Google Answers Logo
View Question
Q: Risks in Information Systems Outsourcing ( Answered 5 out of 5 stars,   0 Comments )
Subject: Risks in Information Systems Outsourcing
Category: Business and Money
Asked by: rchar2-ga
List Price: $20.00
Posted: 09 May 2004 13:24 PDT
Expires: 08 Jun 2004 13:24 PDT
Question ID: 343642
What are the risks associated with Information Systems Outsourcing? I need to
write a paper on this I need useful guidelines (links etc.) Please
note I am specifically interested in Information Systems Outsourcing
risks not just the outsourcing risk.
Subject: Re: Risks in Information Systems Outsourcing
Answered By: willie-ga on 10 May 2004 02:23 PDT
Rated:5 out of 5 stars
Hi, and thanks for the question

I am an IT manager and have negotiated several outsourcing deals, so
here is the benefit of my wisdom.

Firstly, there are the management risks

There is a succinct summary of the main management risks in
outsourcing IT here at "The Dangers of Outsourcing and what to do
about them"

The author says:

- long-term exclusive outsourcing isolates the organization from the
market i.e. there is a risk in tying yourself to one supplier in a
rapidly changing marketplace
- the skills you need to provide IT services internally are different
from those you need to govern outsourcing agreements. i.e. you lose
some degree of control over the staff doing the actual IT work and you
no longer have current IT skill at your command when the contract
- while vendors are busy running the IT services you have contracted
to them, they may also be busy building relationships with your
business peers and taking work that may have come your way


Then there are the technology risks

Some technlogy risk assessment considerations are outlined in a paper
for the Federal Reserve: "Risk Management of Outsourced Technology

"Outsourcing of information and transaction processing involves risks
that are similar to the risks that arise when these functions are
performed internally.

Risks include 
- threats to security, availability and integrity of systems and resources, 
- confidentiality of information
- regulatory compliance. 
- The broad geographic reach, ease of access, and anonymity of the Internet
brings risks in maintaining secure systems, intrusion detection and
reporting systems and customer authentication, verification, and
authorization when responsibility is handed over to an outsourcing

In addition, the nature of the service provided... can increase risk
if strategic business practices are not performed efficiently by the
outsourcing partners, leading to a risk to the company reputation.

The above paper gives sound advice and covers the range of Risk
Management activities and is a good source of info.


You'll also find a wealth of resources and case studies at
"Outsourcing Information Technology" at

In this month's issue, they have a paper: "Why We Need to Talk About Risk"

This defines risks in five areas:
- Financial. A risk that could change the expected financial outcome
of the solution.
- Operational. A risk that the solution would prevent the business
from meeting current or evolving requirements.
- Organizational. A risk that hinders the organization's ability to
enable the desired outcomes.
- Legal. A risk that creates legal penalties. 
- Strategic. A risk that the solution would not support the strategy
of the organization.

and shows an empirical method for analysing the risks using a model-based approach.


Software development outsourcing brings its own risks, including

- no control over Cost and Time over-runs for the project 
- possible selection of wrong  vendor that lacks expertise for
executing that particular  project
- cultural mismatches with outsourcing partner 
- data privacy
- requirements to have fully matching test and development environments
- requirements that the vendor fully understands the business
processes underlying the software they undertake to develop
- Intellectual property rights have to be clearly defined
- Turnover of Key Project Personnel is outwith your power

You'll find a good article on managing software outsourcing risks at :
Managing the Outsourcing Risks


Most recently, we've had offshore IT outsourcing hitting the headlines

The paper at Offshore IT ( )
defines the risks in 3 areas and gives lists of the risks in each

- Geographic Risks 
- Project Risks 
- Infrastructure and Operational Risks 

At the same site there is also an informative short article on
Blunders in Outsourcing ( )
that shows the source of some of the above risks.

There is also a one-page summary of offshore IT outsourcing risks,
using the same 3 categories, here:
Development Outsourcing Risks

There a nice article at "Analysts Corner: Top 10 Risks of Offshore Outsourcing"


All outsourcing risks can be mitigated by sound business practices

A detailed benchmark study of 24 major U.S. corporations at "Are you
Practicing Safe Outsourcing" ( ) showed the
following to be the most sound business practices for mitigating the
risks of IT outsourcing.

- Integrate information security and privacy into vendor selection process. 
- Appoint a high-level officer to assume responsibility for evaluating
vendors for adequacy to meet corporate policy and legal requirements.
- Evaluate historical experience and reputation of the vendor. One way
is to look at complaints and trace patterns back to a given activity
or campaign under the control of the outsourced vendor.
- Consider the vendor's location, critical infrastructure and national
backbone issues.
- Consider cultural and ethical dimensions that may impact due care in
the maintenance and protection of customer or employee information.
- Perform site evaluations and, when appropriate, consider independent audit. 
- Provide good faith disclosure to customers about outsourcing risks
(including fair redress process to report problems directly to the
- Ensure the vendor performs background checks, and provides good
supervision to its employees.
- Ensure the vendor has an upstream communication mechanism for
security and privacy breaches immediately after they occur.
- Balance sound information security and privacy risk management
against economic (cost minimization) objectives.


In summary, the main perceived risks in outsourcing IT are

- Risk of loss of specialist staff/expertise
- Risk of loss of control of strategic technological direction 
- Security risks to confidentiality/trade secrets/access to business data
- Risk of loss of control of vital business processes
- Risk that costs can increase
- Risks that staff will be resistant to change
- Risks of technological/cultural/legal problems with the supplier
- Business always changing, risk of being left behind/stagnating

These can all be mitigated by good business practices and risk
management procedures.

Hope that answers your question


Google Searches used:
IT risk outsourcing
"offshore outsourcing" risks
"software development" outsourcing risks
top outsourcing risks
rchar2-ga rated this answer:5 out of 5 stars and gave an additional tip of: $10.00
This was the first time I used Google answers. The response was great!
I will start using this more often and recommend to my friends.

There are no comments at this time.

Important Disclaimer: Answers and comments provided on Google Answers are general information, and are not intended to substitute for informed professional medical, psychiatric, psychological, tax, legal, investment, accounting, or other professional advice. Google does not endorse, and expressly disclaims liability for any product, manufacturer, distributor, service or service provider mentioned or any opinion expressed in answers or comments. Please read carefully the Google Answers Terms of Service.

If you feel that you have found inappropriate content, please let us know by emailing us at with the question ID listed above. Thank you.
Search Google Answers for
Google Answers  

Google Home - Answers FAQ - Terms of Service - Privacy Policy