The findings of this study showed that the risk management process is cyclic and sequential. The framework developed in this study is based on the relationships among the main themes generated from the findings. These main themes represent the components of the governance framework for ITSPRM: governance, development of an ITO risk profile, auditing the ITSP, treating risks and risk assurance policies, as illustrated in Figure 5-12. The sub-themes of the Governance theme, which include constituting a Risk Committee, documentation and communication, are integrated into the holistic model to manage ITO risks effectively, specifically the risks of the ITSP. The components of the framework and their relationships with one another are discussed below.
Constitute a Risk Committee – the findings of this study showed that organisations must set up a Risk Committee that will be responsible for managing ITO risks. The Committee must be multidisciplinary. Its responsibilities include ensuring that appropriate risk management approaches, methods and tools are used to identify, assess and treat the ITSP’s risks, and ensuring the integration of risk management practices with ITO practices.
Develop ITO risk profile – The findings of this study showed that at the initial stage of an ITO initiative, organisations must develop a risk profile of the initiative. This risk profile presents the risk exposure of outsourcing the proposed IT service to an ITSP. From the findings of this study, to develop an ITO risk profile, Risk Committees must establish the ITO risk context, conduct a capacity assessment of potential ITSPs and develop an ITO risk register. Developing an ITO risk profile allows the Risk Committee to identify the inherent risks of the ITSP, select the low-risk potential ITSP, and establish the assessment criteria, parameters and scope for an IT audit exercise.
ITSP audit – From the findings of this study, it was established that the next step after developing a risk profile is to audit the selected ITSP. This is the process of examining the appropriateness and effectiveness of the ITSP’s controls in managing inherent risks. From the findings of this study, to audit the ITSP, Risk Committees must compare the ITSP risk register with the ITO risk register, measure control effectiveness, analyse the likelihood and impact of risks, and develop a RACM. The audit process allows the Risk Committee to identify the current risks of the ITSP in order of severity. The outcome of the audit then guides the Risk Committee on the risk response strategies to adopt in addressing the current risks of the ITSP.
Treat risk – It was understood from the findings of this study that the next step after auditing the ITSP is to treat its current risks. This stage requires that the Risk Committee is familiar with the risk tolerance and appetite of the organisation, because treating risks involves adopting and implementing appropriate risk response strategies to manage the current risks of the ITSP based on that tolerance and appetite. The applicable risk response strategies are risk acceptance, mitigation, transference and avoidance. Considering that risks cannot be totally eliminated and that risks change, Risk Committees must identify residual risks, which must be monitored continuously.
Risk assurance – from the findings of this study, it was understood that risks change as the business changes. After treating risks, Risk Committees must therefore make provision for continual monitoring of risks. As such, Risk Committees must incorporate assurance policies in the ITO contract. These policies should include processes such as periodic audits, periodic testing of contingency plans, and periodic meetings and reviews, as identified in this study. These processes allow Risk Committees to check the compliance status of the ITSP, check that residual risks are still tolerable, and identify potential new risks on a regular basis. Through regular meetings and reviews, the Risk Committee is then expected to update the ITO risk profile.
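As an added illustration, not part of the study or its framework, the audit and treatment steps above can be modelled in a small Python script: compare the two risk registers, score each current risk from likelihood, impact and the measured control effectiveness, rank by severity, and choose a response strategy against the organisation's appetite and tolerance. The 1–5 scales, the scoring formula, the `transferable` flag and the threshold rule are assumptions of this example, and all register entries and audit values are constructed.

```python
from dataclasses import dataclass

# Constructed sample registers (not from the study): the organisation's ITO
# risk register and the register the ITSP presented during the audit.
ITO_RISK_REGISTER = {"data breach", "service outage", "vendor lock-in", "non-compliance"}
ITSP_RISK_REGISTER = {"data breach", "service outage"}

@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: int               # assumed scale 1 (rare) .. 5 (almost certain)
    impact: int                   # assumed scale 1 (negligible) .. 5 (severe), e.g. from a BIA
    control_effectiveness: float  # 0.0 (no control) .. 1.0 (fully effective), measured in the audit
    transferable: bool = False    # hypothetical flag: can the risk be shifted by contract or insurance?

    def inherent_score(self) -> int:
        return self.likelihood * self.impact          # risk before the ITSP's controls
    def residual_score(self) -> float:
        # current risk remaining once the measured control effectiveness is applied (assumed formula)
        return round(self.inherent_score() * (1.0 - self.control_effectiveness), 2)

def gap_analysis(ito_register: set, itsp_register: set) -> list:
    """Compare registers: ITO risks the ITSP's own register does not address."""
    return sorted(ito_register - itsp_register)

def audit(risks: list) -> list:
    """Order the ITSP's current risks by severity, most severe first."""
    return sorted(risks, key=lambda r: r.residual_score(), reverse=True)

def response_strategy(risk: Risk, appetite: float, tolerance: float) -> str:
    """Assumed decision rule: residual score checked against appetite and tolerance thresholds."""
    score = risk.residual_score()
    if score <= appetite:
        return "accept"      # within appetite: accept, keep monitoring the residual risk
    if score <= tolerance:
        return "mitigate"    # above appetite but tolerable: reduce it
    if risk.transferable:
        return "transfer"    # intolerable but shiftable (contract terms, insurance)
    return "avoid"           # intolerable and not shiftable: do not outsource this part

def treatment_plan(risks: list, appetite: float, tolerance: float) -> list:
    # (name, residual score, strategy) per risk, in the severity order produced by the audit
    return [(r.name, r.residual_score(), response_strategy(r, appetite, tolerance))
            for r in audit(risks)]

AUDITED_RISKS = [  # constructed audit results for the ITSP, not real measurements
    Risk("data breach", 4, 5, 0.5, transferable=True),
    Risk("service outage", 3, 4, 0.75),
    Risk("vendor lock-in", 2, 3, 0.0),
    Risk("non-compliance", 3, 5, 0.2),
]
```

Running `treatment_plan(AUDITED_RISKS, appetite=4, tolerance=9)` ranks non-compliance first and assigns one of the four strategies the framework lists to each risk; the accepted and mitigated entries are the residual risks the assurance stage keeps monitoring.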
5.4 Conclusion
This chapter presented the findings of this study and, at the same time, showed how the research objectives were achieved. The objectives of this study were highlighted and the findings relating to each of them were presented. Addressing the primary objectives of this study shows that organisations identify the ITSP’s risks through information gathering and capability analysis. The identified risks are assessed by examining control effectiveness and evaluating the probability of occurrence and impact of risks using techniques such as maturity assessment and BIA. The assessed risks are treated by adopting risk response strategies based on the assessment outcome and the organisation’s tolerance/appetite. The findings of the study also show that appropriate governance of the risk management activities facilitates effective identification, assessment and treatment of the ITSP’s risks.
This chapter also presented the findings on the impacts of the four common ITO risks and the controls to mitigate these risks. The findings show that the four common ITO risks are severe enough to cause reputational damage and loss in revenue to outsourcing organisations. However, mitigating controls such as contract obligation, contingency plans, risk resolution plans and E2EE could be used to attenuate the probability of occurrence and impact of ITSP’s risks. Lastly, based on the findings on the primary objectives of this study, a governance Framework for managing the risks of ITSPs was developed and presented. The Framework was developed to facilitate the effective
on the procedures and tools to effectively manage the risk of ITSP throughout the contract period of ITO engagement.