Outsourcing has become a major trend in business during the last 20 years. There are numerous functions that an organization can outsource, including human resources, customer service and the company's information technology functions. Although outsourcing can be extremely beneficial, there are a number of risks firms should consider when evaluating the use of an outsourcing firm. A study performed by Oxford University's Institute of Information Management and the University of Missouri (USA) in 2000, which tracked 29 major outsourcing engagements over eight years, reported that more than 35 percent of the arrangements failed.1 Therefore, failure of an outsourcing relationship is not uncommon; organizations should be aware of the potential risks involved before entering into a relationship with a third-party outsourcing firm.
In 2003, to investigate which of these risk areas are perceived to be the most critical risks faced by a firm when considering outsourcing its IT functions, a survey instrument was developed and distributed to a small group of practitioners in the Big 4 US accounting firms and to business professors in several US universities and colleges. These two groups represent the practical side and the theoretical side of accounting, and may provide different assessments of the most important outsourcing risks. In total, 23 surveys were returned by three of the Big 4 firms and five universities.
The definition of outsourcing, for this study, is the decision by an organization to have all of its IT functions performed by a third-party outsourcing firm. It excludes decisions to employ offshore outsourcing firms.
Using several sources to compile a list of 23 outsourcing risks,2 the study considered personnel issues faced by organizations that choose to outsource, technical aspects that affect the outsourcing relationship, examples of real-world experiences with IT outsourcing, the legal consequences associated with outsourcing, and the strategic advantages and disadvantages of outsourcing. These 23 risks were consolidated into five risk areas: total dependence/exit barriers, physical IS security, legal consequences, logical IS security/confidentiality/privacy and human resource issues.
Total dependence/exit barriers refers to the complete reliance that the organization has on an outsourcing firm and the problems that arise when the outsourcing relationship ends. Physical IS security concerns the organization's loss of control over physical security, since security is now the responsibility of the outsourcing firm. By outsourcing, the organization gives up control over physical access to its system, location of the system, and the frequency and location of system backups. Legal consequences involve the lack of a fiduciary relationship between the organization and the outsourcing firm and the increase in liability that may arise during the creation of an outsourcing relationship. Logical IS security risks take into account the loss of confidentiality and privacy an organization experiences when it hires an outsourcing firm. Human resource issues result from the change in employee skill sets that an organization experiences when it chooses to outsource and the possible negative consequences caused by this shift in employee skill sets.
Each participant in the study was asked to consider risks associated with the outsourcing of a firm's IT functions in three organizational settings. The first setting was that of a large health care insurer, such as Anthem. The second was a large financial or banking institution, such as Bank of America. The third setting was that of a large retailer, such as Wal-Mart. Within each setting, the participants were asked to choose three out of the five risks they perceived to be the most threatening to an organization when considering outsourcing IT.
The top three frequencies in each of the three organizational settings as well as for the study as a whole were compiled (figure 1). No significant statistical differences were found between the responses from the accounting firms and the academics.
The overall frequencies were used to determine the three most importantly perceived outsourcing risks. Overall, logical IS security risks were selected most frequently as a major source of outsourcing risk, followed by total dependence/exit barriers and finally legal consequences. Logical IS security was chosen as a major risk in all three organizational settings, while legal consequences were considered extremely important only in health care organizations and in financial or banking firms. Total dependence/exit barriers was selected as one of the top three outsourcing risks in health care organizations and in a retail setting.
Because logical IS security, total dependence/exit barriers and legal consequences are perceived as the most threatening outsourcing risks to an organization, it is important to further discuss these risks.
Logical IS Security
Logical IS security deals with unauthorized access to the organization's information system. When an organization's IT functions are outsourced to a third party, the number of users with access to the system increases; in turn, this increases the likelihood of the system being breached. Furthermore, the organization loses control over its system security administration, which is the process through which the information system is protected against unauthorized access.3 Unauthorized access to an organization's information system can lead to the destruction or alteration of the firm's IT function. In addition, logical IS security includes the risks associated with losing confidentiality and privacy.
When an organization outsources its IT functions to a third party, it loses its confidentiality. The outsourcing firm gains access to all of the information that passes through the organization's computer system. This information includes financial data, which if released, could place the organization in a vulnerable position. Other information that passes through the computer system includes e-mails, sent both within the office and outside of the organization.4 Although the persons sending and receiving the e-mails may think the information is confidential, any employee of the outsourcing firm who has access to the mail functions of the organization can view these "confidential" e-mails.
Any specialized software that gives the company its strategic advantage can also be viewed and utilized by the outsourcing firm. An employee of the outsourcing firm could decide to sell a copy of the organization's strategic software to one of its competitors. This may lead to a loss of competitive edge because the organization may become indistinguishable from its competitors.5
Trade secrets are another confidentiality concern that organizations must consider before choosing to outsource. Trade secrets are defined as intellectual property of a special nature that most courts protect enthusiastically.6 If the confidentiality of a trade secret is broken and its contents are known, it is no longer considered a secret and can no longer be protected under the law.
Another risk is the loss of privacy an organization might encounter. This loss refers to the privacy concerning information on employees and clients. Employee records, payroll, legal identification numbers and a variety of other information are stored in the organization's computer system. The disclosure of, for example, salary information could be damaging to the organization. In addition, information on clients is also stored in the organization's computer system. Depending on the organizational setting, this information could include credit card information, health records, account information, etc. If clients become aware that this private information is being shared with a third party and possibly being leaked, the repercussions of these clients against the organization could be great.
Total Dependence/Exit Barriers
The second major outsourcing risk area identified by academics and accounting firms was the risk of total dependence/exit barriers. Total dependence on the services provided by the third-party outsourcing firm can become a major problem for organizations. Upon entering the outsourcing relationship, the organization turns over all control of its information systems to the outsourcing firm. As a result, the organization's IT functions cannot be executed, nor can changes in technology be made, without the cooperation and participation of the outsourcing firm.
When the IT functions are performed in-house, the IT staff is able to tailor the data processing, application usage, etc., to the needs of the organization. The outsourcing firm, however, may be ignorant of changes in the industry and incapable of tailoring to the special needs of the organization. As a result, the organization might have to spend time, money and energy convincing the outsourcing firm to utilize the new technologies available to the industry.
If the outsourcing firm is unable or unwilling to implement this change, the organization is left at a huge disadvantage. For example, BP Exploration, the division of the BP group that explores for and produces oil and gas, chose to outsource its IT functions. However, BP's outsourcers found it "difficult to keep up with BPX's radically changing technology base and service demands."7 As a result, BPX chose to reduce contracts with its outsourcers because being on the cutting edge of technology is crucial to the success of BPX.
Furthermore, if the outsourcing firm does not perform its duties correctly, the organization's information system could be damaged or destroyed. If this were to occur, the organization would not be able to deal with the in-house failure because it would no longer have that expertise, which could cause major concern about the viability of the organization. The amount of power and control held by the outsourcing firm is daunting, and is a major consideration for organizations contemplating the outsourcing of its IT functions.
The final element of the total dependence/exit barrier risk is the conclusion of the outsourcing relationship, either by choice or by force. If the organization chooses to end the outsourcing relationship, it is important to remember that the third-party firm has become an expert in terms of the organization's IT functions, and the organization no longer has any such expertise. Therefore, the outsourcing firm has a lot of power in exit negotiations; however, the organization should not become hostage to the outsourcing firm during these negotiations.
If the relationship ends by force, the organization will find itself in an even more difficult position. There are numerous scenarios that could cause the untimely end of an outsourcing relationship. For example, if the outsourcing firm experiences financial difficulties, it may be forced out of business. If the organization is forced to find an immediate replacement, this would be incredibly difficult to do and the organization would inevitably lose valuable time and money in the process.
Another possibility is that a larger firm could purchase the outsourcing firm. This larger firm may not be interested in continuing with the outsourcing function, thereby eliminating the organization's outsourcer. Although frightening, these are realistic scenarios and each organization that participates in outsourcing should create a backup plan to deal with these unexpected situations.
The final outsourcing risk, as recognized by the survey participants, is the risk of legal consequences. "Outsourcing involves two entities entering into an extremely intimate commercial relationship...which in itself is a recipe for legal complications."8 One such legal complication is the existence of fiduciary relationships. A fiduciary relationship requires that service providers, such as lawyers and physicians, use special consideration with their clients. The relationship between an organization and its outsourcing firm is not considered to be fiduciary.9 Therefore, the outsourcing firm has no special obligation, legally, to the organization in terms of liabilities.
Another legal consideration is that of the contract used to enter into the outsourcing relationship. Contractual difficulties span a variety of dilemmas, including bouts with clients, software providers and the third-party outsourcing firm.10 Many outsourcing firms use a standard contract that offers their services "as-is," with no commitment to take responsibility for the results of their services. If, for example, any of the privacy or confidentiality issues discussed previously turned into lawsuits, blame would be placed on the organization and not the outsourcing firm.11 Thus, entering into an outsourcing relationship increases the organization's liability toward its clients.
The relationship also increases the organization's liabilities to third parties, such as software licensors. Often, the sharing of software with an outsourcing firm causes a breach in the organization's licensing agreement or a copyright infringement. Each of these results creates legal difficulty for the organization. Furthermore, it is possible for the outsourcing firm to then share this software with its other clients. This creates an entirely new breach of the organization's licensing agreement, even if the organization had no knowledge of the actions taken by the outsourcing firm.
Accounting firms and academics perceived the three aforementioned risks as the most threatening to an organization. These risks need to be considered seriously by every organization interested in outsourcing part of its organization because the failure of an outsourcing venture can be extremely damaging to the company. To receive the full benefits that outsourcing can provide, firms must be prepared for the risks and potential downfalls involved when creating the outsourcing relationship.
Bragg, Steven M.; Outsourcing: A Guide to ... Selecting the Correct Business Unit ... Negotiating the Contract... Maintaining Control of the Process, New York, USA, John Wiley & Sons Inc., 1998
Champlain, Jack J.; Auditing Information Systems, 2nd Edition, New Jersey, USA, John Wiley & Sons Inc., 2003
Gay, Charles E.; James Essinger; Inside Outsourcing: The Insider's Guide to Managing Strategic Sourcing, London, Nicholas Brealey Publishing, 2000
Lacity, Dr. Mary C.; Dr. Leslie P. Willcocks; Global Information Technology Outsourcing, New York, USA, John Wiley & Sons Inc., 2001
Langfield-Smith, Kim; David Smith; Carolyn Stringer; Managing the Outsourcing Relationship, Sydney, Australia, UNSW Press, 2000
Milgate, Michael; Alliances, Outsourcing, and the Lean Organization, Connecticut, USA, Quorum Books, 2001
Mylott, Thomas R., III.; Computer Outsourcing: Managing the Transfer of Information Systems, New Jersey, USA, Prentice Hall, 1995
1 Gay, Charles E.; James Essinger; Inside Outsourcing: The Insider's Guide to Managing Strategic Sourcing, London, Nicholas Brealey Publishing, 2000
2 See references: Bragg, Champlain, Langfield-Smith, Lacity, Gay, Milgate and Mylott for a thorough discussion of these issues.
3 Champlain, Jack J.; Auditing Information Systems, 2nd Edition, New Jersey, USA, John Wiley & Sons Inc., 2003
4 Mylott, Thomas R., III.; Computer Outsourcing: Managing the Transfer of Information Systems, New Jersey, USA, Prentice Hall, 1995
5 Milgate, Michael; Alliances, Outsourcing, and the Lean Organization, Connecticut, USA, Quorum Books, 2001
6 Op. cit., Mylott
7 Lacity, Dr. Mary C.; Dr. Leslie P. Willcocks; Global Information Technology Outsourcing, New York, USA, John Wiley & Sons Inc., 2001
8 Op. cit., Gay
9 Op. cit., Mylott
10 Op. cit., Milgate
11 Op. cit., Mylott
Catherine Helen Wright
is an auditor with KPMG. The survey referred to in this article was conducted in the second half of 2003. Wright be contacted at firstname.lastname@example.org.