THE ANALYSIS OF IT OUTSOURCING RISK IDENTIFICATION
ON PRINCIPAL-AGENT THEORY
Lin Qu and Zhongliang Guan
School of Economics and Management, Beijing Jiaotong University, Haidian District, Beijing 100044, China
Keywords: IT, Outsourcing, Risk.
Abstract: IT outsourcing as a strategic business innovation has been adopted by more and more enterprises. The
essence of IT outsourcing service is the Principal-agent relationship between enterprise and agent. As
between enterprise and agent, there is information asymmetry, information distortion, coupled with the
uncertainty of the market and the macroeconomic environment, resulting in IT outsourcing companies in the
implementation encounter various risks existing in the process. This paper discusses the causes of IT
outsourcing risk, and analyzes the losing control risk, uncertainty risk, cost risk and flexibility risk, and base
on this, combined with the comprehensive COSO risk management framework, proposes a model of IT
outsourcing risk identification.
1 INTRODUCTION
In 1989, the data center, network and computer
operations of Kodak which is the world famous
Image processing were outsourced to IBM, Digital
Equipment, and DEC (Zhang Yuanlin, 2008). Thus,
IT outsourcing industry is rapidly developing. So far,
IT outsourcing has become an essential systems
strategy of information field. However, there are
some risks during IT outsourcing. In the empirical
study, about one-third of IT outsourcing cases were
failed in the end (Christine Koh, 2007)
From late 1980s and early 1990s, the study for the
IT outsourcing has gone through several stages, in
the early stages, mainly for IT outsourcing motives
and decision-making analysis. With the further
development of IT outsourcing, more empirical
research for IT outsourcing management focus on
explaining the results of IT outsourcing,
summarizing the experiences of IT outsourcing, and
the study for risk of IT outsourcing is one of the hot
spot.
2 THE LITERATURE REVIEW
2.1 Principal-agent Theory
Principal-agent theory is the main part of the
contract theory in Institutional Economics. The main
research agency relationship is that one or more
actors, according to a ostensive or implied contract,
appoint or hire other actors, At the same time grant
certain right to the latter, and give the payment to the
latter as per quantity and quality of services
provided by latter.
Figure 1: Basic idea of Principal-agent Theory.
488
Qu L. and Guan Z..
THE ANALYSIS OF IT OUTSOURCING RISK IDENTIFICATION ON PRINCIPAL-AGENT THEORY.
DOI: 10.5220/0003617104880491
In Proceedings of the 13th International Conference on Enterprise Information Systems (EIT-2011), pages 488-491
ISBN: 978-989-8425-55-3
Copyright
c
2011 SCITEPRESS (Science and Technology Publications, Lda.)
In the traditional Arrow-Debreu system, the
enterprise is regarded as a "black box", which
absorbs all kinds of factor and take
profit-maximizing behavior within the budget
constraints. This view is too simple, which ignores
the internal information asymmetry and incentive
problems, and can not explain many behaviors of the
modern enterprise. Principal-agent theory goes deep
into the "black box" to research enterprise’s
information asymmetry and incentive problems,
together with transaction cost theory as an integral
part of modern business theory. Principal-agent
relationship is defined as a person or persons (the
client) commission others (agents) according to the
client’s interests and give agents grant to engaging
in certain activities and the corresponding decision,
which is also in IT outsourcing business. In IT
outsourcing, there are many inconsistencies in the
objectives between the agent and the principal.
Agency cost is the important aspect to be considered
of the outsourcing decision. As the complexity of IT
outsourcing, many scholars tried to build a
decision-making model by principal-agent theory for
IT outsourcing.
Zhang Mengjun
2005
2.2 IT Outsourcing Risk Analysis
(1) Hiding Information: it corresponds to the
"principal-agent" model of another very important
concept –“adverse selection”. It is before signing the
contract, the agent has already got some information
which clients do not know, and may be the principal
disadvantage for clients. Therefore, the agents
signed contracts with their advantage, while the
clients are in position against themselves because
they can not get the information, so vulnerable to
damage their own interests. This is opportunistic
behavior during the stage of signing a contract.
Hiding information problems is very universal in
process of outsourcing service provider selection.
Due to asymmetric information, agents understand
their credit and the real technical ability better than
clients, and to provide inadequate or false
information to clients (Yang, 2001).
(2) Hiding Action: it corresponds to another very
important concept of the "principal-agent" model-
"moral hazard", which means: Assuming the
information owned by the principal and the agents
can basically be considered as symmetrical, when
they sign the contract, but after reached a contract,
the client can not observe certain behavior, or
changes in the external environment can been
observed only by agent. In this case, under the
protection of the contract, the agent may take some
action against the client, to the detriment of the
client's interests. This is the opportunistic behavior
during the contract implementation phase. Hidden
action problem is also very universal in the
enterprise contract management process. Once the
outsourcing relationship between providers and
enterprises is fixed in the form of contract, the
enterprises can not understand the operation of the
whole process outsourcing sector as much as before.
When the internal information technology operations
and resources managed by external service providers,
enterprises can not control the outsourced content
directly, not get service from the outsourcer's direct
reports. If the rights and obligations of both parties
are not clearly defined in the contract, the risk of
loss of control is obvious. Such as service quality,
provide efficiency, flexibility to changes in demand
for services, cost control, business trade secrets and
inside information, as well as intellectual property
rights may be at risk (Yang, 2001).
3 CASE STUDY
AND SUGGESTION
3.1 Case Study
(1) The risk of Losing Control: Include, outsourcing
may lead to lose control of providing services on
time and guarantee quality of service; agent and its
staff may be permitted to access to confidential
information; intellectual property protection may be
at risk; any changes on demand must be permitted
by outsourcing agent; outsourcing agent cut its ways
of learning the latest information technology
development and application.(Wen Shaoguo, 2005)
(2) Uncertainty Risk, Include: If outsourcing the
system, companies are able to continue learning and
improving information technology to meet business
needs or not; the relation between software,
hardware, network and application is close and
interdependent, so that outsourcing any one of them
will lead to extreme confusion and uncertainty.
(3) The Cost Risk, Include: information systems
outsourcing may not reduce the cost, unforeseen and
unspecified changes usually bring about higher cost;
agent inherently focused more on profits from its
own interests, of course, want to do less; the
corporate culture between client and agent is
THE ANALYSIS OF IT OUTSOURCING RISK IDENTIFICATION ON PRINCIPAL-AGENT THEORY
489
different , which leads to conflict and inefficiency,
and increases costs (Lu Hong, 2007).
(4) Flexibility risk. The capacity of resource
reorganization, and the adaptability for changes in
business environment; the ability of reengineering
the business process and strategic, also includes
information technology (Lu Hong, 2007)
3.2 Analysis and Advices
The current theory of IT outsourcing risk analysis
and classification has been more perfect, but there is
no good solution for IT outsourcing risk
identification problems in the outsourcing process.
In view of this, the introduction of risk identification
framework is very important; COSO's
comprehensive risk management framework covers
the risk space of business operations better in three
dimensions, and able to do identify risks qualitative
analysis effectively. For some characteristics of IT
outsourcing risk, I modify the ERM framework:
Figure 2: Framework of COSO Risk Management.
The first dimension is the enterprise objectives of IT
outsourcing, including the strategic level objectives,
management level objectives and operational level
objectives; the second dimension is all the enterprise
levels, including the entire enterprise, the various
functional departments, business lines and
subsidiaries; the third dimension is the seven factors
in the IT outsourcing risk management, including
the internal environment, goal setting, risk
assessment, risk response, control activities,
information and communication, monitoring.
This paper modifies the third dimension of COSO,
and redefines the seven factors according to the IT
outsourcing characteristics and objectives to be
achieved; the following is the main content:
Figure 3: Framework of IT Outsourcing Risk
Identification.
1. Business ethics and staff competence, staff
training, management business model, distribution
of authority and the way responsibilities of IT
outsourcing agent, also includes the corporate
culture.
2. IT outsourcing business managers determine the
strategic business objective, identify relevant
sub-goals down to every level in the enterprise and
the implementation
3. Risk assessment can enable enterprises to
understand how the potential issues affect goals of
IT outsourcing. Managers should assess risk from
two aspects – the likelihood and impact of risk.
4. IT outsourcing managers can develop different
risk response schemes, consider how each scheme
impact the likelihood of matters and issues the
impact on enterprise under the risk tolerance and
cost-effective premise. Management should also
design and implement of risk response schemes.
5. Control activities are relevant policy and
procedure to help to ensure the correct
implementation of risk response programs, including
procedures and policies of approval, authorization,
adjustment and evaluation between IT contractor
and subcontractor which are used to execute the
program successfully. Control activity is part of the
process to achieve business goals, usually consists of
two elements: a policy to determine what should be
done and a series of processes influencing this
policy
6. Enterprise and IT contractors can communicate
effectively or not.
ICEIS 2011 - 13th International Conference on Enterprise Information Systems
490
7. Monitoring of enterprise risk management is a
process of assessing the content of risk management
elements, operation, and implementation quality for
a period. Enterprises have two ways to monitor risk
management - continuous monitoring and individual
assessment. Continuous monitoring and individual
assessments are used to ensure that enterprise risk
management continues to be implemented in the
enterprise management level and within the various
departments.
4 CONCLUSIONS
There are various risks during the cooperation
between the enterprise and subcontractor, due to
information asymmetry, information distortion,
outsourcing market maturity, the competitive
environment of uncertainty, technology updates,
political, economic, and legal and other factors. In
order to enable enterprises and contractor to achieve
win-win cooperation, both sides should take certain
measures to avoid risks, such as the establishment of
monitoring mechanisms, optimization the contract,
information sharing. The theoretical framework of
risk identification and control during the cooperation
between the enterprise and contractor is of great
significance, is also the focus of future research. In
this paper, combined with COSO comprehensive
enterprise risk management framework, I give the
idea that how to identify the IT outsourcing risk.
Combined with the framework, to identify the risk of
IT outsourcing from qualitative analysis to
quantitative analysis and continuous improvement is
the future work to be performed.
REFERENCES
Zhang Yuanlin (2008) "A Review in IT Outsourcing
Research", China Management Informationization,
2,75-80
Christine Koh 2007 Does IT Outsourcing Create
Firm Value
Liang Xinhong (2004) "The Cause and Risk Prevention of
IT Outsourcing", Science and Technology
Management Research, 1,64-69
Wang Chun (2008) " The Study Review of IT Outsourcing
Risk", Science and Technology Management
Research, 1,64-69
Zhang Mengjun (2005) " Avoid the IT Outsourcing Risk",
Software Engineer,8,45-46
Zhang Qin (2008) "The Review of Risk Management
Theory and Study", Financial Theory and
Practice,8,45-46
COSO2004bEnterprise Risk Management-Intergrated
Framework1-16
Yang Ying (2001) " IT Outsourcing in Enterprises and Its
Risk Analysis ", China Soft Science, 3,98-107
Wen Zhaoguo (2005) " The Risk and Control of IT
Outsourcing ", Economic Tribune,16,57-59
Lu Hong (2007) "The Risk and Solution of IT
Outsourcing", Enterprise Economics,6,49-52
THE ANALYSIS OF IT OUTSOURCING RISK IDENTIFICATION ON PRINCIPAL-AGENT THEORY
491