A Framework for Information Technology Outsourcing Risk Management

Abstract

This paper takes stock from several studies on Information Technology outsourcing risk. A definition of risk is offered, and an illustration from five case studies is used to show how risk can be managed. Results show that an active risk management approach can reduce risk exposure substantially while enabling the organizations to still reap the benefits associated with outsourcing.

ACM Categories: K.6

Keywords: Outsourcing, Risk, Risk Management, Information System, Contract Design

Introduction

"You'll never have all the information you need to make a decision - if you did, it would be a foregone conclusion, nota decision"(Mahoney, 1988, p. 156).

Information Technology (IT) outsourcing entails a number of decisions regarding a variety of issues, be they the choice of the activities to outsource and of those to keep in-house, the selection of a service provider, or the identification of the most appropriate way to manage an outsourcing contract. As stated by Mahoney (1988), managers never have all the information they need to decide on these issues. Yet, research on IT outsourcing has provided a number of models and tools that are aimed at decreasing the level of uncertainty or that help in dealing with the uncertainty in which the decision is necessarily clouded. Such is the case for instance of the studies that examine the characteristics of the activities that are good candidates for outsourcing and of those that should be kept in-house (Aubert et al., 1996); that compare outsourcing to insourcing, evaluating if, and how, in-house services could be reorganized to provide firms with benefits similar to those of outsourcing (Lacity & Hirschheim, 1995); or that attempt to identify those characteristics of a vendor-client partnership that will be conducive to outsourcing success (Lee & Kim, 1999).

This paper develops this strand of research in its adoption of a risk management perspective to outsourcing decisions, and in its proposition of a risk assessment framework. As shown through a series of case studies, the risk assessment framework contributes to reducing decision-making uncertainty in that its use can help better anticipate - and sometimes alleviate - problems potentially associated with IT outsourcing, and to select contract mechanisms that are most appropriate for the types of activities to be outsourced.

We begin by drawing upon past research to provide a synthesis of the main lessons of IT outsourcing risk and risk management. The paper first presents various definitions of risk found in the literature, discusses the definition adopted here, and applies it to the context of IT outsourcing risk. Drawing from the IT outsourcing, the Transaction Cost, and the Agency Theory literature, it then presents a framework of IT outsourcing risk exposure. Finally, using five case studies, key elements pertaining to outsourcing risk and risk management are discussed.

Risk Defined

Risk and risk management have been studied in a variety of domains, such as Insurance, Economics, Management, Medicine, Operations Research, and Engineering. Each field addresses risk in a fashion relevant to its object of analysis, hence, adopts a particular perspective. Since it is essential that the conceptualizations of risk and of risk management adopted in a given study be consistent, authors ought to clearly state their perspective. This section reviews the main conceptualizations of risk and of risk management found in various fields, and then presents the perspective we opted for in our research on IT outsourcing risk and risk management. Subsequently, the key concepts from Transaction Cost Theory and Agency Theory relevant to the assessment of IT outsourcing risk are introduced, followed by a presentation of the risk assessment framework we propose.

Risk as an Undesirable Event

In some situations, risk is equated to a possible negative event. Levin and Schneider (1997) define risks as "... events that, if they occur, represent a material threat to an entity's fortune" (p. 38). Using this definition, risks are the multiple undesirable events that may occur. Applied in a management context, the "entity" would be the organization. Given this perspective, risks can be managed using insurance, therefore compensating the entity if the event occurs; they can also be managed using contingency planning, thus providing a path to follow if an undesirable event occurs. This definition of risk is analogous to the concept of risk as a possible reduction of utility discussed by Arrow (1983).

Risk as a Probability Function

Some fields, instead of focusing on negative events, are primarily concerned with the probability of occurrence of an event. For example, medicine often focuses solely on the probability of a disease's occurrence (e.g., heart attack), since the negative consequence is death in many cases. It would be useless to focus on the consequence itself since it is irreversible. Odds of occurrence are the key element. Data is used to determine which factors can influence those probabilities (heredity, smoking habits, cholesterol level, etc.). In its definition of sentinel events (occurrence involving death or serious injury), the Joint Commission on the Accreditation of Healthcare Organizations uses "risk" as "the chance of serious adverse outcome" (Kobs, 1998). Life insurance adopts this approach and uses mortality tables to estimate probabilities. In this context, a "good risk" will be a person with a low probability of dying within a given period (and hence, for the insurance company, a low probability of having to pay a compensation) and a "bad risk" would be a person with a high probability of dying within the period.

Risk as Variance

Finance adopts a different perspective of risk, where risk is equated to the variance of the distribution of outcomes. The extent of the variability in results (whether positive or negative) is the measure of risk. Risk is defined here as the volatility of a portfolio's value (Levine, 2000). Risk management means arbitrating between risk and returns. For a given rate of return, managers will prefer lower volatility but would be likely to tolerate higher volatility if the expected return was thought to be superior. Portfolio managers therefore aim to build a portfolio that is on the efficient frontier, meaning it has "the highest expected return for a given level of risk, and the lowest level of risk for a given expected return" (Schirripa & Tecotzky, 2000, p. 30).

Risk as Expected Loss

Other fields, such as casualty insurance, adopt a perspective of risk as expected loss. They define risk as the product of two functions: a loss function and a probability function. Car insurance is a good example. In the eventuality of an accident, there is a loss function that represents the extent of the damages to the car, which can range from very little damage to the total loss of the car. There is also a probability function that represents the odds that an incident will occur. The expected loss (risk) is the product of these two functions (Bowers et al., 1986).

Endogenous and Exogenous Risk

Another important distinction in risk analysis is the notion of endogenous versus exogenous risk. Exogenous risks are risks over which we have no control and which are not affected by our actions. Earthquakes or hurricanes are good examples of exogenous risks. Although we have some control over the extent of damage by selecting construction standards, we have no control over the occurrence of such natural events. Endogenous risks, on the other hand, are risks that are dependent on our actions. A car accident is an example of risk where a strong portion is endogenous. While a driver has no control over other drivers (the exogenous portion), the probability of an accident is strongly influenced by the driver's behavior and ability (endogenous). The driver also controls part of the loss function, by deciding to drive an expensive car or a cheap car. This could explain why there is always a deductible amount with car insurance, to ensure that the driver will behave in a way that will minimize the endogenous portion of the risk. By being made responsible for a portion of the damages, the driver is enticed to act with caution.

Risk management tools take into account whether risk is endogenous or exogenous. In finance, for example, risk is considered exogenous. The methods used to manage risk are concerned with diversification, insurance, and allocation of assets. There is no direct action that managers can take to reduce the probability of a given event. In engineering or medicine, a portion of the risk is always endogenous. Risk management takes this into account. Patients are informed of the portion they control and are proposed healthier diets and lifestyles; employees are provided withsecurity guidelines and actions are taken to reduce directly the probability of undesirable consequences.

IT Outsourcing Risk Exposure

In their study of managerial perspectives on risk and risk taking, March and Shapira (1987) posit that managers do not equate the risk of an alternative with the variance of the probability distribution of possible outcomes, and they do not treat uncertainty about positive outcomes as an important aspect of risk.

IMAGE MAP 1

Figure 1. Risk Exposure Map

Rather, to them, the potential positive outcomes constitute the attractiveness of an alternative, while risk is associated with its negative outcomes. That is, risk is perceived as a "danger or hazard". March and Shapira also emphasize the fact that, to managers, the magnitude of the loss due to a negative outcome is salient.

In order to take into account these two aspects of the managerial perspective, we adopt the notion of risk exposure, which is defined as a function of the probability of a negative outcome and the importance of the loss due to the occurrence of this outcome:

RE = S^sub 1^ P(UO^sub i^) * L(UO^sub i^)

where P(UO^sub i^) is the probability of an undesirable outcome i, and L(UO^sub i^) the loss due to the undesirable outcome i (Boehm, 1991; Teece et al., 1994). Therefore, we consider simultaneously the potential losses associated with an outsourcing contract and the probability function of such losses.

While, theoretically, risk exposure can be computed and a value of risk established in dollar terms, in practice it is more useful to map the risk exposure on a two-dimensional plane (the usefulness of this representation will be discussed in the risk management sub-section). Therefore, the loss associated with a given undesirable outcome is evaluated and the likelihood of realization of the outcome is estimated. Instead of multiplying the two, a point is mapped on a plane where the likelihood of realization of an undesirable outcome is measured along the x-axis and the magnitude of the loss if that outcome occurs is measured along the y-axis. Figure 1 illustrates the mapping of risk exposure for three undesirable outcomes (UO).

To evaluate the risk exposure for a given outsourcing contract, it is therefore essential to identify the array of potential undesirable outcomes that could occur with respect to the outsourcing arrangement; the magnitude of the losses incurred should each of the undesirable outcomes materialize; as well as the probability of occurrence of such outcomes. In any situation, several undesirable outcomes may occur. The magnitude of loss due to a given undesirable outcome can be approximated either via quantitative analysis (for instance, by evaluating the sales lost due to disruption of service to customers) or via qualitative assessment of the organizational impact of each negative outcome (by using Likert scales to assess the importance of the impact of the undesirable outcome).

To evaluate the risk exposure for a given outsourcing contract, it is therefore essential to identify the array of potential undesirable outcomes that could occur with respect to the outsourcing arrangement; the magnitude of the losses incurred should each of the undesirable outcomes materialize; as well as the probability of occurrence of such outcomes.

In any situation, several undesirable outcomes may occur. The magnitude of loss due to a given undesirable outcome can be approximated either via quantitative analysis (for instance, by evaluating the sales lost due to disruption of service to customers) or via qualitative assessment of the organizational impact of each negative outcome (by using Likert scales to assess the importance of the impact of the undesirable outcome).

While in certain circumstances, the probability of occurrence of an undesirable outcome can be estimated on the basis of past performance characteristics of the object under study (Linerooth-Bayer & Wahlstrom, 1991), in several areas, probabilities are often difficult, if not impossible to assess on the basis of past performance (Barki et al., 1993). Consequently, several risk assessment methods adopt the approach of approximating the probability of undesirable outcomes by identifying and assessing factors that influence their occurrence (Anderson & Narasimhan, 1979; Boehm, 1991; Barki et al., 1993). In a software development context, for instance, Barki et al. have identified such factors, which belong to five broad categories: technological newness, application size, software development team's lack of expertise, application complexity, and organizational environment. The degree to which each factor is present in a software project will contribute to the increased probability of the occurrence of an undesirable outcome (here, project failure). Once this list is drawn, risk management methods try to simultaneously reduce the loss related to the undesirable event itself (such as penalties compensating for delays in the system delivery) or by reducing the probability of occurrence of such an event, by reducing the level of the risk factors (for example, by carefully selecting team members). While the definition of risk is not explicit about probability distribution, these probabilities (taking the form of factors) are taken into account when the risk evaluation is performed. Therefore, risk factors can be seen as the drivers of undesirable outcomes, and P(UO^sub i^) = f(RF^sub j^) where the probability of an undesirable outcome i is a function of its influencing risk factor j.

Once this list of factors is drawn and assessed, managers try to reduce the probability of occurrence of an undesirable outcome by reducing the level of the risk factors. For example, when a person quits smoking, the person knows she is reducing the probability of illness, even if the exact impact on the probability is unknown to her.

The risk assessment framework proposed here relies mostly on Transaction Cost and Agency theories. These economic theories tackle directly the problems related to contracting and provide both a roadmap to potential undesirable outcomes and their corresponding drivers.

Reference Theories

In order to determine the list of undesirable events and their associated risk factors, a first group of elements was deducted from Transaction Cost and Agency Theories. These undesirable events and corresponding factors are presented in the following section. All these elements are later summarized in Table 1 (Components of IT outsourcing risk exposure). In addition to this first list extracted from theory, a few items were identified by reviewing other (scientific and practitioner) sources describing outsourcing consequences. These are also included in Table 1.

Agency Theory and Transaction Cost Theory

Fundamentally, outsourcing is a contract in which a client relies on a supplier for a given service, instead of depending on internal provision. With outsourcing, the client relies on the market rather than on employment contracts. In a principal-agent framework, the client is the principal, while the supplier is the agent, performing a series of tasks for the principal.

Agency Theory. The presence of private information lies at the root of opportunism. Any information possessed by one party that is not verifiable by the other party is "private." When private information and conflicting interests are joined, agency problems develop. In the absence of complete contracts, the parties will try to reduce the importance of agency problems by a better alignment of objectives or by reducing the asymmetry (Holmstrom, 1979).

IMAGE TABLE 2

Table 1. Components of IT outsourcing risk exposure

(Adapted from Table 1 - Aubert et al., 2001, p. 2)

Agency Theory is concerned with the client's problem with choosing an agent (the supplier in our case), and motivating and coordinating the agent's decisions and behavior with those of the organization, under the constraint of information asymmetry. In addition, the agent is presumed risk adverse, thus unwilling to be rewarded solely on his performance (Nilakant & Rao, 1994).

Agency Theory generally distinguishes three main villains: moral hazard, adverse selection, and imperfect commitment (Aubert et al., 2003). Moral hazard stems from the fact that it is impossible for a principal to observe an agent's behavior at no cost. Since the client cannot tell, and since the supplier knows this, the supplier can always blame poor performance on circumstances beyond its control. Cheating, shirking, free-riding, cost padding, exploiting a partner, or simply being negligent are everyday instances of moral hazard. Adverse selection will develop when the principal cannot observe the characteristics of the agent. Failure to deal adequately with adverse selection will make it very difficult for the client to choose the right supplier. The last potentially damaging manifestation of opportunism is imperfect commitment. For instance, clients and suppliers may be tempted to renege on their promises and commitments, arguing unforeseen events like changes in requirements (costly contractual amendments) (Sappington, 1991).

The client wants the supplier to perform its tasks as required. However, writing and enforcing complete contracts is Utopia. The agency costs include the cost of writing and enforcing contractual agreements and the residual loss resulting from inadequate coordination or motivation. Agency Theory tackles the important issue of designing efficient contractual agreements (Eisenhardt, 1989).

One key negative outcome suggested by Agency Theory is the management costs associated with the contract. These management costs will be caused by information asymmetry. The asymmetry (lack of knowledge from the client) can be estimated by evaluating the experience and expertise of the client with the activities to be outsourced. Experienced and knowledgeable clients will suffer from less asymmetry than nave ones.

Agency theory also suggests that measurement problems will facilitate the manifestation of moral hazard. This would lead to cost escalation and hidden service costs. High uncertainty and complexity would increase the probability of the appearance of hidden service costs, since they make cost assessment more difficult.

Agency Theory is concerned with the monitoring abilities of the principal. These abilities can be acquired through experience. As described by Sappington (1991), principals can compare multiple contracts and can learn about performance over time. This suggests that lack of experience with outsourcing would be a risk factor. It would increase the likelihood of cost escalation and management costs.

Transaction Cost theory. According to Transaction Cost theory, the market and the internal organization of a firm are seen as alternative mechanisms to regulate a transaction (Coase, 1937). A party will select the mechanism which costs less: total costs include production and transaction costs. One of the advantages of using the market is that it often provides for lower production costs because of economies of scale and scope. On the other hand, using the market entails certain transaction costs: finding the appropriate prices, inquiring about the quality of the other party, negotiating, establishing guarantees and bonds, etc. These activities are required because Transaction Cost Theory recognizes that humans have bounded rationality and are opportunistic (Williamson, 1985). This implies that parties will conclude bargains with imperfect information and will try to take advantage of any asymmetry. The potential magnitude of the transaction costs will depend on: the specificity of the assets, the uncertainty surrounding the transaction, and the frequency of the transaction.

Asset specificity refers to the degree to which an asset can be redeployed without sacrificing its productive value if the contract is to be interrupted or prematurely terminated (Williamson, 1985). Because the "next best use" value of a specific asset is much lower, the investor would lose part of its investment if the transaction were not completed. The specificity of an asset creates a lock-in situation where a party could extract a quasi-rent from the contracting party by threatening to withdraw from the transaction (Teece, 1986).

Asset specificity is therefore a risk factor. When an outsourcing contract is signed, investments in specific assets will tie the client and the supplier together. This creates a situation where one or very few suppliers can provide service to the client. Small number bargaining is also a risk factor. Contracts of a large scope would also increase lock-in. The larger the scope of the contract, the more difficult is the transfer to a second supplier. These factors can lead to high switching costs because of the lock-in created between the two parties.

A concept akin to asset specificity is the level of interdependency of an activity with the other activities of the firm. The more interdependent, the higher the switching costs (Langlois & Robertson, 1992). The interdependent character of the activities is also linked to the quality of service.

The usual manner in which asset specificity constraints are resolved calls for the use of long term contracts (Joskow, 1987). However, uncertainty may preclude the implementation of long term contracts at a reasonable cost. For a market to be efficient, parties must be able to predict with enough certainty the activities to be performed in a contract and to measure the value of the elements exchanged. This is often proven false. Transactions are conducted with a certain level of uncertainty and are subject to measurement problems (Barzel, 1982). Uncertainty may preclude contract agreement since the parties cannot predict what will be needed in the future and, consequently, cannot write a contract (Williamson, 1985; 1989). This is a serious limit to the use of long term contracts (in order to solve asset specificity constraints).

Uncertainty of the future needs is a risk factor. An indicator of the level of uncertainty is the complexity of the task (Aubert et al., 1996). High uncertainty will force parties to renegotiate the contract when changes occur. These costly changes are an undesirable outcome.

According to Perry (1989), a contract is incomplete if "it fails to specify performance obligations for the parties in all states of nature, or fails to specify the nature of the performance itself (p. 221). Most, if not all, IT contracts will have some level of incompleteness since nobody can foresee all possible states of nature. Reducing the level of incompleteness implies refining the contract. This is costly. Cracker and Masten (1991) even show that there is an optimal level of incompleteness for a contract.

Therefore, the presence of measurement problems is another risk factor. These measurement problems can lead to potential haggling, disputes, and eventually litigation. Severe measurement problems might also prevent contractual agreement when it becomes impossible to know if performance is attributable to one party's action or to externalities (Alchian & Demsetz, 1972). When it is impossible to measure the marginal contributions of each party to a transaction, trying to compensate the workers according to their individual productivity is futile (Alchian & Demsetz, 1972). This problem is often settled, in an incomplete contract, by substituting measurement of effort to measurement of output (Cheung, 1983). This suggests that measurement problems can also lead to inferior performance (service debasement).

When transaction costs are too high, it might be cheaper to purchase the residual rights over the activities in exchange for a salary (Grossman & Hart, 1986). This contract enables one party (the employer) to choose, in the future, the actions appropriate to the context (Simon, 1991).

Finally, in some circumstances, a firm will prefer to bear the cost of the risk associated with specific investment or uncertainty rather than to invest in order to internalize a single transaction. Internal organization is efficient only for frequent transactions (Williamson, 1985). The design and setting-up costs of a governance structure are fixed costs: only recurring or particularly significant transactions will make bearing these costs economically sound.

Undesirable outcomes. Agency (AT) and Transaction Cost (TCT) Theories share similar theoretical foundations. To explain contractual arrangements, they both include elements like imperfect measurement, bounded rationality, opportunism, and cheating and shirking behaviors. However, they differ in several ways. For instance, TCT explicitly considers the role of irreversible investments in the transaction. AT considers the risk aversion of the agents. TCT is more concerned with the institutional arrangement (market or firm) while AT looks at the governance mechanisms used, independently of the institutional setting. The extension and refinement of incentive considerations in TCT (which AT offers) provides a better institutional model (see Hennart, 1993 for an instructive discussion). Taken together, AT and TCT suggest seven undesirable outcomes (summarized in Table 1, along with their associated risk factors). First, both theories recognize that no contract is complete or perfect and that unforeseen events or nave actions can lead to unexpected transition and management costs. Both also recognize that incompleteness can eventually lead to costly contractual amendments. TCT specifically addresses the problem of specific assets, small number bargaining, and the associated switching costs problems. TCT is also giving special attention to disputes and litigation. Haggling, legally or administratively, increases transaction costs. Both theories moved away from the optimization premises of classical economics and recognize that there will be inefficiencies in production, translated as service debasement in the context of outsourcing. Agency Theory, with its special attention on moral hazard, puts more emphasis on cost escalation problems.

Other Elements

Agency and Transaction Cost Theories enabled the identification of seven undesirable outcomes: unexpected transition and management costs, switching costs, costly contractual amendments, disputes and litigation, service debasement, cost escalation, and hidden service costs. Their main associated factors were also identified.

Once these factors and undesirable outcomes were established, the outsourcing literature describing outsourcing outcomes and risks was reviewed to identify the elements that might not be included in the Transaction Cost and Agency Theories. This review also provided support for the stylized negative outcomes suggested by Agency and Transaction Cost Theories. Moreover, it helped us identify new elements and new links between factors and outcomes.

One negative outcome that is not discussed in Transaction Cost and Agency Theories is the loss of organizational competency. Outsourcing often means departing from knowledge possessed by the employees transferred to the supplier. Essential skills can be lost if outsourced activities are too close to the core business of the firm (Prahalad & Hamel, 1990). Because of a reliance on external provision, the organization will stop nurturing some skills. When these are close to the core competency of the organization, such loss might threaten future organization action (Roy & Aubert, 2000). The larger the scope of the contract, and the more interdependent these activities are with the other activities of the firm, the higher the likelihood of a loss of organizational competency.

The review of literature unearthed other factors (not predicted by Transaction Cost and Agency Theories) associated with the undesirable outcomes. Quality of service is reputed to be highly dependent on the supplier's characteristics (size, stability and expertise) (Earl, 1996). The lack of experience and expertise of the supplier is also associated with cost escalation.

There are also specific types of uncertainty, distinct from requirement uncertainty. Uncertainty about the legal environment can lead to unexpected management costs (Cross, 1995), while technological discontinuities can entail costly contractual amendments (Lacity & Hirschheim, 1993). Finally, the lack of experience of the partners with outsourcing and the lack of cultural fit are associated with higher chances of disputes.

We group the risk factors into three main categories: those pertaining to the principal, to the agent, and to the transaction itself. The undesirable outcomes, with their associated factors, are summarized in Table 1. The outcomes are presented with the factors having the strongest effect on the likelihood of each outcome. This does not imply that other factors cannot have an influence on a given outcome; it simply means that these are the critical factors. Negative outcomes suggested in Agency and Transaction Cost Theories receive support through examples in the outsourcing literature.

Research Method

In order to explore the usefulness of the proposed risk assessment framework, illustrated in Figure 1 and detailed in Table 1, data from five case studies was used.

Case Selection

Case selection was based on site availability and potential contribution to the research project. cases were therefore selected for the new insights they could provide on risk assessment and risk management and there is no claim that they are representative of an industry or organizations in general. All cases describe large outsourcing contracts with significant risks for the client organization. Some were successful, some were not. Some were well-managed, some were not. case 1 was self-selected. Indeed, the IS manager of an insurance company whom we approached in the context of a large-scale survey invited us to interview him in order to obtain a detailed and complete description of an outsourcing deal gone awry. Since it is seldom that failures can be documented, the case was considered as a precious source of data for our study of IT outsourcing risk management. case 2's peculiarity is that it offered the possibility to compare, within the same firm, two different system development projects that were considered candidates for outsourcing. case 3's unique contribution is the proximity to core competency of the activity supported by the application the development and maintenance of which were considered for outsourcing. case 4 was selected because the firm was known to have a long IT outsourcing experience, including that of contract renewal. It was thought that studying successive contracts would add to our understanding of risk assessment and risk management. Finally, case 5's distinguishing feature was the fact that this large firm had concluded contracts with three different suppliers. Finding out how these contracts were designed and how this dual sourcing arrangement played a role in outsourcing risk management was the main motivation for selecting the case.

Data Collection

In addition to presenting the components of IT outsourcing risk, the case studies were aimed at improving our understanding of how risk was managed. Risk management is defined here as the use of different mechanisms to help reduce the level of risk exposure. A given mechanism can either reduce the losses associated with the undesirable outcomes, lower the expected probability of occurrence of such outcomes, or achieve both at the same time. Consequently, rich data were sought not only on the components of IT outsourcing risk, but also on the risk management mechanisms that had been used in each case.

Several data collection means were used. For cases 1 and 5, each organization's leading information systems' manager acted as the key informant. Data collection was done on site, starting with semistructured interviews with the IS manager. These interviews enabled the researchers to gather substantial information and get an overview of the situation. Available documentation was collected. After the first analysis of this information was completed, a series of written questions were sent to each respondent to follow-up on queries raised during the analysis of the first interview. Respondents returned their written answers when it was convenient for them. Later, phone interviews were conducted with the respondents to gather any details that were still missing in the case descriptions. Complete case descriptions were written and were submitted to the IS managers for approval. Data collection for the other three cases involved several respondents, from over half a dozen in cases 2 and 3 to approximately 15 in case 4. These respondents were managers who had been involved in the decision-making process, and managers in charge of overseeing the contracts. In case 4, some user managers were also interviewed. Numerous documents were made available to the researchers, including requests for proposals, supplier proposals, contracts and addenda, materials from presentations, and audit reports. In these three cases, the contents of write-ups were also approved by some - or all - of the interviewees.

Data Analysis

On the basis of these data, each researcher independently rated each risk factor and the magnitude of the potential loss associated with each undesirable outcome by rating the risk factors and the undesirable outcomes listed in Table 1. The impact of each outcome was assessed on a 1 (very low) to 7 (very high) scale. The probability of occurrence of each outcome was estimated (on a 1 to 7 scale) by first evaluating each of the risk factors associated with the outcome and then by averaging the values of these factors. As well, risk management mechanisms were identified, where they had been used, and their impact on either the probability or the severity of the occurrence of an undesirable outcome was assessed. While perceptual measures were used, the researchers attempted to substantiate each score with facts, taken from the case descriptions. As well, items from formal measures that had been validated in a former study were used to identify the dimensions of each factor that had to be taken into account in the assessment (e.g., measures from Aubert et al., 1996b). The individual assessments were then discussed among the researchers, and a consensus was reached. A risk exposure map, similar to that of Figure 1, was then drawn. This risk exposure map summarizes the results of the assessment, since it plots, for each undesirable outcome, the estimated probability (i.e., the mean value of the risk factors related to this undesirable outcome, as per Table 1) and the magnitude of loss, would the undesirable outcome occur. A detailed write-up of this final assessment was done as in cases 2, 3 and 4. In the first two cases, the write-up was formally presented to most of the managers who had participated in the interviews. In case 4, it was submitted to three of these managers. In all three cases, managers agreed with the researchers' assessments. Only in case 2 were the managers surprised that the degree of risk they had perceived through "gut feeling" was different from what was presented to them. As will be discussed in the results section, even in this case, managers agreed with the individual assessments that had been made of each risk factor and each potential loss.

The Five cases

The cases illustrate five different dimensions of IT outsourcing risk management. The first case illustrates problems and stresses the importance of managing different activities in different ways. The second case shows the importance of using a formal measure of risk and of explicitly assessing risk. The third illustrates how risk evaluation can influence the supplier selection process. The fourth exemplifies how risk management is the result of a series of compromises, since reducing the impact of a risk factor often increases the impact of another one. Finally, the fifth case is an epitome of risk management; it is an example in which the client had the resources and the knowledge to negotiate a contract with an impressive array of risk management mechanisms.

Each case is presented as follows. First a short description of the case's salient features is provided, referring to the case risk exposure map. As well, when such mechanisms were applied, the effect of risk management mechanisms is illustrated. This is done using arrows that originate at the exposure level, for a given undesirable outcome prior to the use of the risk management mechanism; and end at the residual level of risk exposure.

Case 1: Risk Is Complex and Should Be Managed Accordingly

INS is a North-American insurance company. After evaluating that its information systems needed a major upgrade, INS turned to the market to find a supplier for its needs. It selected a software package produced by VND, a software vendor not established in North America, who also offered to manage INS' data centre. VND saw this contract as an opportunity to enter the North American market. Both parties anticipated a win-win association. The contract involved few performance measures for IS operations. In the case of the software package, which required some tailoring, a general agreement was reached in which 80% of the functionalities in a complete online system would be delivered for a fixed price, and the remaining functionalities would be delivered later for a price to be negotiated. The contract was thus largely incomplete and made room from the outset for further negotiations between the parties.

In this case, the undesirable outcome with the largest magnitude of potential loss was that of reduced quality. Since all activities in the insurance business rely on information systems, any deficiency would be very costly. As one respondent said: "If we cannot configure a product on the system, we cannot sell it." The three other severe potential losses were cost escalation, contractual amendments, and lock-in. The insurance market is highly competitive and increases in IT costs would harm the competitiveness of INS' insurance rates.

IMAGE GRAPH 3

Figure 2. Insurance Company

As shown in Figure 2, the intensity of risk exposure for the software tailoring component of the contract was different from that of the risk exposure associated with the day-to-day operations (although they were managed through the same contract and the same governance mechanisms). For software tailoring, the risk exposure was generally higher, mainly due to the value of the risk factors. Client and supplier had limited experience with outsourcing. Activities were not unduly complex, but software tailoring was subject to severe measurement problems (the exact elements to be delivered were vaguely defined at best). Operations were easier to measure, and they were also subject to less uncertainty than software tailoring. While there were numerous suppliers willing to operate the data centre, only a few had the knowledge to develop and implement the software.

Outsourcing of the data centre did not provide the anticipated benefits. No gains were realized on the operation, and performance deteriorated. VND began to haggle over the definitions of the service level clauses. On the software tailoring side, client and supplier began arguing constantly about what constituted the basic system and the extra functionalities, what was to be delivered for the fixed price, and what might be developed for an additional compensation. After long negotiations, the contract was finally terminated.

Insight. In this case, no formal risk analysis was done before signing the agreement. Ex post evaluation of the contract reveals some key elements. First, potential problems can arise even when suppliers and clients behave in good faith at the time of contract signature. Risk analysis could have helped anticipate some of these problems. second, such an analysis would have revealed that operations and software tailoring had very different characteristics and should have been managed differently. More measures should have been defined for the IS operations. As for software tailoring, richer and more flexible mechanisms, like the exchange of information and of employees, for example, should have been established in order to reduce information asymmetry. Finally it might have been advantageous to outsource each group of activities to different suppliers to introduce a third party opinion on each supplier's work, thus reducing the risk of lock-in and instilling a measure of competition.

Case 2: Managers' Attitudes Toward Risk

The second case is that of GVDL, a large insurance company. Two system development outsourcing decisions and the resulting contracts were analyzed (Aubert et al., 1999a). The first project was the Y2K conversion of the legacy system. The effort required for migrating all the systems through the millennium was estimated at more than 25,000 person-days. The second project was called the Application development partnership project. The client had decided to stop awarding contracts to many different suppliers and had chosen to select a single (or maybe a few) application partners that would invest time and resources in understanding the company and its needs. The results of the risk assessment for these two outsourcing decisions are presented in Figure 3 (arrows represent reduction of risk level through contract mechanisms).

IMAGE GRAPH 4

Figure 3. GVDL

From Figure 3, it seems quite clear that project 1 (Y2K) was less risky than project 2. While many potential undesirable outcomes (service debasement, lock-in and cost escalation) had high values for project 1, the probabilities were generally very low, with the exception of cost escalation, which was fairly probable. Project 2 was riskier. Items 3, 6, and 7 have mid-range values on the factor axis (probabilities), and the losses associated with both lock-in and contractual amendments would be very high. As a result, the organization took several measures to lower the risk exposure associated with both contracts.

In the case of the Y2K contract, protection against lock-in was sought through sequential contracting. By splitting the work to be done in many sequential steps, the client ties the duration of the contract to verifiable performance on the one hand, and leaves open the possibility of walking out of the relationship if things were to take a bad turn on the other hand. In the case of service debasement, the main mechanism used by the client to reduce the probability of occurrence was the inclusion of an important penalty for underperformance. This penalty was equal to five times the total value of the contract. Doing so elicits greater effort from the supplier and serves as a type of insurance, thus reducing the monetary value of the consequences. Finally, in view of cost escalation, the client secured guaranteed rates and the parties agreed ex ante on the evaluation method and relied on a detailed inventory of the various components, languages, platforms, size, complexity, testing environments, interactions with other systems, etc. As shown by the arrows drawn in Figure 3, the potential losses associated with lock-in, service debasement and cost escalation were accordingly substantially reduced.

In the second contract, the risk exposure stemming from lock-in was reduced in two ways. The first one implied multiple sourcing: three suppliers were selected to work concurrently, which seriously curtails the probability of the client being locked in. Renegotiation problems and costly contractual amendments were handled through the separation of assignments in addenda. This enabled the partners to actually modify their contract without costly renegotiations. It is an ongoing modification process that is included in the contract (sequential contracting). Residual risk was thus greatly reduced.

Among the interesting facts found in this case are managers' perceptions. As shown in Figure 3, it is quite clear that project 2 was riskier than project 1, whether one considers risk exposure before or after risk management mechanisms are introduced. This result greatly surprised the firm's managers. Their initial impression was that risk exposure was much greater with their Y2K project than with the partnership one. They agreed with the results presented in Figure 3 and realized that their evaluation was inaccurate. Their mistaken evaluation is coherent with remarks made by March and Shapira (1987). Managers often perceive risk because some potential losses are perceived to be high, failing to recognize that the probabilities of such losses (in project 1) are dim. Another explanation resides in the time frame of the two projects. Consequences from problems with project one were almost immediate (January 2000). On the other hand, project 2 was a long term venture and many potential undesirable outcomes would only unfold in a 2- to 5-year horizon. This might explain why project 2 was perceived as less risky. The risks involved were not recognized because they were too distant.

Insights. This case teaches us three main lessons. First, conducting a formal assessment of risk exposure, and explicitly mapping the risk exposure associated with a contract enables efficient risk management. Managers can immediately target the elements presenting high risk exposure and implement risk management mechanisms. second, explicitly charting risk exposure offers a remedy to possible biases in managers' perceptions. In this case, managers failed to recognize potential threats that would not materialize in the immediate future. Their evaluation of events with very low probabilities was also biased. Third, by comparing projects and ordering them more accurately in terms of risk exposure, the organization can manage its outsourcing portfolio more effectively, thus ensuring that efforts in risk management are allocated where they are the most profitable.

IMAGE GRAPH 5

Figure 4. Large Corporation

Case 3: Risk Management and Contract Negotiation

The third case takes place in a large organization that employs over 15,000 people. This company had an unprofitable division it wanted to sell. To entice buyers to take this division, the company offered an outsourcing contract for another service. The company evaluated that the outsourcing contract could be very profitable and would lure suppliers to make a joint offer to buy the unprofitable division along with taking the contract. The company negotiated with a first supplier (see Figure 4). The price negotiated for both the sale of the division and the outsourcing contract seemed adequate.

The contract was ready for signature. The only step left was the evaluation by the internal risk management group. The evaluation came as a shock to top management. The contract contained little protection for the client, and the selected supplier was far from ideal (even if it was a very large firm). The activities supported by the system were core and any disruption could lower the quality of service drastically. Loss of competency was also feared because of the closeness to the core business. The reluctance of the risk analysis group was so strong that the evaluation went all the way to the CEO. The deal was finally cancelled.

A few months later, negotiations were in progress with a different supplier. The new supplier was more experienced with outsourcing and with the activities under consideration than the first one, which lowered the value of some of the risk factors. The contract to be signed was also significantly different. Since little could be done to reduce losses (the activities themselves were too close to the company's core business for the losses to be significantly altered would a problem occur), all efforts were made to reduce the likelihood of occurrence of the negative outcomes. Risk factors were assessed and mechanisms were introduced: sequential contracting to reduce lock-in and likelihood of contractual amendments; the setting up of an arbitration structure to settle differences in points of view; and a one-year benchmark period to develop a complete set of measures, which would reduce the likelihood of hidden costs.

Insights. This case illustrates two elements. First, formal risk analysis helps companies sign better contracts with more appropriate service providers. In this case, both contracts were comparable in terms of prices and outcomes (selling the unprofitable division). However, the contract that was finally signed had a much better chance of delivering the anticipated benefits. The client used the information from the first risk analysis exercise to better select the second service provider. The other interesting element is the illustration of the endogenous component of IT outsourcing risk exposure. In this case, after receiving the analysis from the risk management group, the division manager used several tactics to prevent the first deal. From a distance, his behavior could be interpreted in two ways: by warning everyone and pointing out the high risk involved, he was serving the organization well and protecting himself at the same time. He knew that top management really wanted the deal to be signed (mostly because it wanted to get rid of the unprofitable division). However, if the outsourcing deal went sour, the division responsible for the activities supported by the outsourced system would suffer and he would be blamed later on. By preventing the first contract and, later, going ahead with a better one, with a different supplier, the division manager reduced the risks for the overall organization, for his division, as well as for himself.

case 4: Risk Management as a Series of Compromises

The fourth case study was conducted in a large firm in the energy sector. This case illustrates how risk management and learning can eventually transform risk into a "choice" rather than a "fate". This firm has extensive outsourcing experience, and a history of risk evaluation and management. The company employs more than 60,000 people worldwide. Two contracts are compared. The first one, labeled A, involved the outsourcing of IT activities of a large business unit of the company, while the second contract - B concerned the whole IT organization (head office and divisions).

First Contract. The first contract was the firm's first major outsourcing venture, covering data centre management, telecommunications, maintenance, and systems development. Risk exposure was high (see Figure 5). Because of the extent of the contract, hidden service costs were found to be the major threat. The main feature of the contract, in terms of risk management, was to rely on a consortium of three vendors to supply the services. Also, the contractual framework enabled the company to renegotiate several clauses annually, further reducing this risk.

Disputes and litigation, costly contractual amendments, and loss of organizational competency were next in order of importance in terms of risk exposure. The firm recognized that disagreements would probably arise both between the suppliers themselves, and between the client and its suppliers. The client consequently tried to reduce the impacts of disputes and litigation but found out that European antitrust laws prevented the three suppliers from joining in a formal alliance as originally planned. Given the type of contract selected (multiple sourcing), contractual amendments and contract renegotiation would presumably be limited by the portfolio of activities of each supplier, thus limiting the extent of changes. Loss of innovative capacity (competency) was considered the biggest potential loss resulting from moving so many staff out of the organization, especially since the company had decided to become a knowledge organization. Again, the consortium was the means whereby the firm could reduce this risk because several suppliers would give access to a broader array of innovative services (and knowledge) than a single supplier. However, no supplier would have the big picture of the industry and the technology portfolio.

second Contract. In 1998, the company changed its outsourcing strategy radically and decided that a single supplier should replace the multiple sourcing strategy it had previously adopted, thus replacing a fragmented assortment of suppliers by a single strategic partner.lt evaluated that only two suppliers in the world were capable of providing services on such a scale. Therefore, a costly lock-in situation could easily develop. To alleviate the potential problems due to the lock-in situation, the client included a one-year notice of termination, to help reduce the impact of a potential lock-in.

IMAGE GRAPH 6

Figure 5. Energy

Other potential undesirable outcomes were cost escalation and transition costs. The factors linked to cost escalation suggested a low probability of occurrence. The company had extensive expertise and experience with outsourcing, the supplier was very experienced with the activities included in the contract, and was very competent in managing contractual relationships. The most threatening factor was the presence of measurement problems. One of the tools to reduce them would be systematic benchmarking. Transition costs could also bring severe penalties. They would come with service deterioration and business disruption. Transferring activities to the supplier presented different risks in different regulatory situations (different countries). To reduce the transition-related problems, the client increased the planning efforts in a wide variety of aspects. Interestingly, the overall cost of transition was not necessarily reduced, but the unexpected part of it was.

Insights. This case provides two lessons. First, it is clear that learning occurred through the management of the first contract, which translated into both lower probabilities for the undesirable consequences and better risk management strategies in the second contract. Many of the contractual choices were made with less naivety. Managers were more realistic about potential loopholes in the arrangements and were more aware of the limits of contracts. A key decision in the second contract was to remove software development from the agreement. Development activities are more uncertain, more specific, and more complex than operations. By keeping them outside the portfolio of outsourced activities, the managers reduced the probabilities of occurrence of several undesirable consequences.

The second lesson is the notion that risk is a choice. The case showed that risk profiles can be seen as compromises. A given risk management mechanism could lower one type of risk while increasing another one. For example, when the client decided in the second contract to deal with a single supplier, risks related to measurement problems were less probable. However, this was done at the expense of an increase in the risk of lock-in. As managers become more aware of the control they have on the risk profile of ther IT outsourcing strategy, they should bear more responsibility over the outcomes.

case 5: Risk Management and Contract Design

The last lessons come from the outsourcing contract of Niagara (name changed) (Aubert et al., 1999b). Niagara is a large Canadian Crown corporation, employing more than 50,000 people, with an annual income of over $5 billion. It concluded a complex outsourcing arrangement with three suppliers. When it decided to outsource its IT services, the organization was extensively developing new software (using over 1,000 full-time employees) and having a hard time doing so.

IMAGE GRAPH 7

Figure 6. Niagara

Although Niagara recognized that IT could radically change the way it did business, the corporation felt that IT and software development were not within its core competency. The organization had problems hiring and retaining IT people. It was dealing with a vast number of consultants, without taking advantage of the consultants' distinctive skills. Finally, Niagara felt that some of the software solutions developed were innovative and could be sold to other similar organizations in the world. However, it did not have the skills nor the infrastructure to do so. Selling software was not its business.

The level of risk exposure associated with outsourcing all IT services, as intended, was high (see Figure 6). Lock-in was the most important threat. Because of the sheer size of the contract, lock-in could be very costly. The probability of a lock-in was also high, mostly because of the highly specific nature of the software developed, and the limited number of suppliers that could handle such a large contract. Hidden costs were also to be feared. The complexity of the activities, the number of different systems to integrate, and the scope of the contract made hidden costs a likely menace. Similarly, cost escalation and costly contractual amendments would lead to severe losses. In the case of such a large contract, it would be tempting for a supplier to argue higher than expected costs and renege on the promised fees. Changes to any contract would also be probable because of the wide variety of services and the level of innovation in the field.

Niagara had some precious resources when considering outsourcing. Most notably, the organization had a long tradition of measurement. Every activity in the organization was measured, and the organization had impressive charts and data about the resources required for developing or operating software. There existed measurement guidelines for all types of applications, based on the vast number of projects done by the organization or sub-contracted. The organization also had enough internal data to benchmark potential suppliers.

Niagara finally signed an original contract, integrating several risk management mechanisms. It decided to rely on a multiple sourcing strategy and retained three suppliers. Each one was responsible for a given portfolio of activities and had an area of responsibility. Hence, the portfolios partially overlapped. As a result, this outsourcing strategy placed the three outsourcers in the unusual situation of having to cooperate and/or compete on almost every project. Each service provider had a group of activities allotted to them. For any new project, Niagara asked one of its three suppliers for a cost estimate. This estimate was compared to internally prepared estimates and, if acceptable, the contract could be given without further delay. If unsatisfactory, Niagara could ask the other suppliers to bid. External bids could also be sought. The three suppliers were chosen because they had a much better knowledge of the organization. Yet, they still had to remain honest to retain their share of the overall IT activities.

Another element of interest was the outside deals. The suppliers had the infrastructure to sell, outside of Canada, the software developed. In fact, the outsourcing deal created a partnership between Niagara and its suppliers which allowed them to do so. At the time the case was written, the technology was being transferred to eight countries. Neither the client nor the outsourcers would have had the capacity to market the technology alone. The reputation of Niagara and the skills of the suppliers were essential elements in the success of the joint sales abroad. These external deals were extremely attractive for the outsourcers. While they were a source of revenue, they also served as great goal alignment mechanisms between Niagara and its suppliers, reducing potential "cultural" differences at the same time. They acted as a bond, guaranteeing satisfactory service to the client.

The competition between the suppliers reduced the expected losses associated with hidden costs and cost escalation, so did benchmarking. Before undertaking a new software project, key indicators such as cost per milestone, total development cost, elapsed time, and total cost minus fixed assets, were used to assess it. These parameters were clearly specified ex ante so the suppliers knew how they were being evaluated. Activities were measured on a regular basis, graphing the number and types of problems, their category according to security level, and their overall impact. Also, by separating the portfolio into three parts, any cost escalation due to opportunistic behavior of a supplier would be limited to a third of the overall portfolio.

Cost escalation was also limited by the use of countervailing incentives. In their dealings with Niagara, the outsourcers were responsible for the maintenance of the systems they had developed. Consequently, they had a strong incentive to develop efficient systems, so as to minimize their maintenance efforts. Linking two stages of production can provide an incentive for an agent to perform in the principal's interest. When two stages of production are not independent an agent may be motivated to perform better if it is responsible for both stages. By putting extra effort into the first stage, it will reduce the effort required at the subsequent stage. Inversely, by shirking during the first stage, it will increase the effort required later. As a result, the agent cannot claim to have made an excessive effort at both stages.

Monitoring was used extensively to reduce the risk of service debasement. Each deliverable done by a supplier had to be approved by one of the two other suppliers. Once a piece of work was approved, the supplier approving the work became responsible for its judgment (and for handling the costs related to problems). An interesting result of this type of arrangement was that Niagara automatically obtained a third party view of each supplier's work.

Insights. This case teaches two lessons. First, risk can be managed and efficient contract design can drastically reduce residual risk. In many ways, Niagara was able to implement several of the features that the energy producer (see case 4 above) wanted to include in its first contract. Because the regulatory regime in Canada is different than the European one, there was no obstacle to such contract design. One key element of this contract is that risk is not eliminated; it is mostly transferred to the suppliers. They become responsible for many of the potential undesirable outcomes that can occur. They are positioned in a way that makes them guardians of the other suppliers on behalf of Niagara. Such risk taking is unusual for the suppliers. When Niagara proposed this agreement to several potential suppliers, many declined to bid. This further reduced the number of potential suppliers, which explains why the probability of lock-in increased (while the potential loss decreased because of the dividing of the portfolio into three parts).

The other lesson is that size does matter. This sophisticated contract would not have been possible if the portfolio of activities had been smaller. The suppliers agreed to enter into this relationship because they expected to make money. They accepted to shoulder more risk than they usually do because they anticipated greater benefits. Each one dedicated approximately 350 employees to the contract with Niagara. Moreover, the outside deals were a powerful incentive. These other contracts made the relationship with Niagara especially precious and guaranteed the client that suppliers would not threaten this relationship. All that machinery is economically justifiable only if the size of the contract is significant.

Conclusion

The research showed that the combination of insights from Transaction Cost and Agency Theories into the structure provided by the risk framework enable interesting predictions about likely contract outcomes, and suggested possible improvements or alternatives to contract structures. The case analyses also provided support for the usefulness of the reference theories.

The cases reported here illustrate how the proposed risk framework helps to understand the components of risk exposure of an outsourcing project and the mechanisms of risk management. First, risk analysis helps anticipating problems and select appropriate contract types, that take into account the characteristics of the activities considered for outsourcing. Moreover, this framework allows for the correction of some of the managers' biases. It is difficult to compare alternatives that are associated with both different probability distributions and different loss functions. The human mind can only deal with a limited number of scenarios and a formal analysis ensures that all key elements are taken into account. Organizing the information in a structured framework facilitates the managers' evaluation.

The cases generated several results. First, the use of the list of risk factors was found to be a useful means of providing information about the probability of occurrence of the undesirable outcomes. This supports the idea that risk is measurable and that contracting strategies can be adjusted accordingly. Several of these contracting strategies were illustrated with the five cases.

This is probably the most interesting result from the case studies. Looking at the cases, it is possible to suggest appropriate strategies for each undesirable outcome. In order to deal with unexpected transition and management costs, companies adopted extensive planning (case 2) and transferred some of these costs, through contract structure, to their suppliers (case 5). It is interesting to note, with respect to this outcome, that the management mechanism did little to reduce the absolute cost but focused more on correctly anticipating such costs, or transferring them to another party. To avoid lock-in, multiple suppliers were used (cases 2 and 5), which prevented from being made prisoner of one. These two cases also showed that costly contractual amendments could be managed by using sequential contracts. These contracts, redefined over time within a general agreement, enabled the parties to deal with the inherent uncertainty of long term arrangements. Disputes and litigation were managed through different mechanisms. Arbitration was adopted in one case (3), formal culture evaluation (to reduce the likelihood of a dispute) was done in another (case 4), while efforts on measurement were made in a third instance (case 5). These efforts, clarifying the contract assessment, also reduced the probability of disputes. Service debasement was managed through the use of detailed measurement and benchmarking (case 4), paired with penalties (case 2). These enabled the client to adequately ensure that the supplier delivered the promised quality. To prevent increased costs of services, measurement was used (case 2), along internal competition (cases 2 and 5). This competition enticed the suppliers to lower their prices in order to secure a significant share of the business. From the cases, it seems that little can be done to prevent the loss of competency. No mechanisms proved effective to reduce this risk. It appears that the only way to prevent such loss is to carefully select the activities to outsource. Not outsourcing core activities might be the only manner in which a party can secure its core competency. Finally, hidden costs were handled efficiently in case 3, where the client imposed a one-year transition period over which client and supplier defined the adequate levels of performance and their measure. The client kept a retracting clause over the transition period, allowing it to return to internal governance if it was not satisfied with the supplier's performance.

This suggests that outsourcing risk is largely a matter of choice: it is very much an endogenous risk. Managers clearly have a choice between different sourcing strategies, between outsourcing and doing internally, and between numerous contracts for any given activity. When selecting any one of them, they should be aware of what they are selecting, and what they are discarding. Risk exposure, once made explicit, transforms the unexpected into an option selected consciously. These selections are always compromises. Most risk management mechanisms involve reducing some types of risk while increasing others, or accepting to pay a fee to reduce a given risk. The comparison of the risk reduction introduced by the management mechanisms with the cost of such mechanisms (for example when a company decides to deal with two suppliers instead of one) makes the assessment of the real value of the management mechanism easier.

One limit of this study is that the cost of these mechanisms is not made explicit. Because the scale on which the consequences are evaluated is not in absolute dollars, and because the cost of each mechanism is not in dollar terms either, it is difficult to evaluate if each of the management mechanisms implemented was worth its cost. The reduction in the risk exposure has to be compared with the incurred fixed costs.

Another limit is the lack of consideration for the risk aversion profile of the managers. If managers are risk adverse, they will be inclined to adopt more risk management mechanisms than might be required. By omitting this consideration, we presumed, when evaluating the cases, that expected value of risk, as risk exposure is defined, could be applied directly, without considering the managers' utility functions.

These limitations suggest an interesting path for research. First, it will be interesting to refine the evaluation in order to achieve an evaluation, in dollar terms, of the potential losses and of the management mechanisms. This would enable a very formal assessment of the scenarios and a risk/benefit evaluation of each management mechanism. Once such a measure available, it would be possible to use simulation to measure the risk profile of the managers and to formally evaluate their preferences between different scenarios.

In conclusion, once risk exposure is made explicit, and the possible compromises rendered clear to the managers, risk becomes a lot more manageable. In fact, the cases presented and analyzed here also suggest that assessing and managing outsourcing risk can pay off: it leads to lower residual risks or to a greater performance through better contract design. One caveat to keep in mind is that the costs associated with these risk reduction measures were not assessed in the cases. Risk management is generally a complex exercise and its conclusions are often far from precise. Yet, it provides valuable information and increases the quality of the decisionmaking process. Not surprisingly, organizations with a lot of resources, awarding larger contracts, will have more flexibility when managing their risk portfolio and greater possibilities to reduce their risk exposure.

REFERENCE

References

Alchian, A. A. and Demsetz, H. (1972). "Production, Information Cost, and Economic Organization," American Economic Review, Vol.62, No.5, pp. 777-795.

Anderson, J. and Narasimhan, R. (1979). "Assessing Implementation Risk: A Methodological Approach," Management Science, Vol.25, No.6, pp. 512-521.

Arrow, K. (1983). "Behaviour Under Uncertainty and Its Implications for Policy," in Stigurn, B., and Wenslop, F. (Eds.), Foundations of Utility and Risk Theory with Applications, Dordrecht, Holland: Reidel Publishing Company, pp. 19-34.

Aubert, B. A., Dussault, S., Patry, M., and Rivard, S. (1999a). "Managing the Risk of IT Outsourcing," Proceedings of the Thirty-second Hawaii International Conference on System Sciences, Hawaii, 10 pages (CDROM).

Aubert, B. A., Patry, M., and Rivard, S. (1997). "The Outsourcing of IT: Autonomous Versus Systemic Activities", 28th Annual Meeting of the Decision Sciences Institute, San Diego, CA, pp. 809-812.

Aubert, B. A., Patry, M., and Rivard, S. (1999b). "Impartition des Services Informatiques au Canada : Une Comparaison 1993-1997," in Poitevin, M. (Ed.), Impartition Fondements et Analyse, Qubec, Presses de l'Universit Lavai, pp. 203-220.

Aubert, B. A., Patry, M., Rivard, S., and Smith, H. (2001). "IT Outsourcing Risk Management at British Petroleum," Proceedings of the Thirty-fourth Hawaii International Conference on Systems Sciences, Hawaii, 10 pages (CDROM)

Aubert, B. A., Patry, M., and Rivard, S. (2003) "A Tale of Two Outsourcing Contracts - An Agency Theoretical Perspective," Wirtschaftsinformatik, Vol.45, No.2, pp.181-190.

Aubert, B. A., Rivard, S., and Patry, M. (1996). "A Transaction Cost Approach to Outsourcing Behavior: Some Empirical Evidence," Information and Management, Vol.30, pp. 51-64.

Aubert, B. A., Rivard, S., and Patry, M. (1996b). "Development of Measures to Assess Dimensions of IS Operation Transactions," Omega, International Journal of Management Science, Vol.24, No.6, pp. 661-680.

Barki, H., Rivard, S., and Talbot, J. (1993). "Toward an Assessment of Software Development Risk," Journal of Management Information Systems, Vol.10, No.2, pp. 203-225.

Barzel, Y. (1982). "Measurement Cost and the Organization of Markets," Journal of Law and Economics, Vol.25, No.1, pp. 27-48.

Boehm, B.W. (1991). "Software Risk Management: principles and practices", IEEE Software, Vol.8, No.1, pp.32-41.

Bowers, L. N., Gerber, U. H., Hickman, C. J., Jones, A. D., and Nesbit, J. C. (1986). Actuarial Mathematics, ltasca: The Society of Actuaries.

Cheung, S. (1983). "The Contractual Nature of the Firm," Journal of Law and Economics, Vol.26, No.1, pp. 1-21.

Coase, R. (1937). "The Nature of the Firm," Economica, Vol.4, No. 16, pp. 396-405.

Cracker, K. and Masten, S. (1991). "Pretia ex Machina? Prices and Process in Long-Term Contracts," Journal of Law and Economics, Vol.34, No.1, pp. 69-99.

Cross, J. (1995). "IT Outsourcing: British Petroleum's Competitive Approach," Harvard Business Review, No.3, pp. 95-102.

Dorn, P. (1989). "Selling One's Birthright," Information Week, Vol.241, pp. 52.

Earl, M. J. (1996). "The Risks of Outsourcing IT," Sloan Management Review, Vol.37, No.3, pp. 26-32.

Eisenhardt, K. (1989). "Agency Theory: An Assessment and Review," Academy of Management Review, Vol.14, No.1, pp. 57-74.

Grossman, S. and Hart, O. (1986). "The Costs and Benefits of Ownership: A Theory of Vertical and Lateral Integration," Journal of Political Economy, Vol.94, pp. 691-719.

Holmstrom, B. (1979). "Moral Hazard and Observability," Bell Journal of Economics, Vol.10, No. 1, pp. 74-91.

Joskow, P. L. (1987). "Contract Duration and Relationship-Specific Investments: Empirical Evidence from Coal Markets," American Economic Review, Vol.77, No.1, pp. 168-185.

Kobs, A. (1998). "Sentinel Events - A Moment in Time, A Lifetime to Forget," Nursing Management, Vol.29, No.2, pp. 10-13.

Lacity, M. C. and Hirschheim, R. (1993). Information Systems Outsourcing, New York: John Wiley & Sons.

Lacity, M. and Hirschheim, R. (1995), Beyond the Information Systems Bandwagon: The lnsourcing Response, Chichester: Wiley.

Lacity, M. C., Willcocks, L. P., and Feeny, D. F. (1995). "IT Outsourcing: Maximize Flexibility and Control," Harvard Business Review, Vol.73, No.3, pp. 84-93.

Langlois, R. N. and Robertson, P. L. (1992). "Networks and Innovation in a Modular System: Lessons from the Microcomputer and Stereo Component Industries," Research Policy, Vol.21, pp. 297-313.

Lee, J. N. and Kim, Y. G. (1999). "Effect of Partnership Quality on IS Outsourcing: Conceptual Framework and Empirical Validation," Journal of Management Information Systems, Vol.15, No.4, pp. 29-61.

Levin, M. and Schneider, M. (1997). "Making the Distinction: Risk Management, Risk Exposure," Risk Management, Vol.44, No.8, pp. 36-42.

Levine, E. (2000). "Defining Risks," CA Magazine, Vol.133, No. 3, pp. 45-46.

Linerooth-Bayer, J. and Wahlstrom, B. (1991). "Applications of Probabilistic Risk Assessments: the Selection of Appropriate Tools," Risk Analysis, Vol.11, No.2, pp. 239-248.

Mahoney, D. (1988). Confessions of a Street-Smart Manager, New York: Simon & Shuster.

March, J. and Shapira, Z. (1987). "Managerial Perspectives on Risk and Risk-Taking," Management Science, Vol.33, No.11, pp. 1404-1418.

Nam, K., Rajagopalan, S., Rao, H. R., and Chaudhury, A. (1996). "A Two-Level Investigation of Information Systems Outsourcing," Communications of the ACM, Vol.39, No.7, pp. 37-44.

Nelson, P., Richmond, W., and Seidman, A. (1996). "Two Dimensions of Software Acquisition," Communications of the ACM, Vol.39, No.7, pp. 29-35.

Nilakant, V. and Rao, H. (1994). "Agency Theory and Uncertainty in Organizations: An Evaluation," Organization Studies, Vol.15, No.5, pp. 649-672.

O'Leary, M. (1990). "The Mainframe Doesn't Work Here Anymore," CIO, Vol.6, No.6, pp. 77-79.

Perry, M. K. (1989). "Vertical Integration: Determinants and Effects," in Shmalensee, R., and Willig, R. (Eds.) Handbook of Industrial Organization, Amsterdam: North-Holland, pp. 183-255.

Prahalad, C. V. and Hamel, G. (1990). "The Core Competence of the Corporation," Harvard Business Review, Vol.68, No.3, pp. 79-91.

Roy, V. and Aubert, B. A. (2000). "A Resource Based View of the Information Systems Sourcing Mode," Proceedings of the 33rd Hawaii International Conference on Systems Sciences, Maui, Hawaii, 10 pages (CD ROM).

Sappington, D. (1991). "Incentives in Principal-agent Relationships," Journal of Economic Perspectives, Vol.5, No.2, pp. 45-68.

Schirripa, F. and Tecotzky, N. (2000). "An Optimal Frontier," The Journal of Portfolio Management, Vol.26, No.4, pp. 29-40.

Simon, H. A. (1991). Organizations and Markets," Journal of Economic Perspectives, Vol.5, No.2, pp. 25-44.

Teece, D. J. (1986). "Firm Boundaries, Technological Innovation and Strategic Management," in Thomas, L. (Ed.), The Economics of Strategic Planning, Lexington, M A: Lexington Books, pp. 187-199.

Teece, D. J., Rumelt, R., Dosi, G., and Winter, S. (1994). "Understanding Corporate Coherence, Theory and Evidence," Journal of Economic Behavior and Organization, Vol.23, pp. 1-30.

Williamson, O. E. (1985). The Economic Institutions of Capitalism, New York: The Free Press.

Williamson, O. E. (1989). "Transaction Costs Economics," in Shmalensee, R., and Willig, R. (Eds.), Handbook of Industrial Organization, Amsterdam: North-Holland, pp. 136-178.

AUTHOR_AFFILIATION

Benoit A. Aubert

HEC Montral

CIRANO

Michel Patry

HEC Montral

CIRANO

Suzanne Rivard

HEC Montral

CIRANO

Acknowledgement

The authors are grateful to the anonymous reviewers for their thorough comments and most useful suggestions. This research was supported by Fonds FCAR (Canada). An earlier (abridged) version of this paper was published in Managing IT Outsourcing Risk: Lessons Learned, in Information Systems Outsourcing: Enduring Themes, Emergent Patterns and Future Directions, Hirschheim, R.A., Heinzl, A., and Dibbern, J. (eds.), Springer-Verlag, Berlin, Heidelberg, New York, 2002:155-176.

AUTHOR_AFFILIATION

About the Authors

Benoit A. Aubert is Professor and Director of Research at HEC Montreal and Fellow at the CIRANO (Center for Interuniversity Research and Analysis on Organizations). His main research areas are outsourcing, ERP implementation, and risk management. He also published papers on trust, ontology, and health care information systems. He is currently investigating the links between corporate strategy and outsourcing.

Michel Patry is Professor at the Institut d'conomie applique of HEC Montral and CEO of CIRANO (Center for Interuniversity Research and Analysis on Organizations). A specialist of the industrial organization, Dr Patry's recent work covers the areas of outsourcing and delegated management, the economics of IT, the analysis of regulation and contracts, and the impact of regulation on productivity.

Suzanne Rivard is Professor and holder of the Chair in Strategic Management of Information Technology at HEC Montral. Her research interests encompass ERP implementation, outsourcing, software project risk management, and strategic alignment. She published in Communications of the ACM, Data Base, Information and Management, Journal of Information Technology, Journal of Management Information Systems, MIS Quarterly, Omega, and others.