#### Abstract

With the great risk exposed in IT outsourcing, how to assess IT outsourcing risk has become a critical issue. However, most approaches to date still need to adapt to the particular complexity of IT outsourcing risk, since they fall short in subjective bias, accuracy, or efficiency. This paper proposes a dynamic algorithm for risk assessment. It first puts forward an extended three-layer transferring mechanism (risk factors, risks, and risk consequences) based on transaction cost theory (TCT) as the framework of risk analysis, which connects the components in the three layers through preset transferring probabilities and impacts. Then, it establishes an equation group between risk factors and risk consequences, which makes the “attribution” more precise when tracking the specific sources that lead to a certain loss. Namely, in each phase of the outsourcing lifecycle, both the likelihood and the loss of each risk factor and those of each risk are acquired by solving the equation group with real data collected on risk consequences. In this “reverse” way, risk assessment becomes a responsive and interactive process with real data instead of subjective estimation, which improves the accuracy and alleviates bias in risk assessment. The numerical case proves the effectiveness of the algorithm compared with the approach forwarded by other references.

#### 1. Introduction

As IT outsourcing becomes more and more popular as a strategic choice for firms, it has become common sense that it will lead to outsourcing failure, unexpected hazard, or even tremendous loss unless the risks involved are under effective management. Consequently, IT outsourcing risk management is becoming a promising field for both scholars and enterprises.

As the initial phase of risk management, risk assessment is critical for the effectiveness of risk management and is an important contributor to the success of an ITO venture, since an unreasonable risk assessment will undoubtedly lead to excessive bias and uncontrollable hazard in subsequent operations such as risk prioritization and monitoring. Meanwhile, it is indeed necessary to develop a unified risk framework containing perceived risks in relation to ITO practice that affect the manageability of these risks.

Moreover, during the whole IT outsourcing process, risk involves a lot of uncertain, stochastic, and dynamic information due to the characteristics of the market environment, technology innovation, client requirements, and so on. A reasonable and common choice is for the project team to reassess the risk situation with other experts at the end of each phase of the project. However, most project teams do not have enough time to execute the complete process of risk identification and assessment. Therefore, it is critical and urgent for them to find a simpler, faster, and more effective approach, which could help them assess the main risks involved in the outsourcing process.

#### 2. Literature Review

Compared with the variety of approaches like intelligence technologies [1–3] in IT relative field [4–8], the approaches forwarded are still limited for IT outsourcing risk assessment to date. These studies include a knowledge-based risk assessment framework for evaluating web-enabled application outsourcing projects [9], a framework for risk assessment of offshore IT outsourcing [10], risk assessment algorithm based on failure mode and effect analysis (FMEA) [11], or extended DEMATEL method [12]. It is proposed that individual knowledge, experience, and intuitive judgment provide better assessment of risk than probabilistic approach, with fuzzy set theory for risk assessment for capturing the individual intuitive assessment [13]. A hierarchical ITO risk structure representation is also explored to develop a formal model for qualitative risk assessment [14]. The authors also provide an improved decision making method using fuzzy set theory and “Incentre of centroids method” with attempt for converting linguistic data into numeric risk ratings.

Transaction cost theory (TCT) is widely utilized in ITO field for its convenience to establish a framework for analyzing risks between stakeholders. For example, the role of service level agreements in relational management of IT outsourcing is examined [15]. Besides the framework, the risk exposure in ITO is assessed based on TCT [16]. Another paper has assessed ITO models in terms of faithfulness and concluded that the models hardly capture all the essential elements of TCT [17].

Actually, most approaches follow the classical risk exposure (RE) and its extension, where RE is the multiplication of the likelihood and loss of estimated hazard [18]. The approaches provide effective analysis and applicable tool for risk assessment; nevertheless, it should be considered as a limitation of their study in multifold aspects: either in subjective bias caused by the dependency on assessor’s experience and judgment or in inaccuracy from unclear insight into the interrelationship and mechanism of risks, as well as the incapability to deal with dynamic assessment.

In order to alleviate the problems mentioned above, this paper proposes a new assessment algorithm. Based on the work in [19, 20], it first puts forward an extended framework for risk analysis, which takes into consideration both the risk of IT capability decline and the risk consequence of IT business value reduction, and establishes a three-layer transferring mechanism which consists of three risk factors, five risks, and three risk consequences. Based on preset transferring probabilities and impacts among components in the three layers, it then represents the relationship between risk factors and risk consequences as an equation group and discusses the various cases of the equation group and how to adjust the preset values in order to find a unique solution. As long as the real data of the three risk consequences is collected in each phase throughout the life cycle, the likelihood and the loss of each risk factor and of each risk can be obtained. In this way, risk assessment no longer relies merely on assessors’ subjective estimation. Instead, it becomes a responsive and interactive process with real data, which improves the accuracy and alleviates bias of risk assessment. Additionally, it enables the managing team to prioritize and control risk more efficiently and effectively, which will improve the performance of the whole IT outsourcing risk management process.

The paper is organized as follows: Section 3 briefly illustrates the framework, Section 4 explains the algorithm in detail, Section 5 gives a complete numerical case and discussion, and Section 6 summarizes the work in this paper and outlines directions for future study.

#### 3. The Risk Mechanism

Based on agency theory and transaction cost theory, Bahli and Rivard [19, 20] suggest a mechanism of three layers, which is described as follows. The first layer is three major risk factors for IT outsourcing: “transaction,” including five factors such as asset specificity; “client” and “supplier,” both including expertise with the IT operation and expertise with outsourcing. The second layer is four main risks or scenarios that can be associated with outsourcing: “lock-in,” “costly contractual amendments,” and “unexpected transition and management costs,” as well as “disputes and litigation.” The third layer is risk consequence: “cost escalation” and “service debasement.” The mechanism corresponds to those identified in the literature on IT outsourcing risk and provides a deep insight into IT outsourcing risk. However, there are some other factors worthy of consideration too.

As for risk, IT capability diminishing is the one that needs to be seriously treated due to its role in sustaining client’s performance and competitive advantage. Firms that are successful in creating superior IT capability in turn enjoy superior financial performance by bolstering firm revenues and/or decreasing firm costs. Firms that incur the costs of IT without developing an IT capability will be at a comparative disadvantage [21]. It is also investigated how to establish a conceptual framework on the quality-distinction (QD) model of IT capabilities with CMMi processes [22].

A firm’s IT capability is defined as its ability to mobilize and deploy IT-based resources in combination or copresent with other resources and capabilities. Key IT-based resources are classified in the following order: the tangible resource comprising the physical IT infrastructure components, the human IT resources comprising the technical and managerial IT skills, and the intangible IT-enabled resources such as knowledge assets, customer orientation, and synergy [21]. Among IT capability exposed to risk, the ability of control, organization learning, creation, and competing should be concerned particularly. Among the eleven risks discussed by [22], incapability to establish and maintain necessary internal ability and skills as well as the difficulty to construct and respond to fast changing business or technology environment [23, 24], could all be categorized to IT capability diminishing risk.

As for risk consequence, IT business value is the one necessary to pay serious attention to. IS researchers have also begun to employ the resource perspective to expand and deepen our understanding of IT business value [25]. Melville et al. derive an integrative model of IT business value that comprises three domains [25]: focal firm; competitive environment; and macroenvironment. Tallon finds a positive link between alignment and perceived IT business value in each of five primary processes in the value chain [26]. Shin argues that the business value of IT by the importance of complementarity between IT and strategy in firm performance is positively correlative [27]. Moreover, the mechanism of how IT business value is realized from IT at the firm level is also proposed [28–30]. Hence, if IT outsourcing risk is not under control, IT business value will be influenced and how much this value is descended can be estimated through the firm’s value descending, which provides a convenient and corrective way to observe IT outsourcing risk consequence directly from either stock market or firms’ fiscal indicators.

Therefore, extended three layers of risk mechanism (hereinafter “the mechanism”) are constructed and shown as Figure 1.

#### 4. The Algorithm

Denote the components of the risk mechanism in sequential order, respectively. For example, risk factor “transaction” is denoted by RF_{1}, risk “lock-in” is denoted by , and “cost escalation” is denoted by RC_{1}. Assume that the conditional likelihood by the risk factor which the leads to the risk is ; all the probabilities construct a matrix , where . Similarly, assume that the conditional likelihood by the risk which leads to the risk consequence is ; all the probabilities construct a matrix , where .

In order to improve the efficiency and objectiveness of assessment, only the impacts caused by each risk to each risk consequence are preset and fixed during the lifecycle. In other words, impact caused by each risk factor to will be obtained by calculation based on the transferring mechanism. Assume that the impact of the risk consequence caused by the risk is , the impact matrix is a matrix too, and then the impact matrix from to RC is

Initially we will discuss the assessment in one phase and then generalize it to the whole life cycle.

##### 4.1. Assessment in One Phase

In the three layers of risk transferring mechanism of the proposed algorithm, all the coefficients (e.g., conditional likelihood and preset impact) are fixed in the outsourcing process. Consequently, an equation group that links three risk factors and three risk consequences can be established as below: where is the actual loss obtained from reality.

Denote as the transferring coefficient matrix from risk factors to risk consequences. It is easy to know from the mechanism and the construction of the algorithm that

As long as the equation group is solved, the solution vector is the real likelihood of three risk factors.

Therefore, the equation group could also be denoted as

Whether the equation group can find a solution or not depends on . We discuss all the possibilities of as below.

*(**1) ** Is Reversible.* If so, the equation group will find a unique solution:

*(**2) ** Is Not Reversible.* Herein is a redundant matrix and then the equation group will find either limitless solutions or no solution at all. Under such condition, the first task is to simplify the augmented matrix of the equation group. If is consistent, then the constraint relationship between risk factors will be obtained, which will aid the manage team to determine the value of risk factor and risk with reference to realistic situation. If is not consistent, then there is no solution for the equation group, which means needs adjusting. There are two options: one is to adjust values either in or and the other is to adjust values in . Generally, the latter one is preferred since transferring probabilities are comparatively stable during the outsourcing process, and just one or two minor adjustments on impact value will work actually. In practice, in order to enhance the accuracy and efficiency of assessment, it is reasonable to adjust impact estimation to ensure is reversible.

After the solution vector is obtained, the real likelihood of risk is where the real likelihood of the risk is

The real likelihood of the risk consequence is where the real likelihood of the risk consequence is

*(**3) Actual Loss.* After the real likelihood is obtained, the actual loss of risk factors and risks will be calculated. The actual loss of risk factor is
where the actual loss of the risk factor is

The actual loss of the risk is where the actual loss of the risk is
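The one-phase procedure above can be sketched as follows. This is an added example, not code from the paper: because the paper's formulas did not survive on this page, the composition of the coefficient matrix (`transfer_matrix`) and the propagation to risks (`risk_likelihood`) are assumptions, and all sample values are constructed except the “transaction” row of `P`, which uses the numbers quoted in Section 5.1. It distinguishes the invertible (“reversible”) case from the two non-invertible ones, using exact fractions so the rank test is not affected by rounding.

```python
from fractions import Fraction as F

def frac_rows(rows):
    """Parse whitespace-separated decimals into exact fractions."""
    return [[F(v) for v in row.split()] for row in rows]

# P[i][j]: conditional likelihood that risk factor i leads to risk j.
# Row 0 ("transaction") is quoted in Section 5.1; other rows are constructed.
P = frac_rows(["0.15 0.20 0.15 0.35 0.15",
               "0.10 0.10 0.20 0.10 0.50",
               "0.30 0.20 0.30 0.10 0.10"])
# Q[j][k]: conditional likelihood that risk j leads to consequence k (constructed).
Q = frac_rows(["0.5 0.3 0.2", "0.7 0.1 0.2", "0.6 0.2 0.2",
               "0.3 0.4 0.3", "0.1 0.3 0.6"])
# IMPACT[j][k]: preset impact of risk j on consequence k (constructed units).
IMPACT = frac_rows(["8 5 10", "10 5 5", "10 5 5", "10 10 10", "5 10 20"])

def transfer_matrix(P, Q, impact):
    """Assumed composition: A[k][i] = sum_j P[i][j] * Q[j][k] * impact[j][k]."""
    return [[sum(P[i][j] * Q[j][k] * impact[j][k] for j in range(len(Q)))
             for i in range(len(P))] for k in range(len(Q[0]))]

def expected_loss(A, x):
    """Loss per consequence produced by risk-factor likelihoods x."""
    return [sum(a * b for a, b in zip(row, x)) for row in A]

def row_reduce(M, ncols):
    """Reduced row echelon form, pivoting on the first ncols columns only."""
    M, pivots, r = [row[:] for row in M], [], 0
    for c in range(ncols):
        p = next((i for i in range(r, len(M)) if M[i][c] != 0), None)
        if p is None:
            continue
        M[r], M[p] = M[p], M[r]
        M[r] = [v / M[r][c] for v in M[r]]
        for i in range(len(M)):
            if i != r and M[i][c] != 0:
                f = M[i][c]
                M[i] = [a - f * b for a, b in zip(M[i], M[r])]
        pivots.append(c)
        r += 1
    return M, pivots

def assess_phase(A, loss):
    """Classify and solve A x = loss for one phase.

    Returns ("unique", x), ("underdetermined", reduced augmented matrix whose
    rows are the constraints between risk factors), or ("inconsistent", None),
    in which case the preset values need adjusting.
    """
    n = len(A[0])
    aug = [[F(v) for v in row] + [F(l)] for row, l in zip(A, loss)]
    R, pivots = row_reduce(aug, n)
    if any(all(v == 0 for v in row[:n]) and row[n] != 0 for row in R):
        return "inconsistent", None
    if len(pivots) < n:
        return "underdetermined", R
    return "unique", [R[i][n] for i in range(n)]

def risk_likelihood(P, x):
    """Assumed propagation: likelihood of risk j = sum_i x[i] * P[i][j]."""
    return [sum(x[i] * P[i][j] for i in range(len(P))) for j in range(len(P[0]))]

if __name__ == "__main__":
    A = transfer_matrix(P, Q, IMPACT)
    # Constructed "observed" losses, generated from known likelihoods.
    observed = expected_loss(A, [F("0.2"), F("0.1"), F("0.3")])
    status, x = assess_phase(A, observed)
    print(status, [float(v) for v in x])
    print([float(v) for v in risk_likelihood(P, x)])
```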

##### 4.2. Assessment in the Whole Life Cycle

*(**1) Real Likelihood.* For convenience, the dynamic conditions of the phases can be represented in a matrix. Assume that the solutions construct a matrix , the actual losses a matrix , the possibilities of a matrix , and the possibilities of a matrix ; then the equation group can be represented as

Similarly, solve the matrix directly, and then the real likelihood of each risk factor and each risk in the phases can be obtained. Denote the real likelihood of the risk factor in the phase as , and then the real likelihood of the risk factor in the phase will be where the real likelihood of the risk in the phase will be The real likelihood of the risk in the phase will be where the real likelihood of the risk consequence in the phase will be

*(**2) Actual Loss.* The actual loss of risk factor in the phase will be
where the actual loss of the risk factor in the phase will be

The dynamic actual loss of the risk in the phase will be where the actual loss of the risk in the phase will be

It should be noted particularly that, though the quantity of risk factors, risks, and risk consequences are three, five, and three, respectively, the algorithm itself is capable of handling any quantity of risk factors, risks, and risk consequences, as long as the transferring mechanism exists. In other words, when the quantity of risk factors is asymmetric with that of risk consequences, it is still feasible and helpful to construct an equation group as a complementary tool for studying the quantitative constraining relationship between risk factors.

#### 5. A Numerical Case

FSC is one of the biggest semiconductor companies in the USA, with about six billion dollars in annual revenue. This time, they want to develop a kind of embedded software, so they will outsource the software to a supplier in China, who has provided similar IT service for FSC. Since the outsourcing budget is over 10 million dollars and the duration is over one year, FSC treats it as one of the strategic projects for the future, which means the outsourcing failure is unacceptable and unaffordable. In order to safeguard the success of an outsourced project of embedded software development, a management team from IT and business departments in FSC carries out a dynamic risk assessment throughout the outsourcing process. The project is divided into eight phases, and the assessment in the process is shown as below.

##### 5.1. The Process of Assessment

First of all, the outsourcing management team constructs the conditional probability matrix between risk factor and risk and between risk and risk consequence, as well as the impact between risk and risk consequence. Since they are aware of the fact that this methodology is powerful and helpful in tracking the “source” of risks rather than the quantitative accuracy, they agree to value the matrix by comparing the importance of each risk involved, based on their own judgment instead of other complicated approaches such as AHP. For example, according to their own experience, almost one-third of disputes and litigation are led by the potential problems in transaction, so they give a number “0.35” to the conditional probability between risk factor “transaction” and risk “disputes and litigation.” On the other hand, risk factor “transaction” leads to a little more impact on the risk “costly contractual amendments” than the other three risks, namely, “lock-in,” “unexpected transition and management costs,” and “client capability diminishing.” Therefore, the conditional probability between risk factor “transaction” and the four risks is given as (0.15, 0.2, 0.15, and 0.15, resp.). Similarly, the complete conditional probability matrix could be constructed as shown, respectively, below:

According to formula (3), it can be obtained that

In accordance with formulas (16) and (18), the real likelihood of risk factor, risk, and risk consequence in each phase is shown as Table 1.

All the data of likelihood can be demonstrated as Figure 2.

In accordance with formulas (20) and (22), the actual loss of risk factor, risk, and risk consequence in each phase is shown as in Table 2.

Actual loss of risk factor and risk can be demonstrated as in Figure 3.

Actual loss of risk consequence can be demonstrated as in Figure 4.

##### 5.2. Discussion

It can be seen in the preset matrix that FSC emphasizes the risk of IT capability decline and the risk consequence of IT business value decline, which is demonstrated by the high weight and value given to them. This is consistent with the company's serious concern about capability, value, and its position in the industry. Table 1 also demonstrates the change in the attitude and action of the management team over the outsourcing life cycle: initially, they were cautious enough to cope with risk factors “transaction” (RF_{1}) and “supplier” (RF_{3}); accordingly, the real likelihood of risk consequences is low. In the third phase, the team overlooked the situation, which implied the denial of the fact that its real likelihood of risk factor “transaction” (RF_{1}) was high. The main reason is that, in this phase, the supplier felt the task of software development was more difficult than the SLA and asked to raise the contract price. After the request was rejected, the relationship between the two sides was not as friendly as before and the morale of the supplier was affected to a great extent, which was demonstrated sufficiently in the real likelihood and loss in phases three to five. When both sides realized the severity of the problems, they communicated and handled the contradiction between them. Their effort led to the diminishing of the likelihood of risk consequences in subsequent phases, and eventually the outsourcing task was fulfilled successfully.

It is also illustrated in Table 1 that the problems occurring in the third phase were observed by real data. The real likelihood of the risk “disputes and litigation” () in the third to fifth phases were extremely high and so is that of the risk factor “client” (RF_{2}). Accordingly, the loss caused by them is also the largest in the corresponding phase, which is clearly demonstrated in Table 2.

Another important issue can also be found in Table 2, namely, the loss caused by the risk “client ability diminishing” () is the largest in multiple phases. This phenomenon seems contradictory with the serious concern on IT capability. After the real likelihood of the risk is checked, we could find that they are all under the dangerous threshold, which naturally leads to the judgement that the high loss of “client ability diminishing” () results from the high given value. However, it should be noticed that the real likelihood of “client ability diminishing” () is not low enough. All these facts instruct the necessity for FSC to improve their expertise instead of just pushing supplier and avoiding risk in transaction.

It should be noticed from Figures 2, 3, and 4 that the three risk consequences keep the same tendency and are almost stable throughout the whole outsourcing process. However, both the loss and the likelihood of some risk factors fluctuate greatly. The first of them is “supplier” (RF_{3}), which increases by almost eight times during phase 3 and phase 4. The cause has been illustrated above, and it is also a proof of how “loyally” the algorithm records the change. The second is the risk factor “client” (RF_{2}), which increases greatly in phase 2 by likelihood and in phase 3 by loss. This “separation” between likelihood and loss is another real record in outsourcing practice. Another significant phenomenon of the risk factor “client” (RF_{2}) is that it is the only one that does not decrease as other risk factors do during phase 7 and phase 8. The cause is easy to understand: clients always pay attention to the problems of others rather than their own. Nevertheless, it should be a good lesson for FSC and other outsourcing clients that ignoring their internal risks might endanger the success of outsourcing, though this kind of hazard has not been turned into reality in this case.

It can be seen from Table 2 and Figures 2 and 3 that the risk consequence “cost escalation” (RC_{1}) and “quality debasement” (RC_{2}) are under control, which is illustrated by little fluctuation of loss. Meanwhile, the great fluctuation of “IT business value” (RC_{3}) results from the high given value. Additionally, the real condition of the whole life cycle is also illustrated in Figure 2, including the smooth two phases, difficulty caused by problems in phases three to five, and the final success achieved after solving problems.

##### 5.3. Comparison with the Approach by [16]

The approach is comprised of seven procedural steps.

*Step 1. *Identification of ITO risks and their influencing factors which have been used to develop a hierarchical risk assessment model.

*Step 2. *Selection of fuzzy linguistic classification scale for expressing both likelihood of occurrence and impact of risks and also choosing suitable membership functions for each variable.

*Step 3. *Linguistic data (in relation to likelihood of occurrence and impact of risk) for each risk factor have been collected from the experts. Thereafter, linguistic data have been translated into appropriate fuzzy numbers.

*Step 4. *Combined preferences (aggregated decision-making opinion) have been computed using fuzzy aggregation operators.

*Step 5. *Crisp risk rating corresponding to each risk influencing factor has been calculated using “Incentre of centroids method” [31] applicable for generalized trapezoidal fuzzy numbers in fuzzy logic theory.

*Step 6. *Categorization of risks has been carried out based on individual crisp risk ratings.

*Step 7. *An action requirement plan has been formulated with reference to different risk categories.

In order to strictly execute the seven steps mentioned above, FSC called for five experts from the Risk Management Team Lead, Risk Owner, Risk Committee, and Decision Team, who are abbreviated as DM1~5, respectively. At the first phase, they work out linguistic assessment for risk factors and risks; the likelihood of occurrence (L) is shown in Table 3 and impact of risk (I) in Table 4.

FSC also makes use of the commonly used, trapezoidal membership function [31] and “Incentre of centroids method” [32]. Finally, they attained the crisp ratings as shown in Table 5.

After they found it hard to distinguish the importance of risk factors and risks according to the approach, they complained about its inconvenience. Hence they are reluctant to keep assessing afterwards. Indeed, it will take more time and effort to accomplish the same seven procedures in every phase, while the result does not provide them a clear guidance on how to track the risk managerial emphasis. In other words, the advantage of the approach mentioned above is precise, while the disadvantage in both efficiency and practicability is also obvious.

#### 6. Conclusions

Methodologically, this paper enriches the approaches of risk assessment and, in particular, provides a new viewpoint on risk assessment. Conventional risk assessment more or less follows a routine from “cause” to “effect.” The proposed algorithm, however, works in reverse, “backward” from “effect” to “cause.” Namely, it is based on the data of risk consequence that the likelihood and the loss of risk factors and that of risks are assessed.

It handles the complexity of risk mechanism and offers a comprehensive understanding on risks. It analyzes risk comprehensively instead of an isolated way, namely, in the three layers; risk factors, risks, and risk consequences are interconnected with each other; their impact on each other is quantitatively represented by transferring probability and impact; how much hazard an individual one causes to each component in another layer is also reflected by real likelihood and loss. In this way, the role of each component in the mechanism is clearly demonstrated, which provides rationale for risk study.

It provides an effective way to alleviate subjective bias and improve accuracy in assessment. Though preset transferring probability, impact, and IT business value still need estimation, the algorithm relies on real data more than on personal judgment, which is inevitably incomplete and inaccurate in a dynamic and complex environment. Since assessment of risk factors and risks is implemented on the real data of risk consequence, the methodology ensures the minimization of subjective bias.

It also improves the efficiency of risk assessment. As long as the real data of risk consequence is collected and obtained, all the relevant conditions of risk factors and risks are promptly displayed for the managing team. Therefore, they do not have to repeat the conventional estimation in each phase any more, which undoubtedly enhances the efficiency not only of assessment, but also of the whole risk management process. Generally, risk assessment approaches are carried out in a “clockwise” way: at the beginning of each phase, the project team makes a risk assessment and forecast according to their experience and feedback of information. Thus, there will be subjective bias undoubtedly affecting the risk assessment for the past, the present, and the future. Opposite to the traditional way, the algorithm proposed in this paper works in a “reverse” way. That is, the project team will assess the risk factors and risks at the end of each phase based on real loss data collected, which assures the accuracy and reliability of assessment. In other words, a more reasonable risk assessment for the past leads to a better one for the present and the future. Additionally, the “attribution” to the relevant risks and risk factors makes it possible to track more quickly and accurately the specific sources that lead to a certain loss, so that more effective measures can be taken to control risk.

For IT outsourcing risk, the algorithm brings a new resolution into this field, which is very suitable for the characteristics of ITOR, such as the dynamic and uncertain information involved. Moreover, it satisfies the particular requirement for accuracy and efficiency. With the algorithm, it is expected to implement subsequent risk management activities more effectively, which will lead to improved performance of the whole risk management process. Its effectiveness is demonstrated by the numerical case with comparison to the approach forwarded.

With the deep insight into risks provided in this paper, managing team can study cause-effect in risks more rationally and effectively. Since throughout the outsourcing life cycle, the algorithm enables them to position the real “black sheep” or track the potential “trouble-maker,” namely, the risk factors or risks that lead to most of the hazard, they can pay more attention to collecting real data and finding the most proper mitigation. It will be helpful for them to seek the integration of the algorithm with other tools and approaches in order to safeguard the success of IT outsourcing.

The algorithm can be further developed in three dimensions: the first is to further analyze the risk mechanism. For example, risk factors discussed in this paper are comprised of nine risk drivers such as “asset specificity,” which will be more rational to establish the relationship between risk drivers and risk consequence. If so, it will further improve assessment accuracy. The second is to integrate more mathematical assessment methods particularly the methods utilized in IT risk evaluation in order to enhance the coverage and fitness of evaluation methods; the third is to integrate the assessment with subsequent risk operation in risk management process in order to improve total efficiency and effectiveness of the process. In this way, the success of IT outsourcing will be safeguarded to ensure the benefit of IT outsourcing.

#### Conflict of Interests

The authors declare that there is no conflict of interests regarding the publication of this paper.

#### Acknowledgments

This research is supported by the National Natural Science Foundation of China (Grant no. 71401156), the Humanity and Sociology Foundation of the Ministry of Education of China (Grant nos. 10YJC630034 and 11YJC630019), as well as the Zhejiang Provincial Natural Science Foundation of China (no. Y6110539).