| This study addresses the issue of risk assessment by proposing a conceptual definition for information technology IT outsourcing risk. In addition to an examination of the literature on IT outsourcing, risk research literature in different domains such as finance, economics, insurance, medicine, operations research, software engineering and, information systems was reviewed. As a result of this review, a conceptual definition of IT outsourcing risk was adopted from engineering reference discipline, originally proposed by Kaplan and Garrick (1981). Risk is defined as a set of triplets composed of risk factors, their associated scenarios and, the actual outcomes due to these scenarios.; Moreover, drawing from previous work on IT outsourcing in general and on IT outsourcing risk in particular (Aubert, Patry, Rivard, 1999, 2000, 2001), as well as on transaction cost and agency theory research (Williamson, 1985, Eisenhardt, 1989), this study, then, proceeds to applying the proposed definition of risk to the particular context of IT outsourcing. Hence, a model for assessing Risks of information technology outsourcing is established. A review of the IT outsourcing literature and of transaction cost and agency theory literature led to the identification of the source of risk, that is, the transaction, the client and, the supplier (s) related risks factors; the scenarios that may emerge due to one or a combination of these risk factors. These scenarios may lead to undesirable outcomes but they are certainly not “acts of God”. They are within the limits of “feasible” control by the client. Thereby, they can be acted upon by using risk mitigation mechanisms that help avoid them all together.; This study defines conceptually and operationally each of these constructs. Several of them were first developed in this research. To test the research model, a large survey of Canadian companies was conducted and Partial Least Squares, as a data analysis method, was used to analyse the collected data.; The main idea underlying this research is that risk should not be limited to a probability number but, instead, a set of triplets composed of scenarios (what can happen?), the likelihood of each scenario or risk factors (how is it likely to happen?), risk mitigation mechanisms (what may avoid this scenario of happening?) and the consequences of each scenario (if this scenario happens, what are the undesirable consequences?). (Abstract shortened by UMI.)... |
