplay between IS outsourcing dangers and opportunities.
Acknowledgments
This work is funded by FEDER funds through Programa Operacional Fatores de Competitividade—COMPETE and National funds by FCT—Fundação para a Ciência e Tecnologia under Project FCOMP-01-0124-FEDER-022674.
References
Abdullah, L. M. and J. M. Verner (2012). Analysis and application of an outsourcing risk framework. Journal of Systems and Software 85, 1930–1952.
Ackermann, T., A. Miede, P. Buxmann and R. Steinmetz (2001). Taxonomy of Technological IT Outsourcing Risks: Support for Risk Identification and Quantification. Proceedings of the Nineteenth European Conference on Information Systems.
Apte, U. M., M. G. Sobol, S. Hanaoka, T. Shimada, T. Saarinen, T. Salmeal and P. J. Vepsalainen (1997). IS outsourcing practices in the USA, Japan and Finland: a comparative study. Journal of Information Technology 12, 289–304.
Aron, R., E. K. Clemons and S. Reddi (2005). Just Right Outsourcing: Understanding and Managing Risk. Journal of Management Information Systems 22, 37–55.
Aubert, B. A., M. Patry and S. Rivard (1998). Assessing the risk of IT outsourcing. CIRANO—Centre interuniversitaire de recherché en analyse des organisations. https://depot.erudit.org/bitstream/000399dd/1/98s-16.pdf
Bahli, B. and S. Rivard (2003). The information technology outsourcing risk: a transaction cost and agency theory-based perspective. Journal of Information Technology 18, 211–221.
Bahli, B. and S. Rivard (2005). Validating measures of information technology outsourcing risk factors. Omega 33, 175–187.
Beulen, E., P. van Fenema and W. Currie (2005). From Application Outsourcing to Infrastructure Management: Extending the Offshore Outsourcing Service Portfolio. European Management Journal 23, 133–144.
Chou, D. C. and A. Y. Chou (2009). Information systems outsourcing life cycle and risks analysis. Computer Standards & Interfaces 31, 1036–1043.
Cullen, S., P. B. Seddon and L. P. Willcocks (2005). IT outsourcing configuration: Research into defining and designing outsourcing arrangements. Journal of Strategic Information Systems 14, 357–387.
Currie, W. L. (1998). Using multiple suppliers to mitigate the risk of IT outsourcing at ICI and Wessex Water. Journal of Information Technology 13, 169–180.
Dhar, S. and B. Balakrishnan (2006). Risks, Benefits, and Challenges in Global IT Outsourcing: Perpectives and Practices. Journal of Global Information Management 14, 39–69.
Dibbern, J., T. Goles, R. Hirschheim and B. Jayatilaka (2004). Information Systems Outsourcing: A Survey and Analysis of the Literature. The DATA BASE for Advances in Information Systems 35, 6–102.
Doty, D. H. and W. H. Glick (1994). Typologies as a Unique Form of Theory Building: Towards Improved Understanding and Modeling. Academy of Management Review 19, 230–251.
Earl, M. J. (1996). The Risks of Outsourcing IT. Sloan Management Review 37, 26–32.
Fan, Z. P., W. L. Suo and B. Feng (2012). Identifying risk factors of IT outsourcing using interdependent information: An extended DEMATEL method. Expert Systems with Applications 39, 3832–3840.
Gandhi, S. J., A. Gorod and B. Sauser (2012). Prioritization of outsourcing risks from a systemic perspective. Strategic Outsourcing: An International Journal 5, 39–71.
Gartner (2013). Press Release—Gartner Says Worldwide IT Outsourcing Market to Reach $288 Billion in 2013. Gartner, July 17.
Gartner (2014). Forecast Analysis: IT Outsourcing, Worldwide, 1Q14 Update. Gartner, April 14.
Gonzalez R., J. Gasco and J. Llopis (2009).Information systems outsourcing reasons and risks: an empirical study. International Journal of Human and Social Sciences 4, 181–192.
Gonzalez, R., J. Gasco and J. Llopis (2005). Information systems outsourcing risks: a study of large firms. Industrial Management & Data Systems 105, 45–62.
Gregor, S. (2006). The Nature of Theory in Information Systems. MIS Quarterly 30, 611–642.
ISO (2009). ISO 31000—Risk management—Principles and guidelines. International Organization for Standardization.
Iacovou, C. L. and R. Nakatsu (2008). A Risk Profile of Offshore-Outsourced Development Projects. Communications of the ACM 51, 89–94.
Jurison, J. (1995). The role of risk and return in information technology outsourcing decisions. Journal of Information Technology 10, 239–247.
Kerlinger, F. R. (1986). Foundations of Behavioral Research, third edition. Orlando: Harcourt Brace Jovanovich College Publishers.
Kern, T. and L. P. Willcocks (2001). The Relationship Advantage: Information Technologies, Sourcing, and Management. Oxford: Oxford University Press.
Kern, T., L. P. Willcocks and M. C. Lacity (2002). Application Service Provision: Risk Assessment and Mitigation. MIS Quarterly Executive 1, 113–126.
Khidzir, N. Z., A. Mohamed and N. H. Arshad (2013). ICT Outsourcing Information Security Risk Factors: An Exploratory Analysis of Threat Risks Factor for Critical Project Characteristics. Journal of Industrial and Intelligent Information 1, 218–222.
Knight, F. H. (1921). Risk, Uncertainty, and Profit. Hart, Boston: Houghton Mifflin Company.
Lacity, M. C. and R. Hirschheim (1993). The Information Systems Outsourcing Bandwagon. Sloan Management Review 35, 73–86.
Lacity, M. C., S. A. Khan and L. P. Willcocks (2009). A review of the IT outsourcing literature: Insights for practice. Journal of Strategic Information System 18, 130–146.
McIvor, R. (2008). What is the right outsourcing strategy for your process? European Management Journal 26, 24–34.
Renn, O. (1992). Concepts of Risk: A Classification. In Krimsky, S. and S. Golding (Eds.), Social Theories of Risk, 53–79. Westport: Praeger.
Sabherwal, R. (1999). The role of trust in outsourced IS development projects. Communications of the ACM 42, 80–86.
Sakthivel, S. (2007). Managing Risk in Offshore Systems Development. Communications of the ACM 50, 69–75.
Slovic, P. (1999). Comment: Are trivial risks the greatest risks of all? Journal of Risk Research 2, 281–288.
Tafti, M. H. A. (2005). Risks factors associated with offshore IT outsourcing. Industrial Management & Data Systems 105, 549–560.
Varajão, J., C. Pereira, L. Amaral and S. Castro (2011). Outsourcing de serviços de sistemas de informação na banca em Portugal. Computerworld.
Varajão, J., R. Gonçalves, L. Barroso and L. Amaral (2006). Outsourcing de serviços de sistemas de informação. Revista Dirigir, 93.
Vassiliadis, B., A. Stefani, J. Tsaknakis and A. Tsakalidis (2006). From application service provision to service-oriented computing: a study of the IT outsourcing evolution. Telematics and Informatics 23, 271–293.
Whitten, D. and R. L. Wakefield (2006). Measuring Switching Costs in IT Outsourcing Services. Journal of Strategic Information Systems 15, 219–248.
Willcocks, L. P. and M. C. Lacity (1999). IT outsourcing in insurance services: risk, creative contracting and business advantage. Information Systems Journal 9, 163–180.
Willcocks, L. P., M. C. Lacity and T. Kern (1999). Risk mitigation in IT outsourcing strategy revisited: longitudinal case research at LISA. Journal of Strategic Information Systems 8, 285–314.