Managing IT outsourcing risks: the case of large organisations in South Africa.
Badru, Abdulbaqi Eyitayo.
Information technology (IT) is significant to achieving business objectives. Despite the significance of IT to the business, organisations are outsourcing all or part of their IT department to reduce cost and focus on the core of their business. The outsourcing of IT, however, comes with risks such as vendor lock-in, loss of control and information breaches that could lead to IT outsourcing (ITO) failure. If these risks are not properly identified and managed, organisations will remain vulnerable. While studies have been conducted on ITO and risk management, very few have conducted exploratory research to address how to manage the risks of ITO. Hence, using a qualitative approach, this study explored how large organisations manage the common risks of ITO. These risks are the operational risk, business continuity risk, data privacy risk and compliance risk of the IT Service Provider (ITSP). The study further explored the impact of these risks on large organisations and the mitigating controls organisations can put in place to reduce their impact and likelihood of occurrence. Recorded interviews were conducted with 12 experts from two large organisations in South Africa. The recorded interviews were transcribed, coded using NVivo software and analysed using thematic analysis. The main themes of this study were governance, developing an ITO risk profile, ITSP audit, risk treatment, and assurance. Findings show that organisations need to constitute a Risk Management Committee with a substantial level of experience in the management of risks and ITO. This is to ensure the effective identification, assessment and treatment of ITO risks. Furthermore, the constituted Risk Committee must conduct verification exercises to identify the inherent risks of ITO. They must also conduct maturity assessments and business impact analysis (BIA) to assess the probability of occurrence and impact of ITO risks.
The Committee must establish technical and administrative controls to mitigate the risks of ITO. The findings further show that organisations must integrate risk governance and assurance policies into their ITO risk management strategy to continuously monitor residual risks and identify potentially new risks. A governance Framework for IT Service Provider Risk Management (ITSPRM), which may serve as a guide to the effective management of ITO risks, was also developed and presented.