
Risk analysis on IT outsourcing in banking sector: Based on two commercial banks located in Amsterdam


Academic year: 2021

Ruoxi Xu

Student number: 11066415

Faculty of Science

Information Studies

Track Business Information Systems

Table of contents

Abstract
1. Introduction
2. Problem statement
2.1 Research question
2.2 Research design
3. State of knowledge on definitions and theories
3.1 IT outsourcing definitions
3.2 IT outsourcing incentives
3.3 Theoretical foundation of IT outsourcing
4. Risk management on IT outsourcing in banking sector
4.1 Overview of IT risk management in banking
4.2 IT risk analysis in commercial banking sector
5. Methodology
5.1 Case selection
5.2 Setting
5.3 Participants
6. Case study
6.1 Methods
6.2 Results
7. Validation
7.1 IT outsourcing management in Bank B
7.2 Measures to mitigate IT outsourcing risks in Bank B
8. Conclusion
8.1 Research method
8.2 Main findings
9. Limitations
9.1 Subjectivity
9.2 Generalisation
9.3 Interview participants
Bibliography

Abstract

In the wake of the financial crisis, financial service providers, including commercial banks, are facing increasing regulatory and market pressure. To cope with the challenges that the financial sector is currently faced with, information technology outsourcing became regarded as an essential tool by researchers. Because of the requirements of confidentiality, banking has strict regulations on information system security. Before conducting an IT outsourcing project, commercial banks need to carefully assess potential risks in order to avoid possible losses. This paper focuses on which risks are most critical to an IT outsourcing programme in a commercial bank and provides a methodology to assess the risk within the lifecycle of a programme. Based on the case of a commercial bank located in Amsterdam, a risk matrix is generated and the Borda method is applied to rank IT outsourcing-related risks. Then, another case of a commercial bank is provided, in order to verify the model. Based on the results of the banks, the model is adjusted and some suggestions are provided.

1. Introduction

Since the 1990s, IT outsourcing (ITO) has emerged in the financial service sector. Commercial banks, insurance companies, and securities institutions started outsourcing IT systems, and the scale of the ITO projects grew. In 2002, the Development Bank of Singapore (DBS) signed a 10-year outsourcing agreement with IBM to outsource IT services and infrastructure in Singapore and Hong Kong. The nominal value of the agreement amounted to 679 million US dollars. In 2005, ABN AMRO signed an ITO contract worth 1.8 billion US dollars with IBM, and in 2014 this agreement was extended for the next 10 years. Per Gartner Inc., worldwide spending on ITO services was $251.7 billion USD in 2012, a 2.1% increase from $246.6 billion USD in 2011 [Sam14]. Research and Markets predicts in a recent report that the global ITO market will grow at a CAGR of 5.84% over the period 2015-2019 [Res16].

The financial crisis in 2008 profoundly influenced the global economy. Thus, the financial sector faces not only greater regulatory pressure from supervisory authorities, but also a decreased volume of investors who now worry about asset depreciation [Gon13]. Led by increasing regulatory and competitive pressure, financial service providers are now more attentive to advances in technology as well as the demands of cost control. They demand technological solutions capable of improving their service quality and enlarging the scope of services they offer, while also reducing costs to improve profitability [Gon13][Ise07]. In order to achieve this goal, financial service providers not only seek greater efficiency and lower costs, but also try to specialise in their limited number of core businesses [McI08]. However, due to the management paradox, it is difficult for organisations both to extend the variety of services to operate with the newest technologies and simultaneously to limit excess variety to comply with financial constraints [Int97]. Looking for IT vendors with better technological support might be a cost-effective way for organisations to respond to this situation; appropriate IT support can allow financial service providers to focus on and develop the required competitive competencies for their core business [Abd12][McI08].

However, ITO projects are not always successful. For example, in 2002, J. P. Morgan signed a 7-year ITO agreement with IBM valued at more than 5 billion US dollars. J. P. Morgan cancelled the contract only two years later, as its merger with the Bank One Corporation caused J. P. Morgan to reconsider its business and IT strategy, and the capacity of its technology infrastructure.

The case of J. P. Morgan and IBM is not isolated. A survey by Lacity, Willcocks, and Feeny indicates that, of 162 responses, more than 60% of companies do not have a formal outsourcing strategy, and only half of the companies use multiple stakeholders to define outsourcing contracts. In most of the companies, the only stakeholder is the IT manager [Wil96]. According to the ITO performance and satisfaction study by KPMG, 54% of the organisations said that the ITO project partly met their expectations [KPM15]. ITO in the financial sector has developed for decades. Due to increasing dependency on ITO suppliers and increasing project scale, ITO is presenting new risks to banks' operation and development.

Risk, which is defined as ‘the possibility of loss or injury’ [Boe91], is inherent in almost any business decision. Any risk event during ITO implementation may affect the outcomes of an ITO project, which may lead to the failure of the project, or to damage to the profit or reputation of the bank. Regulatory institutions emphasise risk management in commercial banks due to the fundamental nature of the banking sector and economic decline. Chinese supervision exemplifies this emphasis: in 2009, the Guidelines for the Risk Management of Commercial Banks’ Information Technology were formulated by the CBRC (CBRC, 2009). In 2016, the CBRC then issued the Guidelines on Comprehensive Risk Management of Banking Institutions, which is the strictest regulation on risk management in the banking sector since the establishment of the CBRC. The latest guidelines warn that the transformation of the banking structure is inevitable, which requires commercial banks to focus on and specialise in their core business. However, for non-core businesses, commercial banks shall use various approaches such as outsourcing to reduce costs, improve profit margin, as well as improve core competences. The trend of focusing on core business presents opportunities for ITO out of banks.

The failed outsourcing projects described above demonstrate that companies often change what they outsource and put themselves in a new situation. During the outsourcing process, if a key person has left the project team and has not been replaced, problems arise in response to the extremely detail-oriented requirements of the team during this. As outsourcing is merely an instrument, the outcome of outsourcing is determined by how it is managed [Cul06].

As a result, seriously considering IT strategy, managing the ITO supplier, and ensuring the quality of the ITO project are critical to controlling project risks, avoiding losses, and ensuring ITO projects yield the desired outcomes. As the primary risks may shift during an outsourcing relationship, risk assessment factors will be structured according to the different phases of the so-called outsourcing lifecycle [Wei08]. Similarly, ITO in the banking sector is a process of project management, which begins at initiation, progresses to maturity, and then terminates in decay. Graham and Kaye [Gra061] note that the risk profile varies throughout the lifecycle of an outsourcing arrangement, and consequently, organisations should ensure that risks are assessed at each significant phase of the process. Researchers employ different approaches to divvying up the outsourcing lifecycle. Power et al. [Pow06] define the outsourcing lifecycle in assessment, transition, and operation phases. Momme et al. divide the outsourcing lifecycle into four phases: identification and assessment, audit and approval, project execution, and performance management [Mom02]. Similarly to Momme et al., de Boer et al. describe four phases of an outsourcing lifecycle: initiation, evaluation, management, and outcome [deB06]. To find a balance between coverage of process stages from initiation to future improvement, and simplicity in naming each stage, the model drawn by de Boer et al. is applied in this paper. Those four stages of the outsourcing lifecycle and their descriptions are shown in Table 1-1 below.

| Stages | Description |
|---|---|
| Initiation | The stage of the strategic decision-making process: whether or not to outsource |
| Evaluation | Design of the project, evaluation on supplier options, contract formulation |
| Management | The implementation of the project, including assets and human resources transfer |
| Outcome | Reflection of the project, the outsourcing contract might be terminated, continued, or renewed. It is also the basis of final payment. |

(Table 1-1)

As sequential working processes, each phase must be managed separately, and a risk manager shall identify the responsibilities of related persons or departments. As mentioned before, taking the outsourcing lifecycle into account is vital; the outsourcing lifecycle serves as the timeline for the project management because risk changes in each different stage of the outsourcing process. ITO risk management can be reached with flexible and rapid risk monitoring and reporting processes.

2. Problem statement

A European Central Bank (ECB) survey demonstrated that the prime motive of ITO for EU banks is cost reduction; however, nearly 75% of the surveyed banks indicated a potential risk arising from the loss of control, and about 40% are concerned about potential operational risks [Eur04] arising from ITO projects. Aubert et al. consider outsourcing a risky business venture, in which risk assessment and risk management are important contributors to the success of an ITO project (Aubert, Patry, & Rivard, 1998)[Rao96].

Since the work of Loh et al. [Loh92], many researchers have investigated ITO risks. Most of the studies identify domestic ITO risks, offshore risks, business process outsourcing risks, and risks related to vendors and for vendors. The outsourcing lifecycle is a widely-used concept in ITO research; however, in most of the research, the ITO lifecycle is not a separate topic. The subject is always integrated with other topics rather than being the central topic of final models [deB06][Wei08][Cho09]. Additionally, even though the commercial banking sector is an emerging market for ITO business, as stated in the previous chapter, there is limited research available regarding ITO risks in the banking sector, and only a few studies linked ITO risks with the outsourcing lifecycle. This could be due to the limitations of implementing an outsourcing risk analysis model to banking cases.

A concrete model of integration could therefore add value to the risk analysis framework in the commercial banking sector by removing the gap between framework and implementation, where an integrated model of risk events and lifecycle stages is applied to a real-life case. In this thesis, risk events are integrated with each stage of the outsourcing lifecycle, then the model is applied to an actual commercial bank case. A research question and some sub-questions are proposed in the next section to address this model.

2.1 Research question

This thesis aims to build an integrated model by linking risk events arising from three risk resources with outsourcing lifecycle stages. This is achieved by applying the model in the commercial banking domain, which tests the integrated model with a real-life case. Therefore, the following research question is answered in this thesis:

What kind of model can be built to assess the ITO risks in commercial banks during the outsourcing lifecycle?

• Which theories can be used to build the model?

• How should the outsourcing lifecycle integrate with risk events arising from risk factors?

• How can the integrated model be adjusted to fit commercial banks?

• How can the integrated model be applied to commercial banks?

• Verification: How can the results of the case study be determined to be reliable?

2.2 Research design

The research uses a qualitative approach to answer the research question. This approach utilises interviews, for example, as a data collection technique [MNK03][Cre03]. The research sub-questions are answered consecutively, with the answer to each question building on that of the previous sub-question. In this paper, some definitions regarding ITO and related aspects are provided first, followed by introductions of related theories that were used to explain ITO, in order to provide a general view and a basic model for readers. Then, the current situation of the commercial banking sector is introduced, and the general model is adjusted and specified to fit the commercial banking sector. Next, the model is applied to a real-life case and further verified by another case. The last chapters delineate the limitations of this thesis, and the conclusion.

To answer the sub-questions described in section 2.2, the following research methods are used:

• Before answering sub-question 1, some definitions regarding ITO are provided. Then, how and why the selected theories are used to describe outsourcing is explained to answer sub-question 1.

• After the work of sub-question 1, situations involving the commercial banking sector are introduced, and the model built in sub-question 1 is expanded and detailed, which answers sub-question 2.

• The next section builds a framework based on the outsourcing lifecycle framework by de Boer as well as a risk resources framework per Aubert et al. to answer sub-question 3. In this section, the risk events that arise from the three risk resources in a bank’s operation are elaborated. Next, risk events are classified into categories in order to prepare for data collection in the case study.

• For sub-question 4, the results from the case study are compared with the framework built in sub-question 3.

• For sub-question 5, another bank case study is used to verify previous case study results and enhance the quality of the research.

3. State of knowledge on definitions and theories

In this chapter, a literature review of ITO and a theoretical foundation which consists of core competences, transaction cost theory, and agent theory is elaborated as theoretical background. Additionally, possible risk resources which may influence the performance of ITO projects are explained.

3.1 IT outsourcing definitions

According to the Basel Committee on Banking Supervision, ‘outsourcing’ is defined as: ‘a regulated entity’s use of a third party (either an affiliated entity within a corporate group or an entity that is external to the corporate group) to perform activities on a continuing basis that would normally be undertaken by the regulated entity, now or in the future’ [The05]. However, as outsourcing has been widely researched, it has been defined in several different ways at different stages of research. Table 3-1 below offers some definitions of outsourcing that were used in previous research:

| Source | Definition |
|---|---|
| [Loh92] | External suppliers provide physical or labour resources to accomplish all or part of the information functions in the user’s organisation. |
| (Lacity & Hirschheim, 1993) | An organisation transfers part or all of its information system functions to external suppliers. Organisational assets, such as equipment and people, might be managed by external suppliers or become a department of the supplier’s organisation. |
| [Alt94] | ITO is a form of activity where an organisation transfers part or all of its IT functions to external suppliers, and suppliers manage the IT business of the organisation. |
| [Che95] | An organisation contracts part, or all, of its information system functions to external service suppliers. |
| [Alp951] | An organisation signs mid- to long-term contracts with one or multiple independent external suppliers; in return, suppliers provide different information system services continuously during the period of the contracts. |
| [Gil00] | ITO is an asset transfer from the client (the organisation that wishes to outsource) to external service providers who provide professional information services. |
| [Bar011] | ITO is the process wherein an organisation transfers its information functions to external service providers, which might combine the IT asset transfer to external suppliers. |
| [Ker01] | ITO is the process in which an organisation contracts or sells its IT assets, people, or activities to a third party. In return, the third party provides and manages IT assets and services on an ‘agreed costs’ basis during the contract period. |
| [Lee012] | An organisation contracts part, or all, of its IT assets, people, and activities to one or more external suppliers. |
| Llopis, 2005) | resources to external suppliers who provide professional IT services. |

(Table 3-1, partly based on the work of Isern & Bendixen, 2007)

The table above demonstrates that most of the definitions have some common elements; for example, most of the definitions state that outsourcing refers to contracts with third parties who provide and manage services and products. Additionally, the shift of direct control over these operations from the client to the external service supplier is a feature of outsourcing. The external service suppliers might have multiple organisational structures, such as an intra-group company, independent third party, or a joint venture with an independent third party [Eur04]. In the early stage of research, the primary motivation of outsourcing was believed to be operational cost saving [DiR98], but more recently, the primary motivation appears to have shifted to the improvement of strategic business performance [Cur01][DiR98]. Furthermore, before Cheon et al., few studies analysed the interaction between the organisation which conducts the outsourcing project and the external supplier, but gradually, the contractual relationship has been added to the scope of research on ITO. Due to recent changes in the IT environment, and IT’s profound influence on organisational strategies, the dynamics of contractual relationships have begun to resemble partner relationships that emphasise cooperation.

To summarise, ITO involves an organisation contracting part or all of its organisational IT functions—including assets, resources, and activities—to external IT service providers with an ‘agreed fees’ arrangement during the contract period. The external provider then develops, manages, and provides IT services and products such as: hardware/software maintenance, programme development, system analysis, user training and support, system purchase and operation, network services, and information security.

3.2 IT outsourcing incentives

A survey by The Outsourcing Institute indicates that IT-related services are the most frequently outsourced activities, accounting for 55% of all outsourced activities; the Joint Forum members' own experience corroborates such numbers [The05]. As mentioned previously, firms opt to outsource for various reasons, such as to improve company focus, reduce and control operational costs, free resources for other projects, gain access to world class capabilities, and accelerate reengineering benefits. Sometimes, firms choose outsourcing passively due to external or internal environments. For example, companies may outsource work when resources are not available internally at the moment, or in the foreseeable future [The05].

Similarly, financial services providers consider outsourcing to enhance competitiveness and to survive. Studies by the European Central Bank suggest that the prime motivation for outsourcing by EU banks is cost reduction, accounting for 90% of responses. Around 60% of the banks are concerned with accessing better technology, infrastructure, and professional management of the services, and are also concerned with the organisational strategy of focusing on core business [Eur04].

(Figure 3-1)

3.3 Theoretical foundation of IT outsourcing

ITO is based on extensive organisational theories, which include resource-based theory, resource-dependency theory, transaction cost theory, core competence theory, and agency theory, among others. Researchers explain the incentives of ITO from different perspectives according to different theories, which assist in explaining the phenomenon of ITO. In their 1995 work, Cheon et al. [Che95] proposed that three theories set the foundation of ITO, namely resource-based theory, resource-dependency theory, and transaction cost theory. The authors of [Han99] supplement Cheon et al.’s framework with core competence theory and partnership theory. In Aubert et al. (Aubert, Rivard, & Patry, 1996), the authors also prove the correctness of applying transaction cost theory in explaining ITO. After reviewing the literature, three theories are selected to build the theoretical framework in this paper, namely, core competence theory, transaction cost theory, and agency theory. The reasons why these three theories are selected are elaborated in each following section, which answers sub-question 1. A model is built based on this section to answer sub-question 2.

3.3.1 Core competence theory

Core competence theory is widely used for explaining the activities of outsourcing in existing research. The term ‘core competence’ was proposed by Prahalad & Saharia in 1990 [Pra90]. The authors state that core competence is the ability to harmoniously combine multiple resources, technologies, and skills to assist the organisation to an outstanding place in the market and competitive sphere. The essential element of core competency is to develop this ability with lower costs and shorter time than rivals. In existing literature, researchers define core competence from different perspectives, but it is agreed that core competence should be defined by specific criteria. If a capability is valuable, rare, costly to imitate, and cannot be substituted, it fulfils the criteria of a core competence [Ver13]. Core competence is the resource that ensures the sustainable development and competitive advantages of an organisation.

The reasons why core competence theory is chosen in this paper are as follows. Core competence theory was predominantly used to develop and test outsourcing decision frameworks [Wil95][Per07], and researchers argued that core activities and business should remain internal [Pin95]. This is not only the essence of core competence theory, but also the regulators’ requirement, since they note that only non-core businesses can be outsourced. Meanwhile, the core competence of an organisation may change. Old core competencies could become peripheral and invaluable, while other competencies become critical and turn into new competencies. After the decision-making process, an organisation subcontracts its marginal competence and business to an external supplier, but the business outsourced must be the core competence of the external outsourcing supplier [Bad00]. Thus, using core competence theory in outsourcing decision-making, deciding the outsourcing scope, identifying outsourcing business demands, and selecting proper outsourcing providers in the initiation stage of the ITO lifecycle is important for the success of outsourcing [Lee012]. Therefore, organisations could not only focus on the development of core competence with limited resources, but also transfer their disadvantages and risks, and enhance competitive advantages as well as service quality and efficiency. The development of, or reflection on, core competence is an important measurement in the outcome stage of the outsourcing lifecycle, since core competence theory could assess whether the project is successful and whether the core business of the client is damaged [Pat05]. Some research on how core competence theory explains outsourcing can be found below:

| Source | Explanation |
|---|---|
| [Pin95] | IT development is creating new firm relationships in the IS domain. Managers commonly seek cost-effective IT functions, but it is rare that core competences of the business or competitive advantages are outsourced. |
| [Wil95] | Core competence is one of the modern academic focuses in organisations, while business pressure with a focus on core competences helps to explain the move to ITO. |
| [Bad00] | The value chain changes, old critical core competencies could become peripheral, and other competencies become new core competencies. Thus, firms are taking advantages of core competencies with each other. |
| [Lee012] | Ability to focus on core business is one of the most critical measurement factors of outsourcing. |
| [Pat05] | Strategic business values can be achieved by IT development, which will lead to sustained competitive advantages in return. Focusing on core business competencies enhances core competence. |

(Table 3-2)

Core competence theory focuses on decision-making and project reflection issues, such as whether to outsource, what should be outsourced, who should be selected as supplier, and whether the core competence of the company has improved after the outsourcing project. Thus, the theory lacks an explanation of costs and profit analysis, despite the fact that cost is an important factor in outsourcing. Therefore, transaction theory is used to explain the relationship between costs and profits in an outsourcing programme.

3.3.2 Transaction cost theory

Transaction cost theory was proposed by Coase in his introspective work on neoclassical economics, where he states that costs are inherent to trade in the market. Firms take the place of markets because the inside trading within firms could reduce trading costs [Coa37]. Williamson developed the theory of transaction costs, pointing out that trades need costs, and there are three critical factors leading to the costs in trade, namely bounded rationality, opportunistic behaviour, and asset specificity [Wil73]. Because the existence of bounded rationality and opportunism may lead to uncertainty and complexity of trading activities, it is necessary for firms to establish regulations and select the optimal trading form. Asset specificity indicates that the investments of the firm include sunk costs, thus the higher asset specificity means higher transferring costs, which could have serious impacts on firms and their counterparties. Therefore, it is easier for firms with lower asset specificity to find an external ITO supplier in the market; in contrast, the outsourcing costs will increase and the bargaining power of outsourcing supplier will increase accordingly, which may lead to opportunistic behaviours of the supplier.

Transaction theory is chosen in this paper for the following reasons. When conducting an IT project, organisations consider several strategies, such as outsourcing, insourcing, or marketing. If the organisation considers which options to choose, the resource allocation costs of each option must be calculated. If cost is lower than income, it is wise to outsource (Aubert, Rivard, & Patry, 1996). When accounting for the outsourcing lifecycle stages, transaction theory is important to both the initiation and evaluation stages. Transaction theory is used in the initiation stage because it decides whether to outsource and assesses if an asset is favourable to be outsourced due to its transaction costs, which is included in the primary decision-making process (Aubert, Rivard, & Patry, 2004). It is also critical in the evaluation stage, since organisations must find a balance between costs and control over suppliers [Uls96][Vin99]. Transaction theory is also used to design outsourcing contracts, which belong to the evaluation stage of an outsourcing lifecycle (Barthélemy & Geyer, 2005).

| Source | Explanation |
|---|---|
| (Lacity & Willcocks, 1995) | Transaction theory clarifies sourcing decisions, which means whether to produce internally or purchase externally. It also indicates that organisations make sourcing decisions based on economic rationale. |
| (Aubert, Rivard, & Patry, 1996) | Firms and market are alternative governance mechanisms, which should be used by society to minimise transaction costs. Transaction cost theory explains outsourcing at two levels: it investigates the role of assets specificity, measurement problem, and frequency of explaining the choice of outsourcing; based on the issues at the first level it investigates the contract between the firm and its outsourcer. |
| [Uls96] | According to transaction cost theory, Od for lower financial risks and weaker incentives in uncertainty and asset specificity from the supplier’s side. When specific asset values reach the level higher than the agreed costs with supplier, external contracting (outsourcing) is replaced by internal contracting (insourcing). |
| [Vin99] | Research results demonstrated that, due to contractees’ lower costs, outsourcing has the potential to lower the purchase price of the products. |
| (Aubert, Rivard, & Patry, 2004) | Bounded rationality and opportunism are two assumptions of transaction costs. Transactions require specific assets able to bear higher transactions costs, thus, assets with higher transaction costs are more likely to be retained internally. |
| (Barthélemy & Geyer, 2005) | Due to the economies of scale, suppliers have lower production costs. However, when asset specificity, uncertainty, and frequency are high, transaction costs from negotiating, monitoring, and enforcing contracts are also high. Thus, firms choose outsourcing when production cost is higher than transaction cost in market relationships. |

(Table 3-3)

Transaction cost theory explains the costs and profits element of the outsourcing project. However, transaction theory in outsourcing projects only focuses on one party, either the client or the supplier. Activities of the other party and the interactions between the two parties need to be elaborated to better understand potential problems arising from the project. Therefore, agency theory is introduced.

3.3.3 AGENCY THEORY

Agency theory is an important part of contracting cost theory, and is also known as the ‘principal-agent problem’, ‘agency dilemma’ or ‘agency problem’ [ CITATION Ver13 \l 2052 ]. These terms refer to one or multiple entities (the principal) assigning or employing other entities (the agent) to serve them according to agreements, and paying fees according to the service quality and quantity provided by the agent [ CITATION Jen76 \l 2052 ]. Benefitting from the advantages of contracts and agreements while coordinating the relationship between principal and agent and avoiding the agency dilemma is an important part of agency theory. According to agency theory, transaction risks come from information asymmetry, and constraint by contractual obligation is the main solution.

Agency theory is selected in this paper for several reasons. Firstly, in ITO activities, the relationship between commercial banks and external suppliers is a typical principal-agent relationship. According to agency theory, the income of the outsourcing supplier is strongly connected to the profits of banks. The increased cost of ITO of the bank means increased incomes of outsourcing suppliers, which means that the bank and supplier do not share interests [ CITATION Hal06 \l 2052 ]. Because of opportunism of the principal and agent, it is possible that risks such as adverse selection and moral hazard may arise (Aubert, Patry, & Rivard, 1998). Even though the balance between client and supplier could be ensured by a qualified contract—which belongs to the evaluation stage—opportunism, moral hazard, and hidden behaviour in the implementation stage are difficult for a client to monitor (Barthélemy, 2003). Therefore, agency theory could explain some aspects of ITO projects; cautious selection of the outsourcing supplier and effective outsourcing contract design are notable solutions to mitigate the risks in outsourcing projects.

(Barthélemy, 2003) The balance of power between client and supplier can be ensured by contract quality.

[ CITATION Got05 \l 2052 ]

Outsourcing functions when the agent and the principal have common goals and interests, as well as degree of risk appetite. For the principal, it is far preferred if it is easy and inexpensive to monitor the actual activities of the agent. Additionally, the principal can use outcome- and behaviour-based incentives to prevent and reduce the opportunism of the agent.

[ CITATION Hal06 \l 2052 ]

Since the principal and the agent may have different interests, agency theory helps to understand risk, relationship failures and incentives involved in an outsourcing contract.


(Table 3-4)

After elaborating related theories and stating whether those theories are chosen, a simple model is built for further research. The four columns refer to four stages of the outsourcing lifecycle. From left to right, the columns are the initiation stage, evaluation stage, implementation stage, and outcome stage. In each column, there are some labels that refer to possible problems or problems that must be taken into account at each stage. Labels are displayed in different colours, which refer to different theories: core competence theory, transaction cost theory, and agency theory. Arrows refer to the link between problems and related theories. For example, decision-making is a representative problem in the initiation stage, and it can be explained by core competence theory; thus, there is an arrow linking decision-making and core competence theory. Decision-making can also be explained by transaction theory, thus there is also an arrow linking decision-making and transaction theory. In this model, some representative problems could be explained by two theories, while some can be explained by only one theory. Opportunism lies in both the evaluation stage and implementation stage, because it affects outsourcing activities in these two stages. This model is the answer to sub-question 2.

4. Risk management on IT outsourcing in banking sector

The aim of this chapter is to answer sub-question 3. In line with changes in operational and regulatory environments, IT management and IT risk management in the banking sector develop and evolve continuously to follow the updates of industrial standards. As an important part of technological risk, ITO risks must be addressed in order to ensure the performance of the organisation.


In this chapter, ITO and related risk management in the commercial banking sector is briefly introduced. Then, regulations about outsourcing management in the banking sector are presented to emphasise the importance of risk control in ITO projects. After the introductory section, the model from the previous chapter is expanded by identifying risk sources in each outsourcing lifecycle stage, and adjusting the risk sources to fit in the commercial bank domain. The model aims to analyse which risk events arising from risk resources must be more closely considered in each period in the outsourcing lifecycle within the banking domain. The results are arranged to inform interviews in case studies in the following sections.

4.1 Overview of IT risk management in banking

The first aim of this section is to present a risk management scheme in the commercial banking sector. Risk control is one of the most critical topics in the banking sector, and it is believed that there are more regulations and guidelines in this industry than in any other. Thus, the second aim of this section is to emphasise the importance of analysing ITO risks in banking by presenting current risk management in banking. This aim supports the scientific relevance of doing this research.

4.1.1 IT RISKS AND MANAGEMENT

Due to the increasing integration and alignment of IT and business, businesses face not only higher levels of efficiency and sustainable competitiveness, but also more varied risks. Therefore, IT risks have been the subject of increased scrutiny by organisations. However, IT risk and the management of IT risk are controversial concepts.

There are many definitions of risk. The IIA (The Institute of Internal Auditors) defines risk as ‘the possibility of an event occurring that will have an impact on the achievement of objectives’ and risk is measured by impact and likelihood [ CITATION IIA09 \l 2052 ], while in ISO Guide 73, risk is defined as the ‘effect of uncertainty on objectives’ [ CITATION ISO09 \l 2052 ]. Based on different definitions of risk, there are many definitions of IT risks. ISACA (Information Systems Audit and Control Association) defines IT risk as ‘the business risk associated with the use, ownership, operation, involvement, influence and adoption of IT within an enterprise’ [ CITATION ISA09 \l 2052 ]. In the Symantec report, IT risks are divided into security risks, availability risks, performance risks, and compliance risks [ CITATION Sym07 \l 2052 ].

To summarise, IT risks include the risks of system, people, and IT investments. The function of IT is to support the business operation and routine management, and IT risks refer to the potential risks caused by IT systems that might be harmful to business and operational goals.

4.1.2 IT RISK FEATURES IN BANKING

Commercial banks are financial institutions that earn revenue by taking risks, so risk management is the main theme in the banking sector. The Basel Committee classified risks faced by banking into eight categories, namely credit risk, market risk, operational risk, liquidity risk, national risk, reputational risk, legal risk, and strategic risk [ CITATION The05 \l 2052 ].

In commercial banks, client information and financial information are highly centralised, physical networks are widely spread, and the services provided by commercial banks are strongly connected with individuals. Commercial banks also play an important role in the social and national economy, thus, compared with other industrial sectors, commercial banking is uniquely vulnerable to certain IT risk features. Firstly, IT risks in commercial banks spread rapidly. The development of digitalisation facilitates the transfer of funds through banking networks instantaneously. The use of IT systems is, on one hand, convenient; on the other hand, IT system use spreads financial risks and even leads to large fluctuations in financial markets. Secondly, IT risks in commercial banks have broader fields of influence. The centralisation of IT systems enhances service quality and management of banks. However, once the core system or network crashes, a chain reaction could lead to the collapse of the banking business. Thirdly, IT risks in banking are difficult to anticipate. In commercial banking, IT risks take various forms and relate to several counterparties, or are strongly linked to third party suppliers. Problems in any one entity or market segment may cause crashes, thus the risks are difficult to monitor through normal approaches. Finally, with the increasing market share of electronic trade, banking business is freed from the constraints of time and geography. Trading processes and objectives become less transparent, which causes information asymmetry between banks and regulators, and increases the supervisory burden on banks.

When risk events shut down information system services, it is not simply the profits and reputation of the bank that are damaged—even national politics and the economy are influenced. In order to control the risks in the banking sector, worldwide regulators have implemented a series of regulations. For example, CBRC (China Banking Regulatory Commission) formulated ‘the Guidelines on the Risk Management of Commercial Banks’ Information Technology’ in 2009. The guidelines also defined the goals of information system risk management: to establish an effective mechanism that can identify, measure, monitor, and control IT risks in commercial banks; ensure commercial banks have a safe, sustainable, stable operational environment; improve the core competitiveness; and improve capacity for sustainable development of commercial banks (CBRC, 2009).

4.1.3 IT RISK MANAGEMENT IN COMMERCIAL BANKS

According to the guidelines, IT risk management in commercial banks is comprised of seven sections, namely information security classification, system development, testing and maintenance, IT operation and maintenance, access control, physical security, personnel security, Business Continuity Planning, and Crisis and Emergency Management procedure.

Currently, under the supervision of CBRC, IT risk management activities in Chinese commercial banks are classified into three categories: IT audit, IT internal control, and IT governance (CBRC, 2016).

The objective of IT audit is the structure of information systems. The design, development, use, and maintenance of IT systems are examined and evaluated from a third-party perspective. The process of an IT audit involves the entire lifecycle of an information system, as well as its related external environment.

IT internal control includes pre-event prevention, progressing control, and post-event monitoring. IT internal control also involves IT internal audit activities, which could prevent IT risk events in some cases if the control measures are properly implemented.

IT governance is a constant process. As part of corporate governance, IT governance sets the direction for IT strategies and ensures proper use of IT resources, IT system management, and IT risks monitoring. ITO is a widely-used technological strategy, and ITO risks run throughout every stage of the supply chain including technology, products, service, operation, and maintenance. The management of ITO risk covers most types of IT risk management. Once the risk management of IT risks collapses, IT systems in commercial banks are damaged. Therefore, implementing ITO risk management strategies is an important part of IT governance.

4.1.4 SUPERVISION ON IT OUTSOURCING RISKS IN BANKING SECTOR

Regulators have recognised that outsourcing is relevant at both a national and international level. On an international level, the Joint Forum suggests that there are seven high-level principles of ITO for commercial banks [ CITATION The05 \l 2052 ]:

• Financial entities willing to outsource should have comprehensive assessment policies regarding outsourcing activities to ensure that the activities are outsourced properly. Senior management should be responsible for outsourcing policy and for ensuring that the outsourcing activities are compliant with the policy.

• A comprehensive outsourcing risk management scheme should be established, including both outsourcing activities and the relationship with the outsourcing supplier.

• The outsourcing contract should not diminish the financial firm’s obligations to customers, or prevent effective supervision by regulators.

• Appropriate due diligence should be conducted when selecting third-party service providers.

• Written contracts should be provided to clearly describe every material aspect in the outsourcing arrangement, including the rights, obligations, responsibilities, and expectations of all parties.

• Contingency plans should be established and maintained by financial firms and their service providers, including a plan for disaster recovery and the periodic testing of backup facilities.

• Financial firms should take appropriate steps to ensure that service providers protect all confidential information belonging either to the regulated entity or to its clients from intentional or inadvertent disclosure to unauthorised persons.

In addition, the European Central Bank [ CITATION Eur04 \l 2052 ] cites nine concerns about the negative effects of outsourcing in banks operating within EU countries: issues of control, operation, supplier, and compliance are the most frequently addressed. In order to regulate domestic outsourcing activities and mitigate risks within the financial services market on a national level, some regulators promulgate standards and legislation to control and manage outsourcing. The table below illustrates a few actions that EU regulators have taken in this respect [ CITATION The05 \l 2052 ], [ CITATION FCA16 \l 2052 ]:

Belgium: CBFA (Banking, Finance and Insurance Commission) issued a common guideline about the banking and investment service sector in June 2004, which was then expanded and implemented in the insurance sector.

France: New provisions regarding internal control in credit institutions and investment firms were introduced in 2005. The provisions constrained requirements for outsourcing core activities. They also set a format for outsourcing contracts and disclosure standards for outsourcing activities.

Germany: Guidelines regarding all credit institutions and financial services were issued in 2001 to set specific requirements for outsourcing at the same time, including the orderliness of such business or services, managers’ responsibility to monitor, and The Federal Financial Supervisory Authority (BaFin)’s right to audit and supervise.

Netherlands: De Nederlandsche Bank (DNB) issued the Regulation on Organisation and Control in 2001, defining outsourcing as ‘business processes’. In 2004, Pensioen- & Verzekeringskamer (PVK) widened the scope of the Regulation on Outsourcing to include insurance companies.

Switzerland: The Swiss Federal Banking Commission (SFBC) issued ‘Outsourcing Guidelines’ for banks and security firms in 1999, and implemented annual external audits to evaluate whether firms are in compliance with the guidelines.

United Kingdom: The UK Financial Conduct Authority (FCA) set guidelines for banks in the FCA handbook. In the chapter on High Level Standards, in section ‘SYSC Senior Management Arrangements, Systems and Controls’, there is a sub-section that covers outsourcing, including general outsourcing requirements and guidance on outsourcing portfolio management.

(Figure 4-1)

4.2 IT risk analysis in commercial banking sector

The aim of risk analysis is to identify the degree of influence of risk factors on an outsourcing project, to control such risks, and to ensure successful implementation of the project. In this section, an adjusted model is formulated to fit the commercial banking sector, and the result is arranged for the following case studies.

4.2.1 RISK RESOURCES

According to [ CITATION Aub98 \l 2052 ], there are three sources of ITO risk: the agent, the principal, and the transaction. Agency theory is concerned with ‘the coordination and motivation issues that are inherent in a relationship between a principal (the client) and an agent (the outsourcer)’ [ CITATION Aub98 \l 2052 ]. The principal itself is a source of risk factors. Earl and Lacity et al. identify the lack of experience or expertise of the principal with the activity to be outsourced as a major risk factor. The transaction is an important risk factor that spans several dimensions. Aubert et al. summarise main concerns from the perspectives of the agent, the principal, and the transaction [ CITATION Aub98 \l 2052 ]. Applying their theory to commercial banks, ITO risk resources in a bank are suppliers of outsourcing products or services, commercial banks themselves, and transactions, respectively. An ITO project for a commercial bank should be evaluated based on whether it is mutually beneficial for both bank and outsourcing provider, which aims at implementing the project successfully. As an important part within outsourcing activities, risks from the supplier’s perspective must also be analysed.

Risks from suppliers

Firstly, opportunism is an important risk factor in an outsourcing contract [ CITATION Aub98 \l 2052 ]. Before signing the outsourcing contract, the possibility of information asymmetry may mean that suppliers are aware of information that might be harmful for—but not known to—banks. Accordingly, suppliers may conceal some such information from banks, which may lead to adverse selection, where banks may choose unsuitable suppliers. After signing the contract, if a supplier cannot fulfil demands of the bank, banks may incur higher than expected costs.

Secondly, outsourcing suppliers may offer different services and products according to the bank’s requirements, which generate different costs. Suppliers require a profit margin in their contracts; therefore, an accurate budget is important for a supplier to claim a reasonable profit margin. If a supplier has a biased cost budget, its profit margin might be affected and its service quality would be influenced.

Thirdly, since the bank cannot observe the behaviour of the supplier, the supplier may be hiding some of its activities. For example, the supplier may assign inexperienced personnel to the outsourcing project as it is difficult for banks to evaluate the abilities and effectiveness of the outsourcing supplier staff, or they may apply soft/hardware which is at the end of its lifecycle in order to reduce costs. Such activities are not easily detectable to banks, but they nonetheless affect the value and outcome of an outsourcing project. In other words, it is difficult for banks to monitor a supplier’s activities from a management and business perspective.

Fourthly, during the implementation of an outsourcing project, the supplier may have access to a bank’s information system, which often inherently grants the supplier access to restricted and sensitive data. If the bank and supplier have not clarified this information security issue, a supplier may disclose a bank’s core competence-related information. If such sensitive information is obtained by competitors, the bank may lose competitive advantages.

Fifthly, both the bank and supplier may have different understandings of the project’s demands. For example, if a supplier and bank do not partake in a detailed and comprehensive discourse, the supplier may not gain an accurate understanding of the bank’s demands, and the service might therefore be inadequate. If the IT system does not align with business demands, the bank’s strategic and business objectives may be put at risk. Further, if outsourcing suppliers are more familiar with technological aspects, but lack the requisite experience and knowledge of processes and business demands within banks, the quality of the supplier’s service may further deteriorate.

Risks from banks

Firstly, outsourcing may give rise to strategic risks. In terms of strategy, the decision-making process for an ITO project involves senior management, and the decisions made indicate the organisational culture and values. An ITO project strategy should consider the bank’s internal and external environment as well as IT demands, and only after a series of such evaluations and analyses should a bank then proceed with outsourcing. There are various risks during the decision-making process, and the process is crucial for the success of ITO project.

Secondly, from the management perspective, selecting a supplier is also risky. If a bank realises that they have chosen an unsuitable supplier during the implementation process, it is difficult to correct their course without any loss. There are several causes of incorrect selection of suppliers, such as lack of a mature evaluation system for ITO service providers, information asymmetry, and focusing on details instead of considering the project as a whole. Inappropriate supplier selection may cause the bank to lose control of the project, and may affect the bank’s business operation. Further, if key members of the supplier team change during the project and the supplier does not provide a backup plan in time, the outsourcing service performance could plunge rapidly.

Thirdly, the bank’s ability to independently utilise technology may decrease. With the enlargement of ITO scope and scale, banks may increase their dependence on outsourcing suppliers as employees in banks are less and less involved in IT system development, maintenance, and ITO management. In this way, a bank’s competences in IT product R&D and evaluation of IT projects may decrease, weakening their bargaining power against the ITO provider. In other words, ITO projects may represent increasing costs each year as the bank becomes more dependent on the supplier, since the bargaining power of the bank is decreased. Meanwhile, from a technological perspective, a high level of dependence on the supplier may lead to system security and maintenance problems. When IT personnel in the bank participate less in system development, maintenance, and management activities, the risks of security problems and other risks of applying new technology may arise as employees in the bank become unfamiliar with the system and their IT skill is undermined by dependence on outsourcing.

Fourthly, supervision of the outsourcing supplier during project implementation is crucial to preventing risks. Although the bank and supplier align their interests via the outsourcing contract, they are still agent and principal. According to agency theory, without effective monitoring measures, the risk of increasing costs and information disclosure may rise.

Risks from transactions

Firstly, risks may arise from the centralisation of ITO. If the degree of ITO centralisation in a bank becomes too high, the bank may rely too heavily on one single outsourcing supplier or a supplier group. From the perspective of risk control, if the ITO supplier becomes monopolistic for banks, the balance between the banks and the ITO provider is broken, which may lead to unbalanced communication, cooperation, and operation within the bank and supplier relationship. Centralisation may also result in a series of risk control issues within banks, thus increasing the bank’s expenditure on risk control.

Furthermore, reacting to market demands swiftly is one of the motivations for conducting an ITO project for banks. However, due to ongoing changes in market policies and the bank’s operational environment, as well as the time gap between decisions, it is possible that banks lose their market opportunities after or during ITO implementation. From a bank’s perspective, it is then no longer necessary to realise the project. In addition, because of the rapid development of IT, a signed service contract may lose competitive advantages during or before implementation, or fail to bring about expected profits. If these risks materialise, banks may suffer losses.

Moreover, as the service industry in the financial sector is significantly influenced by market fluctuations, banks must react swiftly to market changes and client demands. However, if the processing procedure of the system does not align with the business and transaction processes, the firm’s reaction speed and efficacy may be affected.

Lastly, the design of the outsourcing contract is crucial to the outsourcing process. The contract clarifies responsibilities, obligations, and incentives in order to protect rights and interests on both sides, and avoid extra costs in contractual disputes. Further, if the bank is an overseas branch with its headquarters in another country, the legal and regulatory differences should be closely observed to avoid any compliance issues. Simultaneously, outsourcing contracts should have some degree of flexibility. When unexpected problems arise, both sides should have guidelines for their reaction, so specifying such in the contract can assist in the avoidance of extra costs.

4.2.2 RISK ANALYSIS IN EACH STAGE OF IT OUTSOURCING LIFECYCLE

In this section, the model from sub-question 2 is expanded and defined by applying the concept of risk resources from Aubert et al., as presented in the previous section. The aim of this section is to identify risk events arising from banks, suppliers, and transactions in each outsourcing lifecycle stage. This section is the central part of answers to sub-question 3. Although there are various available definitions of the ITO lifecycle, the framework by de Boer et al. is used in this paper. In practice, monitoring, adjusting and improving the ITO project run through the entire outsourcing lifecycle. ‘Monitoring’ in this capacity can be divided into two aspects. The first aspect involves monitoring the project process, risk control, and service quality provided by outsourcing supplier. The other aspect of ‘monitoring’ involves supervision of the project’s compliance from the initiation to end stages. The adjustment and improvement may be reflected in future projects instead of in the original project.


In medium- and large-sized commercial banks, standardised organisational structures and operational procedures are now common, and the operations during outsourcing lifecycle are the focuses of internal and external audit. However, due to the differences in IT governance levels, ITO performance may differ.

At each stage of an ITO lifecycle, risk events may emerge from each of the three risk sources. In order to mitigate and control risks, the project team must identify the risks. Before further research, a framework on ITO risk events must be drawn. The table below shows risk resources and outcomes during the ITO lifecycle; it integrates the ITO lifecycle framework by de Boer et al. and the risk resources framework by Aubert et al., and is called the ‘draft lifecycle-risk resource model’.

The ‘draft lifecycle-risk resource model’ below divides the simple model from sub-question 2 into four sections, where each stage of the outsourcing lifecycle is depicted in an independent table. Each table shows what risk events arise from banks, outsourcing suppliers, and transactions, as well as possible outcomes.

Initiation stage:

Risk events from banks

Outcomes Risk events from suppliers

Outcomes Risk events from transactions Outcomes Uncertainty of feasibility: market changes and technological development Project cannot achieve expectations Swift market changes, possible lack of shared credit evaluation systems Information asymmetry which influences banks’ decisions Lack of information for decision-making Information asymmetry which influences banks’ decisions Irreversibility of initiating project Sunk value cannot be drawn back

(Table 4-2: Risk events in initiation stage)

Evaluation stage:

Risk events from banks

Outcomes Risk events from suppliers

Outcomes Risk events from transactions Outcomes Business regulations are not clear Service quality might be affected, leading to increasing costs Opportunism: suppliers may have information that banks are unaware of, but which is harmful to banks; such asymmetry may lead to adverse selection Improper supplier is selected Supplier cannot deliver outcomes as contractually agreed Increasing costs or project failure Contract clauses are not clear Contractual conflicts, the project cannot continue Human resources: lack of personnel or communication Increasing costs for both banks and supplier Lack of communication Affects IT service quality Lock-in: banks rely on a certain service provider in a long-term Banks lose bargaining power

Lack of budget Affects IT service quality Uncertainty of demands, lack of technology Increasing costs for supplier

(Table 4-3: Risk events in evaluation stage)

Management stage:

Risk events from banks

Outcomes Risk events from suppliers

Outcomes Risk events from transactions Outcomes Frequent change on demands Increasing costs incurred to revise contract, may lead to conflicts and legal fees Moral hazard Lower service quality Managerial risks: unreasonable internal process, lack of coordination, lack of risk control Problems in any stage lead to higher human resource costs for supplier Leakage of bank information Damage to banks’ reputation, and economic, and competitive advantages High level of centralisation Supplier cannot provide qualified service as agreed in contract Rely-on supplier Loss of IT resource capabilities, undermining of IT innovation Incomplete understanding of bank’s demands Costs increase Service quality declines Higher costs for banks

(Table 4-4: Risk events in management stage)

Outcome stage:

Risk events from banks

Outcomes Risk events from suppliers

Outcomes Risk events from transactions Outcomes Lock-in: banks rely on outsourcing supplier Innovative capability undermined High transferring costs must be paid if no future cooperation Cannot provide services as agreed in contract Increased costs for banks Ability of IT personnel decrease Loss of competitiveness

(Table 4-5: Risk events in outcome stage)

The tables above illustrate possible ITO risk events arising in each of the outsourcing lifecycle stages within the commercial banking domain, categorised by risk source. However, the tables demonstrate that there are no risk events arising from suppliers in the initiation stage, and no risk events arising from the transaction stage. The same risk event may also occur in more than one lifecycle stage. For example, ‘lock-in’ occurs both in the evaluation stage and the outcome stage, and ‘rely-on supplier’ in the implementation stage is effectively a form of lock-in.

In the tables above, risk events arising from banks can be summarised as business risks and managerial risks, since most of the risk events arising from the bank arise internally.

However, these two types of risks—business and managerial—are fundamentally different because business risks focus on the strategic level, whereas managerial risks focus on the operational level of the banking sector. Risk events arising from transactions focus on the external environment, which cannot be changed by a single bank. Thus, transaction risks related to market, legislation, and policy shifts are classified as external environment risks. Due to the influence of core competencies, banks and external outsourcing suppliers must have different levels of technological abilities, and technological development may enlarge this gap. Thus, technological risks belong in a separate category. Classification can be found below:

| Risk category | Risk events |
|---|---|
| Technological risks | system security risk; use of new technology risk; system operation and maintenance risk; lock-in (reliance on supplier) |
| Business risks | IT system does not align with business demands; business information leakage; transaction procedure is not aligned with business |
| Managerial risks | selecting outsourcing supplier; monitoring; contract; increasing costs |
| Supplier risks | biased understanding of demands; credit risks; supplier change risk; information leakage |
| External environment risks | market information; policy risks; legal risks |

(Table 4-5)


(Figure 4-2)

5. Methodology

This research uses a qualitative approach to answer sub-question 4, with interviews as the data collection technique in the case study. Employees from a commercial bank are interviewed in order to obtain information about ITO project management within the bank. The model from sub-question 3 is the foundation of this case study.

5.1 Case selection

In this paper, two cases are selected.

The first case focuses on Bank A, which has a branch in Amsterdam. As an international bank, Bank A has a subsidiary in Europe that manages branches in the Netherlands, Spain, Germany, France, Belgium, and Italy. The Amsterdam branch was built in 2011. Currently, the branch plans to outsource IT systems to the Documentation Centre in Beijing, which is directly supervised by the head office of the bank. Bank A is selected as the first case for the following reasons. Firstly, Bank A is one of the global market leaders in the banking industry, covering 42 countries and regions, with a net income of RMB 277.72 billion (USD 42.77B). Secondly, the organisational structure of the bank is the typical hierarchical international banking structure, where the head office is in its home country, and other branches are regional subsidiaries and local branches, thus the bank itself is representative. Thirdly, the bank is listed on both the Shanghai Stock Exchange and the Stock Exchange of Hong Kong Limited, thus the authenticity of the public information can be ensured.

To enhance reliability and validity, a second case study on Bank B is used as validation—a research technique called a ‘two-case study’ [Yin03]. The reasons for selecting Bank B are as follows. Firstly, Bank B is also an international bank, covering more than 50 countries and regions. Secondly, Bank B was established in the late 17th century, which lends it rich experience in the banking industry, together with its innovative abilities such as the invention of credit cards and ATM. Thirdly, similarly to Bank A, Bank B has a branch in the Netherlands, and IT functions were outsourced. Unlike Bank A, Bank B only outsourced maintenance functions to an external supplier.

5.2 Setting

Both cases use interviews as a qualitative method to gain a picture of the important issues within the ITO projects. For data collection, in-depth interviews with employees from the branch are used, since in-depth interviews are ‘optimal for collecting data on individuals’ personal perspectives and experiences, particularly when sensitive topics are being explored’ [Mac05].

During the interviews with Bank A, possible risk events and the degree of impact of these events within Bank A are suggested by interviewees. The statistical results are also used to map out a view of the research question and to provide the themes or areas for investigation in more depth during the interviews [Gre08]. In the interview with Bank B, information about an ITO project is gathered. Then the findings are compared with the results from Bank A.

In order to reflect more deeply on the interview contents and nuances in both cases, initial coding—which was named ‘open coding’—is used to analyse interview transcripts. Initial coding also facilitates understanding of the basic themes and issues of each question asked in the interview [Sal09].

After analysing the results from interviews, the findings are discussed and final conclusions are drawn.

5.3 Participants

In the case of Bank A, employees from the Risk Management Department, IT Department and Legal & Compliance Department are interviewed. The Risk Management Department is included because it takes the lead in the implementation of overall risk management of Bank A, and the Legal & Compliance Department because it conducts the legal and compliance function independently and co-ordinates with the Head of Compliance of the bank. These two departments are also end users if the ITO system is realised. The IT Department maintains current information systems and introduces new systems if necessary. If an ITO project is considered, the IT Department will be the leading department.


In the case of Bank B, an employee from the IT Department is interviewed. Unlike the case of Bank A, this employee is the only interviewee in the case of Bank B. However, this interviewee is very representative and experienced. The interviewee participated in the entire ITO project, including project proposal, evaluation, and monitoring supplier’s activities.

6. Case study

In this chapter, the analytical process and results are presented to answer sub-question 4, and to apply the model from chapter 4 in a commercial bank.

6.1 Methods

After interviewing participants from Bank A, the data obtained is analysed with a risk matrix, then ranked by Borda Count to determine which risks require more attention. A risk matrix is a structured approach that identifies which risks are most critical to a programme, and provides a methodology to assess the potential impacts of a risk, or set of risks, across the lifecycle of a programme. The acquisition re-engineering team at the Air Force Electronic Systems Center devised this approach in 1995 [Gar98]. When building a risk matrix, according to [Gar98], some key indices must be identified, namely risk impact (I), probability of occurrence (P), and risk rating (R). Risk impact (I) assesses the impact the risks could have on the programme and is rated as critical, serious, moderate, minor, or negligible. The different impact degrees have specific definitions in cases of ITO projects in banks.

Critical: an event that, if it occurred, would cause the ITO project to fail; related business could not operate.

Serious: an event that would cause major costs and a significant increase in the timeline of the ITO project; related businesses could not operate normally.

Moderate: an event that would cause a moderate increase in the costs and schedule of the ITO project; some related business of the bank could not continue, but some business could still operate normally.

Minor: an event would incur only minor costs and the timeline of the ITO project would only slightly increase. Related business may be affected, but the core business of the bank is not influenced.

Negligible: an event would not affect related business.

The probabilities of occurrence assess the possibility that a risk will occur. There are 5 scales:

0-10%: very unlikely to occur

11%-40%: unlikely to occur

41%-60%: may occur about half of the time

61%-90%: likely to occur

91%-100%: very likely to occur

According to [Gar98], the risk rating (R) is determined by mapping each pair of risk impact (I) and probability of occurrence (P) levels into the matrix table shown below. Risk ratings can be described as low, medium, and high:

| P \ I | Negligible | Minor | Moderate | Serious | Critical |
|---|---|---|---|---|---|
| 0-10% | Low | Low | Low | Medium | Medium |
| 11%-40% | Low | Low | Medium | Medium | High |
| 41%-60% | Low | Medium | Medium | Medium | High |
| 61%-90% | Medium | Medium | Medium | Medium | High |
| 91%-100% | Medium | High | High | High | High |

(Table 6-1)
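As an added illustration (not code from the thesis), the following Python example encodes Table 6-1 and ranks risks with a Borda count over the two criteria, impact and probability band. The Borda formulation (count = sum over criteria of N minus rank, with tied risks sharing the average rank), the function names and the sample assessments are assumptions; this section does not give the formula.

```python
from bisect import bisect_left

IMPACTS = ["Negligible", "Minor", "Moderate", "Serious", "Critical"]
P_UPPER = [10, 40, 60, 90, 100]  # upper bound (%) of each probability band
MATRIX = [  # Table 6-1: rows = probability bands, columns = impact levels
    ["Low", "Low", "Low", "Medium", "Medium"],
    ["Low", "Low", "Medium", "Medium", "High"],
    ["Low", "Medium", "Medium", "Medium", "High"],
    ["Medium", "Medium", "Medium", "Medium", "High"],
    ["Medium", "High", "High", "High", "High"],
]

def p_band(probability_pct):
    """Index of the Table 6-1 band containing a probability in percent."""
    if not 0 <= probability_pct <= 100:
        raise ValueError("probability must be within 0-100%")
    return bisect_left(P_UPPER, probability_pct)

def risk_rating(impact, probability_pct):
    """Risk rating R for an (I, P) pair, read from Table 6-1."""
    return MATRIX[p_band(probability_pct)][IMPACTS.index(impact)]

def average_ranks(scores):
    """Rank 1 is the highest score; tied scores share the mean of their ranks."""
    order = sorted(scores, reverse=True)
    return [order.index(s) + (order.count(s) + 1) / 2 for s in scores]

def borda_ranking(risks):
    """(name, Borda count, rating) tuples, highest count first."""
    names = list(risks)
    n = len(names)
    by_impact = average_ranks([IMPACTS.index(risks[r][0]) for r in names])
    by_prob = average_ranks([p_band(risks[r][1]) for r in names])
    # Assumed formulation: b_i = sum over both criteria of (N - rank of risk i).
    rows = [(name, (n - ri) + (n - rp), risk_rating(*risks[name]))
            for name, ri, rp in zip(names, by_impact, by_prob)]
    return sorted(rows, key=lambda row: -row[1])

# Constructed sample assessments (impact, probability %), not the interview results.
SAMPLE = {
    "system security risk": ("Critical", 30),
    "lock-in (reliance on supplier)": ("Serious", 70),
    "business information leakage": ("Critical", 8),
    "contract": ("Moderate", 50),
    "legal risks": ("Minor", 20),
}

if __name__ == "__main__":
    for name, count, rating in borda_ranking(SAMPLE):
        print(f"{count:>4}  {rating:<6}  {name}")
```

In the constructed sample, three risks share the Medium rating in Table 6-1, and the Borda count separates them (6.0, 4.0 and 3.5), which is the ordering a rating class alone cannot give.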

6.2 Results

From the interviews and discussion with participants, information about their experiences from previous IT projects and the current situation was acquired. Using this insight, a risk matrix of this ITO project was generated. Table 6-2 below presents a summary of the questions asked and answers received. The questions are based on the five groups of potential risk events summarised at the end of Chapter 4. Due to the limitation of the table format, questions and answers are edited for brevity. In the case of some questions, editor’s notes also provide a brief introduction of the current situation within the branch. Then, based on the discussions, added notes assign to each risk event a risk impact and probability of occurrence drawn from the participants’ experiences. The risk rating is also listed in Table 6-3.

Risk events (Questions) | Occurrence | Remarks (Answers)

Technological risks
