Understanding IT outsourcing risk: incorporating risk management in your IT sourcing strategy

Outsourcing decisions have long-term consequences. Understanding how IT organisations and IT executives make decisions, value risk and manage risk is an integral part of IT outsourcing. The consequences of poor decision making, with the resulting lock-in effects, can be detrimental to competitiveness, undermine organisational morale and incur significant costs. Managing risk during the IT sourcing life-cycle is at the heart of successful IT outsourcing.

Starting in the strategy phase of an IT sourcing initiative and continuing through the entire project, companies should work with a structured approach to risk management. IT executives need to ensure that the organisation understands the multiple impacts that the decision to outsource IT will have and is able to evaluate the risks versus the returns. They should consider how to manage and maintain internal control over outsourced IT deliveries. Additionally, depending on the industry, there are regulatory requirements that need to be considered, such as GL 44 within the financial sector.

There are a number of risks in IT outsourcing that have to be managed at the strategic, tactical and operational levels. Companies need to manage outsourcing and third-party risk actively. The risk management approach needs to include the reporting and monitoring arrangements that should be implemented from inception to the end of an IT outsourcing agreement – including the business case, the contract, the implementation of the contract to its expiry, contingency plans and exit strategies. This approach also needs to be operationalised during the contract life-cycle. It is not a one-time, discrete event.

However, in order to leverage the true value of IT sourcing, transformation is key, and with it come risks. IT organisations need to balance the operational agenda with more forward-looking strategic initiatives. They need to balance risk exposure with transformational change. From a decision-making perspective, this is a critical management issue. As the authors of the HBR article “The hidden traps in decision making” state:

“Before deciding on a course of action, prudent managers evaluate the situation confronting them. Unfortunately, some managers are cautious to a fault—taking costly steps to defend against unlikely outcomes. Others are overconfident—underestimating the range of potential outcomes. And still others are highly impressionable—allowing memorable events in the past to dictate their view of what might be possible now.”

There are numerous traps in decision making, and the best tool to manage these is awareness. Awareness of the decision-making traps helps companies and executives to avoid the pitfalls of bias, a false sense of security from estimates, excessive caution, overconfidence and failure to ignore sunk costs. This awareness is the foundation of a suitable risk management framework and process in an IT outsourcing initiative.

A common pitfall in IT outsourcing initiatives is to think that risk can be outsourced. In close co-operation with clients, 3gamma has observed and worked through the issues of getting stuck with a vendor that is not delivering. The strategies to manage these situations are as diverse as the reasons for them, ranging from keep-and-develop approaches and transformational resourcing to selective insourcing. The contract plays a significant role in covering different eventualities, but it can also be an underlying root cause of the issues at hand.

To reduce risk and achieve the business objectives through IT outsourcing, companies need to apply a holistic approach. They must consider the entire outsourcing life-cycle – combining business, IT and legal IT outsourcing expertise – and have a transparent discussion with vendors about the exit strategy up front. But it is not merely a legal or contractual issue – it is imperative to also include this approach in the IT sourcing strategy through the definition and clustering of IT sourcing objects, IT architecture and application integration considerations. In addition, the risk needs to be managed from strategy to inception to renewal through a regular risk management assessment process at the strategic, tactical and operational levels, focussing on:

  • Reviewing the alignment with business objectives and a regular business case assessment
  • Assessing the impact of limitations in flexibility and understanding lock-in mechanisms (processes, architecture, integration, tools etc.)
  • Monitoring contractual alignment and the contract’s validity to the services required and delivered, understanding potential scope creep and contract leakages
  • Assessing the change effort required and exit-mechanism applicability
  • Understanding available external market capabilities (market insight) for the services in scope
  • Understanding internal execution capability, i.e. the ability to transfer services from one vendor to another vendor (or insource)

The risk management approach is continuous and should not be limited to the actual decision. Savvy IT executives revisit their decisions regularly and manage their vendor base as a portfolio to optimise its business value.

About the authors

Maria has significant experience in all aspects of outsourcing across several domains, with a specialization in transformational outsourcing and outsourcing transition. She has worked for PA Consulting Group and has actively contributed to building fast-growing international software companies in the financial sector.
