SciELO - Scientific Electronic Library Online


JISTEM - Journal of Information Systems and Technology Management

On-line version ISSN 1807-1775

JISTEM J.Inf.Syst. Technol. Manag. vol.8 no.3 São Paulo Sept./Dec. 2011 

Risk analysis in information technology and communication outsourcing





Edmir Parada Vasques Prado

Escola de Artes, Ciências e Humanidades - University of São Paulo, Brazil





This research aims at evaluating the risk analysis process in Information Technology and Communication (ICT) outsourcing conducted by organizations of the private sector. The research is a descriptive, quantitative and transversal study that used the survey method. Data were collected through a questionnaire; the sample is not random, and we used a convenience sampling process. The research contributed to understanding the risk analysis process in ICT services outsourcing, and identified statistically significant relationships between risk analysis and the organization's size and industry, and between risk analysis and diversity of outsourced services.

Keywords: Information Technology; Outsourcing; Risk Analysis; Private Sector; Survey.




In today's globalized world, organizations make use of ICT to optimize processes, save costs and gain competitive advantage. Within this context, outsourcing is particularly important because it allows for global sourcing of ICT resources as a way to extend the possibilities of sourcing (Goodman & Ramer, 2007).

The importance of ICT outsourcing is also a reality in Brazil. Moreover, Brazil has a special position, because its ICT market is the largest among Latin American countries, with an annual income of about $21 billion in products and services (King, 2008). Its domestic market is dynamic and, despite Brazil being a developing country, the income generated by services reaches 38% of gross domestic product (GDP), comparable to developed country markets. Other publications, like Computerworld (2008), have highlighted the growth of the outsourcing market and the emergence of new services with higher added value.

Constant change in organizations' environment, innovation and the shortening of technological cycles have become risk factors of great influence in the business environment (Sauso, 2003). Risks have also been studied in relation to outsourcing. According to Willcocks and Lacity (1999), the growth in importance and size of outsourcing deals has resulted in an increased concern with the management of ICT service providers, and most notably the issue of risk mitigation. Therefore, the study of outsourcing risk becomes important because it reduces material and monetary loss in organizations. For Cohen and Young (2006), organizations need to understand the strategies of ICT outsourcing and its importance in the overall outsourcing process, which can provide a competitive advantage.

The risk analysis process is important for organizations that purchase ICT services, as well as for those that provide such services. The analysis of this process helps to identify specific organizational characteristics that are associated with an inadequate risk assessment, which increases the probability of organizations not obtaining the desired return.

This study aims at evaluating the risk analysis process in ICT services outsourcing, conducted by organizations that purchase outsourcing services. To achieve this overall objective two specific goals were defined. These specific goals aim to identify relationships between risk analysis and specific organizational characteristics, and between risk analysis and heterogeneity, represented by the diversity of services, components and activities outsourced.



Organizations are motivated to outsource ICT services by factors such as cost saving, focus on organization's core business, improvement of technology and service quality, and access to knowledge and technology that the organization does not have, among others (Prado & Takaoka, 2002). As a result, outsourcing projects have become more common, and currently a project may involve several organizations globally distributed. This increased the risk involved in outsourcing processes, since outsourcing has increased the number of people and computerized networks that store and manipulate the organization's information. Given this scenario, the risks involved in managing outsourcing projects have grown in importance in recent years (Goodman & Ramer, 2007; Taylor, 2007).

This literature review addressed three topics commonly presented in outsourcing literature: outsourcing services, types of outsourcing models, and risks related to ICT outsourcing.

2.1 Outsourcing Services

There are several ways of classifying ICT resources and activities. This is because ICT is present in most organizational activities and is an integral part of their processes. Additionally, ongoing technological development has made new technology available to organizations and, as a consequence, suppliers have diversified the services they offer. This diversity allows us to classify the services from several viewpoints. Many authors have classified ICT services (Kliem & Ludin, 2000; Leite, 1995). The outsourcing annual edition (2009) classifies ICT services based on the ICT supply market. Smith, Mitra and Narasimhan (1996) classify services in terms of resources used and project features, and Looff (1997) classifies services as a function of information systems, their components and activities. Table 1 shows, based on these studies, the classification of ICT services adopted in this research.



2.2 Types of Outsourcing Models

The outsourcing models can be classified in several ways. Leite (1994) classified the models of outsourcing based on the number of suppliers involved. For this author, depending on the outsourcing strategy, the organization may choose to outsource ICT to a single vendor (homogeneous model) or to multiple vendors (heterogeneous model). In the first model the organization is very dependent on the supplier, which increases its vulnerability. At the same time, it will be easier to integrate the various outsourced services, and the cost of coordination is reduced, since the organization manages only one vendor. The second model, called heterogeneous, consists of contracting multiple vendors. In this model the organization seeks to gain access to better skills and abilities. For this reason, it delegates the management of ICT services to many suppliers, selecting those that offer better conditions for each activity. Although this choice may seem beneficial, it can reach a level of great diversity, making it difficult to manage technical and administrative activities.

Cohen and Young (2006) identified eight different models of outsourcing, which are shown in Figure 1:

a) Internal delivery. The ICT service is provided by the organization's internal staff, and can also be considered as homogeneous;

b) Shared Services. It creates, in essence, an internal department to provide services to the organization as a whole;

c) Independent Company. This model represents a step forward compared to the Shared Services model, because it creates a new company that will offer ICT services not only to the corporation but also to the ICT market;

d) Total Outsourcing. In this model the organization outsources most of its ICT activities through a single contract with a single outside vendor;

e) Prime Contractor. In this model the organization hires one vendor to provide a range of services, but allows this vendor to subcontract other providers that have better skills to deliver specific services;

f) Best-of-breed consortium. In this model, unlike the Prime Contractor model, the client chooses the best providers for each ICT service and, after that, chooses a vendor to manage all the suppliers;

g) Selective outsourcing. In this case, the organization selects and manages all suppliers. The organization chooses the most appropriate suppliers to perform each service that is necessary;

h) Joint Venture. It is the creation of a new business organization by two or more partners.



2.3 Risks Related to Information and Communication Technology (ICT)

One of the most important factors to consider in the outsourcing process is risk. There are many definitions of risk in the literature, but this work adopts the definition of The Institute of Risk Management (IRM, 2002), which defines risk as the combination of the probability of an uncertain event with its consequences. Every risk has a cause, or a risk factor. Similar definitions can be found in other studies (Aron, Clemons & Reddi, 2005; PMI, 2004; Westerman & Hunter, 2008).

There are different types of risks, which may originate from the organization's internal activities or from its environment. Environmental risk factors, such as the changing business environment and the shortening of technological cycles, have become a great influence on organizations (Rovai, 2005).

The understanding that man has of the universe that surrounds him is limited and imperfect. His perception depends on cultural factors, knowledge and accumulated life experience, which change over time, among other factors. When an appraiser has no previous experience with a certain risk factor, he or she tends to overestimate the probability of occurrence, as well as the impact on the organization. This shows the importance of risk analysis within the context of organizations. This view is also shared by Willcocks, Lacity and Kern (1999) when it comes to the outsourcing of ICT. According to these authors, the growth in importance and size of outsourcing deals has resulted in an increase in concerns with outsourcing and, especially, the issue of reducing the risks associated with outsourcing.

This reality makes risk management an important element in the organizational context. For IRM (2002) risk management should be a continuous process, because it is necessary to analyze all the risks inherent to past and present activities, and especially the future activities of an organization. Figure 2 illustrates the process of risk management applied to business risks analysis.



The risk management process comprises several sub-processes, which are executed sequentially. One of these sub-processes is the Enterprise Risk Analysis, which consists of three steps:

a) Risk identification. Identifies and classifies an organization's exposure to a risk factor. Identifying the risk factor requires deep knowledge of the organization and the market in which it operates. After identification, the risk should be classified as: (1) strategic, dealing with objectives related to the long term; (2) operational, related to the day-to-day issues the organization faces as it strives to achieve its strategic objectives; (3) financial, related to the effective management and control of the organization's finances; (4) knowledge management, regarding the management and control of resources related to organizational knowledge, such as intellectual property, competitive technologies and loss of key personnel; and (5) compliance, related to security, environment, data protection and regulatory issues, among others;

b) Description of risk. Presents identified risks in a structured format. It facilitates risk assessment by describing possible improvement actions, the nature of the risk, the identification of protocols and the monitoring of the risk;

c) Risk estimation. In this step a qualitative and quantitative risk analysis is performed. After the risk estimation is complete, risks can be prioritized, with emphasis on those that have the greatest amount of exposure.

The lack of an adequate analysis of the risks involved in outsourcing can have serious consequences for organizations. Leite (1994) published one of the first works that addressed the risk of outsourcing in Brazilian organizations. His study showed some of the risks involved in the process and their consequences:

a) Loss of autonomy and control. The outsourcing process can lead the organization to a lean structure. However, the organization runs the risk of losing part of its autonomy, since it may not have an internal team to discuss technical issues related to technology strategies. In extreme cases, there may be a total loss of control, with no way to validate suppliers' bids. Moreover, it is difficult, time consuming and expensive to regain control of unsuccessful ICT outsourcing;

b) Rising costs. In some cases, the costs of outsourcing ICT services can move to very high levels and, consequently, transform the organization into a supplier's hostage;

c) Confidentiality. This is one of the most serious risks facing organizations, because there is confidential information that can compromise the organization's success if it becomes public or if the competition has access to it.



The research model is shown in Figure 3 and is designed to meet the objectives of the research. The constructs in the research model were defined from the literature review mentioned in section two of this work and aim to provide a conceptual and operational definition that allows the measurement of variables. The model consists of three constructs:

a) Organizational characteristics. This construct aims to describe the organizational general characteristics that are relevant to the analysis of outsourcing (Prado & Takaoka, 2006);

b) Heterogeneity. Describes the degree of diversity and complexity of outsourced services (Kliem & Ludin, 2000; Leite, 1995; Looff, 1997);

c) Risk analysis. This construct represents the process of risk analysis considered in outsourcing, according to the work of Schmidt and Prado (2008).



The constructs presented in the research model consist of 11 variables, which are described in Table 2. Two hypotheses were developed based on the research model. The first hypothesis (H1) establishes a relationship between organization characteristics and outsourcing risk analysis, and can be described by the following statement: "organizational characteristics, such as size, industry and level of ICT investment, are associated with appropriate risk analysis of ICT outsourcing." And the second hypothesis (H2), establishes a relationship between heterogeneity and risk analysis in ICT outsourcing, and presents the following statement: "high degree of heterogeneity is associated with more formal analysis of risks in outsourcing".




This section describes procedures and methods used in the research. The first item classifies the type of research. The following items describe aspects related to population and sampling, data collection and procedures for data analysis.

4.1 Type of Research

The research proposed in this paper is characterized as a descriptive study, according to Wrightman, Cook and Selltiz (1976). This type of study aims to determine the frequency in which some phenomenon occurs and discover or verify the link between variables. This is a quantitative and transverse type research, because the information was collected once (Malhotra, 2009).

4.2 Population and Sampling

The definition of the target population should contain information about the elements of the sample, and its scope (Aaker, Kumar & Day, 2004). In this research the unit of analysis is the risk assessment made by the organizations, and the unit of observation is the organizations' ICT department. The research scope covers large and medium-sized private organizations that have at least one ICT service outsourced.

We adopted the Fisher's Exact Test statistical technique to analyze the data. This technique applies to contingency tables that have sparse or unbalanced cells and thus applies to small samples. We opted for a non-random sample, with a convenience sampling procedure. According to Aaker et al. (2004) these characteristics are suitable for obtaining information at lower cost. We obtained a sample of 54 organizations.
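As an added illustration (not part of the original article), the sketch below computes the two-sided Fisher's Exact Test for a 2x2 contingency table with exact integer arithmetic, which is why the test remains valid for sparse cells and small samples. The counts are constructed and only total the article's sample size of 54; they are not the study's data, and the function names and the 2x2 simplification are assumptions of this example.

```python
from math import comb

# Constructed counts (NOT the study's data), chosen only so that the total
# matches the article's sample size of 54 organizations.
# Rows: industry (manufacturing, services).
# Columns: risk analysis in supplier selection (adequate, inadequate).
CONSTRUCTED_INDUSTRY_TABLE = [[5, 17],
                              [20, 12]]


def fisher_exact_2x2(table):
    """Return the two-sided Fisher's Exact Test p-value for a 2x2 table.

    With row and column totals fixed, the top-left cell follows a
    hypergeometric distribution. The p-value is the total probability of
    every table that is no more likely than the observed one.
    """
    (a, b), (c, d) = table
    for count in (a, b, c, d):
        if not isinstance(count, int) or count < 0:
            raise ValueError("cells must be non-negative integers")
    row1, row2, col1 = a + b, c + d, a + c
    n = row1 + row2
    if n == 0:
        raise ValueError("table is empty")

    def weight(k):
        # Unnormalised hypergeometric probability of top-left cell == k.
        # Kept as an exact integer so that ties compare exactly.
        return comb(row1, k) * comb(row2, col1 - k)

    # Feasible range of the top-left cell given the fixed margins.
    lowest = max(0, col1 - row2)
    highest = min(row1, col1)

    observed = weight(a)
    as_extreme = sum(w for w in map(weight, range(lowest, highest + 1))
                     if w <= observed)
    # The weights over the feasible range sum to comb(n, col1).
    return as_extreme / comb(n, col1)


def is_significant(table, alpha=0.05):
    """Apply the article's criterion: significance level <= 5%."""
    return fisher_exact_2x2(table) <= alpha


if __name__ == "__main__":
    p = fisher_exact_2x2(CONSTRUCTED_INDUSTRY_TABLE)
    print(f"constructed industry x selection table: p = {p:.4f}")
    print("significant at 5%:", is_significant(CONSTRUCTED_INDUSTRY_TABLE))
```
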

4.3 Data Collection

The data collected were classified as primary data, i.e., data that had not been collected before. The people interviewed were those responsible for the ICT department in the organizations.

A structured questionnaire as an instrument of data collection was adopted in this study. The advantage of this instrument is the cost reduction of the research and the uniformity of measurement. Malhotra (2009) also points out the questionnaire as the best way of gathering information from a large number of respondents. Data were collected in the second half of 2008.

4.4 Data analysis procedures

Data analysis was performed in three stages. In the first stage we used descriptive statistics, which include frequency and contingency tables. The goal of this stage is to describe the sample and learn about the features presented in the research model. In the second stage we analyzed the reliability of the measurement scales using the factor analysis technique. In the last stage we used Fisher's Exact Test in order to verify the research hypotheses.



Data analysis and results are presented in two topics: (1) Reliability of Scales, and (2) Test of Research Hypotheses. The sample consisted of 54 organizations and their characteristics are presented in Table 3. The size of the organization was measured by the number of employees of the organization. The sample comprised 77.8% (46.3% + 31.5%) of large organizations with more than 500 employees, and 96.3% (74.2% + 22.1%) of them invest more than 1.0% of gross annual revenues in ICT. Therefore, the sample is composed mostly of large companies with good investments in ICT, which is appropriate for the purposes of this research.



5.1 Reliability of Scales

We conducted an analysis to improve existing scales, by evaluating the reliability of scales defined in the research model. The heterogeneity is represented by three variables (V1, V2 and V3). The application of factor analysis reduced these three variables to only two: diversity of services (V12) and number of suppliers (V13). These two new variables account for 90.47% of the variance of the three previous variables. With this change the Cronbach's Alpha increased from 0.539 to 0.642.

Likewise, risk analysis is represented by five variables (V7, V8, V9, V10 and V11). The application of factor analysis reduced these five variables to only three: the degree of outsourcing (V7), the selection process (V14) and the hiring process (V15). These two new variables account for 82.14% of the variance of the four previous variables. The research model, simplified by the application of factor analysis, is shown in Figure 4. With this change the Cronbach's Alpha increased from 0.510 to 0.640.



5.2 Test of Research Hypotheses

We analyzed the relationships between variables of the research model according to the research hypotheses. Table 4 presents the results of applying Fisher's Exact Test and highlights the relationships considered statistically significant, i.e., with statistical significance level less than or equal to 5%.



A total of 12 relationships were analyzed; each research hypothesis included the analysis of six relationships. The results showed that hypothesis H1, which suggests a relationship between organizational characteristics and the risk analysis process, had two statistically significant relationships: (1) the relationship between industry and the risk analysis in the suppliers' selection process; and (2) the relationship between organizational size and risk analysis in the suppliers' hiring process.

Analyzing hypothesis H2, which suggests a relationship between heterogeneity and risk analysis process, we found three statistically significant relationships between the diversity of services and: (1) risk analysis associated with the size of outsourcing, (2) risk analysis in the process of vendor selection, and (3) risk analysis in the hiring process.

We made a detailed analysis of the statistically significant relationships and the results are presented in Table 5:

a) Selection process with industry. Manufacturing companies make an inappropriate risk analysis in the suppliers' selection process, while services companies make a good analysis of this type of risk.

b) Hiring process with size of organizations. Medium-sized companies make almost no risk analysis in the suppliers' hiring process, while companies with more than 1,000 employees and with annual revenues exceeding $1 billion, ranked as Corporation, make a good analysis of this type of risk.

c) Degree of outsourcing with risk analysis. The greater the degree of diversity of outsourced services, the more elaborate the risk analyses are in the suppliers' selection and hiring processes.

d) Suppliers' selection process and service diversity. Just as in the previous relationship, the greater the diversity of outsourced services, the more elaborate the risk assessments associated with the suppliers' selection process are. That was the relationship that had the highest level of statistical significance, as shown in Table 4.

e) Suppliers' hiring process and service diversity. This was the only relationship in which the association was negative, i.e., services with lower diversity were associated with more elaborate risk analysis in the suppliers' hiring process.




The aim of this paper was to evaluate the process of risk analysis in ICT service outsourcing. This goal was achieved through a survey that analyzed 54 private sector organizations. We tested three hypotheses regarding the risk analysis in ICT outsourcing. Two hypotheses were confirmed and are the main contributions of this research.

a) Association between risk analysis in ICT outsourcing and organizational characteristics. The organizational characteristics considered in this study were the organization's size and its industry. The analysis showed that large organizations make better risk analysis of ICT service outsourcing, and also that organizations that belong to the service industry make better analyses than those in the manufacturing industry. This result is consistent with the case studies conducted by Schmidt and Prado (2008) who found that large corporations, working in the service industry, perform better outsourcing risk analyses.

b) Association between outsourcing risk analysis and heterogeneity. This association was the strongest evidence found in this study. The diversity of outsourced services, one characteristic of heterogeneity, had significant association with all variables that represent risk analysis: degree of outsourcing, selection process and hiring process. The association between degree of outsourcing and the selection process was positive, i.e., the greater the diversity of outsourced services, the greater the risk analyses conducted by organizations in the suppliers' selection process and in highly outsourced environments. This result also concurs with other studies (Leite, 1994; Schmidt & Prado, 2008). However, the diversity of outsourced services had a negative association with risk analysis in the hiring process, that is, the greater the diversity of outsourced services, the lesser the risk analyses in the hiring process. This result may be associated with the degree of formality, which is a component of risk analysis in the hiring process. Kishore, Rao, Nam, Rajagopalan and Chaudhury (2003) found that organizations with a stronger outsourcing culture establish relationships with suppliers based more on aspects of trust than on formal contracts.

The concept of heterogeneity is similar to the concept of idiosyncrasy used by the Transaction Cost Theory (TCT) described by Williamson (1975). For the TCT, organizations should outsource assets frequently used and with high specificity (idiosyncratic). This research supports the recommendations of TCT in the specific case of ICT outsourcing, showing that ICT services with a high degree of heterogeneity (idiosyncratic) should be outsourced, but with an appropriate risk assessment.

The results of this study should be considered in light of their limitations. Among them is the one associated with the research method used. A non-random sample obtained through a convenience sampling process does not allow generalization of results. Therefore, we recommend the development of new research based on the propositions of this study. Possible alternatives include the following: replicate this research using a random sample and extend the study to the commercial industry, to allow a better comparison between the various industries.



Aaker, David A., Kumar, V., & Day, George S. (2004). Marketing research, 7th edition. New York: John Wiley & Sons.

Alencar, J. A., & Schmitz, E. A. (2006). Análise de risco em gerência de projetos. Rio de Janeiro: Brasport.

Aron, R., Clemons, E. K., & Reddi, S. (2005). Just right outsourcing: understanding and managing risk. In: Proceedings of the 38th Hawaii International Conference on System Sciences, Hawaii, 2005.

Cohen, L., & Young, A. (2006). Multisourcing: moving beyond outsourcing to achieve growth and agility. Boston: Harvard Business School Press.

Goodman, S. E., & Ramer, R. (2007). Identify and mitigate the risks of global IT outsourcing, Editorial Preface. Journal of Global Information Technology Management, 10(4), 1-6.

IDG Now (2008). Terceirização de infra-estrutura de TIC no Brasil triplicará até 2012. Retrieved June 15, 2009, from

IRM (2002). The risk management standard. Retrieved April 18, 2008, from

King, M. (2008). Brazil information technology report Q3. Retrieved April 22, 2008, from

Kishore, R., Rao, H. R., Nam, K., Rajagopalan, S., & Chaudhury, A. (2003). A relationship perspective on IT outsourcing. Communications of the ACM, 46(12), 87-92.

Kliem, R. L., & Ludin, I. S. (2000). The essentials for successful IT outsourcing. In J. Butler (Org.). Winning the outsourcing game. (57-65). New York: Auerbach Publications.

Lacity, M. C., Willcocks, L. P., & Feeny, D. (1995). IT Outsourcing: maximize flexibility and Control. Harvard Business Review, May/June, 84-93.

Leite, J. C. (1994). Terceirização em informática. São Paulo: Makron Books.

Leite, J. C. (1995). Terceirização em tecnologia no Brasil: investigação sobre a situação da terceirização em Informática no contexto brasileiro. Núcleo de Pesquisa e Publicações e Relatórios de Pesquisa, report no. 13. São Paulo: Fundação Getúlio Vargas.

Looff, L. (1997). Information systems outsourcing decision making: a managerial approach. Hershey: Idea Group Publishing.

Malhotra, Naresh K., & Birks, David F. (2009). Marketing research: an applied orientation, 6th edition. England: Pearson Education.

Outsourcing (2009). Série estudos, annual edition, 6(6). Retrieved September 15, 2009, from

Prado, E. P. V., & Takaoka, H. (2002). Os fatores que motivam a adoção da terceirização da tecnologia de informação: uma análise do setor industrial de São Paulo. Revista de Administração Contemporânea, 6(3), 129-147.

Prado, E. P. V., & Takaoka, H. (2006). Arranjos contratuais na terceirização de serviços de TI em organizações do setor privado. Anais do 30º Encontro Anual da Associação Nacional dos Programas de Pós-graduação em Administração. Salvador.

PMI (2004). A Guide to the Project Management Body of Knowledge - PMBOK Guide. 3rd ed. Newtown Square: PMI.

Rovai, R. L. (2005). Modelo estruturado para gestão de risco em projetos: estudo de múltiplos casos. Doctoral thesis - Escola Politécnica, Universidade de São Paulo, São Paulo.

Sauso, R. (2003). Business and information technology alignment: research propositions related to enterprise architecture frameworks. Helsinki University of Technology.

Schmidt, S. O., & Prado, E. P. V. (2008). Modelos organizacionais da terceirização da tecnologia de informação: um estudo de múltiplos casos. Monograph, Escola de Artes, Ciências e Humanidades, USP, São Paulo.

Smith, A. M., Mitra, S., & Narasimhan, S. (1996). Offshore outsourcing of software development and maintenance: a framework for issues. Information & Management, 31, 165-175.

Taylor, H. (2007). Outsourced IT project from the vendor perspective: different goals, different risks. Journal of Global Information Management, 15(2), 1-27.

Westerman, G., & Hunter, R. (2008). O Risco de TI: convertendo ameaças aos negócios em vantagem competitiva. São Paulo: M. Books.

Willcocks, L. P., & Lacity, M. C. (1999). IT Outsourcing in insurance services: risk, creative contracting and business advantage. Information Systems Journal, 9, 163-180.

Willcocks, Leslie P., Lacity, Mary C., & Kern, Thomas (1999). Risk mitigation in IT outsourcing strategy revisited: longitudinal case research at LISA. Journal of Strategic Information Systems, Sept., 8(3), 285-314.

Williamson, Oliver E. (1975). Markets and hierarchies. New York: The Free Press.

Wrightman, Lawrence S., Cook, Stuart W., & Selltiz, Claire (1976). Research Methods in Social Relations. Publisher: Holt, Rinehart & Winston.



Address for correspondence:
Edmir Parada Vasques Prado
Master's and Doctorate in Business Administration with emphasis on Quantitative Methods and Informatics (FEA/USP, 2000 and 2005)
Professor at the University of São Paulo (USP), School of Arts, Sciences and Humanities (EACH), Information Systems program
Rua Arlindo Béttio, 1000 - Ermelino Matarazzo - CEP: 03828-000
Tel. (11) - 3091.8893
Link to Lattes CV:

Manuscript first received: 21/12/2009
Manuscript accepted: 16/05/2011