Hi, and thanks for the question
I am an IT manager and have negotiated several outsourcing deals, so
here is the benefit of my wisdom.
Firstly, there are the management risks
There is a succinct summary of the main management risks in
outsourcing IT here at "The Dangers of Outsourcing and what to do
The author says:
- long-term exclusive outsourcing isolates the organization from the
market i.e. there is a risk in tying yourself to one supplier in a
rapidly changing marketplace
- the skills you need to provide IT services internally are different
from those you need to govern outsourcing agreements. i.e. you lose
some degree of control over the staff doing the actual IT work and you
no longer have current IT skill at your command when the contract
- while vendors are busy running the IT services you have contracted
to them, they may also be busy building relationships with your
business peers and taking work that may have come your way
Then there are the technology risks
Some technology risk assessment considerations are outlined in a paper
for the Federal Reserve: "Risk Management of Outsourced Technology
"Outsourcing of information and transaction processing involves risks
that are similar to the risks that arise when these functions are
- threats to security, availability and integrity of systems and resources,
- confidentiality of information
- regulatory compliance.
- The broad geographic reach, ease of access, and anonymity of the Internet
brings risks in maintaining secure systems, intrusion detection and
reporting systems and customer authentication, verification, and
authorization when responsibility is handed over to an outsourcing
In addition, the nature of the service provided... can increase risk
if strategic business practices are not performed efficiently by the
outsourcing partners, leading to a risk to the company reputation.
The above paper gives sound advice and covers the range of Risk
Management activities and is a good source of info.
You'll also find a wealth of resources and case studies at
"Outsourcing Information Technology" at
In this month's issue, they have a paper: "Why We Need to Talk About Risk"
This defines risks in five areas:
- Financial. A risk that could change the expected financial outcome
of the solution.
- Operational. A risk that the solution would prevent the business
from meeting current or evolving requirements.
- Organizational. A risk that hinders the organization's ability to
enable the desired outcomes.
- Legal. A risk that creates legal penalties.
- Strategic. A risk that the solution would not support the strategy
of the organization.
and shows an empirical method for analysing the risks using a model-based approach.
Software development outsourcing brings its own risks, including
- no control over Cost and Time over-runs for the project
- possible selection of wrong vendor that lacks expertise for
executing that particular project
- cultural mismatches with outsourcing partner
- data privacy
- requirements to have fully matching test and development environments
- requirements that the vendor fully understands the business
processes underlying the software they undertake to develop
- Intellectual property rights have to be clearly defined
- Turnover of Key Project Personnel is outwith your power
You'll find a good article on managing software outsourcing risks at:
Managing the Outsourcing Risks
Most recently, we've had offshore IT outsourcing hitting the headlines
The paper at Offshore IT Outsourcing.com (
defines the risks in 3 areas and gives lists of the risks in each
- Geographic Risks
- Project Risks
- Infrastructure and Operational Risks
At the same site there is also an informative short article on
Blunders in Outsourcing (
that shows the source of some of the above risks.
There is also a one-page summary of offshore IT outsourcing risks,
using the same 3 categories, here:
Development Outsourcing Risks
There is a nice article at "Analysts Corner: Top 10 Risks of Offshore Outsourcing"
All outsourcing risks can be mitigated by sound business practices
A detailed benchmark study of 24 major U.S. corporations at "Are you
Practicing Safe Outsourcing" (
http://www.darwinmag.com/read/040104/ponemon.html ) showed the
following to be the most sound business practices for mitigating the
risks of IT outsourcing.
- Integrate information security and privacy into vendor selection process.
- Appoint a high-level officer to assume responsibility for evaluating
vendors for adequacy to meet corporate policy and legal requirements.
- Evaluate historical experience and reputation of the vendor. One way
is to look at complaints and trace patterns back to a given activity
or campaign under the control of the outsourced vendor.
- Consider the vendor's location, critical infrastructure and national
- Consider cultural and ethical dimensions that may impact due care in
the maintenance and protection of customer or employee information.
- Perform site evaluations and, when appropriate, consider independent audit.
- Provide good faith disclosure to customers about outsourcing risks
(including fair redress process to report problems directly to the
- Ensure the vendor performs background checks, and provides good
supervision to its employees.
- Ensure the vendor has an upstream communication mechanism for
security and privacy breaches immediately after they occur.
- Balance sound information security and privacy risk management
against economic (cost minimization) objectives.
In summary, the main perceived risks in outsourcing IT are
- Risk of loss of specialist staff/expertise
- Risk of loss of control of strategic technological direction
- Security risks to confidentiality/trade secrets/access to business data
- Risk of loss of control of vital business processes
- Risk that costs can increase
- Risks that staff will be resistant to change
- Risks of technological/cultural/legal problems with the supplier
- Business always changing, risk of being left behind/stagnating
These can all be mitigated by good business practices and risk
Hope that answers your question
Google Searches used:
IT risk outsourcing
"offshore outsourcing" risks
"software development" outsourcing risks
top outsourcing risks