IT OUTSOURCING PROJECT RISKS: FROM CLIENT AND

VENDOR PERSPECTIVES

Abstract
This study examines the risk factors of IT outsourcing projects from client and vendor perspective, and
compares their difference. The quasi-Delphi study which consisted of three ranking rounds was
conducted. A number of 41 client project managers and 21 vendor project managers were participated.
This study identifies one of the top three risks ranked by the client has been considered to be of little
importance by the vendor. The findings reveal that the client and vendor have different perceptions on
project risks.
Keywords: Delphi study, Risk identification, IT outsourcing; IT project risk.

INTRODUCTION

Organizations have adopted IT outsourcing to develop its IT or raise its IT capacity for some
beneficial reasons over the last two decades. However, despite the benefits that companies can achieve
from IT outsourcing, outsourcing projects contend with numerous problems. IT outsourcing involves
risks of undesirable outcomes; for example, the difficulty of management and IT control (Choudhury
and Sabherwal, 2003), cost escalation (Bahli and Rivard, 2013), and ensuring IT security (Khalfan,
2004).
IT outsourcing projects involve two types of organization: clients and vendors. The client desires a
reliable product to be delivered on schedule, without defects and under budget. The vendor desires a
high-profit project to be accomplished on time with no overrunning costs or surprises. Based on their
agency relationship, the vendor may perceive project risks in ways that vary from those of the client
(Taylor, 2007). The situation signifies the need for a comprehensive understanding of both the clients
and vendors perceptions of risk.
This study explored the perception gaps regarding project risks between the client and the vendor. A
quasi-Delphi study was conducted to produce a rank-order list of risk factors. The results of the survey
were subsequently compared to identify differences between the client and vendor perceptions of risk.
The study revealed that the client and vendor have different perceptions on project risks.

BACKGROUND

IT outsourcing involves the use of external technological or IT professional resources (Loh and
Venkatraman, 1992). Studies seeking to help companies implement outsourcing have explored the

knowledge of selecting vendors (Barthelemy, 2001; Khan et al., 2011), managing relationships
(Grover et al., 1996; Qi and Chau, 2012), and establishing contracts (Aubert et al., 2005; Osei-Bryson
and Ngwenyama, 2006), and identifying potential risks (Natovich, 2003; Willcocks et al., 1999).
Although IS researchers, such as Natovich (2003), Taylor (2007), Nakatsu and Iacovou (2009), and
Aundhe and Mathew (2009), have extensively explored the risks of IT outsourcing projects, their
investigations have been limited to a single perspective, of either the client or the vendor.
Previous research has indicated a gap of expectations and perceptions of project outcomes among
multiple stakeholders (Jiang et al., 2002). The gap leads to user dissatisfaction with project product or
service. Different stakeholders may have different opinions regarding potential risk factors, and their
opinion would influence the plan of risk control (Keil et al., 2002). Therefore, the perception gap of
risks has drawn researchers' attention. Reconciling the stakeholders perceptions of project risks has
become a common thread through much of the IT literature (Liu et al., 2010; Schmidt et al., 2001). To
manage IT project successfully, project managers and users must have agreement on risks and threats,
and reconcile their viewpoints on the risk assessment. Previous attempts to compare the perspectives
of stakeholders have been limited to general IT projects. The current study is the first to examine the
differences in how the client and vendor prioritize outsourced IT project risks.

DATA COLLECTION

This study adopted a modified version of the Delphi method (Schmidt et al., 2001) because it has been
used extensively in information systems (IS) research to yield reliable risk rankings. The panelists in
this study were experienced IT project managers from organizations that have been involved in IT
outsourcing activities for several years. The sampling frame was gathered from the members of the
Project Management Institute (PMI) and multiple organizations from Taiwan and Indonesia. A total of
62 project managers initially agreed to participate in the first round: 41 on the client panel and 21 on
the vendor panel. Table 1 shows the demographical characteristics of the sample. Three indicators are
used to assess their experience: years of IT experience, the total number of projects, and the total
number of outsourced IT projects that have been managed by the panelist over their career. On
average, panelists have 8 years of IT experience and have managed at least two outsourced IT projects.
The panelists work in different organizations which include a wide range of industries.

Client panel

Work experience (years)

No. of projecta
No. of outsourced project
IS employees in company

Vendor panel

Mean

Max

Min

Mean

Max

Min

7.5
15.5
4
42

25
30
6
300

2
2
2
10

8.8
16.9
7.5
190

25
41
16
500

2
6
2
10

Size of panel
Gender: Male
Female
Org. industry : IT Service
Manufacturing
Distribution
Government
Financial services
Medical
Others

Table 1.

Number
41
38
3
15
9
4
2
3
3
5

%
92.7
7.3
36.6
22
9.8
4.9
7.3
7.3
12

Number
21
15
6
19
2

%
71.4
28.6
90.5
9.5

Panel demographics
a
= all IT projects, including in-house and outsourced projects

This study employed a variation of the Delphi survey method developed by Schmidt (1997). The
quasi-Delphi survey consisted of two phases. The first phase was designed to assemble a list of risks in
IT outsourcing projects from IS literature. The second phase, consisting of three rounds, was designed
to rank the identified risks. Data were distributed using paper-based questionnaires, electronic mail,
and online survey tools. In Phase 1, a list of 34 risk items assembled from the literature was presented
to several panelists. The risks occurred at a frequency of 50% or higher were retained for the next
phase. As a result, all 34 risk factors were remained.
In Phase 2, the panels were separated into clients and vendors, allowing each panel to participate in
three ranking rounds independently. The ranking rounds were complete when an acceptable level of
consensus (Kendalls W > 0.5) was reached following (Schmidt, 1997). In addition, the inversion to
the ranking of risk factors is performed to compute Kendalls W. In this phase, the panelists were also
asked to add extra critical risk items but none provided additional ones.
In the first round, each panel was presented a list of 34 risk factors derived from Phase 1. Panelists
were asked to rank and rate each risk factor on a 7-point Likert scale (1=not important, 7=most
important). The rating was used in separate analysis, that is, to show the rating differences between the
vendor and client. A mean rank for each risk factor was computed at the end of each round (round 1 to
round 3). Subsequently, the 20 risk factors with higher mean rank were selected for each panel. In the
second round, each panel was presented a list of 20 risk factors derived from the first round. The
results were summarized and subsequently sent to the panelists as part of round 3s questionnaire. In
the third round, the panelists were asked to rank their top 10 risk factors from a list of 20.

RESULT AND ANALYSIS

The quasi-Delphi survey resulted in a moderate level of consensus among panelists (Kendalls W >
0.5). The final round resulted in a Kendalls W of 0.638 on the client side, and a Kendalls W of 0.572
on the vendor side. According to Schmidt (1997), Kendalls rank-order correlation coefficient (T) was

computed to test the agreement between the two panels, and T = .289 was obtained. Consulting a table
of exact probabilities for T (Siegel and Castellan (1988), p. 362) show that the one-tailed probability is
p = .146, suggesting that the two panels viewed risk perception differently. The analysis results
indicate that there are regions of consistency and inconsistency among the client and vendor
perceptions of risk factors. Table 2 lists the comparison between risks ranked as most important by the
client and the vendor.
Risk factors
A. Lack of communication between client-vendor
B. Incomplete contracting
C. Lack of vendor commitment
D. Lack of top management support
E. Lack of schedule and budget management
F. Inadequate planning
G. Vendor financial instability
H. Poor vendor selection criteria and process by client
I. Requirements misunderstanding (or unclear)
J. Lack of experience and expertise with project activities
K. Inadequate staffing
L. Failure to consider all costs
M. Poor change management
N. Lack of active management of the vendor on contract and relationship
O. Lack of knowledge transfer
P. Biased portrayal by vendor
Q. Customization of product
R. Lack of documentation management
S. Lack of project management know-how
T. Lack of audit and control from client
U. Lack of effective development methodology
V. Client readiness
W. Improper definition of roles and responsibilities
X. Lack of team morale
Y. Conflict between client and vendor

Table 2.

Client
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20

Vendor
2
1
10
5
4
9
8
6
3
17
19
7
12

20
16
11
13
14
15
18

Comparison of the client and vendor rankings

The analysis results show that the clients and vendors agreed that only five of the same risk factors
were important (score > 3 on average). These risks include: lack of communication between the client
and the vendor, incomplete outsourcing contract, lack of top management support of the project, lack
of schedule and budget management and inadequate project planning. In addition to the consistency,
the results also reveal that there were disagreements between the clients and vendors. The clients
ranked two important risk factors that are not considered important by the vendor: lack of vendor
commitment to the project, and poor vendor selection criteria and process. The vendors perceived two
risk factors as important that the clients did not: unclear requirements (or requirement
misunderstanding), and lack of experience and expertise with project activities. Lack of vendor
commitment is the third most important risk factor from the clients perspective.

CONCLUSION

This study emphasizes the similarities and differences in the perceptions of two groups, clients and
vendors, regarding the importance of outsourced IT project risks. Based on a literature review, we
assembled 34 risk factors of outsourced IT projects. By conducting a quasi-Delphi study, we analysed
data from the separate perspectives of client panelists and vendor panelists, comparing the findings
from both panels. We subsequently identified a consistent zone containing risk factors on which the
two panels agreed, as well as inconsistent zones representing risk factors that were ranked as important
by the clients but not by the vendors (or vice versa). The results indicate five important risk factors on
which both clients and vendors agree. However, two of the seven important risks ranked by the client
panel were not considered important (average score of less than 3) by the vendor panel. The study
results provide the evidence that the clients and vendors perceived the importance of project risks
differently, particularly those that stem from the opposite side. The results of identifying and

comparing risk perceptions broaden the understanding of IT outsourcing project risk, and
provide insights that may help facilitate the success of IT outsourcing.

Acknowledgment
This study is supported by NSC 102-2410-H-155-036-MY2

References
Choudhury, V. and Sabherwal, R. (2003). Portfolios of control in outsourced software development
projects. Information Systems Research, 14 (3), 291-314.
Natovich, J. (2003). Vendor related risks in IT development: A chronology of an outsourced project
failure. Technology Analysis & Strategic Management, 15 (4), 409-419.
Bahli, B. and Rivard, S. (2013). Cost escalation in information technology outsourcing: A moderated
mediation study. Decision Support Systems, 56, 37-47.
Khalfan, A.M. (2004). Information security considerations in IS/IT outsourcing projects: a descriptive
case study of two sectors. International Journal of Information Management, 24 (1), 29-42.
Taylor, H. (2007). Outsourced IT projects from the vendor perspective: different goals, different risks.
Journal of Global Information Management (JGIM), 15 (2), 1-27.
Loh, L. and Venkatraman, N. (1992). Determinants of information technology outsourcing: a crosssectional analysis. International Financial Services Research Center, Sloan School of Management,
Massachusetts Institute of Technology.
Barthelemy, J. (2001). The hidden costs of IT outsourcing. Sloan management review, 42 (3), 60-69.

Khan, S.U., Niazi, M. and Ahmad, R. (2011). Barriers in the selection of offshore software
development outsourcing vendors: An exploratory study using a systematic literature review.
Information and Software Technology, 53 (7), 693-706.
Grover, V., Cheon, M.J. and Teng, J.T. (1996). The effect of service quality and partnership on the
outsourcing of information systems functions. Journal of Management Information Systems, 12 (4),
89-116.
Qi, C. and Chau, P.Y. (2012). Relationship, contract and IT outsourcing success: Evidence from two
descriptive case studies. Decision Support Systems, 53 (4), 859-869.
Aubert, B.A., Patry, M. and Rivard, S. (2005). A framework for information technology outsourcing
risk management. ACM SIGMIS Database, 36 (4), 9-28.
Osei-Bryson, K.-M. and Ngwenyama, O.K. (2006). Managing risks in information systems
outsourcing: An approach to analyzing outsourcing risks and structuring incentive contracts.
European Journal of Operational Research, 174 (1), 245-264.
Willcocks, L.P., Lacity, M.C. and Kern, T. (1999). Risk mitigation in IT outsourcing strategy revisited:
longitudinal case research at LISA. The Journal of Strategic Information Systems, 8 (3), 285-314.
Nakatsu, R.T. and Iacovou, C.L. (2009). A comparative study of important risk factors involved in
offshore and domestic outsourcing of software development projects: A two-panel Delphi study.
Information & Management, 46 (1), 57-68.
Aundhe, M.D. and Mathew, S.K. (2009). Risks in offshore IT outsourcing: A service provider
perspective. European Management Journal, 27 (6), 418-428.
Jiang, J.J., Klein, G. and Discenza, R. (2002). Perception differences of software success: provider and
user views of system metrics. Journal of systems and software, 63 (1), 17-27.
Keil, M., Tiwana, A. and Bush, A. (2002). Reconciling user and project manager perceptions of IT
project risk: a Delphi study1. Information Systems Journal, 12 (2), 103-119.
Liu, S., Zhang, J., Keil, M. and Chen, T. (2010). Comparing senior executive and project manager
perceptions of IT project risk: a Chinese Delphi study. Information Systems Journal, 20 (4), 319355.
Schmidt, R., Lyytinen, K., Keil, M. and Cule, P. (2001). Identifying software project risks: an
international Delphi study. Journal of management information systems, 17 (4), 5-36.
Schmidt, R.C. (1997). Managing Delphi Surveys Using Nonparametric Statistical Techniques.
Decision Sciences, 28 (3), 763-774.
Siegel, S. and Castellan, N. (1988). Nonparametric statistics for the behavioral sciences McGraw-Hill,
New York.