Guidelines for identifying risk vulnerabilities associated with ICT sourcing

As organizations extend their boundaries through sourcing, they need to identify risk vulnerabilities from a wider perspective than before. In particular, organizations that make substantial use of ICT suppliers need to understand the risk vulnerabilities associated with ICT sourcing partnerships. Because these vulnerabilities are discussed at different levels of detail (strategic versus operational) in different sources, no inclusive list of risk vulnerabilities associated with ICT suppliers exists within the ICT industry. This article addresses discrepancies in ICT risk management and the importance of ICT supplier management and, by drawing on the collective knowledge contained in diverse sources, generates two distinct lists of risk vulnerabilities from the customer organization's perspective, in order to accelerate the understanding of exposure when dealing with ICT suppliers.


Introduction
After the September 11th, 2001 terrorist attacks in the USA, risk management received renewed attention as a means of avoiding being placed in jeopardy by an event that might seem unlikely, impossible or even incomprehensible (Anderson, 2001). That tragic event sounded alarm bells for many organizations about the necessity not only to consciously manage risk, but also to be in a position to identify and understand vulnerabilities [1] with regard to risk.
According to the King Report (Institute of Directors, 2002), ICT has had a major impact on the way business is conducted, especially with traditional value chains disintegrating and organizational boundaries becoming blurred. Hunter and Bloch (2003) argue that, given the growing importance of ICT, stakeholders should not only understand what constitutes ICT risk, but also need reassurance that ICT risks are managed effectively and efficiently. As far back as 1998, Leenders and Blenkhorn argued that successful technological risk management requires a strong focus on supplier relationships. Porter (2001) concurs, maintaining that few (if any) organizations are totally self-sufficient and that they rely on suppliers to optimize their value chains. Du Rand (2003) agrees, adding that Information Technology Organizations (ITOs) depend on suppliers to provide technology services and to assist in managing technology risks. ICT risks therefore need to be managed across the entire supply chain, from suppliers to customers, with special emphasis on the transition from ICT suppliers and outsource partners to the internal IT organization, support divisions and/or lines of business.

[1] A vulnerability is a weakness that exposes an organization to hurt, harm or attack and enables the risk to have impact (Oxford; Kliem, 1999).
In agreement with the King Report (Institute of Directors, 2002: 81), which recommends [2] that organizations develop a 'demonstrable system of dynamic risk identification as part of their risk management strategy', Naidoo (2002) asserts that the days of intuitive risk management are over and suggests that in future any such endeavours will be considered poor corporate governance practice. With ICT risk management becoming a legal matter rather than just a managerial necessity, Clemons (2003), at a conference on strategic sourcing, asked whether any support and monitoring systems are available to manage risk and reward in strategic ICT sourcing. Coles and Moulton (2003) point out that traditional ICT risk assessment is, as a rule, approached from within a systems or business process methodology. Most risk assessment models, for example those used by KPMG, Cobit and others, therefore consider risk in its totality and do not provide specific guidelines for identifying risk vulnerabilities associated with sourcing, supplier organizations or supplier relationships. This leaves the organization with a biased view of risk, especially with regard to sourcing and supplier vulnerabilities, and complicates the formulation of a combined risk strategy.
Vulnerabilities associated with supplier relationships are not new, and many clues, hints and points of advice are available from numerous disparate sources, for example project management practices, capability maturity models, software development, project sourcing and outsourcing. However, these are typically employed in an ad hoc manner at an operational or tactical level, and are not synthesised to give a broader, comprehensive view of those vulnerabilities specifically associated with suppliers. In the quest to identify ICT sourcing and supplier vulnerabilities, Anderson (2001) argues that it might be possible to identify many of these vulnerabilities instinctively from within the perspective of ITOs, especially when supplier relationships are actively managed with open communication and information sharing.
The aim of this article is therefore to generate guidelines for identifying risk vulnerabilities from a customer organization's perspective, in order to accelerate understanding of possible exposure when dealing with ICT suppliers. The study includes an analysis of an ITO in which ICT is considered an integral part of the business. The proposed guidelines are not necessarily exhaustive, but they collate suggestions scattered across a number of disparate sources, suggestions which, when viewed holistically, make it possible to identify the most important risk vulnerabilities associated with ICT sourcing.
In order to achieve this objective, the scope of the research covers the following topics:

• The importance of ICT supplier management
• ICT risk vulnerabilities identified in literature
• ICT risk vulnerabilities identified in the case study

The article ends with a short summary of the primary findings.

Methodology
The research scope was limited to two areas expounded upon in the ICT environment, namely supplier management and risk management. The substantial literature review, drawn from accredited academic journals, accepted industry best practice, commercial research institutions and media articles, introduces work already done on these topics and thus confirms the pertinence of the subject. Analysis of the literature (exploratory research) led to the identification of a generic list of ICT risk vulnerabilities. However, since organizations across the world do not as a rule publish or make available all vulnerabilities, the validity of using only a literature review to formulate an inclusive list of risk vulnerabilities was questioned [3]. Moreover, in order to adhere to the principle proposed by Anderson (2001) 'that it might be possible to instinctively identify many ICT vulnerabilities from within the perspective of ITOs', further insight was sought by harvesting vulnerabilities instinctively identified by an ITO. Unfortunately, information used to manage suppliers is for the most part considered confidential by companies, and therefore any elaboration on information contained in company-confidential documentation was minimised as far as possible to include only the gist of the arguments proposed and/or lessons learned. Similarly, opinions expressed by interviewees were only included when they added new insight to the line of reasoning. At all times company sources were treated as extremely confidential. Although this placed a limitation on the value of the study, the authors believe that, viewed holistically, the case study provided enough insight to enhance the literature findings.
The organization chosen for the case study forms part of the financial services industry (including banking) and has well-established e-business channels.
Technology plays a strategic role in the organization and is managed by a large and mature ITO that provides traditional and inventive ICT services to the organization. The ITO has been practising supplier management for over three years and has collected valuable and unique information during this time. Previously unpublished data was therefore collected from its supplier relationship management tool (developed in-house to form a supplier management model), as well as from minutes of meetings and periodic supplier evaluations. ICT supplier risk vulnerabilities were deduced from these sources and organized in the same categories as the list developed from ICT industry sources (i.e. the literature review). Through structured in-depth personal interviews with senior ITO participants [4] involved in managing key ICT supplier relationships, the risk vulnerabilities were further scrutinized to identify the most applicable ones. Matching and comparing the vulnerabilities identified in the literature with those identified in the case study [5] gave valuable insight into the management of ICT supplier risk vulnerabilities. The research method thus formed the basis for a grounded theory approach consisting of three phases, namely (1) identifying research areas of focus, (2) deciding on the most appropriate research design and (3) elaborating on research results (refer to Figure 1).

ICT risk management
Deloach (2001) is of the opinion that current assumptions about and approaches to assessing risk may no longer be appropriate, primarily because risks previously thought impossible are now becoming a reality. Deloach therefore advises organizations to refine their risk management approach towards cost-effective and strategic risk management activities by developing the capability to aggregate risk information and so evaluate risk across the organization more broadly, i.e. also to identify vulnerabilities. The King Report (Institute of Directors, 2002: 97) describes risk management as '…the identification and evaluation of actual and potential risk areas (therefore also vulnerabilities) as they pertain to the company as a total entity, followed by a process of either termination, transfer, acceptance (tolerance) or mitigation of each risk'. Similarly, Suh and Han (2002) describe the purpose of risk management as an effort to minimise expected loss, and risk analysis as the basis on which these risk decisions should be made.
More recently, although not focusing specifically on ICT, the Committee of Sponsoring Organizations of the Treadway Commission (COSO, 2003) provided practical guidance to assist an organization in building effective programmes to identify, measure, prioritize and respond to risk. Of interest is that the framework, like the King Report (Institute of Directors, 2002), includes the identification of vulnerabilities and suggests that risks be identified from both internal and external factors. The internal factors proposed are infrastructure, personnel, process and technology, while the external factors comprise economic, business, natural environment, political, social and technological matters. In order to control and manage risk, the COSO framework encourages the identification of what it calls 'risk events'. In essence, according to the COSO framework, a risk event (RE) occurs when a threat (T) exploits a risk vulnerability (V), thus:

T + V = RE

With regard to ICT risk management, the high rate of development and obsolescence in ICT makes decisions on ICT expenditure particularly difficult.
Traditionally, management has not been able to apply cost/value principles to ICT as easily as to other areas of business. This led to the perception that ICT expenditure is motivated by strategic instinct rather than sound commercial principles. According to Coles and Moulton (2003), traditional ICT risk analysis methodologies therefore wrongly focus only on the possible impact on operations and systems. Risk management models, for example the KPMG IT risk management assessment model, are therefore not holistic in nature: they assess risk only from an internal point of view and/or assume that supplier risks are addressed when various risk categories, e.g. reliability, business focus, IT skills and resources, are evaluated. Similarly, the risk assessment and managerial tools listed by the Institute of Internal Auditors (1998) do not supply specific detail on identifying vulnerabilities associated with ICT suppliers.

The importance of ICT supplier management
According to Ford (1998), changes in the ICT industry, the global economic slowdown, and local and international regulatory requirements are all altering the ICT supplier management landscape. Ford is of the opinion that these changes raise the risk stakes, pushing supplier management to a strategic level. Fernandez (1995) earlier described the characteristics of a strategic supplier relationship as commitment to partnership, early involvement in decision making, mutual trust and crisis management. In agreement with Fernandez, Ford (1998) describes strategic relationships as substantial and maintains that they cannot easily be changed quickly without incurring significant costs, both in terms of disruption and of developing new relationships. Ford therefore asserts that strategic relationships are important assets without which organizations cannot operate or even exist. He adds that an organization's performance does not depend only on its own actions and wishes, especially when interdependencies are present.
Hutt, Stafford, Walker and Reingen (2000) support this thinking, stating that both communication and the proactive exchange of information strengthen relationships. In a similar vein, Leonard (2000) argues that building and maintaining a sound relationship creates alignment between the parties. Lacity (2002) adds another dimension to the line of reasoning by arguing that collaborative interactions occur when both sides share similar goals and comments. However, Lacity stresses that the best relationships embrace mutual dynamics, with each party aiming for fairness, not domination or exploitation. Cooray and Ratnatunga (2002) also believe that through relationship management, successful long-term relationships can be developed despite substantial differences between firms. Melymuka (2003) concurs, arguing that even though not all suppliers are equally important to an organization, supplier management (and the management of the risks associated with it) is now becoming a core competency.

ICT risk vulnerabilities identified in literature
The quest to identify a holistic list of risk vulnerabilities associated with ICT sourcing led to the identification of a number of holistic categories [6] in the literature (refer to Table 1 and Appendix A: ICT supplier vulnerabilities identified in literature). The section that follows summarises the vulnerability categories as presented in Appendix A.
The Cobit guidelines, Cosgroe (2003), Lehmann (2003), Berinato (2004), Kliem (1999), Kern, Willcocks and Lacity (2002) and KPMG (2000 and 2003) all agree that formal supplier contracts need to be entered into in order to minimize risk. All of these sources warn of the typical flaws that arise when contracts are poorly formulated and/or badly understood and managed. Some of the vulnerabilities identified relate specifically to service contracts and their management, for example Service Level Agreements (SLAs) not in place or not agreed upon, only technical metrics defined, undefined procedures, etc. Lacity (2002) describes numerous vulnerabilities in her discussion of ICT outsourcers, putting forward the theory that the very nature of outsourcing agreements and their formalization in legal contracts creates risk. Lacity also maintains that poor understanding of the organization's own ICT portfolio propagates poor vendor practices, thereby increasing risk. Watkins and Bazerman (2003) assert that suppliers should be chosen and managed objectively and not on the basis of personal relationships. Watkins also believes that good communication counters vulnerability between the contracting parties and softens internal organizational obstacles such as silos, which create risk vulnerabilities.
Lehmann (2003a) expresses concern about defective monitoring of actual service delivery, while Kliem (1999) highlights that risk vulnerability might also reside in inappropriate reporting of delivered services. Cobit (IT Governance Institute, 2002) agrees that both of these service delivery issues need to be controlled. In addition, Lacity (2002) mentions poor availability and reliability of systems and of the Internet on the part of service providers, which might hurt business performance. Cosgroe (2003) and Desmond (2003) state that purchasing inappropriate or poor-quality software makes the organization vulnerable to further ICT expense. Coles and Moulton (2003) confirm that some of these vulnerabilities might be the result of an inherent flaw in the software product, e.g. poor security.
Lehmann (2003a), supported by Mphasis (2002), is concerned about factors that influence a supplier, for example mergers and acquisitions, and lawsuits that spill over to affect the organization. According to Mphasis (2002), a supplier's ability to survive is influenced by a number of market forces that can expose an organization's supply chain. Steenstrup et al. (2003) and Lehmann (2003a and b) agree, adding that financial health might also threaten the supplier's ability to survive. Cobit (IT Governance Institute, 2002) and the King Report (Institute of Directors, 2002) are more specific about suppliers' non-compliance with legal and regulatory requirements, for example insider trading, which might expose the organization. Naidoo (2002) adds that suppliers may illicitly use confidential organizational or client information.
The King Report, together with others (Lehmann, 2003; Siegil, 1996; Cosgroe, 2003; Mphasis, 2002; Goodwin, 2003; and Kern et al., 2002), stresses that when suppliers do not disclose or share important internal information with the organization, the organization is left vulnerable to poor service, for example through poorly selected sub-contractors, a high percentage of inexperienced personnel, etc. Varon (2003) also points out that vendors cannot respond well to risks if they under-price. Throughout the literature on the subject it is therefore evident that poor relationships form a breeding ground for vulnerabilities. Kern et al. (2002) and Ford (1998), supported by the Software Engineering Institute (SEI, 2003) and Cobit (IT Governance Institute, 2002), therefore contend that relationships need to be nurtured and not merely managed. According to a further source (2003), a high level of dependency on technology creates vulnerabilities relating to dependency on a supplier.

ICT risk vulnerabilities identified in the case study
In order to adhere to Anderson's (2001) proposition that it might be possible to identify many ICT vulnerabilities instinctively from within the perspective of ITOs, and to Yin's (2003) argument that the sources and nature of many ICT supplier vulnerabilities are only identifiable through confidential sharing of strategic information, further insight was sought by examining vulnerabilities instinctively identified by the ITO [7]. Numerous risk vulnerabilities were identified in the case study documents (refer to Appendix B: Case Study ICT Supplier Key Relationship Vulnerabilities). In matching the industry and case study lists of vulnerability dimensions, it was found that only 14% of vulnerability dimensions were exact matches (see Figure 2). This was primarily because sources address vulnerabilities from either a strategic or a detailed (operational) perspective, i.e. at different levels of detail.
Careful scrutiny of vulnerability dimensions from a holistic perspective, however, again confirmed that vulnerability dimensions are in fact related. Viewing vulnerability dimensions as interdependent entities, i.e. as vulnerability categories, therefore proved extremely valuable not only in drawing comparisons between case study documents and literature findings, but also in guiding the structured interview process that followed (see Table 2).

[7] Company A, 1999-2004. Various confidential documents relating to risk management and strategic supplier management were analysed. The confidential source list consisted of 146 documents. For legal and competitive reasons these documents are not publicly available and are Company A confidential.
Of interest is that although the case study documents, like the literature findings, place strong emphasis on vulnerabilities associated with flawed relationships, vulnerabilities caused by financial exposure, incompetence and compromised integrity are also emphasized. In grouping vulnerability dimensions into vulnerability categories, three new categories could therefore be identified, namely: (1) large financial exposure on the part of the supplier, (2) incompetent service delivery by the supplier and (3) the supplier compromising its integrity. The eight senior managers interviewed (all participating in strategic ICT supplier management) not only confirmed that the vulnerability categories identified in the literature and in the case study documents are applicable and can definitely help organizations to identify risk vulnerabilities associated with strategic ICT sourcing, but also provided practical insight into the successful management of ICT risk vulnerabilities. According to the managers interviewed:

• 'Most vulnerabilities are within the organization's control and a small percentage are within the supplier's control.'
• 'Poor project management and internal control are the root causes of supplier vulnerabilities.'
• 'Be careful of "not authenticating vendor's sales hype" vs. the "true ability" to deliver.'
• 'Supplier management process must be end-to-end and not built around individuals (personalities).'
• 'Be careful of manage-by-contract syndrome. In predictable demand, exact contracting is possible, but with unpredictable demand, non-exact contracting must be done. Not all eventualities can be contracted for, as contracts become difficult to manage or change.'

Industry
• 'Strategic relationships can create reciprocity that does not make business sense.'
• 'An organization's image/reputation might be compromised when using a supplier that is not trusted in the market.'
• 'Appropriate criteria need to be considered in identifying strategic ICT relationships.'
With reference to Table 2, in analysing the frequency of occurrence [8], it became apparent that (1) poor contracts and the management thereof, (2) flawed outsourcing partnerships, (3) not nurturing the quality of the relationship, (4) relationships yielding low economic value, (5) the supplier's lack of enterprise risk assessment and (6) undisclosed information about the supplier's internal operations can be considered the 'more important' risk vulnerability categories identified. However, even though the senior managers interviewed all agreed that the different categories and vulnerability dimensions are applicable, they all rated the list of categories very differently, and it seems that these differences could be the result of the individual's experience, ability, skills and knowledge.
Most interviewees indicated that when vulnerabilities are viewed from a holistic perspective, i.e. as interdependent vulnerability categories, the focus is primarily relegated to the managerial and tactical level.
Although most interviewees indicated that this might be good practice, a number of interviewees argued that at a strategic level (because of the economic impact on the organization, whether in the long term or through large financial investment) vulnerability categories need to be unbundled to expose concealed dimensions and risks. As an example, one participant pointed out that the vulnerability category 'Poor service level agreements and the management thereof' should typically be controlled at an operational level for a specific service that the supplier has agreed to provide. Project or functional control should thus be allocated to the manager who is accountable for managing the SLA, problem solving and reporting. In a large ITO with many projects, functions and supplier SLAs, however, 'poor service level agreements and the management thereof' escalates to a strategic level when the service levels of a particular supplier are consistently inadequate and/or unreliable. The collective economic impact on the organization is then much larger than normally anticipated and requires a higher, strategic-level focus and intervention. In other words, the problem becomes a strategic relationship issue, in which specifics, especially dimensional flaws, become paramount.

[8] Literature and case study company confidential documentation.
Most interviewees were also of the opinion that the organization's own information, practices, processes and procedures can control most of the vulnerabilities encountered. However, some interviewees stressed that the dimensions under the control of the supplier, or mutually controllable by both parties, are the most tedious to manage. Interviewees therefore emphasised that vulnerabilities cannot be mitigated through influence, staying abreast of the supplier's state of affairs and collaboration alone. A robust relationship with suppliers is seen as a key success factor in identifying and influencing risk vulnerabilities. As one interviewee states, 'organisations need to ensure that ICT supplier relationships are of a sound nature, and managed at a strategic level in order to lessen risk vulnerabilities escalating beyond the operational level, thus becoming a strategic concern'.

Conclusion
In this article it is argued that identifying risk vulnerabilities associated with ICT suppliers is becoming a legal necessity. Because vulnerabilities are addressed at different levels of detail in different sources, no inclusive list of risk vulnerabilities associated with ICT suppliers exists within the ICT industry. Drawing on the collective knowledge contained in diverse sources, the main thrust of the article is the formulation of two distinct lists of risk vulnerabilities associated with ICT suppliers, grouped into risk categories (Appendices A and B). Although the knowledge contribution is specific, in that it offers guidelines for identifying risk vulnerabilities associated with ICT sourcing and also provides insight into risk identification, measures to combat risk vulnerabilities still need to be adapted to the specific needs of the individual organization and to the specific circumstances surrounding each risk vulnerability.

Figure 1: Research methodology
Figure 2: Exact matches of vulnerability dimensions