IT outsourcing of business critical and business specific IT services: risks and risk mitigation practices

(1)

(2)

(3)

1 Introduction

This chapter explains the context and motivation of this research and the approach that was taken to reach the desired aims. It starts off with an introduction to some of the concepts relating to IT outsourcing, such as reasons to outsource IT and risks of IT outsourcing. The purpose of this research is framed in a specific problem statement, from which four research questions are derived. After the research questions are introduced, the approach by which the research questions are answered is explained and the scientific and practical relevance of this research is pointed out. In conclusion, the chapter ends with an overview of the thesis set-up.

1.1 Context and Motivation

Looking at the current trends towards software as a service, cloud computing and outsourcing, IT executives these days have to be able to argue why an IT service or system1 is still operated by the internal IT department. As outsourcing is often seen as a cost reduction strategy by business executives (Lacity, Khan & Willcocks, 2009), and due to recent activities concerning the economic recession, the question to outsource IT is situated high on the agenda. Even if cost cutting is not the main objective of a firm, a firm may still consider to partner with external service providers for other motives, such as improving performance (Dhar & Balakrishnan, 2006), increasing flexibility in terms of capacity (Gonzales, Gasco & Llopis, 2010), or to gain access to knowledge and expertise (Seddon, Cullen & Willcocks, 2007).

Combining all the benefits of IT outsourcing will sketch an optimistic image about its possible outcomes. The other side of the coin, however, is filled with risks that may occur (years) after the IT service has left the borders of the internal IT department. Perhaps the service provider will not be able to comply with the determined service levels, or it may be unable to realize enough efficiency to reach the expected cost reductions. Risks of IT outsourcing have been investigated

extensively in recent years (Lacity et al., 2009).

During the decision making process about whether or not to outsource an IT service, potential risks can be important input factors. These risks may vary depending on characteristics of the IT service, such as business criticality, or whether it is a standard off the shelf product or more specific to the business. In order to lower the likelihood of IT outsourcing risks, scholars have proposed risk mitigation practices.

The goal of this research is to provide scholars, as well as practitioners with insights into the relations between the concepts of business criticality, business specificity, IT outsourcing risks, risk mitigation practices, and IT outsourcing satisfaction. These insights should contribute to the existing body of research on IT outsourcing risks, as well as serve practitioners with valuable input for the decision making process on whether to outsource or not to outsource certain IT services.

1.2 Problem Statement and Research Questions

In the midst of the trend to outsource IT, companies face difficult considerations concerning which IT services to keep, and which to outsource. It is safe to assume that, generally speaking, standard IT services are more likely to be outsourced than IT services that are specific to the organization. For specific IT services, additional effort concerning knowledge transfer may be required and the amount of service providers may be limited. Equally, one may assume that business critical IT systems are less likely to be outsourced than non-critical IT systems, since the organization will require full monitoring control over the system. Without the possibility of direct monitoring, risks such as non-compliance with service levels may lead to devastating outcomes with critical IT systems. However, the question remains whether such assumptions apply to daily practice.

The main objective of this research is to investigate the intuitive statement that business criticality and business specificity of an IT service leads to higher risks and a lesser chance of IT outsourcing success. By investigating the issue, insight will be gained into the following problem statement:

● Can business critical and business specific IT services be successfully outsourced to external service providers?

1

the terms IT services and IT systems will be used interchangeably throughout this paper, refer to Appendix E for a list of terms that are used interchangeably

(5)

The above problem statement is split up into three groups of research questions, that each apply to different parts of the problem.

The first direction to determine whether business critical and business specific IT services can successfully be outsourced, is to investigate whether these characteristics have a correlation with IT outsourcing success, or whether it correlates with IT outsourcing risks. This leads to the following four questions:

RQ 1a) How does business criticality relate to IT outsourcing risks? RQ 1b) How does business criticality relate to IT outsourcing success? RQ 1c) How does business specificity relate to IT outsourcing risks? RQ 1d) How does business specificity relate to IT outsourcing success?

Next to the above questions, it may be relevant to know whether outsourcing risks have an impact on IT outsourcing success. In other words, another interesting factor to decide which IT services can be outsourced, is whether the likely risks will impact the success of the outsourcing arrangement. This leads to the following research question:

RQ 2) How do IT outsourcing risks relate to IT outsourcing success?

Lastly, with a picture of the relation between outsourcing risks and success, it may be useful to have insight into how these risks can be mitigated. A list of possible risk mitigation practices can be retrieved from previous research. It is then interesting to know whether in practice, such strategies lower the risks, or have an influence on the success of the IT outsourcing arrangements. This leads to the following two questions:

RQ 3a) How do risk mitigation practices relate to IT outsourcing risks? RQ 3b) How do risk mitigation practices relate to IT outsourcing success? 1.3 Research Approach

An extensive literature study plays a pivotal role in shaping the concepts discussed in this research. The literature review was conducted to determine the definitions for business criticality, business specificity and IT outsourcing success. Furthermore, a list of IT outsourcing risks and risk mitigation practices was extracted from earlier research. Following the literature study, a conceptual framework was set up to illustrate the relations between the different concepts. The

strengths and directions of the relations in the conceptual framework were verified by means of a survey that was sent to IT managers and CIO’s of large organizations active in The Netherlands using a cross-sectional approach (i.e. data is collected at a single point in time). By using several statistical methods, key lessons and conclusions were drawn from the results of the survey in order to answer the research questions.

1.4 Relevance and Contribution

This research has both scientific and practical implications. The relevance to the body of research in the IT outsourcing field is at least two-fold. First, findings of this research may shed light on new conceptual relations, and encourage researchers to address existing concepts from different angles. For example, by assessing the relationship between business criticality and business specificity with IT outsourcing risks, an issue is addressed that was previously unexplored. Additionally, existing literature does not address the direct relation between the lists of IT outsourcing risks as used in this research, and IT outsourcing success. The findings concerning such possible relations can help enhance the motivation of scholars to investigate specific risks with high impact in greater depth. Similarly, the findings related to the risk mitigation practices and their influence on IT outsourcing success may encourage researchers to more fully investigate those mitigations practices that appear to be strong indicators of a successful IT outsourcing arrangement.

Second, the quantitative nature of this research makes it perfectly suitable for comparisons and repetition of the study. In other words, it can be used as a benchmark for different purposes. For example, the same study can be conducted in another country, with smaller firms, or at a later point in time.

The practical relevance of this research pertains to the findings from the literature study and data analysis, and are many-fold. The findings can be used in business environments. For example, IT executives can be aided during the decision

(6)

6

research highlights which IT outsourcing risks are most strongly related to IT outsourcing success or failure, and what risk mitigation practices are most strongly related with bringing down the risks and increasing success. The findings also show whether or not business criticality and business specificity should be important factors during the decision to outsource.

1.5 Thesis Structure

This section gives a brief overview of the thesis structure.

Chapter 1 outlined the context, motivation and problem statement of the study. The research questions were presented and the research approach was described. Special attention was given to point out the relevance and contribution of this research to both scientific and practical ends.

Chapter 2 contains the theoretical background on which the study builds. This chapter defines the concepts that were subsequently investigated through a quantitative analysis. The definitions are based on previous scientific studies on the subject of IT services and IT outsourcing.

Chapter 3 presents the conceptual framework that depicts the relations between the concepts described in the theoretical background. These relations are shown in diagrams that give a visual representation of the research questions.

Chapter 4 describes in more detail what research approach has been taken to investigate the relations within the conceptual framework. The survey design is discussed in this chapter. Lastly, the choices for the statistical methods are explained.

Chapter 5 contains the data analysis. It presents the results of the survey, and contains structured arguments and

explanations about the relations that were (not) found, for each research question. The findings of the study are combined with previous research from the literature study, in order to provide insights into the research questions.

Chapter 6 aggregates the findings from Chapter 5 to formulate conclusions and answer the research questions. It also contains a discussion of the limitations and possibilities for future work.

(7)

2 Theoretical Background

This chapter draws on research findings from existing literature to describe the main concepts relating to IT outsourcing and the aims of this research. Section 2.1 will first explain the concepts relating to the practice of IT outsourcing including the motives to outsource IT systems, the associated risks, and risk mitigation practices. It will concludes with a review of literature discussing IT outsourcing success. Section 2.2 and 2.3 work towards a definition of business critical IT systems, and business specific IT systems. Building on this literature study, a later chapter will present the research model used to investigate which risks are associated with what types of IT systems and other relations between concepts.

2.1 IT Outsourcing

In 1990, Eastman Kodak made a revolutionary move that marked the starting point of an IT outsourcing trend that would continue for years. Before that time, outsourcing had already been explored by managers for system development and facility management (Earl, 1996). However, Eastman Kodak’s decision to outsource their core IT systems, provided the business world with a radically new lens of looking to the IT department.

At the same time, the academic world arose and caught the opportunity to emerge themselves into an unexplored research area. Motivated by strong practical implications, scholars had soon published valuable insights into the what and how of IT outsourcing (e.g. Grover, Cheon & Teng, 1996; Klepper & Jones, 1998; Lacity & Willcocks, 1998).

It did not take long before businesses realized and experienced the potential risks of transferring IT control and

responsibility to another party. Instead of considering whether it would be beneficial to outsource an IT system or service, some researchers started to argue for a mind shift that would lead IT managers to first ask the question “why should we not insource IT services?” (Earl, 1996, p. 2). An undesirable, but rather frequent outcome of IT outsourcing was the

manifestation of unanticipated hidden costs. Researchers stated that, without sufficient economies of scale at the side of the service provider, the internal IT department can reduce costs on its own (Hirschheim & Lacity, 2000). The risk of escalating costs, and other risks were investigated in years to come.

Making definite statements concerning when to outsource, and when not to outsource IT systems is a hard, and perhaps, an impossible endeavor. For example, the complex nature of IT systems, and the required expert knowledge and

experience about technology may limit the ability to predict whether an outsourcing undertaking will be successful or not. Functional and qualitative requirements of IT services can change over time, making it a substantial effort to be clear about future expectations. Furthermore, the very notion of IT outsourcing success itself is a rather subjective concept, often depending on a weighing between the expected benefits against the realized benefits and perceived satisfaction. These complexities are only a few examples that make IT outsourcing such an intriguing and relevant research area. Consequently, scholars have continued to devote their time and energy to the practice of IT outsourcing for the last 20 years (Lacity et al., 2009).

Building on the work of others, the rest of this section will explain multiple concepts of IT outsourcing. The overview will give the reader insight into the findings of earlier IT outsourcing research. These insights, such as the identification of many possible IT outsourcing risks, are later used as given constructs in the research model that is investigated.

2.1.1 IT Outsourcing Forms

IT outsourcing arrangements can vary in level of engagement. A company may decide to outsource the entire set of IT operations, or decide to outsource a selected range of IT services. The first option is referred to as total IT outsourcing. Such a decision may seem very dramatic, but has nevertheless been pursued by companies in the past (Greyer & Barthelemy, 2004). The latter option is called selective sourcing. Through selective sourcing, companies can specifically choose what services to outsource to pursue the best sourcing strategy (Rouse & Corbitt, 2003). A company may, for example, decide to keep any IT service that requires specific business knowledge within its own control whilst outsourcing the more generic IT services.

(8)

8

Similar to the organization-wide scope of selective IT outsourcing just described, IT systems themselves may also be completely, or partially handed over. Organizations may choose to outsource, for example, one, or a combination of software development, infrastructure, service management, or application management.

2.1.2 IT Outsourcing Motives

Organizations can have various reasons to outsource IT systems. Previous studies have focused on identifying the motives that lie at the basis of the outsourcing decision. Based on multiple such studies (e.g. Seddon et al., 2007; Lacity et al., 2009; Gonzales et al., 2009), this section provides a list of the most common IT outsourcing motives.

Focus on strategic issues

Firms can engage in IT outsourcing because they do not see the supporting IT systems as their primary business process or source of competitive advantage. Rather than allocating time and attention to the managing of IT, firms may focus on more strategic issues or competencies that are central to their services. Multiple studies have shown that the desire to focus on strategic issues is a common motive to outsource IT systems. For example, Gonzales et al. (2010) investigated the main reasons for IT outsourcing among more than 300 Spanish companies. They found that the focus on strategic issues was the most common motive to outsource. Bergstra et al. (2011) came to the same conclusion in their study on IT motives within Dutch companies. Survey results published by Seddon et al. (2007) lead to comparable findings among a sample set of approximately 200 Australian companies. In a case study among a large organization, Dhar & Balakrishnan (2006) found that a strong driver of outsourcing portions of the firms IT, was to focus on its core competencies. The firm wanted its best and brightest resources on projects that focused on core processes and strategic endeavors.

Cost savings

IT systems are often outsourced with the intention to decrease costs. Lacity et al. (2009) reviewed the body of outsourcing literature at that time, and found that reducing or controlling IT costs was the number one most mentioned motive in scientific articles. However, the mere fact that researchers focus so much on cost savings does not necessarily mean that it is the main motive for organizations to outsource IT. For example, in almost half of the cases, reduced costs were not a reason in the study by Seddon et al., 2007. Of course, this depends on contextual factors, such as firm size and industry. For example, small firms have limited resources and systems to outsource, and shall primarily outsource for reasons such as access to knowledge and expertise. Cost savings however, can be a strong driver of IT outsourcing for (larger) firms, as exemplified by the two cases studied by Dhar & Balakrishnan (2006).

Cost savings can be realized when suppliers make efficient use of economies of scale. For example, a certain IT system may require specific investments (e.g. technology, expertise) that cannot be used to other ends within that company. If multiple organizations need that same service, a specialized supplier can invest in the required technology and expertise to serve multiple clients, thus indirectly spread the investment among them. In other cases, external suppliers already possess the technology and skills that would otherwise have to be acquired by the outsourcing company.

Increased flexibility

IT outsourcing is said to positively influence flexibility in terms of fluctuations in IT workloads (Gonzales et al. 2010). For example, IT outsourcing may provide flexibility through scaling the system capacity when needed. Additionally, room for negotiations can be included in the contract to adapt service levels in response to changing business circumstances. Seddon et al., (2007) however warn that switching costs for the IT services are high, which may affect flexibility benefits from outsourcing.

Improved performance

Specialized IT firms can provide improved quality of IT services, which can be a driving factor for outsourcing (Dhar & Balakrishnan, 2006). IT firms can, for example, have access to more advanced technology, more experienced personnel or more efficient management systems (Gonzales et al. 2010). Improved IT services are seen as a result of the expert knowledge and skills of the service provider, referred to as specialization by Seddon et al. (2007).

Technology reasons

Another motive of outsourcing is to gain access to more advanced technology without having to make the initial

investments. With the current pace of technology improvements, the risk exists that technology becomes obsolete within a few years (Gonzales et al. 2010).

(9)

Access to knowledge and expertise

An outsourcing company may not always possess the personnel with the right knowledge, skills or experience that a specialized IT firm does possess. Seddon et al. (2007) report that this motive is often a primary reason of IT outsourcing.

Other motives

Less often mentioned motives for IT outsourcing are, among others, access to international markets, political reasons, cost predictability, headcount reduction, and temporary solutions (Seddon et al., 2007; Lacity et al., 2009).

2.1.3 IT Outsourcing Risks

The previous section outlined some of the reasons why organizations have outsourced their IT systems. As illustrated, IT outsourcing can lead to many benefits. However, IT outsourcing also inherits certain risks. For example, It is possible, and perhaps probable, that not all the expected benefits are realized. Moreover, outsourcing IT systems may have additional consequences, such as a loss of innovative capacity, or greater security risks.

A considerable amount of research has been conducted to investigate the risks of IT outsourcing. This section presents an overview of the IT outsourcing risks that have been identified in earlier studies. The findings from the various studies taken together give an illustration of the IT outsourcing risks landscape. Researchers have also considered possible risk mitigation practices that are helpful to prevent or lower the risks. The last part of this section will review risk mitigation practices proposed in literature.

Definition of IT outsourcing risks

Before the list of IT outsourcing risks is given, a line will be drawn concerning the scope of what constitutes an IT outsourcing risk. Depending on the definition of risks, certain risks can be included or excluded from the analysis. For example, some scholars present a cultural misfit as a risk of IT outsourcing, but also as a cause (i.e. factor) that may lead to other negative outcomes (e.g. unexpected management costs). Unexpected management costs itself is also a risk of IT outsourcing. In line with the definition proposed in a study by Aubert, Patry and Rivard (2002), it is chosen to refer to risks as undesirable outcomes rather than causes. This distinction allows for a simplistic yet effective representation of IT outsourcing risks that can be communicated to managers and used in follow-up research.

Overview of IT outsourcing risks

What follows now is a description of the possible undesirable outcomes (from now on referred to as risks) based on the findings presented in the paper by Aubert et al. (2002) and enriched by findings from other, often more recent, scholarly articles. Table 2.1 gives a summary of each IT outsourcing risk identified from this literature review and the description. Refer to Appendix A for an explanation of the methodology through which Table 2.1 is created.

Table 2.1. Overview of IT outsourcing risks and their definitions.

Lower service delivery quality

One of the risks often feared by clients is the possibility of a quality reduction of the system. In their research on sourcing success, Bergstra et. al (2011) found that the risk of a drawback in service levels was seen as the greatest risk by organizations that were outsourcing IT systems or services. The cases studied by Willcocks, Lacity & Fitzgerald (1995) illustrate the fact that after outsourcing IT, degradation of the services can surely occur. In their study, such service degradation was often the result of vendor opportunism. In some other cases, clients’ needs are not completely met or the wrong priorities are given because the vendor does not completely understand the business of the client (Gonzales et al., 2010).

Loss of organizational competencies and learning

Loss of knowledge.

One of the main challenges for the firms studied by Bergstra et al. (2011) is the loss of specific IT knowledge on the client side. In addition to the general problem of loss of

knowledge, they refer to the risk that specific IT knowledge at the client fades faster than the vendor is able to build. Gonzales et al. (2010) refer explicitly to the knowledge that is acquired by the vendor during the outsourcing

arrangement, of which a large proportion may not be transferred to the client. Dhar & Balakrishnan (2006) highlighted the importance of knowledge to the firms they studied, and stated that loss of knowledge was seen as a high risk to the IT managers.

Loss of innovative capacity

(10)

10

and loss of intellectual property. Earl (1996, p. 7) states that innovation needs “slack resources, organic and fluid organizational processes, and experimental and

intrapreneurial competences - all attributes that external sourcing does not guarantee”.

Vendor lock-in

Difficulty to switch suppliers

Vendor lock-in occurs when the purchaser has no option but to continue with an unsatisfactory arrangement (Rouse & Corbitt, 2003). Bergstra et al. (2011) state that during their study, this risk was mentioned by fewer IT managers than expected. As a possible explanation, they conclude that the market maturity level for IT services could have grown to such level that it is easier to switch to another supplier (no distinction was made between types of IT systems).

Irreversibility of the decision

There exists a risk that back-sourcing the IT system cannot be done without considerable effort and expenses. Three reasons for this are high costs to reconstruct the IS

department, difficulty to (re-)attract the necessary staff, and the time required (Gonzales et al., 2010). Along these lines, according to Barthelemy (2003), one of the seven deadly sins of outsourcing is a failure to plan an exit strategy.

Inflexibility

Technology renewal

As stated by Rouse & Corbitt (2003), IT outsourcing may lead to problems concerning adaptations to the IT system due to contractual constraints or prohibitive amendment costs. Tafti (2005) points out that clients may be unable to exploit emerging technologies because as long as the vendor meets the SLAs defined in the contract, the client cannot expect to receive better technology. This can be especially

problematic due to the difficulty of predicting the advances in technology that will occur in the next several years (Tafti, 2005).

Changing requirements

Even though future requirements and opportunities can be taken into account in the contract, a new business direction or new technological opportunities can come unanticipated (Earl 1996). Whereas an internal team can be steered rather effectively by IT managers, having a contracted external party can pose difficulties in terms of flexibility concerning system changes.

Communication challenges

When a process is supported by multiple IT vendors, communication overhead may increase because of the problem of technological indivisibility that relates to the question of who is responsible for what, as explained by Earl (1996).

Unexpected cost escalation

Although cost reduction is one of the main motives of IT outsourcing, research has shown that it is not a given. On the contrary, unexpected costs are seen as one of the major risks (Dhar & Balakrishnan, 2006)

Transition costs

Earl (1996) and Tafti (2005) mention the often unanticipated hidden costs that companies face due to longer-than-expected handoff or parallel costs, relocation costs, redeployment costs and management resources and time. In-house management costs

According to case studies by Willcocks et al. (1995), in-house management costs (in terms of new roles, time and effort) were frequently higher than expected. The firms under study by Dhar & Balakrishnan (2006) report the underestimation of effort that goes into managing the vendor relationship. Willcocks et al. (1995) mentioned contractual factors as causes of the unanticipated costs explained above, including ambiguities in the contract, inflexible contracts and weak contract management. Rouse & Corbitt (2003) furthermore mention unforeseen costs of ensuring compliance, negotiation and litigation. As estimated by Barthelemy in 2001, the average search process may cost hundreds of thousands euro’s (Barthelemy, 2001).

Personnel related issues

Transfer of key personnel

Research has shown that the motive to gain technical expertise through outsourcing is not always reached because the vendor commonly acquires some of the IT workers from the client, resulting in the same capacity as before (Tafti, 2005). Perhaps more problematic is the possible decision by the vendor to transfer key IT personnel to other customers (Tafti, 2005; Gonzales et al., 2010). Staff issues

Tafti (2005) refers to the risk that key IT employees may feel uncomfortable or threatened by the newly signed

outsourcing agreement. Gonzales et. al (2010) furthermore mention the potential staff problems with adjusting to new company culture. For outsourcing in general, many cases are known where personnel had a negative attitude towards the decision to outsource (Barthelemy, 2003). Barthelemy warns for lower morale of employees that are transferred to the vendor. Staff issues may also arise due to the changing role of the retained IT department (Gewald & Helbig, 2006) that will be focused much more on governance, relationship management and demand management.

(11)

Security issues

As mentioned by Rouse & Corbitt (2003), possible security issues can relate to the failure of a vendor to protect records. Kliem (2004) outlines the risk of unauthorized access of personal data. Especially concerning global IT outsourcing projects, privacy and data security complications may occur due to diverse governmental regulations and cultural differences (Tafti, 2005).

2.1.4 IT Outsourcing Risk Mitigation Practices

As illustrated in earlier sections, IT outsourcing can lead to worthwhile benefits, but inherits risks as well. Scholars have not only investigated the IT outsourcing risks that a company may face, but have also identified and developed practices to decrease the chance, or lower the impact of such risks. The first few practices outlined below are based on the meta analysis of IT risk mitigation practices performed by Bahli & Rivard (2003). In their IT outsourcing risk assessment framework, the authors included seven different mitigation mechanisms that they extracted from other academic papers. After the seven practices from Bahli & Rivard (2003), a few additional practices are listed which were taken from other research.

Co-investments

Especially relevant in the context of specific assets, mutual hostaging ensures a mutually advantageous exchange through co-investments (Koss and Eaton, 1997). Both the client and supplier share investments expenses in assets that are specific to that particular IT outsourcing deal.

Dual or multi-sourcing

As the name already implies, dual sourcing, or multi-sourcing, refers to engaging in a relationship with multiple service providers for the same service. Such a strategy may encourage competition relating to performance levels and quality among competing vendors (Ngwenyama and Bryson, 1999) and counter power asymmetries between vendor and client (Kern, Willcocks & Lacity, 2002). However, in a study by Rouse & Corbitt (2003, p. 936) the participants reported that “complexity increased substantially when the number of points of responsibility increased”. They stated that managerial complexity and transaction costs increased when multiple vendors were involved.

Sequential contracting

Bahli & Rivard (2003) propose a sequential relationship as a mitigation mechanism. In such strategy, procedures are present that enable sequential decision making in an ongoing relationship between the client and provider. This may be specifically useful in uncertain environments where sudden changes may strongly impact the need for, and shape of, the outsourcing arrangement. A similar approach is suggested by Kern et al. (2002) where sourcing is done incrementally. This way, the right capabilities to successfully outsource can be acquired during the process, if necessary in small steps.

Contract flexibility

Contract flexibility is often mentioned as a mitigation practice for IT outsourcing (e.g. Saunders, Gebelt & Hu, 1997; Kern et al., 2002; Tafti, 2005). Changes in the environment may result in different needs or opportunities (e.g. technology advances, shifting market dynamics). With a flexible contract certain points in the contract can be left open, or re-evaluated during planned renegotiation. Examples are flexibilities in price, contract provisions for renegotiation, termination of the contract, and shortening the contract period (Bahli & Rivard, 2003).

Soft measures

Clan mechanisms, as a possible enhancement of control mechanisms are means to induce desirable behavior through soft measures such as shared goals, values and norms (Bahli & Rivard, 2003). Such mechanisms build on trust and interpersonal respect between client and supplier.

Use of external expertise

Hiring external consultants may help to avoid unforeseen management and transition costs and prevent common pitfalls. Research shows that clients perform better when they have experience in outsourcing IT (Lacity et al., 2009). Thus,

(12)

12

governance structures and monitoring. However, the additional costs may affect the original business case (Rouse & Corbitt, 2003).

Alternative methods of dispute resolution

Alternative methods of dispute resolution can help avoid costly legal proceedings and reputation loss that are possible consequences of unsuccessful outsourcing deals (McLaughlin & Peppard, 2006). Bahli & Rivard (2003) propose two options, namely arbitration and mediation. Arbitration resembles litigation in that it concerns a neutral third party to investigate the case and give a legally binding ruling. The difference however is that arbitration is less formal and generally less costly and time consuming (Bahli & Rivard, 2003). Mediation on the other hand, aims to settle the conflict and lead to a result that is acceptable to both client and supplier. For mediation, a neutral third party gives assistance during the mediation process and the court and public press do not need to become aware.

Tight contracts

Saunders et al. (1997) performed a content analysis and conducted telephone interviews about 34 IT outsourcing deals that were announced in popular press at that time. They investigated the role of the contract and its influence on outsourcing success. According to their case study findings, a tight contract is a major success factor for IT outsourcing. The authors found that most outsourcing arrangement (even concerning core IT functions) that had a tight contract, were successful. On the other hand, most outsourcing arrangements that had failed, had loose contracts. Based on the experiences of the interviewees, the authors suggest a few contractual strategies for success. First, it is advised to specify all aspects of the contract clearly such as nonperformance clauses, baseline measures, and other constructs. Kern et al., (2002) propose similar mitigation tactics that ensure a detailed contract to also clearly portrays the right expectations of the client. Tafti (2005) similarly argues that every detail in the outsourcing arrangement should be spelled out in the contract and Gellings (2007) shows the importance of a detailed contract for IT outsourcing success in the context of German banks. Second, Saunders et al., (1997) suggest to treat every deal by itself, since not all outsourcing arrangement needs the same clauses. And third, external legal experts may be hired to help write and negotiate the contract.

Short contract period

Due to the uncertain nature of business and technology environments, signing long term contracts can be risky. Research has found that short-term contracts, of approximately 4 years, lead to better cost efficiencies than long-term contracts (Tafti, 2005). One possible explanation for this is that the supplier has more reason to prove itself in order to ensure contract renewal.

Sharing risks and rewards

Saunders et al., (1997, p. 65) found that outsourcing arrangements where the client and supplier formed strategic partnerships were more likely to be successful than mere client-supplier relationships. The authors defined strategic partnerships as “long term commitments that allow firms to share risks and rewards and to better manage complex relationships”.

Vendor selection

The success of IT outsourcing is largely dependent on the right choice of service provider (Gonzales et al., 2010). Risk mitigation practices can be carried out during the vendor selection process. A best practice found by Kern et al. (2002) as a result of their case studies, is the selection of service providers with proven track records. The authors furthermore propose to select suppliers with sound financial positions, stable customers and stable strategic partners.

Systematic contract monitoring

After having established a proper contract, companies can ensure proper execution over time by means of setting up contract monitoring routines (Kern et al., 2002). Examples are the role of contract managers, who are concerned with the legal aspects of the contract, and service coordinators, who focus primarily on the specific service level performance (Gewald & Helbig, 2006).

Data protection

To prevent security breaches, companies can encrypt data or adopt other data protection measures (Kern et al., 2002). Tafti (2005) propose corporate privacy and data security policies, as well as auditing and control functions to mitigate the risks of security and privacy concerns.

Contingency plans

(13)

rebuild the in-house capabilities for that IT service in the future. Next to renegotiation with the current service provider and switching to another vendor, a well-planned exit strategy would provide a third option at the time of contract renewal (i.e. taking the service back in-house).

Frequent client-supplier contact

Based on their literature review, Gonzales et al. (2010) identified a list of IT outsourcing determinants for success, amongst which they mention frequent client-supplier contact. According to the authors, frequent contact can aid in different ways including increased trust and confidence in the relationship, a better understanding of the other firm’s culture, effective communication, and enabling better anticipation of future (required) changes. Gellings (2007) specifically addresses the importance of meetings between key account managers of both companies. Concluded from the case studies amongst three German banks, the author states that regular communication between key management of both parties is a success factor.

Joint committees

In the multiple case study approach by Dhar & Balakrishnan (2006), a joint committee was seen as a driver of success for the IT outsourcing arrangement. In the same year, Gewald and Helbig (2006) proposed the usage of joint committees across multiple organizational levels (e.g. operational, functional, strategic) as a way to govern the outsourcing relationship.

2.1.5 IT Outsourcing Success

Even though the expected benefits of IT outsourcing are not always achieved, IT outsourcing remains a widely adopted practice and an increasing trend (Qi & Chau, 2012). Perhaps, despite the fact that some benefits have not been achieved, organizations may continue to look at the outsourcing arrangement as being worthwhile. This section will briefly visit the literature on IT outsourcing success and show how IT outsourcing success has been measured in earlier studies.

Existing literature has evaluated IT outsourcing success on the basis of two factors: satisfaction and achieved benefits (Gonzales et al., 2010). These interrelated concepts have been assessed in surveys by asking correspondents to provide feedback on statements using a 1 to 7 Likert scale. Satisfaction has been investigated by looking at the general level of satisfaction about the adoption of outsourcing within the IT department (Susarla, Barua & Whinston, 2003; Koh, Ang & Straub, 2004; Seddon, Cullen & Willcocks, 2007; Gonzales et al., 2010b). To assess outsourcing success in terms of achieved benefits, researchers have presented their participants with a list of possible benefits of IT outsourcing and asked to indicate to what extent those benefits have been realized. A number of studies categorized the benefits into economic, strategic and technological benefits (e.g. Han, Lee & Seo, 2008, Gonzales et al., 2010; Qi & Chau, 2012). Saunders et al. (1997) used another measure of satisfaction by asking the client company about their desire to switch suppliers.

Although the focus on achieving benefits of IT outsourcing is important, this dimension is not used in the current study. The first reason that the achievement of benefits is left out, is because it would require accurate knowledge about the expected benefits in the pre outsourcing state. The expected benefits could then be compared to the realized benefits to assess whether the original aims were reached. However, for the scope and duration of this study, such measures are infeasible. The approach in this study cannot guarantee sufficient experience and background knowledge of the participant about the pre outsourcing state. Moreover, it seems that assessing success based solely on the achievement of benefits falls short in incorporating the trade-offs that are sometimes made (Rouse, Corbitt & Aubert 2001). For example, through outsourcing, an IT service may show improved service levels, but the overall satisfaction may be insufficient due to escalated costs. It is therefore chosen to measure success based on satisfaction2 about the current situation, which by itself includes a tacit calibration of costs and benefits (Gonzales et al., 2010).

In this study, satisfaction will be assessed using four indicators, based on the study by Rouse et al. (2001). Besides measuring the overall satisfaction with the benefits from outsourcing that was used in a survey by Grover, Cheon & Teng (1996), Rouse et al. (2001) proposed to evaluate satisfaction based on two additional indicators: satisfaction with vendor performance, and satisfaction with value for money. The latter can be split into satisfaction concerning added value, and satisfaction concerning costs.

(14)

14 2.2 Business Critical IT Services

In order to assess which IT outsourcing risks apply strongly to business critical systems, a definition about what constitutes business (or mission) critical is necessary. The term business critical has been used by academics from different fields, such as in the research conducted by Prahalad & Krishnan (1999) about the influence of business critical software on competitive advantage. Prahalad & Krishnan (1999, p. 115) give an example of the consequences when such business critical software fails: “There can be serious business consequences if a retailer’s supply-chain management system breaks down during the holiday season or if an electronic trading house experiences glitches with its application software during peak trading hours”. Dhar & Balakrishnan (2004) studied IT outsourcing in the context of a large firm, and stated that the firm outsourced it’s non-critical jobs to vendors. Non-critical for that firm referred to jobs that were not related to the core business, business creation activities, its enterprise resource planning systems, and supply chain management systems. No further explanation was given. A clear definition of business critical IT systems was not found during the analysis of literature.

Drawn from the area of business continuity planning (BCP), processes can be characterized according to their consequences when they fail. Those consequences can be catastrophic, major, moderate or minor (Lam, 2002). As part of a business continuity plan, the business impact analysis (BIA) is conducted before doing the risk assessment and formulating the continuity strategy (Salmela, 2008). Within such a BIA, for each application it is determined what would be the estimate daily loss (or another time unit) if that system is no longer running. Multiple types of losses were listed by Salmela (2008) including lost revenues, loss of competitive or confidential information, and reputational damage (see Appendix B for the complete list). The NASA has defined mission critical systems, as systems that jeopardize an entire sol of operations in case of failure (Norris, 2004).

Based on the above descriptions, the definition of business critical that is used during this research is the following:

Business critical IT systems are systems that have major or catastrophic consequences when they fail, due to severe damage to the company such as, but not limited to, current or future operative losses, revenue losses, reputational damage and issues concerning confidential information.

Within the borders of this definition, room for different interpretations remains possible. It is left to the practitioner or researcher to make the final determination based on contextual factors such as company size, industry, and core

competencies. For example, a mobile application to conduct surveys for flight passengers to assess their satisfaction can be critical to company A, and not to company B. Schiphol airport for example can continue its everyday processes even if such an application fails. A market research company however, might be too dependent on the information that is retrieved by the app, due to promises, deliverables and deadlines to their clients.

2.3 Business Specific IT Services

Intuitively, the notion of specific IT systems is rather straightforward. However, similar to the concept in the previous section, a clear cut definition for specific IT systems was not found during the literature analysis. We will therefore work towards a definition based on implications from transaction costs theory and the perspective of knowledge transfer.

A widely applied theory to study IT outsourcing concepts is the transaction cost theory (Dibbern, Goles, Hirschheim & Jayatilaka, 2004). Concerned with the make or buy decision, the transaction cost theory (TCT) takes an economical perspective to decide on the appropriate way of accumulating a product or service. Of the different factors that play a role in TCT, asset specificity has been deemed to be most important (Alaghehband, Rivard, Wu & Goyette, 2011) and defined as “the degree to which the assets used to conduct an activity can be redeployed to alternative uses and by alternative users without sacrifice of productive value” (Williamson, 1996, p. 105). Furthermore, three sources of asset specificity exist: specificity relating to geographical location, specificity relating to equipment and tools, and specificity relating to employees’ knowledge and experience (Alaghehband et al., 2011).

Although the construct of asset specificity has been widely applied, Lacity, Willcocks & Khan (2011) suggest to discard asset specificity as a research construct because it has not been empirically robust (i.e. mixed results were published in

literature). They also suggest IT outsourcing researchers to develop their own endogenous theory, possibly derived from existing theories. Alaghehband et al. (2011) however, investigated why the TCT theory produced mixed results and found that the theory was often carried out inappropriately, leaning towards the argument that it can still be a valid construct.

(15)

Following both arguments, this research will incorporate asset specificity together with other terms to form a definition of a specific IT system.

Another perspective of looking at specificity is from the angle of knowledge transfer. Knowledge has been seen as one of the most important assets of a firm (Liebeskind, 1996). As mentioned by Zander & Kogut (1995), firm-specific technology requires differentiated knowledge about specific applications. The challenge herein lies in the speed of transfer or accumulation of this knowledge due to the inherent difficulty of knowledge transfer. Especially in the case of un-codified knowledge, and knowledge related to people (e.g. tacit knowledge and experience), knowledge transfer is problematic (Argote & Ingram, 2000). Applied to the case of specific IT systems, transferring such system would result in difficulties concerning the need for knowledge transfer between the two entities.

Lastly, The Oxford dictionary has been consulted for a finishing touch on the subject. The dictionary defines the term specific as “belonging or relating uniquely to a particular subject” and the term unique is defined as “being the only one of its kind; unlike anything else” (Ofxorddictionaries.com, n.d.). Following these definitions, an IT system is business specific if it uniquely relates to the business and if it is the only of its kind.

Justified by the debate on asset specificity, we have taken the freedom, for the purpose of this study, to adapt the

definition of a specific asset based on insights from a knowledge transfer perspective, nuanced by the dictionary definitions of the terms specific and unique. As a result, this research will use the following definition of a specific IT system:

A specific IT system is an IT system that relates uniquely to the current business, cannot be transferred to another context, and for which site, equipment or labor (e.g. tacit knowledge & expertise) specific investments are made that are difficult to transfer.

Three important factors are incorporated in this definition: a unique applicability of the system to that business, the necessity to invest in specific assets, and the difficulty of transferring the assets that pertain to the system. By including tacit knowledge (and experience), this definition focuses on systems that require people for the knowledge transfer process (and not merely documentation). For example, a website specifically designed for Schiphol Airport is not considered a specific IT service because the website developers are not dependent on any form of tacit knowledge about Schiphol Airport or its website. On the other hand, a mobile application that provides navigational aid throughout the airport (e.g. localization of shops, routes, average walking/ travel time) could require substantial effort to get to know the site and investments into required resources (i.e. Wi-Fi hotspots, or Bluetooth beacons, electronic maps).

(16)

16

3 Conceptual Framework

This chapter presents the conceptual framework that was constructed during this research. It shows the relations between the different variables that are analyzed. The concepts within the framework have been explained in the theoretical background. Section 4.1 first summarizes the theoretical underpinnings of the framework after which the framework is presented in Section 4.2.

3.1 Theoretic Underpinning

The conceptual framework is based on scientific insights from earlier studies. The previous chapter has covered both general as well as specific concepts relating to IT outsourcing. These concepts help to understand the context within which this research is conducted. However, not all of them were directly used in subsequent stages of this research. The following five concepts were used to address the research questions of this paper: IT outsourcing risks, IT outsourcing risk mitigation practices, IT outsourcing success, the definition of business criticality, and the definition of business specificity. Table 3.1 gives a description of the relevance of each concept and how they were formulated.

Table 3.1. Information about the use and formulation of the concepts that were used in the conceptual framework.

IT outsourcing risks In order to determine what risks businesses face while outsourcing IT services, a list of known IT outsourcing risks was created based on a review of multiple research papers on IT outsourcing risks. The resulting list of IT outsourcing risks was used in the survey design.

IT outsourcing risk mitigation practices

Researchers have investigated how to mitigate IT outsourcing risks. Based on multiple research papers that discussed risk mitigation practices, a list of practices was established. The list of risk mitigation practices was used in the survey to identify relations between certain risks, risk mitigation practices, and outsourcing success.

Business criticality The focus of this research lies on business critical and business specific IT systems and services. In order to assess whether a service is critical, a definition was established and used throughout the research. The definition of business critical systems was based on the perspective of business continuity planning (BCP) and business impact analysis (BIA).

Business specificity Next to business criticality, the research similarly puts a focus on specific IT services. The definition of business specific IT services was based on insights from the transaction cost theory, the knowledge based view and dictionary definitions of specific and unique.

IT outsourcing success As part of this research, one of the research questions aimed to answer whether the

characteristics of criticality and specificity of IT services have an influence on the success of the outsourcing deal. In this research design, similar to other research, outsourcing success has been measured based on client satisfaction.

Even though it seems reasonable to assume that critical or specific IT systems have greater outsourcing risks, the relation between these characteristics and IT outsourcing risks has not yet been investigated. In other words, none of the research papers read or discussed in the literature review have categorized IT systems based on criticality or specificity to investigate the differences of IT outsourcing risks between different types of IT systems. Similarly, the influence of criticality and specificity on IT outsourcing success has not been investigated previously. Another topic of interest is the question about which risk mitigation practices can be used to overcome IT outsourcing risks. Based on (single) case studies, scholars have presented several strategies that organizations employ. An additional purpose of this study is to determine which risk mitigation strategies are predominantly used in practice, based on insights from many large organizations.

The current research aims to shed light on all of these areas. The conceptual framework in the next section presents a graphical overview of the purpose of this study.

3.2 Variable relations

The conceptual framework consists of six models, that each build on some of the theoretic underpinnings presented earlier. Each of the parts represent a specific purpose of this research (i.e. address one of the research questions). After the six

(17)

models are explained, they are combined into the overall framework.

3.2.1 Business Criticality, Business Specificity, and IT Outsourcing Risk

The first model depicts the potential influence that criticality and specificity have on a certain IT outsourcing risks, as shown in Figure 3.2.1. It relates to the first research question in Section 1.2. It is sought to assess the relation between the variables criticality and specificity, and each IT outsourcing risk derived from the literature analysis. This way, it can be determined which risks are influenced by criticality or specificity, and which risks are independent of those variables. As shown in Figure 3.2.1, the variables of criticality and specificity may also overlap. In subsequent stages of this research, IT systems that are both critical and specific will be referred to as vital.

Figure 3.2.1 The influence of criticality and specificity on IT outsourcing risks.

3.2.2 Business Criticality, Business Specificity, and IT Outsourcing Success

The second part of the conceptual framework is concerned with the influence that criticality and specificity have on IT outsourcing success and also relates to the first research question (see Section 1.2). For example, it is possible that in practice generic IT systems are often successfully outsourced, whilst business critical systems are not. Figure 3.2.2 depicts this relation graphically. Equal to the previous section, the combination of both variables is also investigated, as shown by the overlapping area in Figure 3.2.2.

Figure 3.2.2 The influence of criticality and specificity on IT outsourcing success.

3.2.3 IT Outsourcing Risk and IT Outsourcing Success

Whereas in the first model, the IT outsourcing risks are the dependent variables, it can also be investigated whether it has a direct relation with IT outsourcing success. Based on the literature review, it seems reasonable to assume that the presence of certain risk types have high impact on the success factor of an IT outsourcing arrangement. Figure 3.2.3 depicts the relation between risks and success. This model relates to the second research question in Section 1.2.

Figure 3.2.3 The influence of IT outsourcing risks on IT outsourcing success.

(18)

18

The model in Figure 3.2.4 is used to illustrate the possible relations between IT outsourcing risks, and risk mitigation practices that are proposed in literature, thereby providing insight into research question three (see Section 1.2). It is investigated what risk mitigation practices practitioners employ to reduce each IT outsourcing risk.

Figure 3.2.4 The relations between IT outsourcing risks and risk mitigation practices.

3.2.5 Risk Mitigation Practices and IT Outsourcing Success

The last model (shown in Figure 3.2.5) depicts the relation between risk mitigation strategies and IT outsourcing success and is used to provide insights for research question three in Section 1.2.

Figure 3.2.5 The influence of risk mitigation practices on IT outsourcing success.

3.2.6 Overall Conceptual Framework

The models explained above are interrelated and can be combined into a single framework to give a better overview of the purpose of this research. First, an additional step is performed to categorize IT services based on criticality and specificity. In order to do this, the criticality and specificity variables from the first two models are used as axes of a square that is split into 4 parts as shown in Figure 3.2.6.1. As a result, four groups emerge that reflect generic IT services, critical (but not specific) IT services, specific (but not critical IT services) and vital (critical and specific) IT services. Section 5.3.2 in the data analysis explains how the IT systems were categorized.

(19)

The overall conceptual framework is shown in Figure 3.2.6.2. In brief, the framework is used to investigate whether (and how) the IT system type influences IT outsourcing risks and IT outsourcing success, and to determine what risk mitigation practices are used to counter IT outsourcing risks and increase IT outsourcing success.

Figure 3.2.6.2 The overall conceptual framework that displays the relations between specificity and criticality of IT systems, IT outsourcing

risks, risk mitigation practices, and IT outsourcing success.

The relations between the constructs are indicated by arrows. There are arrows missing because it is possible that not every risk type is influenced by the characteristics of the IT service, or that not every risk mitigation practice is used by

organizations to counter an IT outsourcing risk. The IT system type is the independent variable for the IT outsourcing risk and IT outsourcing success constructs, which are the dependent variables. Next to being a dependent variable, IT outsourcing risk itself is an independent variable for outsourcing success. Risk mitigation practices serve as independent variables for IT outsourcing risks, and IT outsourcing success. The next chapter will explain how the precise relationships will be found.

(20)

20

4 Methodology

The conceptual framework from the previous chapter shows the relations between IT outsourcing risks, IT outsourcing success, IT service criticality, IT service specificity and risk mitigation practices. The arguments made in Chapter 1 (i.e. the motivation of this research), as well as the findings in Chapter 2 (i.e. the literature review) form a strong foundation to assume the validity of the proposed model. However, this validity cannot be claimed without a thorough validation approach. This section explains how the conceptual framework was validated and explored by means of a survey that was spread among IT professionals. The survey set-up is explained in the next section, followed by a description of the data sampling process, the data collection process, and the approach of data analysis.

4.1 Survey Design

A survey was sent out to IT professionals to investigate the relations between the concepts in the conceptual framework (refer to Appendix C for the survey). The questions in the survey were inspired by the findings from previous research and similar to survey questions used by other academics. The survey consisted of 5 parts. Each part will be briefly explained in this section. The survey was evaluated by multiple individuals and finally pre-tested on a sample of 10 IT professionals before it was sent out to the participating organizations.

In the first part of the survey, the participant was asked about the organizations name and size, job title, and whether the organization is a client or supplier of IT services. This information was collected as a possible source of additional insights during the interpretation of the results.

Part two of the survey contained questions about the IT service under study. For example, the participant had to agree or disagree with a set of statements to determine the criticality and specificity of the service (these items were based on the definitions in Sections 2.2 and 2.3). The Likert scale was selected inspired by the methodology of other research papers previously published (Koh et al., 2004; Seddon et al., 2007; Gonzales et al., 2010b), as well as on the basis of a pilot test among IT professionals. The pilot test evaluated the ease of use and effectiveness of a slider scale from 1 - 100, and of a 7 point Likert scale. Participants unanimously agreed that the 7 point Likert scale was easier to fill in and more familiar, and more correctly captured their opinions.

Part three of the survey assessed to what extent the 13 risks defined in Section 2.1.3 had occurred during the outsourcing arrangement under study. Participants could indicate on a 7 point Likert scale to what degree they had experienced each risk. The statements of the Likert scale were drawn from the explanations of the risks in Section 2.1.3. In order to cope with survey fatigue, the 13 risks were randomized for each participant.

The fourth part of the survey presented the participants with the list of risk mitigation practices outlined in Section 2.1.4, with the exception of the mitigation practice of alternative methods of dispute resolution. In the context of this research, alternative methods of dispute resolution are not a mechanism to prevent risks from happening, but rather a method to lower the impact after a problem has occurred. For the remaining risk mitigation practices, the participant could indicate on a 7 point Likert scale to what extent they had adopted each risk mitigation practice for that IT system. Also, soft measures were measured by a focus on trust. Risk mitigation practices were not measured by multiple items, for that would make the survey undesirably long. Risk mitigation practices were presented in random order for each participant to cope with possible survey fatigue.

Finally, the participant was asked four questions concerning the IT department’s satisfaction with the outsourcing arrangement. Three questions related to satisfaction about the performance of the service provider, the added value and costs of the outsourcing arrangement, and the overall satisfaction (see Section 2.1.5. for a review of outsourcing success and how to measure it).

After the creation of the initial survey, it was reviewed independently by a market research practitioner, an IT specialist, and a university professor familiar with IT outsourcing. After incorporating their feedback, the survey was evaluated by 4 IT professionals to judge what scale to use (i.e. a scale from 1 - 100, or a 7 point Likert scale). This initial test was performed to ensure the accuracy of the answers of the participants in order to claim validity of the results. Next, a pretest was

(21)

the data analysis, and to determine the length of the survey. To assess the clarity and effectiveness of the questions, an evaluation sheet was filled out by each test participant. The evaluation sheet is based on the checklist of concerns by Iarossi (2006) about the survey’s purpose and questions. Based on the evaluations, the necessary adjustments were made.

Next to the pretests and item randomization, in order to ensure the reliability of the responses and the appropriateness of the scales, participants were given the option to skip statements if they did not completely understand what was being asked. Overall, this option was not widely taken.

4.2 Sample and Population

The survey was distributed among 2 platforms for IT professionals in The Netherlands, the CIO platform Nederland and the Ngi-NGN platform for IT-professionals, and two associations for IT architects, namely the Nederlands Architectuur Forum (NAF) and the Genootschap voor Informatie Architecten (GIA).

It is argued that the sample dataset is of high quality and properly represents the population of interest. The population of interest is defined as IT services with varying intensities of criticality and specificity. These characteristics are argued to be context independent in that the concepts of criticality and specificity apply to IT services in large as well as in medium or small organizations. Equally, they can be applied to IT services used in different industries independent of the service’s specific purpose. Thus, the choice of organization or industry should not diminish the high validity of the sample set. The organizations that participated in the study were large to medium-sized.

To ensure reliability of the research findings, it was carefully monitored that only client organizations participated in the study, preventing any biased or opportunistic opinion towards possible risks or success of IT outsourcing by service providers or consultant companies. Second, each survey applied to a running service or application that was outsourced, thus reflecting real experience and not merely a hypothetical situation. Third, the survey was specifically aimed at IT managers, architects and CIOs, who were considered to be the right audience for this survey because they are assumed to be less emotionally attached to the system than service or technical coordinators. It is furthermore assumed that the IT managers take a more general strategic, technical and economic perspective than employees who are directly responsible for the SLAs of the system.

4.3 Data Collection

The data was collected through online survey software and spread via an email announcement on the CIO platform and placed on the website of Ngi-NGN. Ngi-NGN, NAF and GIA included a description of the research project and a link to the survey in their newsletters. A call for respondents was furthermore made on the LinkedIn pages of Ngi-NGN, GIA and NAF. Participants were also encouraged to spread the survey in their professional networks. A total of 50 complete surveys were returned, filled in by 37 organizations active in The Netherlands.

4.4 Data Analysis

A data analysis was performed on the responses of the survey. By means of correlation coefficients, significance tests and analysis of variances, the relations described in the conceptual framework were investigated.

The Shapiro-Wilk test was used to determine whether the variables under study followed a normal distribution. It was found that in almost all cases, the null hypothesis was rejected due to a significance level below 0.05. Thus, the assumption of normality needed for parametric statistical tests did not hold. Due to this finding, it was chosen to employ

non-parametric tests for the analysis.

The first step of the data analysis relates to part one of the conceptual framework (see Section 3.2). Using the Spearman correlation, it was determined which IT outsourcing risk is correlated with criticality and/ or specificity and what kind of correlation exists (e.g. positive or negative). The value of the Spearman coefficient is a measure of the relationship between two variables. Values of r vary between -1 and 1, where values above zero indicate a positive correlation and values below zero indicate a reverse correlation. The Spearman coefficient is tested on significance using the two-tailed test.

(22)

22

The same procedure indicated above is also followed to assess the correlation between IT service characteristics and IT outsourcing success for which the dependent variable risk is replaced by success. Correlations between IT outsourcing risks, risk mitigation practices and IT outsourcing success were also measured by means of the Spearman correlation.

In order to investigate differences between the groups generic, specific, critical, and vital, the Mann-Whitney U Test and Kruskal-Wallis tests were used to find significant differences between each group. These tests were also used to find differences between failed and successful outsourcing arrangements.

The above procedures should provide thorough supporting evidence of the possible correlations and patterns in the data. The next chapter will present the results of each statistical method.

IT outsourcing of business critical and business specific IT services: risks and risk mitigation practices

Table of Contents

1 Introduction

2 Theoretical Background

3 Conceptual Framework

4 Methodology