You are on page 1of 34

See discussions, stats, and author profiles for this publication at: https://www.researchgate.

net/publication/262354538

Managing risk in information technology outsourcing: An approach for


analysing and prioritising using fuzzy analytical network process

Article  in  International Journal of Business Information Systems · February 2013


DOI: 10.1504/IJBIS.2013.052052

CITATIONS READS

6 170

3 authors:

Abbas Keramati Homa Samadi


University of Tehran Islamic Azad University, South Tehran Branch
90 PUBLICATIONS   737 CITATIONS    5 PUBLICATIONS   23 CITATIONS   

SEE PROFILE SEE PROFILE

Salman Nazari-Shirkouhi
University of Tehran
42 PUBLICATIONS   662 CITATIONS   

SEE PROFILE

Some of the authors of this publication are also working on these related projects:

Evaluation and Optimization of Organizational Performance by Integration of Service Quality and Resilience Engineering Indicators View
project

All content following this page was uploaded by Homa Samadi on 05 March 2015.

The user has requested enhancement of the downloaded file.


210 Int. J. Business Information Systems, Vol. 12, No. 2, 2013

Managing risk in information technology outsourcing:


an approach for analysing and prioritising using
fuzzy analytical network process

Abbas Keramati*
Department of Industrial Engineering,
College of Engineering,
University of Tehran,
P.O. Box 11155-4563, Tehran, Iran
E-mail: Keramati@ut.ac.ir
*Corresponding author

Homa Samadi
Department of Industrial Engineering,
Islamic Azad University,
South Tehran Branch,
P.O. Box 11155-4563, Tehran, Iran
E-mail: homasamadi@yahoo.com

Salman Nazari-Shirkouhi
Department of Industrial Engineering,
College of Engineering,
University of Tehran,
P.O. Box 11155-4563, Tehran, Iran
E-mail: snnazari@ut.ac.ir

Abstract: For achieving potential benefits such as cost reduction, improved


quality of services and access to technological expertise, information
technology outsourcing (ITO) is a favourable option for many organisations.
But ITO processing activities is a complex issue that entails considerable risks
that it sometimes leads to undesirable consequence. The main purpose of this
study was that identify the risk factors related to ITO projects by considering
literature review of key articles published in the time period of 1998 to 2011
and then propose a structure for evaluating and prioritising of them. Risk
factors are studied domestically from the perspective of client. Because of
network structure of the proposed method and multi-dimensional nature of risk,
fuzzy analytical network process (F-ANP) for prioritising of risk factors based
on experts’ judgments have been used. According to experts’ opinions in
Iranian organisations, risk factor “supplier’s lack of expertise with an IT
operation” has been identified as the best risk factor. Also, risk factor
‘Relatedness’ has the lowest priority.

Keywords: information technology outsourcing; ITO; priority; fuzzy analytical


network process; F-ANP; domestic outsourcing; client perspective.

Copyright © 2013 Inderscience Enterprises Ltd.


Managing risk in information technology outsourcing 211

Reference to this paper should be made as follows: Keramati, A., Samadi, H.


and Nazari-Shirkouhi, S. (2013) ‘Managing risk in information technology
outsourcing: an approach for analysing and prioritising using fuzzy analytical
network process’, Int. J. Business Information Systems, Vol. 12, No. 2,
pp.210–242.

Biographical notes: Abbas Keramati is an Associate Professor of Industrial


Engineering at the University of Tehran, Tehran, Iran. He received his PhD in
the area of IT and Productivity from Tarbiat Modarres University, Iran. He
has published several papers in well-established international journals
such as Industrial Marketing Management, Computers and Education and
Telecommunications Policy. His major teaching and research interests include
customer relationship management, investment evaluation in IT/IS, intelligent
systems and modelling, and quantitative analysis for decision making.

Homa Samadi received her BS and MS respectively in 2007 and 2010, in


Industrial Engineering from the Islamic Azad University, South Tehran Branch,
Iran. Her research interests are applications of decision making analysis,
systems analysis and project management.

Salman Nazari-Shirkouhi received his BS in Industrial Engineering from Iran


University Science and Technology (IUST) in 2006, MS in Socio-Economic
Systems Engineering from University of Tehran, Iran in 2009. He is a PhD
candidate of Industrial Engineering at University of Tehran, Iran. His Research
interests are applications of decision making analysis, performance evaluation,
quality engineering as well as CRM.

1 Introduction

Generically outsourcing can be defined as “the transfer of previously in-house activities


to a third party” (Adeleye et al., 2004). De Looff (1997) defined IS outsourcing as
“the commissioning of part or all of the information systems activities an organization
needs, and/ or transferring the associated human and other IS resources, to one or more
external IS suppliers”. IS outsourcing is an innovative organisational tool for IS
management in both private and public sector organisations (Kahraman et al., 2009).
Outsourcing IT operations is a topic that has gained popularity since Kodak first
announced a major outsourcing agreement in 1989 (Bahli and Rivard, 2005). He turned
over its entire data centre; network and microcomputer operation to three IS external
parties (Adeleye et al. 2004).
What is new and interesting in IT outsourcing is the increasing scale in the adoption
and practice of the idea, compounded by the unstoppable forces of change brought about
by the impact of new information technologies and customers’ increasing demand
(Akomode et al., 1998).
Outsourcing has become a major component of information technology strategy in
many companies around the world (Varajao et al., 2009), because outsourcing
information technology operations has been recognised to have important potential
benefits, including cost reduction, improved quality of service, and access to
technological expertise (Bahli and Rivard, 2005; Mani et al., 2010; Aghazadeh, 2011).
212 A. Keramati et al.

More concisely, distinguished two forms of outsourcing, namely: full outsourcing and
selective outsourcing. In full outsourcing, all the services are outsourced to the vendor.
This is an extreme outsourcing strategy because the entire department information
systems duties are assigned to the outsourcing partner as in the case of Eastman Kodak.
This, according to Pearlson (2001), happens when an organisation does not see ‘IT as a
strategic advantage’ that should be developed internally. Arguments for full outsourcing
usually involve the allocation of organisational resources to areas that can add greater
value to the organisation’s value chain or reduce cost per transaction due to economies of
scale. In selective outsourcing, only a range of services is selectively outsourced or
contracted to a third party. It often results in greater flexibility and better services
(Adeleye et al. 2004).
Indeed, while firms enter outsourcing agreements with the objective of cutting costs
and improving the level of service rendered to users, the outcome of such contracts may
be just the opposite. Researchers and practitioners also recognise that, in some
circumstances, information technology outsourcing (ITO) entails risk, and that it
sometimes leads to undesirable consequences that are the opposite of the expected
benefits (Bahli and Rivard, 2005).
Because of mentioned explanations and interest of companies to outsource in this
field and also that outsourcing of information technology projects makes competitive
advantage, risk management of outsourcing of information technology projects is of high
importance. According to PMBOK (2004) standard project risk management includes the
process of conducting risk management planning, identification, analysis, response
planning, and monitoring and control on a project. The objectives of project risk
management are to increase probability and impact of positive events, and decrease the
probability and impact of negative events in the project (see Figure 1).

Figure 1 Steps to manage risks and the relationships among them


Managing risk in information technology outsourcing 213

The next step after risk management planning including definition of how different
activities of risk management for a project should be lead is the risk identification. One of
risk identification methods is providing a check list of risk factors (Burkeh, 1999). The
literature review related to risk identification shows the effective results (e.g., Hahn et al.,
2009; Peng et al., 2009; Williams et al., 2010; Boholm, 2010; Pfohl et al., 2010). Having
a list of present risks in a type of project helps the project managers through review of
potential risks and examination of dominant conditions on project to decide which types
of considered risks in the list can be major dangers of their projects to plan for dealing
with them.
To achieve a list of risks in ITO projects and determine their importance, the
organisation of the paper is as follows. The literature review and identification
of risk factors in outsourcing of information technology projects are presented in
Sections 2 and 3, respectively. This section entails methodology, description of risk
factors, and proposal of structure for risk factors. In Section 4, evaluating and prioritising
of ITO risks are presented. It continues to discuss methodology, providing suitable
questionnaire, and analysing questionnaire. The validation of the proposed model is
discussed in Section 5. Sections 6 to 8 include conclusion, managerial implementations,
and limitations and future research, respectively.

2 Literature review

Different aspects of the ITO were considered in the literature. For example, among South
Korean IT executives, Goo et al. (2009) investigated how specific characteristics of
service level agreements impact relational governance in ITO relationships. Results
showed that the fundamental proposition of complementarily between formal contracts
and relational governance, and well-structured service level agreements have significant
positive influence on the various aspects of relational governance in IT outsourcing
relations. Varajao et al. (2009) compared information systems services in companies that
outsource these services and other companies that keep inside services. Rai et al. (2009)
found relation between relational factors and two measures of offshore IS project success,
called project cost overruns and client satisfaction, were answer question of how and why
relational factors affect the success of offshore of IS projects. Data were gathered among
155 offshore IS projects managed by 22 project leaders. With considering two case
studies, Ruzzier et al. (2008) studied successes and failures IT outsourcing. Gefen et al.
(2008) examined the role of business familiarity in determining how software
development outsourcing projects were managed and priced to address risks. Implications
about integrating trust into agency theory and incomplete contract theory, as well as
implications regarding trust premiums and software development outsourcing were
discussed in Gefen et al. (2008). Rustagi et al. (2008) considered client control over
vendor as a critical factor in successfully managing ITO relationships. Among
138 client-vendor matched pairs working in this field, the results suggested that task
uncertainty was found to be positively associated with the amount of formal control while
the degree of core competency involved in the outsourced activity was not found to be
related to the amount of formal control. Blumenberg et al. (2009) investigated the
differential various types of knowledge transfer on shared knowledge between
outsourcing banks and their providers and considered effect of these on the resulting
214 A. Keramati et al.

outsourcing performance. Their results were showed that transfer of tacit knowledge
proves to be most effective. Paper of Alsudairi and Dwivedi (2010) proposed a survey of
the literature belonging to research on IS/IT outsourcing. Their analyses were presented
by listing and illustrating subject category, journals, year of publications and country, etc.
With considering of risks that exposure client and supplier, Brandas (2010) proposed a
series of objectives for ITO audit. Smith (2009) investigated positive and negative
aspects of IT outsourcing and suggested corrective action to minimise the negative
impacts of such practices with change management principles. Dey et al. (2010)
presented a contract-theoretic model to analyse how software outsourcing contracts can
be designed. Also, type of performance-based contract called quality-level agreement was
examined. Because of transaction cost theory has widely been used in ITO research to
explain and predict outsourcing decisions and outsourcing-related outcomes,
Alaghehband et al. (2011) considered various results that made of TCT to study IT
outsourcing. Ponisio and Vruggink (2011) studied of four outsourcing projects for
discovering mechanisms to support managerial decision making during software
development processes. As a result, the key role of modularisation and standardisation to
assist in value creation was suggested by facilitating information flow and keeping the
overview of the project. Faisal and Banwet (2009) proposed a suitable technique of
analytical network process (ANP) for analysing IT outsourcing decision.
Risks of the ITO were investigated and categorised as follow. Aundhe and
Mathew’s (2009) research revealed that there are three broad categories of risks: project
specific, relationship specific, and macroeconomic. A case-based approach using the
principles of grounded theory was used for studying the risks and considered interaction
among the categories. Chou and Chou (2009) identified an information systems
outsourcing life cycle through three project related periods: pre-contract phase, contract
phase, and post-contract phase. Also, various risk factors associated with each phase of
the information system outsourcing practice have been identified and examined.
Willcocks et al. (1999) categorised these risks: contextual, building to contract and
post-contract issues. A contribution of the paper was proposed a framework for analysing
the risk and then presented a case study. Bhattacharya et al. (2003) categorised these
risks: risk exposure of supplier capabilities and risk exposure of company capabilities.
Akomode et al. (1998) categorised these risks: performance, technical expertise,
commitment, adequate time-to-volume, quality and adequate forecasting of total cost.
They discussed IT outsourcing in detail and proposed a customised computer-orientated
model based on action research and analytical hierarchy process. Currie (2003)
categorised these risks: delivery and enablement; integration; management and
operations; business transformation; and client/vendor relationships and attempts to make
knowledge explicit, whilst also recognising the tacit aspects of evaluating consortium,
project-based outsourcing. Abdullah and Verner (2009) identified several categories
associated with organisational environment, team, user, complexity, contract,
requirements, planning and control, and execution. Insights from transaction costs theory,
Bahli and Rivard (2005) suggested that there are three major sources of risk factors for IT
outsourcing: the transaction, the client and the supplier. They applied partial least squares
(PLS) to assess their reliability and validity of these risk factors. In the other papers, in
spite of paying attention to identify the lists of ITO risks, they have not categorised them
(Adeleye et al., 2004; Nakatsu and Iacovou, 2009; Osei-Bryson and Ngwenyama, 2006;
Lacity et al., 2009; Gonzalez et al., 2010; Mathew, 2011).
Managing risk in information technology outsourcing 215

Figure 2 The schematic diagram of proposed model

Literature review of ITO project indicated that a few number of papers was considered
risk management of IT projects outsourcing. Among papers considering risks of ITO
projects, a few number have analysed the risks of these projects and most of them have
just mentioned the risks factors. Thus, lack of research aiming collection of a complete
set of risk factors in outsourcing of IT projects and prioritising of mentioned factors is
evident. Therefore, the research goals of current paper are as follows:
216 A. Keramati et al.

a Identifying the risk factors in the outsourcing of information technology projects,


general classification, and presenting a novel structure for analysis of them
In this regard, to form a comprehensive list of risk factors, key articles present in the
literature of risk management of outsourcing of IT projects have been reviewed. The
main aim of putting risk factors in the more general categories is the simplification
of prioritising of risk factors in outsourcing of information technology projects using
experts’ opinions. Thus, all kinds of general categories and classifications present in
the literature have been reviewed and the best categorisation for including the
extracted risk factors inside it was selected. Finally, after putting the extracted risk
factors inside the best chosen category, a new structure of risks present in
outsourcing of IT projects was presented. In addition, for this structure to be
applicable, three experts, each of them has more than ten years experiences were
consulted and the proposed structure was approved by them.
b Prioritising of risk factors in outsourcing of information technology projects
To do this, a questionnaire including general categories of risks and risks factors in
outsourcing of ITO projects was distributed among respected project managers.
Then, using experts’ opinions and fuzzy ANP, risks factors extracted from the
literature were prioritised. Also the schematic diagram of proposed model is shown
in Figure 2.

3 Risk factors in ITO projects

3.1 Methodology for extracting risk factors


For extraction of risk factors, key articles related to the subject were studied and risks
factors presented in them were analysed. Achieved results are as follows.
Articles presented related to risks in outsourcing of IT projects can be classified from
two approaches which they will be elaborated in detail.
This study analyses domestic IT outsourcing risks from the perspective of client. It is
noteworthy that other papers on this subject have been reviewed and all common risks
presented in them have been extracted.
For evaluation of risk factors of projects, without inclusion of mentioned risks in the
general classification, comparison and prioritising of them would be hard and with some
errors. In the literature of risk management of projects, different categorisation for
risk factors can be found. With review of general categorisation of risk factors in
outsourcing of IT projects, it can be grasped that the main motivation of researchers for
presentation of different categorisations, like most of research works performed in
information technology projects, is the clarification of concept and nature of risks in these
projects.
Managing risk in information technology outsourcing 217

Table 1 Summary of risks in related to outsourcing of IT projects

Reference Focus Type of outsourcing


Willcocks et al. (1999) Client Domestic
Chou and Chou (2009) Client _
Adeleye et al. (2004) Client Domestic
Bahli and Rivard (2005) Client Domestic
Akomode et al. (1998) Client Domestic
Nakatsu and Iacovou (2009) Client Domestic/offshore
Lacity et al. (2009) Client Domestic/offshore
Osei-Bryson and Ngwenyama (2006) Client/supplier Domestic
Bhattacharya et al. (2003) Client/supplier BPO1
Currie (2003) Client/supplier ASP2
Aundhe and Mathew (2009) Supplier Offshore
Abdullah and Verner (2009) Client Domestic
Gonzalez et al. (2010) Client Domestic
Mathew (2011) Client Offshore
1
Notes: Business process outsourcing (BPO) entails a supplier taking over the execution
of a client’s business processes within functions such as human resource
management, finance, and accounting. As with IT outsourcing, cost savings,
greater flexibility, and access to specialised process expertise remain key
motivators of BPO (Lacity et al., 2009).
2
Application service provision (ASP) was a business model in which suppliers
hosted and rented standard applications to clients over the internet. ASP was one
way small client firms could access expensive software – like enterprise resource
planning software by SAP or Oracle – while avoiding high infrastructure costs,
support costs, or hefty software license fees (Lacity et al., 2009).
The results of categorising act over key papers of ITO risks which have been published
between the years 1998 to 2011, the details of these papers have been reviewed from the
point of any risk, used methods and its categorising. These papers have been selected
from among researches which have been mentioned by Bahli and Rivard (2005) for
general categorising of risks and details of them. Also, other risks that have been
described in pointed papers were evaluated and the common risks have been derived and
placed in our categorised model. So, if there is any risk that not considered can be
described (see Tables 2 and 3). For being certain from the validity of derived risk factors,
three experts were consulted. These experts have more than ten years of good experience
in ITO field.
At the end of this stage, risk factors are extracted and classified and a comprehensive
list of risk factors for ITO projects is introduced. At the next stage, all of the risk factors
are described in detail and each concept of them will be elaborated.
218 A. Keramati et al.

Table 2 Risk factors of ITO projects

Source of risk Risk factors


C1-Transaction C11-Uncertainty
C12-Relatedness
C13-Small number of suppliers
C14-Measurement problems
C15-Asset specificity
C2-Client C21-lack of expertise of the client with outsourcing
C22-Client’s lack of expertise with an IT operation
C23-Inadequate user involvement
C3-Supplier C31-lack of expertise of the supplier with outsourcing
C32-Supplier’s lack of expertise with an IT operation
C33-Breach of contract by the vendor
C34-Vendor viability

Table 3 Frequency of risk factors in literature

Code of risks authors C11 C12 C13 C14 C15 C21 C22 C23 C31 C32 C33 C34
Bahli and Rivard 9 9 9 9 9 9 9 9
(2005)
Nakatsu and 9 9 9 9 9 9 9 9 9 9
Iacovou (2009)
Lacity et al. (2009) 9 9 9 9 9 9 9 9 9
Osei-Bryson and 9 9
Ngwenyama (2006)
Bhattacharya 9 9 9 9 9
et al. (2003)
Akomode et al. (1998) 9 9 9 9 9
Willcocks et al. (1999) 9 9 9 9 9
Adeleye et al. (2004) 9 9 9 9 9
Chou and Chou (2009) 9 9 9
Aundhe and 9 9 9 9 9
Mathew (2009)
Currie (2003) 9 9 9 9 9 9
Abdullah and 9 9 9 9
Verner (2009)
Mathew (2011) 9 9 9
Gonzalez et al. (2010) 9 9
Frequency in literature 8 7 3 9 6 10 10 2 7 9 1 1
Managing risk in information technology outsourcing 219

3.2 Description of risk factors


3.2.1 Uncertainty (C11)
In this condition, this issue reflects humans’ calculating limits; given an array of possible
contingencies, people are unable to compute the underlying possibilities that govern the
yet undisclosed future. Williamson (1985) puts it, “Environment uncertainty, when these
[underlying possibilities] become so numerous that they cannot all be considered,
presumably exceeds the data processing capabilities of the parties. The complete decision
tree simply cannot be generated”. In the concept of IT outsourcing, uncertainty may be
presented because there are many known potential alternatives, because the transacting
parties have incomplete or imperfect information, or because there are numerous
unimaginable possibilities, which may arise during the course of the transaction. This
means that, in the face of uncertainty, contracts are unavoidably incomplete, and may
require renegotiation and frequent adjustments when unexpected contingencies take place
(Williamson, 1985).
Not achieving the planned benefits, not meeting agreed deadlines, using more
resources than initially foreseen, change in functional and procedural requirements, and
budget overrun that they may result in Uncertainties(Adeleye et al., 2004; Bahli and
Rivard, 2005).
Lack of market and vendor information (Chou and Chou, 2009), not having
distinctive external and internal context and histories (Willcocks et al., 1999) all of them
may lead to uncertainty in ITO project.

3.2.2 Relatedness (C12)


Relatedness which is sometimes called interdependence or connectedness, refers to the
dependency among tasks, business units or functions, i.e., the performance of one definite
piece of work depends on the completion of other definite pieces of work (Van der Vegt
et al., 1998; Wybo and Goodhue, 1995). Some consequences of relatedness may have a
potentially negative bearing on business performance resulting in inflexibilities and poor
responsiveness to market changes. The more the interdependence, the more the need for
coordination, joint problem solving, and mutual adjustment, which may impede cost
control. In the IT outsourcing context, two types of relatedness are identified.
1 an outsourced IT operation may have a direct (or indirect) dependency to another IT
operation that is kept in-house
2 an outsourced IT operation may have a direct (or indirect) dependency to another
outsourced IT operation (Earl, 1996).
Lack of active management of supplier on contract and relationship dimensions
(Willcocks et al., 1999), lack of top management support, lack of project management
know-how by client, lack of commitment (Nakatsu and Iacovou, 2009), and changes in
client’s corporate structure (Aundhe and Mathew, 2009), all of them may lead to
relatedness’ risk.
220 A. Keramati et al.

3.2.3 Small number of suppliers (C13)


Having limited choices regarding suppliers will leave the client in a poor position to
negotiate future contracts and with little leveraging power to switch to another supplier
without incurring costs. The client is then subject to opportunistic bargaining power
throughout the contract as well as at the time of contract renewal since the supplier will
have the advantage over other bidders of knowing the real incurred costs (Ngwenyama
and Bryson, 1999; O’Looney, 1998). Among them, opportunistic bargaining refers to a
supplier’s ability to demand higher than markets price (Osei-Bryson and Ngwenyama,
2006). Also, vender market and client strategies and capability can be effective with this
risk (Willcocks et al., 1999).

3.2.4 Measurement problems (C14)


Williamson (1985) identified two types of measurement problems:
1 the team production, where it is impossible to evaluate the individual contributions
of the parties
2 the measure of the fair value of these contributions.
When performance cannot be assessed easily, using markets can be ‘inefficient’ because
it is not known what to reward and how (Williamson, 1985). In the absence of such
accurate measurements, buyers must engage in a costly process of monitoring, or sellers
must engage in a costly process of signalling (Barzel, 1982). Thus, the ability to easily
measure outcomes is critical to the overall performance of markets (Genus, 1997).
Differences related to the interpretation of the performance of the supplier led to disputes
between the parties (Bahli and Rivard, 2005). Because most IS projects involve a group
of individuals, there is no way to adequately assess the effort spent in a team production
(Alchian and Demsetz, 1972; Barzel, 1982). This will lead the parties to argue about and
haggle over quality of the measurement instruments used, and the criteria chosen
(Aubert et al., 1998). If it is difficult to evaluate the external supplier’s contribution,
disagreements between the client and the external supplier on the quality/price ratio are to
be feared. These disagreements can lead to service deterioration (Bahli and Rivard,
2005).
Lack of quality control process, lack of assess measurement, metrics, and tool, lack of
certification and quality model (Chou and Chou, 2009), loss of control over vendor, and
inflexible contracts (Lacity et al., 2009) may be caused by this risk.
Risks of delivery and enablement refer to measurement problems risk that supplier
could not meet client’s satisfaction level (Currie, 2003).
Measurement problems could lead to shirking. To minimise the risk of shirking, the
outsourcer can invest in monitoring and coordinating mechanisms (Osei-Bryson and
Ngwenyama, 2006) or a relationship management strategy ensuring reasonable profits to
the client could mitigate shirking risk (Mathew, 2011).

3.2.5 Asset specificity (C15)


Asset specificity refers to investments in physical or human assets that are assigned to a
particular relationship and whose redeployment entails considerable switching costs
Managing risk in information technology outsourcing 221

(Heide, 1994; Williamson, 1985). In each case, should the relationship be terminated
prematurely, the investment would be foregone (Klein et al., 1978). Asset specificity
makes the investor vulnerable to ex-post exploitation, hence the lock-in problem (Slater
and Spencer, 2000). The supplier may use its specific investments into a relationship as
bargaining power over the client at the time of contract renewal, since other suppliers
would have to make the same investment if they were to get the contract (Grossman and
Hart, 1986). Under these situations, once the existence of a relationship-specific
investment is recognised, switching suppliers is no longer a credible threat, and
transaction costs related to negotiating, monitoring, and enforcing the contract are
incurred (Pilling et al., 1994).
As a result of this risk are excessive transaction cost (that means supplier employee
turnover/burnout) (Lacity et al., 2009) and inadequate staffing by vendor (Nakatsu and
Iacovou, 2009).

3.2.6 Lack of expertise of the client with outsourcing (C21)


Aubert et al. (1998) suggested, “A lack of expertise of the client with outsourcing
contracts may lead to increased costs of service since the prospective supplier may have
negotiated dozens of contracts”.
This risk can lead to incomplete contracting, difficulties in constructing deals for
technical/business change, unrealistic expectations with multiple objectives for
outsourcing, power asymmetries developing in favour of vendor (Willcocks et al., 1999),
and inadequate forecasting of costs (Akomode et al., 1998).
The result of this risk is outsourcing for short-term financial restructuring/cash
injection rather than leveraging IT asset for business advantage (Willcocks et al., 1999).

3.2.7 Client’s lack of expertise with an IT operation (C22)


In ITO, it was suggested that a client’s lack of expertise with an IT operation could lead
to hidden costs and, therefore, subject the client to a loss of control over unexpected
transition and management expenditures (Aubert et al., 1998). On the other hand, a
supplier may unable to respond to a rapid change in business conditions, may not have a
firm grasp of the client’s business and objectives, as well as the necessary range of
expertise required to fulfil its needs (Clark et al., 1995), causing disputes between the
parties over the rendered services (Aubert et al., 1998).
Change in functional and procedural requirements, deficient change over systems
(Adeleye et al., 2004), inadequate outsourcing plan and lack of outsourcing strategy
(Chou and Chou, 2009), difficulties adapting deal in the face of business/technical change
(Willcocks et al., 1999), and difference in development methodology/process (Nakatsu
and Iacovou, 2009), could touch client’s lack of expertise with an IT operation.

3.2.8 Inadequate user involvement (C23)


This risk means that client have quality control process but do not put it in practice.
For example client does not have a good control on revenue’s supplier (experts’ point of
view).
222 A. Keramati et al.

3.2.9 Lack of expertise of the supplier with outsourcing (C31)


The information advantage the supplier has about the IS processes and contract subtleties
gives him a definite edge in experience and knowledge. Hence, the supplier may hide
information that will appear later in the contract (Aubert et al., 1998). An inexperienced
supplier may find himself haggling with the client over contract provisions, performance,
service expectations, planning demands, etc., which will result in cost escalation (Aubert
et al., 1996). Expertise of the supplier with outsourcing compensates loss of option to
wait since they have to exercise outsourcing contracts at clients’ given timing (Jiang
et al., 2008).
Not achieving the planned benefits, not meeting agreed deadlines, and change in
functional and procedural requirements may lead the result of this risk (Adeleye et al.,
2004).

3.2.10 Supplier’s lack of expertise with an IT operation (C32)


The supplier may overestimate his capabilities and/or may be unable to handle the
operation as technology changes (Aubert et al., 1998). If the supplier’s skills do not
advance, service will certainly decline and the cost-reduction potential will be lessened;
target setting is therefore suboptimal (Earl, 1996). Therefore, failure to meet performance
requirements affects the quality of service the client receives. If the supplier lacks
expertise with the business aspect of the activity, the supplier exposes the client to a
business risk, which may affect the client’s profitability. Since the supplier does not
possess comparable knowledge of both internal and industry requirements, the client has
to invest in training the supplier’s personnel and explaining user’s requirements, which
may be costly (Bahli and Rivard, 2005).
Lack of knowledge of new technology (Nakatsu and Iacovou, 2009), unsuitable
quality of service (Akomode et al., 1998), hidden cost (Lacity et al., 2009), and inability
to adapt to the new technologies (Gonzalez et al., 2010) could associate with supplier’s
lack of expertise with an IT operation.

3.2.11 Breach of contract by the vendor (C33)


When project activities are carrying out, if supplier breach contract and contract get
cancel, he/she suffer excessive cost and must pay indemnity (experts’ point of view).

3.2.12 Vendor viability (C34)


This risk means that financial ability of supplier for keeping performance in market.
Client could consider this risk with checking supplier’s contract with other firm or paying
tax (experts’ point of view).

3.3 Proposal structure for risk factors


After specifying of derived risks, classification of them, risk’s detail and paying attention
to the concept of each one, dependency and independency of them have been evaluated
and then consulted with these three experts. Obviously, for providing suitable conditions,
both client and supplier have impacts on transaction. Client alone could have impression
on supplier and transaction. For example, when the client’s policy on ITO project alters,
Managing risk in information technology outsourcing 223

statuses of transaction and supplier change. Also, there is similar situation for supplier.
The conclusion of this subject is that existence of interactions among client, supplier, and
transaction are undeniable and they affect on each other. Many decision-making
problems cannot be structured hierarchically because they involve interaction of various
factors, with high-level factors occasionally depending on low-level factor. Structuring a
problem with functional dependencies that allows for feedback among clusters is
considered to be a network system. Saaty (1996) suggested the use of AHP to solve the
problem of independence among alternatives or criteria, and the use of ANP to solve the
problem of dependence among alternatives or criteria. With due attention to consult with
these three experts and concept of risks, we propose a structure for analysing ITO risks
with ANP model (see Figure 3).

Figure 3 Proposed structure of analysis for ITO risk factors

4 Evaluating and prioritising of ITO risks

4.1 Methodology
In order to make decisions in the presence of multiple and conflicting criteria, MCDM is
applied. One of these techniques in MCDM that is used widely in decision making
process is AHP. AHP was introduced by Saaty (1980). The basic assumption of AHP is
224 A. Keramati et al.

dependency among each level related to upper level and itself. Many decision-making
problems cannot be considered hierarchically because they have interaction in various
levels. Saaty (1996) suggested the use of AHP to solve the problem when there is
independency among alternatives or criteria, and the use of ANP to solve the problem
when dependency among alternatives or criteria exists. In reality, the elements within the
hierarchy are often interdependent. The computation of local weights in ANP is exactly
the same as AHP method pair wise comparisons among elements that need to be
constructed. The result of computations or weights in ANP approach forms a
supermatrix. After the computation of all weights in the supermatrix, it is possible to
derive the weights of priorities.
Figure 4 is a general form of the supermatrix introduced by Saaty (1996) to deal with
the interdependence characteristics among alternatives and criteria. A supermatrix is
actually a partitioned matrix, where each matrix segment represents a relationship
between two groups of nodes (clusters) in a network (Lee and Kim, 2000). Figure 4
illustrates the structure and relative supermatrix in a network. A node represents a
component (or cluster) with elements inside it; a straight line/or an arc denotes the
interactions between two components; and a loop indicates the inner dependence of
elements within a component (Chung et al., 2005). When the elements of a component
‘goal’ depend on another component ‘criteria’, we represent this relation with an arrow
from component ‘goal’ to ‘criteria’. The corresponding supermatrix of the hierarchy with
three levels of clusters is also shown in Figure 5.

Figure 4 The general form of the supermatrix


Managing risk in information technology outsourcing 225

Figure 5 (a) A hierarchy and (b) a network

(a) (b)

In Figure 5, W21 is a vector that represents the impact of the ‘goal’ on the ‘criteria’; and
W32 is a matrix that represents the impact ‘criteria’ on each item of the ‘alternatives’. W22
represents interdependency, and the supermatrix of the elements in a component or
between two components (Saaty, 1996). W21 and W32 are obtained from pair wise
comparisons but W22, or inner dependences, are calculated by fuzzy DEMATEL method.
Since there is inner dependency among clusters in a network, the sum of columns in the
supermatrix is usually more than one and called unweighted supermatrix. The columns of
unweighted supermatrix must be normalised first to make it stochastic, it means, each
column of the matrix sums should be equal to 1. The result of this normalisation is the
weighted supermatrix. To achieve a convergence on the obtained weights, the weighted
supermatrix is raised to the power of 2p + 1; where p is an arbitrarily large number, and
this new matrix is called the limited supermatrix. The property of the limited supermatrix
is that nonzero columns of this matrix have the equal value correspondingly. Eventually,
having the limited supermatrix, the final priorities of all the elements (alternatives,
criteria, and sub criteria) can be obtained (Chung et al., 2005).
Because the real world is actually full of ambiguities or in one word is fuzzy, several
researches have combined fuzzy theory with ANP. Dagdeviren and Yuksel (2010)
measure the sectoral competition level (SCL) of an organisation within the framework of
Porter’s five forces analysis using Fuzzy analytical network process (F-ANP) technique.
Chen and Chen (2010) proposed model and applied F-ANP for support system for
Taiwanese higher education. Liu and Wang (2010) analysed quality function deployment
(QFD) model based on F-ANP approach. Some researchers, such as Vinodh et al. (2011),
Yang et al. (2011), Kang (2011), Chang et al. (2011), Huang and Chu (2011) and so on
with using of F-ANP analysed their model. Due to the network structure of framework of
risk factors presented in this paper, F-ANP is used for prioritising of risk factors in ITO
projects.

4.2 Providing suitable questionnaire


The risk level evaluation of project risks is a complex subject including uncertainty
(Tueysuz and Kahraman, 2006). To deal with ambiguity of human thought, Zadeh (1965)
226 A. Keramati et al.

first introduced the fuzzy set theory, which can effectively describe imprecise knowledge
or human subjective judgment by linguistic terms. The linguistic terms that people use to
express their feelings and judgment are vague. Because linguistic terms merely
approximate the subjective judgment of decision makers, the widely adopted triangular
fuzzy number technique is used to represent the vagueness of these linguistic terms
(Lin, 2010).
In this regard, for gathering the experts’ opinions, a questionnaire including 25 pair
comparisons in a nine-piece scale that applied linguistic variables can reflect different
aspects of human judgments, was used (see Table 4). Structure of questionnaire is similar
to Tueysuz and Kahraman’s (2006) paper. This questionnaire was distributed among
13 project managers that work in ITO field in eight organisations. These organisations
had outsourced some or all IT operations (the organisations outsourced their information
system) to an external supplier or whether they were involved in the outsourcing
decision.
Table 4 Saaty’s (1996) scale

Intensity of Definition
Explanation
importance (linguistic terms)
1 Equal importance Two activities contribute equally to the
objective
3 Moderate Experience and judgment slightly favour one
importance over another
5 Strong importance Experience and judgment strongly favour one
over another
7 Very strong Activity is strongly favoured and its dominance
importance is demonstrated in practice
9 Absolute importance Importance of one over another affirmed on the
highest possible order
2, 4, 6, 8 Intermediate values Used to represent compromise between the
priorities listed above
Reciprocal of above If activity i has one of the above non-zero numbers assigned to it when
non-zero numbers compared with activity j, then j has the reciprocal value when compared
with i

Table 5 Converting linguistic terms to triangular fuzzy number

Linguistic terms Triangular fuzzy number


Equal importance (1, 1, 1)
Moderate importance (2, 3, 4)
Strong importance (4, 5, 6)
Very strong importance (6, 7, 8)
Absolute importance (8, 9, 9)
Intermediate values (X – 1, X, X + 1)
Reciprocal of above non-zero numbers (1 / (X + 1), 1 / X, 1 / (X – 1))
Source: Tesfamariam and Sadiq (2006)
Managing risk in information technology outsourcing 227

4.3 Analysing questionnaire


For converting linguistic terms to triangular fuzzy number, Tesfamariam and Sadiq’s
(2006) paper was used (see Table 5).
In this paper the CFCS method is applied to deffuzify fuzzy numbers in pair wise
comparisons. To address uncertainties, Zadeh (1965) for the first time introduced and
then used fuzzy sets theory. A fuzzy set A is a subset of a universe of discourse X, which
is a set of ordered pairs and is characterised by the membership function μ A ( x)
representing the mapping μ A ( x) → [0,1]. The function value of μ A ( x) for the fuzzy set
A is called the membership value of x in A , which represents the degree of truth that x
is an element of the fuzzy set A . It is assumed that μ A ( x) ∈ [0,1], where μ A ( x) = 1
reveals that x completely belongs to A , while μ  ( x) = 0 indicates that x does not belong
A

to the fuzzy set A where μ A ( x) is the membership function and X = {x} represents a
collection of elements x.
In this paper, triangular fuzzy numbers are used as the membership function, which is
illustrated in Figure 6. Triangular fuzzy numbers are used, since they help the decision
maker to make easier decisions (Kaufmann and Gupta, 1988). The membership function
of a triangular fuzzy number can be found in equation (1) and is usually notated by the
triplet (l, m, r).

⎧ 0 x<l
⎪ x−l
⎪ 1≤ x ≤ m

μ ( x A) = ⎨ m − l
 (1)
⎪r−x m≤x≤r
⎪r − m
⎪ 0 x≥r

Figure 6 A triangular fuzzy number

Various defuzzification methods exist, and the method adopted in this study was derived
from the converting fuzzy data into crisp scores (CFCS) defuzzification method
developed by Opricovic and Tzeng (2003) for performing fuzzy aggregation. The CSCF
method can clearly express fuzzy perception, which is based on the procedure of
228 A. Keramati et al.

determining the lower and upper scores by fuzzy min and fuzzy max, and the total score
is determined as a weighted average according to the membership functions (Lin, 2010).
The main features of the CFCS defuzzification method are:
• can be used for a MCDM model with a mixed set of crisp and fuzzy criteria
• is applicable for converting fuzzy numbers into crisp scores
• converting by considering membership function and relative location on the x-axis
• uses membership function as a weighting function within conversion (Opricovic and
Tzeng, 2003).
The steps of CSCF method are described as follow:
Step 1 Normalisation

rimax = max j rij , limin = min j lij (2)

Δ max
min = ri
max
− limin (3)

(
xij = lij − limin ) Δ max
min (4)

(
xmj = mij − limin ) max
Δ min (5)

(
xrj = rij − limin ) max
Δ min (6)

Step 2 Computing lower (ls) and upper (us) normalised value:

xlsj = xmj (1 + xmj − xij ) (7)

x rsj = xrj (1 + xrj − xmj ) (8)

Step 3 Computing total normalised crisp value:

⎣ ( ⎦ )
xijk = ⎡ xlsijk 1 − xlsijk + xrsijk ⎤ ⎡⎣1 − xlsijk + xrsijk ⎤⎦ (9)

Step 4 Computing crisp value:

Z ijk = min lijk + xijk Δ max


min (10)

These steps should be followed separately for k evaluators.


In the state that we have several decision makers, like what we face in maintenance
strategy selection, after all steps of CFCS method is done for each evaluator pair wise
comparisons, to aggregate different opinion of decision makers equation (11) should be
calculated.

Z ij =
k
(Z 1
ij × Z ij2 × " × Z ijk ) (11)
Managing risk in information technology outsourcing 229

In this equation, Zijk is a crisp value of evaluation between the criteria or alternative i and
j of the kth evaluator that should be calculated through CFCS method. Also, zij is the
aggregated crisp value of evaluations between the criteria or alternative i and j.
Using equation (11) different crisp evaluation of several decision makers will be
converted into one aggregated crisp value. After calculating the aggregated crisp value of
all evaluators, the final weight of each criteria or alternative can be calculated through
equation (12) which is introduced by Saaty (1980) and is known as geometric mean
method in AHP.
⎛ n ⎞

⎜ ∏ Z ij ⎟1/ n

Wi = ⎝j =1 ⎠ i, j = 1, 2," , n (12)
n ⎛ n ⎞
∑∏ ⎜

i =1 ⎝ j =1
Z ij ⎟1/ n


In this equation ‘n’ is the number of decision criteria or alternative in pair wise
comparisons table.
According the analysis of Csutora and Buckley (2001), let R = [rij ] be a fuzzy
judgment matrix with triangular fuzzy number, rij = (αij , βij , γij ) and form [ ] R = [βij].
If R is consistent, then R is consistent. By using this definition consistency ratio
(CR) for each pair wise comparison matrix for each one experts was considered. If
subjective judgments of the experts were inconsistent, the author asked them to repeat the
pair wise comparison process until the consistency index got valid. After being sure about
CR, the questionnaires were analysed.
The ANP is composed of four major steps (Yuksel and Dagdeviren, 2007):
Step 1 Model construction and problem structuring: the problem should be stated
clearly and be decomposed into a rational system, like a network.
Step 2 Pair wise comparison matrices and priority vectors: similar to the comparisons
performed in AHP, pairs of decision elements at each cluster are compared with
respect to their importance towards their control criteria. The clusters
themselves are also compared pair wise with respect to their contribution to the
objective. In addition, interdependencies among elements of a cluster must also
be examined pair wise.
Step 3 Supermatrix formation: the supermatrix concept is similar to the Markov chain
process (Saaty, 1996). To obtain global priorities in a system with
interdependent influences, the local priority vectors are entered in the
appropriate columns of a matrix. As a result, a supermatrix is actually a
partitioned matrix, where each matrix segment represents a relationship between
two clusters in a system.
Step 4 Selection of the best alternatives: If the supermatrix formed in Step 3 covers the
whole network, the priority weights of the alternatives can be found in the
column of alternatives in the normalised supermatrix (Yuksel and Dagdeviren,
2007). After entering the normalised values into the supermatrix, the
230 A. Keramati et al.

supermatrix is then raised to sufficient large power until convergence occurs.


The current supermatrix reached convergence and attained unique eigenvector
that provides the final limit matrix (Wu et al., 2009). The alternative with the
largest overall priority should be selected, as it is the best alternative as
determined by the calculations made using matrix operations (Yuksel and
Dagdeviren, 2007).
As a mention above, after selecting and defining the evaluative criteria and establish an
ANP model (Step 1), with applying CFCS method experts’ judgment were analysed.
Analysing the first expert’s judgment for level 1with CFCS method is as following
(see Tables 6 to 10):
Table 6 Fuzzy judgment matrix with respect to level 1 of expert 1

Level 1 C1 C2 C3
C1 (1, 1, 1) (4, 5, 6) (1/4, 1/3, 1/2)
C2 (1/6, 1/5, 1/4) (1, 1, 1) (1/8, 1/7, 1/6)
C3 (2, 3, 4) (6, 7, 8) (1, 1, 1)
λmax = 3.064; CI = 0.032; RI = 0.58; CR = 0.056

Table 7 Normalised fuzzy judgment matrix with respect to level 1 of expert 1

Level 1 C1 C2 C3
C1 (0.111, 0.111, 0.111) (0.492, 0.619, 0.746) (0.0159, 0.026, 0.048)
C2 (0.005, 0.01, 0.016) (0.111, 0.111, 0.111) (0, 0.002, 0.005)
C3 (0.238, 0.365, 0.492) (0.746, 0.873, 1) (0.111, 0.111, 0.111)
lmin = 0.125, rmax = 8, Δ = 7.875

Table 8 Computing lower (ls) and upper (us) normalised value with respect to level 1 of
expert 1

Level 1 C1 C2 C3
C1 (0.111, 0.111) (0.549, 0.662) (0.026, 0.047)
C2 (0.009, 0.016) (0.111, 0.111) (0.002, 0.005)
C3 (0.324, 0.437) (0.775, 0.887) (0.111, 0.111)

Table 9 Computing total normalised crisp value with respect to level 1 of expert 1

Level 1 C1 C2 C3
C1 0.111 0.616 0.027
C2 0.01 0.111 0.002
C3 0.368 0.866 0.111

Table 10 Computing crisp value with respect to level 1 of expert 1

Level 1 C1 C2 C3
C1 1 4.979 0.339
C2 0.2 1 0.143
C3 3.024 6.933 1
Managing risk in information technology outsourcing 231

After applying CFCS method for all of experts and then using geometric average for
aggregate experts’ judgment, the result show in Tables 11 to 14 (Step 2).
Table 11 Weight of risk factors

Risk factor Weight of risk factor Risk factor Weight of risk factor
(level 1) (level 1) (level 2) (level 2)
C1 0.113 C11 0.303
C12 0.120
C13 0.243
C14 0.204
C15 0.130
C2 0.513 C21 0.260
C22 0.439
C23 0.302
C3 0.374 C31 0.178
C32 0.584
C33 0.125
C34 0.114

Table 12 Inner dependence matrix of the risk factors with respect to ‘transaction’

Transaction C2 C3 Relative importance weights


C2 1 2.430 0.708
C3 0.415 1 0.292

Table 13 Inner dependence matrix of the risk factors with respect to ‘client’

Client C1 C3 Relative importance weights


C1 1 0.483 0.326
C3 2.069 1 0.674

Table 14 Inner dependence matrix of the risk factors with respect to ‘supplier’

Supplier C1 C2 Relative importance weights


C1 1 0.263 0.209
C2 3.77 1 0.791

After applying Steps 1 and 2, the supermatrix was formed that shown in Table 15
(Step 3).
Finally, the overall priority of the risk factors by using of weighted supermatrix and
limited supermatrix that shown respectively in Tables 16 and 17, were calculated
(Step 4). The ANP results indicate that Supplier’s lack of expertise with an IT operation
is the main risk factors with an overall priority value of 0.103 (see Table 18).
232 A. Keramati et al.

Table 15 The supermatrix

C1 C2 C3 Goal
C1 0 0.326 0.209 0.113
C2 0.708 0 0.791 0.513
C3 0.292 0.674 0 0.374
C11 0.303 0 0 0
C12 0.120 0 0 0
C13 0.243 0 0 0
C14 0.204 0 0 0
C15 0.130 0 0 0
C21 0 0.260 0 0
C22 0 0.439 0 0
C23 0 0.302 0 0
C31 0 0 0.178 0
C32 0 0 0.584 0
C33 0 0 0.125 0
C34 0 0 0.114 0

Table 16 Weighted supermatrix

C1 C2 C3 Goal
C1 0 0.163 0.104 0.113
C2 0.354 0 0.396 0.513
C3 0.146 0.337 0 0.374
C11 0.151 0 0 0
C12 0.060 0 0 0
C13 0.122 0 0 0
C14 0.102 0 0 0
C15 0.065 0 0 0
C21 0 0.130 0 0
C22 0 0.219 0 0
C23 0 0.151 0 0
C31 0 0 0.089 0
C32 0 0 0.292 0
C33 0 0 0.062 0
C34 0 0 0.057 0
Managing risk in information technology outsourcing 233

Table 17 Limited supermatrix

C1 C2 C3 Goal
C1 0.107 0.107 0.107 0.107
C2 0.216 0.216 0.216 0.216
C3 0.177 0.177 0.177 0.177
C11 0.033 0.033 0.033 0.033
C12 0.013 0.013 0.013 0.013
C13 0.026 0.026 0.026 0.026
C14 0.022 0.022 0.022 0.022
C15 0.014 0.014 0.014 0.014
C21 0.056 0.056 0.056 0.056
C22 0.095 0.095 0.095 0.095
C23 0.065 0.065 0.065 0.065
C31 0.031 0.031 0.031 0.031
C32 0.103 0.103 0.103 0.103
C33 0.022 0.022 0.022 0.022
C34 0.020 0.020 0.020 0.020

Table 18 Prioritising of ITO risks

Subcriteria Weight Rank


C11 0.0325 5
C12 0.01289 12
C13 0.02607 7
C14 0.02188 9
C15 0.01394 11
C21 0.05604 4
C22 0.09467 2
C23 0.06512 3
C31 0.03141 6
C32 0.10332 1
C33 0.02204 8
C34 0.02011 10

5 Model validation

The importance of testing the validity of models that are developed in operation research
studies is a well-known fact. However, it can be seen that the validity of the theoretical
234 A. Keramati et al.

base (Saaty, 1996) of the suggested ANP model has been neglected and specific criteria
for testing it have not been developed. The present study has faced some limitations and
difficulties with testing the validity of the suggested model.
The first of these difficulties stems from the fact that the factors in the ANP model are
not quantitative by nature. ANP is a technique that is used in solving multiple-criteria
decision-making problems where there is dependency between factors that are both
qualitative and quantitative in nature. Moreover, problems that are modelled by the ANP
pair wise comparison matrices used to determine the priority values for the factors are
determined by the judgment of experts. However, it is not always possible to objectively
assign numerical measurements to the elements in a decision-making problem, nor is it
possible to come up with the same results each time. This is because the data used in pair
wise comparison matrices may change depending on the subjective views of the experts.
Thus it is impossible to arrive at the same results using data obtained from different case
studies. However, this limitation is embedded in the very nature of decision-making
problems. Likewise, it is a well-known fact that different preferences are made under
different conditions. Consequently, the fact that the values of the pair wise comparative
factors change depending on the views of experts should not be a reason for rejecting the
validity of studies using the suggested ANP model.
Another problem that is encountered when testing the validity of the model is that the
model has not been analysed using past data, due to the unavailability of past data for the
particular management case under study. This problem, however, should not be viewed
as a significant shortcoming when evaluating the validity of the model. The comparison
matrices that are the inputs to the suggested model are defined under known conditions.
Thus it is possible to achieve different results since different pair wise comparison
matrices may be obtained at different points in time.
In consideration of the problems mentioned above, the validity of the proposed model
in this study was debated and evaluated in three ways. First, the results from the proposed
model were compared with AHP model. According to the ANP analysis, supplier’s lack
of expertise with an IT operation is the main risk factor. The same example is analysed
with hierarchical model. By assuming there is no dependence among the factors. In the
AHP analysis, the client’s lack of expertise with an IT operation is found to be the main
risk factor, with an overall priority value of 0.225. When dependence among the risk
factors taken to account, both the risk priorities and the ranking order of the risk factors
changes. The results obtain from the AHP and ANP analyses are comparatively list in
Table 19.
In cases where dependency among the risk factors is established, ANP analysis can be
performed in order to determine the alternative priorities so that organisations are able to
make correct decision. AHP analysis can be used in situations that there is no dependency
among factors or where the level of this dependency can be neglected.
The results obtained using the proposed model is presented in Section 3.3. Different
results are obtained when the ANP and AHP methods are implemented. However, such a
difference is expected because AHP does not take in to account dependencies among
factors while ANP does. For this reason, the ANP method is better able to model real
world situations as compared to the AHP method. Weight of ANP and AHP methods can
be seen in Figure 7.
Managing risk in information technology outsourcing 235

Table 19 Weight and ranking of the strategies with AHP and ANP model

Ranking in ANP Weights in ANP Ranking in AHP Weights in AHP


C11 5 0.033 8 0.034
C12 12 0.013 12 0.014
C13 7 0.026 9 0.028
C14 9 0.022 10 0.023
C15 11 0.014 11 0.015
C21 4 0.056 4 0.133
C22 2 0.095 1 0.225
C23 3 0.065 3 0.155
C31 6 0.031 5 0.066
C32 1 0.103 2 0.218
C33 8 0.022 6 0.047
C34 10 0.020 7 0.043

Figure 7 The comparisons weight of ANP and AHP methods (see online version for colours)

The second criterion for model validity in this study was the views of managements. The
managements of the organisations on which the case study was conducted have said that
they have found the results obtained from the suggested model to be meaningful and
useful.
Another parameter that verifies the validity of the model is the CR of the pair wise
comparison matrices. The CR in the pair wise comparison matrices is calculated using the
consistency index and the random index (Lin, 2010). The consistency index (CI) of a
matrix of comparisons is given by CI = (λmax − n) / (n − 1). Here, λmax is the maximum
eigen value and n is the size of matrix. The CR is obtained by forming the ratio of the CI
and the random index (RI). The value of the CR calculated using AHP and ANP must be
less than 0.1. Upon examination of all the calculated CRs, it can be seen that all the
236 A. Keramati et al.

values are less than 0.10. Given these CRs, we may be confident of the appropriateness of
the pair wise comparison matrices used in this study.

6 Conclusions

This study first provided a list of ITO project risk based on the literature. Lack of such a
comprehensive checklist was highly tangible in the literature of ITO risk projects. Risk
factors were extracted according to Bahli and Rivard (2005), advantages of using this
method is as the following these three points:
• The main purpose of this paper is validating measure of ITO risks, as result shows
that the outcome of these factors are validate.
• The main purpose of outsourcing is decreasing the cost,so transaction cost theory
have been used for introducing and categorising ITO risks in this article. We have to
point out that the main reason for selection of this theory is adoption of the
assumption to the real condition.
• The risks of this paper include the majority risks of other papers.
Second, it provides useful insights into which risk factors is the most important. The
former frameworks have focused on considering some proposed risks factors or
measuring their effects on the performance in ITO projects. Also, the former researches
have mainly investigated other aspects of ITO such as success/failure factors, relationship
between client and supplier in ITO, contracts, etc. But we can do this using the proposed
structure that considers dependency among risks according to some experts’ judgments.
Being simpler, more complete and more comprehensive are some advantages of this
structure. The results of this framework can easily be used in every firm willing to use
and implement ITO projects. Third, identifying and evaluating risk factors are the most
important steps of risk management process. Hence, the proposed framework of this
research can give suitable understanding of the present obstacles in successful
implementation of information technology projects and prioritising of these obstacles to
organisations that want to outsource this kind of projects. In addition, the proposed
framework can show appropriate strategies able to tackle with these obstacles to those
organisations.

7 Managerial implementations

According to the results obtained from this research, managers of outsourcing IT projects
have known ‘supplier’s lack of expertise with an IT operation’ as the most important
factor in success and failure of outsourcing of information technology projects. Factor
‘client’s lack of expertise with an IT operation’ with a little difference is the next most
important factor. After these factors, ‘Inadequate user involvement’ is the third most
important factor with a significant gap with the second most important factor. The two
factors, ‘lack of expertise of the client with outsourcing’ and ‘uncertainty’, are of fourth
and fifth place. The high importance of two factors ‘supplier’ and ‘client’ caused that
three sub-factors of these factors, ‘supplier’s lack of expertise with an IT operation’,
‘client’s lack of expertise with an IT operation’, and ‘inadequate user involvement’, are
Managing risk in information technology outsourcing 237

the three most important factors in outsourcing of information technology projects. The
less significance of factor ‘transaction’ caused risk factor ‘relatedness’ has the lowest
priority among risk factors in outsourcing of IT projects.
It is obvious that if the supplier lacks enough skill in information technology
operations, it cannot supply the employer requirements which will make negative effects
in the project performance. In addition, if the client lacks sufficient skill in information
technology and outsourcing operations and cannot supervise the project well, project
advancement will be endangered. The risk factor ‘relatedness’ has the lowest priority
among 12 risk factors because project managers try to outsource some parts of the
projects that have the lowest dependency with other parts and other projects.
After prioritising of risks present in outsourcing of IT projects, following five factors
as the most important ones have been assessed and policies and strategies that should be
used for successful implementation of outsourcing of information technology projects
have been mentioned.
1 Supplier’s lack of expertise with an IT operation
Selecting the supplier with enough skill by technical and qualitative evaluation of
suppliers before contracting through experienced expert teams.
2 Client’s lack of expertise with an IT operation
Preferment of technical knowledge of related personnel using internal and external
educations and consultant companies with enough technical knowledge for
collaboration in information technology projects.
3 Inadequate user involvement
Project management structure should be implemented based on PMBOK standard for
information technology projects.
4 Lack of expertise of the client with outsourcing
Preferment of technical knowledge of financial and trading departments’ personnel
related to increase in skills of projects outsourcing or preferment of technical
knowledge related to evaluation of suppliers of information technology projects.
5 Uncertainty
Use of experienced consultants in contracting of information technology projects
with considering all technical and legal issues of these kinds of agreements.

8 Limitations and future research

Like all research, ours has its limitations. First, our study does not examined other aspects
of point of view such as supplier perspective in the state of offshore outsourcing and
compare its results with this study. So, as one future research line, considering different
combinations of views and approaches for risk management of outsourcing of
information technology projects would be a potential proposal. Second, the ANP
approach illustrated in this paper has a few limitations as well. For example, the outcome
of the model is dependent on the inputs provided by the decision-maker(s). The
238 A. Keramati et al.

possibility of the decision maker’s biasness towards any particular alternative cannot be
ruled out while applying this model. So, using methods other than ANP for prioritising of
risk factors of outsourcing of information technology projects and comparison of
achieved results from those methods with the results of ANP is proposed for future
research.
Third, the number of criteria and their related sub-criteria can affect on the
applicability of fuzzy ANP method as the decision-maker(s) might have to make great
deal of judgments in constructing pair wise matrices.
Additionally, the present research has been carried out by using information
technology project managers’ opinions in May 2010 when these projects only were
outsourced to domestic companies for information system’s project. Using the proposed
framework in this research and implementation of that for prioritising of risk factors and
selecting the best strategy to respond to these risk factors in other fields (e.g., in a country
other than Iran or in a special organisation or industry) or doing similar research in the
future and comparing their results with current research results would be a research line
which present research has started.

Acknowledgements

The authors are grateful for the valuable comments and suggestion from the respected
reviewers. Their valuable comments and suggestions have enhanced the strength and
significance of our paper. The authors would like to acknowledge the financial support of
the University of Tehran for this research under Grant Number 7314812/1/04.

References
Abdullah, L.M. and Verner, J.M. (2009) ‘Outsourced strategic IT systems development risk’,
Research Challenges in Information Science, RCIS 2009, Third International Conferences,
pp.275–286.
Adeleye, B.C., Annansingh, F. and Nunes, M.B. (2004) ‘Risk management practices in IS
outsourcing: an investigation into commercial banks in Nigeria’, International Journal of
Information Management, Vol. 24, No. 2, pp.167–180.
Aghazadeh, S.M. (2011) ‘The risks and benefits associated with global outsourcing’, International
Journal of Services, Economics, and Management, Vol. 3, No. 2, pp.232–249.
Akomode, O.J., Lee, B. and Irgens, C. (1998) ‘Constructing customised models and providing
information to support IT outsourcing decisions’, Logistics Information Management, Vol. 11,
No. 2, pp.114–127.
Alaghehband, F.K., Suzanne, R., Shikui, W. and Sylvain, G. (2011) ‘An assessment of the use of
Transaction Cost Theory in information technology outsourcing’, Journal of Strategic
Information Systems, Vol. 20, No. 2, pp.125–138.
Alchian, A.A. and Demsetz, H. (1972) ‘Production, information cost and economic organisation’,
American Economic Review, Vol. 62, No. 1, pp.777–792.
Alsudairi, M. and Dwivedi, Y.K. (2010) ‘A multi-disciplinary profile of IS/IT outsourcing
research’, Journal of Enterprise Information Management, Vol. 23, No. 2, pp.215–258.
Aubert, B.A., Patry, M. and Rivard, S. (1998) ‘Assessing IT outsourcing risk’, Proceedings of the
31st Hawaii International Conference on System Sciences, Kohala Coast, HI, pp.6–9.
Aubert, B.A., Rivard, S. and Patry, M. (1996) ‘Development of measures to assess dimensions of
IS operation transactions’, Omega, Vol. 24, No. 6, pp.661–680.
Managing risk in information technology outsourcing 239

Aundhe, M.D. and Mathew, S.K. (2009) ‘Risks in offshore IT outsourcing: a service provider
perspective’, European Management Journal, Vol. 27, No. 6, pp.418–428.
Bahli, B. and Rivard, S. (2005) ‘Validating measures of information technology outsourcing risk
factors’, Omega, Vol. 33, No. 2, pp.175–187.
Barzel, Y. (1982) ‘Measurement cost and the organisation of markets’ Journal of Law and
Economics, Vol. 25, No. 1, pp.27–48.
Bhattacharya, S., Behara, S. and Gundersen, D.E. (2003) ‘Business risk perspectives on
information systems outsourcing’, Information Systems, Vol. 4, No. 1, pp.75–93.
Blumenberg, S., Wagner, H.T. and Beimborn, D. (2009) ‘Knowledge transfer processes in IT
outsourcing relationships and their impact on shared knowledge and outsourcing
performance’, International Journal of Information Management, Vol. 29, No. 5, pp.342–352.
Boholm, A. (2010) ‘On the organizational practice of expert-based risk management: a case of
railway planning’, Risk Management, Vol. 12, No. 4, pp.235–255.
Brandas, C. (2010) ‘Risks and audit objectives for IT outsourcing’, Informatica Economica,
Vol. 14, No. 1, pp.113–118.
Burkeh, R. (1999) Project Management Planning & Control Techniques, John Wiley & Sons,
Pennsylvania State University.
Chang, C.W., Horng, D.J. and Lin, H.L. (2011) ‘A measurement model for experts
knowledge-based systems algorithm using fuzzy analytic network process’, Expert Systems
with Applications, Vol. 38, No. 10, pp.12009–12017.
Chen, J.K. and Chen, I.S. (2010) ‘Using a novel conjunctive MCDM approach based on
DEMATEL, fuzzy ANP, and TOPSIS as an innovation support system for Taiwanese higher
education’, Expert Systems with Applications, Vol. 37, No. 3, pp.1981–1990.
Chou, D.C. and Chou, A.Y. (2009) ‘Information systems outsourcing life cycle and risks analysis’,
Computer Standards & Interfaces, Vol. 31, No. 5, pp.1036–1043.
Chung, S.H., Lee, A.H. and Pearn, W.L. (2005) ‘Analytic network process (ANP) approach for
product mix planning in semiconductor fabricator’, International Journal of Production
Economics, Vol. 96, No. 1, pp.15–36.
Clark, T.D., Zmud, R.W. and McGray, G.E. (1995) ‘The outsourcing of information services:
transforming the nature of business in the information industry’, Journal of Information
Technology, Vol. 10, No. 4, pp.221–237.
Csutora, R. and Buckley, J.J. (2001) ‘Fuzzy hierarchical analysis: the Lambda-Max method’, Fuzzy
Sets and Systems, Vol. 120, No. 2, pp.181–195.
Currie, W.L. (2003) ‘A knowledge-based risk assessment framework for evaluating web enabled
application outsourcing projects’, International Journal of Project Management, Vol. 21,
No. 3, pp.207–217.
Dagdeviren, M. and Yuksel, I. (2010) ‘A fuzzy analytic network process (ANP) model for
measurement of the sectoral competition level (SCL)’, Expert Systems with Applications,
Vol. 37, No. 2, pp.1005–1014.
De Looff, L. (1997) Information Systems Outsourcing Decision Making: A Managerial Approach,
Idea Group Publishing, London.
Dey, D., Fan, M. and Zhang, C. (2010) ‘Design and analysis of contracts for software outsourcing’,
Information Systems Research, Vol. 21, No. 1, pp.93–114.
Earl, M.J. (1996) ‘The risks of outsourcing IT’, Sloan Management Review, Vol. 37, No. 3,
pp.26–32.
Faisal, M.N. and Banwet, D.K. (2009) ‘Analysing alternatives for information technology
outsourcing decision: an analytic network process approach’, International Journal of
Business Information Systems, Vol. 4, No. 1, pp.47–62.
Gefen, D., Wyss, S. and Lichtenstein, Y. (2008) ‘Business Familiarity as risk mitigation in software
development outsourcing contracts’, MIS Quarterly, Vol. 32, No. 3, pp.531–551.
240 A. Keramati et al.

Genus, A. (1997) ‘Unstructuring incompetence: problems of contracting, trust and the development
of the channel tunnel’, Technology Analysis and Strategic Management, Vol. 9, No. 4,
pp.419–436.
Gonzalez, R., Gasco, J. and Llopis, J. (2010) ‘Information systems outsourcing reasons and risks:
a new assessment’, Industrial Management & Data Systems, Vol. 110, No. 2, pp.284–303.
Goo, J., Kishore, R., Rao, H.R. and Nam, K. (2009) ‘The role of service level agreements in
relational management of information technology outsourcing: an empirical study’,
MIS Quarterly, Vol. 33, No. 1, pp.119–145.
Grossman, S. and Hart, O. (1986) ‘the costs and benefits of ownership: a theory of vertical and
lateral integration’, Journal of Political Economy, Vol. 94, No. 4, pp.691–719.
Hahn, E. D., Doh, J. P. and Bunyaratavej, K. (2009) ‘The evolution of risk in information systems
offshoring: the impact of home country risk, firm learning, and competitive dynamics’,
MIS Quarterly, Vol. 33, No. 3, pp.597–616.
Heide, J.B. (1994) ‘Interorganizational governance in marketing channels’, Journal of Marketing,
Vol. 58, No. 1, pp.71–85.
Huang, C.C. and Chu, P.Y. (2011) ‘Using the fuzzy analytic network process for selecting
technology R&D projects’, International Journal of Technology Management, Vol. 53, No. 1,
pp.89–115.
Jiang, B., Yao, T. and Feng, B. (2008) ‘Valuate outsourcing contracts from vendors’ perspective: a
real options approach’, Decision Sciences, Vol. 39, No. 3, pp.383–405.
Kahraman, C., Engin, O., Kabak, O. and Kaya, I. (2009) ‘Information systems outsourcing
decisions using a group decision-making approach’, Engineering Application of Artificial
Intelligence, Vol. 22, No. 6, pp.832–841.
Kang, H.Y. (2011) ‘A multi-criteria decision-making approach for capacity allocation problem in
semiconductor fabrication’, International Journal of Production Research, Vol. 49, No. 19,
pp.5893–5916.
Kaufmann, A. and Gupta, M.M. (1988) Fuzzy Mathematical Models in Engineering and
Management Science, Elsevier Science Inc. New York, NY, USA.
Klein, B., Crawford, G. and Alchian, A. (1978) ‘Vertical integration, appropriable rents, and the
competitive contracting process’, The Journal of Law and Economics, Vol. 21, No. 2,
pp.297–326.
Lacity, M.C., Khan, S.A. and Willcocks, L.P. (2009) ‘A review of the IT outsourcing literature:
Insights for practice’, Journal of Strategic Information Systems, Vol. 18, No. 3, pp.130–146.
Lee, J.W. and Kim, S.H. (2000) ‘Using analytic network process and goal programming for
interdependent information system project selection’, Computers and Operations Research,
Vol. 27, No. 4, pp.367–382.
Lin, H.F. (2010) ‘An application of fuzzy AHP for evaluating course website quality’, Computers
& Education, Vol. 54, No. 4, pp.877–888.
Liu, H.T. and Wang, C.H. (2010) ‘An advanced quality function deployment model using fuzzy
analytic network process’, Applied Mathematical Modelling, Vol. 34, No. 11, pp.3333–3351.
Mani, D., Barua, A. and Whinston, A. (2010) ‘An empirical analysis of the impact of information
capabilities design on business process outsourcing performance’, MIS Quarterly, Vol. 34,
No. 1, pp.39–62.
Mathew, S.K. (2011) ‘Mitigation of risks due to service provider behavior in offshore software
development: a relationship approach’, Strategic Outsourcing: An International Journal,
Vol. 4, No. 2, pp.179–200.
Nakatsu, R.T. and Iacovou, C.L. (2009) ‘A comparative study of important risk factors involved in
offshore and domestic outsourcing of software development projects: a two-panel Delphi
study’, Information & Management, Vol. 46, No. 1, pp.57–68.
Ngwenyama, K.O. and Bryson, N. (1999) ‘Making the information systems outsourcing decision:
a transaction cost approach to analyzing outsourcing decision problems’, European Journal of
Operational Research, Vol. 115, No. 2, pp.351–367.
Managing risk in information technology outsourcing 241

O’Looney, J.A. (1998) Outsourcing State and Local Government Services: Decision-making
Strategies and Management Methods, Quorum Books, Westport, CT.
Opricovic, S. and Tzeng, G.H. (2003) ‘Defuzzification for a fuzzy multi-criteria decision model’,
International Journal of Uncertainty, Fuzziness and Knowledge-based Systems, Vol. 11,
No. 5, pp.635–652.
Osei-Bryson, K.M. and Ngwenyama, O.K. (2006) ‘Managing risks in information systems
outsourcing: an approach to analyzing outsourcing risks and structuring incentive contracts’,
European Journal of Operational Research, Vol. 174, No. 1, pp.245–264.
Pearlson, K.E. (2001) Managing and Using Information Systems: A Strategic Approach, Wiley,
Chichester.
Peng, Y., Kou, G., Wang, G., Wang, H. and Ko, F.I.S. (2009) ‘Empirical evaluation of classifiers
for software risk management’, International Journal of Information Technology & Decision
Making, Vol. 8, No. 4, pp.749–767.
Pfohl, H.C., Kohler, H. and Thomas, D. (2010) ‘State of the art in supply chain risk management
research: empirical and conceptual findings and a roadmap for the implementation in
practice’, Logistics Research, Vol. 2, No. 1, pp.33–44.
Pilling, B.K., Crosby, L.A. and Jackson, D.W. (1994) ‘Relational bonds in industrial exchange: an
experimental test of the transaction cost economic framework’, Journal of Business Research,
Vol. 30, No. 3, pp.237–251.
Ponisio, L. and Vruggink, P. (2011) ‘Effective monitoring and control of outsourced software
development projects’, Proceedings of the 18th International Conference on Information
Systems Development, pp.135–147.
Project Management Institute Standards Committee (2004) A Guide to the Project Management
Body of Knowledge, 3rd ed., Project Management Institute, Standards Committee, Newtown
Square, PA.
Rai, A., Maruping, L.M. and Venkatesh, V. (2009) ‘Offshore information systems project success:
the role of social embeddedness and cultural characteristics’, MIS Quarterly, Vol. 33, No. 3,
pp.617–641.
Rustagi, S., King, W.R. and Kirsch, L.J. (2008) ‘Predictors of formal control usage in it
outsourcing partnerships’, Information Systems Research, Vol. 19, No. 2, pp.126–143.
Ruzzier, J., Sohal, A.S., Katna, P. and Zingier, S. (2008) ‘Success and failure in IT outsourcing by
government agencies: two Australian case studies’, International Journal of Business
Information Systems, Vol. 3, No. 2, pp.107–119.
Saaty, T.L. (1980) The Analytic Hierarchy Process, McGraw-Hill, New York.
Saaty, T.L. (1996) Decision Making with Dependence and Feedback: The Analytic Network
Process, RWS Publications, Pittsburgh, Pa.
Slater, G. and Spencer, D. (2000) ‘The uncertain foundations of transaction cost economics’,
Journal of Economic Issues, Vol. 36, No. 1, pp.61–87.
Smith, A.D. (2009) ‘Change management and outsourcing in information technology-intensive
organisations’, International Journal of Business Information Systems, Vol. 3, No. 2,
pp.126–150.
Tesfamariam, S. and Sadiq, R. (2006) ‘Risk-based environmental decision-making using
fuzzy-analytic hierarchy process (F-AHP)’, Stochastic Environmental Research and Risk
Assessment, Vol. 21, No. 1, pp.35–50.
Tueysuz, F. and Kahraman, C. (2006) ‘Project risk evaluation using a fuzzy analytic
hierarchy-process: an application to information technology projects’, International Journal of
Intelligent Systems, Vol. 21, No. 6, pp.559–584.
Van der Vegt, G., Emans, B. and Van de Vliert, E. (1998) ‘Motivating eLects of task and outcome
interdependence in work teams’, Group and Organisation Management, Vol. 23, No. 2,
pp.124–43.
242 A. Keramati et al.

Varajao, J., Trigo, A., Figueiredo, N., Barroso, J. and Bulas-Cruz, J. (2009) ‘Information systems
services outsourcing reality in large Portuguese organisations’, International Journal of
Business Information Systems, Vol. 4, No. 1, pp.125–142.
Vinodh, S., AneshRamiya, R. and Gautham, S.G. (2011) ‘Application of fuzzy analytic network
process for supplier selection in a manufacturing organization’, Expert Systems with
Applications, Vol. 38, No. 1, pp.272–280.
Willcocks, L.P., Lacity, M.C. and Kern, T. (1999) ‘Risk mitigation in IT outsourcing strategy
revisited: longitudinal case research at LISA’, Journal of Strategic Information Systems,
Vol. 8, No. 3, pp.285–314.
Williams, L., Collins, A. E., Bauaze, A. and Edgeworth, R. (2010) ‘The role of risk perception in
reducing cholera vulnerability’, Risk Management, Vol. 12, No. 3, pp.163–184.
Williamson, O.E. (1985) The Economic Institutions of Capitalism, Free Press, New York.
Wu, C.R., Lin, C.T. and Chen, H.C. (2007) ‘Integrated environmental assessment of the location
selection with fuzzy analytical network process’, Quality& Quantity, Vol. 43, No. 3,
pp.351–380.
Wybo, D.M. and Goodhue, L.D. (1995) ‘Using interdependence as a predictor of data standards:
theoretical and measurement issues’, Information and Management, Vol. 29, No. 6,
pp.317–329.
Yang, M., Khan, F.I. and Sadiqc, R. (2011) ‘Prioritization of environmental issues in offshore oil
and gas operations: A hybrid approach using fuzzy inference system and fuzzy analytic
hierarchy process’, Process Safety and Environmental Protection, Vol. 89, No. 1, pp.22–34.
Yuksel, I. and Dagdeviren, M. (2007) ‘Using the analytic network process (ANP) in a SWOT
analysis – a case study for a textile firm’, Information Sciences, Vol. 177, No. 16,
pp.3364–3382.
Zadeh, L. A. (1965) ‘Fuzzy sets’, Information and Control, Vol. 8, No. 3, pp.338–353.

View publication stats

You might also like