CHAPTER 5: PRESENTATION AND DISCUSSION OF FINDINGS
5.2 Findings and discussion
5.3.6 Additional themes that emerged from the analysis of interviews
From the analysis of the interviews, two additional themes emerged. These themes are not related to the primary objective of this study; they are, however, significant to that objective. These themes are presented below.
5.3.6.1 Constituting a Risk Committee
From the analysis of the interviews, many of the participants emphasised that organisations must set up a Risk Committee that will be responsible for managing ITO risks. The Committee should, according to a participant,
“…be in charge of identifying, assessing and establishing management controls of potential ITO risks in the organisation.” (ExPart1)
As explained by participants, the role of the Committee will be to establish adequate plans, and to execute and monitor the series of activities required to effectively identify, assess and treat ITSP’s risks. In a study on risk management of ITO, Syed et al. (2007) indicated that in the management of the risks of ITO, it is important to constitute a Risk Committee that will be responsible for the identification, assessment and treatment of risks.
Another point raised regarding constituting a Risk Committee is the composition of the Committee. Participants of this study indicated that it is important for the Risk Committee to be multidisciplinary. Similarly, in the Deloitte (2014c) Risk Committee resource guide, it is emphasised that the Risk Committee within an organisation should comprise experienced staff members from different departments such as finance, operations, business improvement, and internal audit. This is because the effective management of ITO risks requires adequate experience and expertise to be able to identify possible risks, vulnerabilities and threats associated with the IT service to be outsourced. The experience and expertise of Risk Committee members is also highlighted in standards such as the Risk Management Standards (NIST, 2002) and organisational charters (IBC, 2015), where it is stated that Risk Committee members must have a substantial level of experience and expertise in the principles and practices of risk management.
5.3.6.2 Assurance policies
From the interviews, the assurance policies theme emerged as a means of ensuring effective and sustainable ITO risk management. As illustrated in Figure 5-10, three sub-themes emerged from this theme.
Figure 5-10: Assurance policies theme
Participants mentioned that risk changes over time, often as a result of changes in business activities, processes and structures. Hence, tolerable risks could become intolerable over time. Participants indicated that organisations must identify residual risks of the ITSP by measuring the effectiveness of the risk response strategy implemented to address the current risks of the ITSP. Similarly, ISACA (2017) recommended that organisations must identify residual risks and continue to monitor the tolerance level of the risks on a regular basis because of the changing nature of risk.
From the findings of this study, participants indicated that organisations must incorporate assurance policies into the outsourcing contract. These policies involve processes that would allow for the continuous monitoring of residual risks and identification of potentially new risks. As identified by the participants of this study, some of these processes are presented below.
• Periodic audit – many of the participants of this study indicated that organisations must ensure that they have the right to audit the ITSP on a periodic basis. This will grant the organisation access to check whether ITSPs are complying with the contract terms and SLA, and to check the effectiveness of their controls on a periodic basis. In a study on third-party risk management, Vasant et al. (2017) emphasised that the Risk Committee must ensure that the right to audit, the audit scope, the audit process and the frequency of audit are negotiated with the service provider and documented in the SLA. ISACA (2017) noted that it is essential to plan and conduct periodic IS audits. This is because a periodic IS audit helps to identify potential risks, provides an objective review of the effectiveness and appropriateness of current controls, and generates the information required to update the service provider’s risk profile.
• Periodic testing – some of the participants indicated that organisations must establish a plan that would allow for the periodic testing of controls and contingency plans. One of the participants of this study explained that,
“Organisations must make sure that the contingency measures that are put in place are tested on a regular basis to make sure that they are continuously effective.” (OpPart1)
Periodic testing is recommended as good practice in the Health Insurance Portability and Accountability Act (HIPAA) standard. This standard requires organisations to implement procedures for periodic testing and review of contingency systems or plans in order to ensure the availability of users’ health information when disaster strikes (Hash et al., 2005).
• Periodic meetings – many of the participants indicated that Risk Committees must make provision for periodic meetings. The meetings could be daily, weekly or monthly depending on the criticality of the service. The agenda and purpose of these meetings, according to one of the participants, should be to
“…review the performance of the service provider. The reviews should then be used as a justification to either continue with the ITSP, renegotiate the contract term or move on to another service provider.” (OpPart6)
The need to make provision for regular meetings was also identified in the study of Case (2011), where Risk Committees are recommended to conduct regular SLA performance management meetings. According to Case (2011), at these meetings the service performance should be assessed against the key performance indicators (KPIs) specified in the SLA, with the objective of identifying areas of the SLA that are not met, or that may require improvement and revision.