ARTICLE IN PRESS

International Journal of Information Management 24 (2004) 167180

Risk management practices in IS outsourcing: an investigation into commercial banks in Nigeria

Bunmi Cynthia Adeleye, Fenio Annansingh, Miguel Baptista Nunes*
Department of Information Studies, University of Shefeld, Shefeld, UK

Abstract This research work focuses on the risk management practices adopted by Commercial Banks in Nigeria that are related to the outsourcing of information systems (IS). The need for the research emerged from the lack of studies addressing these problems in developing countries in general and in this country in particular. The research reported in this paper shows that despite the globally increasing trend of IS outsourcing in the sector, Nigerian commercial banks are lacking in both strategic and operational risk management practices. Consequently, they are especially prone to the adoption inappropriate IS solutions and are vulnerable to IS failure and fraud. The research is empirically based drawing on an extensive literature and case study review as well as an extensive survey of banks in Nigeria. The main method of data collection was a questionnaire sent to 15 commercial banks, which was aimed at respondents in three distinct categories: executive management, systems managers and users. The analysis of the data included both a quantitative and an inductive qualitative approach. The latter was used to draw inferences on the current situation. The ndings revealed that managers of commercial banks understand the nature of IS outsourcing and that they all agreed that adopting risk management practices is important. Nevertheless, the situation is critical. A signicant proportion of the commercial banks have no documented and structured outsourcing strategy or policy; consequently no programme or procedural guidance is available at any level. The study also discovered that contrary to practice in developed countries, the regulatory authorities in Nigeria have not formulated substantive guidelines or procedural rules to be adopted nationally by commercial banks. r 2004 Elsevier Ltd. All rights reserved.
Keywords: Information systems outsourcing; IS risk management; IS strategic thinking; Commercial bank

*Corresponding author. E-mail address: j.m.nunes@shefeld.ac.uk (M.B. Nunes). 0268-4012/$ - see front matter r 2004 Elsevier Ltd. All rights reserved. doi:10.1016/j.ijinfomgt.2003.10.004

ARTICLE IN PRESS
168 B.C. Adeleye et al. / International Journal of Information Management 24 (2004) 167180

1. Introduction and background of study In Nigeria, all banks are licensed by the Central Bank of Nigeria (CBN) and incorporated under the companies and Allied Matters Act of 1990. The intermediation role of banks in a country with an estimated population of 120 million inhabitants results in a pressing need to develop or acquire, install, deploy and maintain top rated information systems (IS). The systems so deployed are expected to be efcient, effective, robust and uid in order to respond and adapt to current and future operational needs. IS plays an important role in the business of any bank. These systems are at the core of the information management of the organisation and allow it to operate efciently and maintain its competitive advantage. According to OBrien (1996, p.7), if information systems do not properly support the strategic objectives, business operations, or management needs of an enterprise, they can seriously damage its prospects for survival and success. This paper further enumerates three vital roles of IS:
* * *

Support of business operations. Support of managerial decision making. Support of strategic competitive advantage.

Consequently and as proposed by Drucker (1995), in todays knowledge-based society information is the framework around which organisations are formed. Banks are no exception as they are expected to make continuous use of the rapid changes in technology in order to improve customer service and to handle new business processes. As banks broaden their services, widen their customer base and extend their services into new geographies, IS plays an important role in this drive to differentiate and compete. Information systems provide better data distribution, integrated business processes, and networked communications, and enable banks to improve customer relationships, as well as streamline overhead costs. (Sun Microsystems, 2001). A number of well-known authors have stressed the critical nature of information systems to banks. Scott (2000) proposes that introducing computer-based information systems will enable most banks to cope with instability in the business environment. Boiney (1999) noted that the role of information systems is being transformed: todays information systems must truly add value to the organisation through the creation, capture, distribution, application, and leveraging of knowledge. On the other hand, White (2002) wrote that the advances in Information and Communications Technology (ICT) are no doubt bringing nancial innovations that are undermining, or may soon undermine, many of the restrictions faced by most commercial banks on clearing houses issues. In agreement, Broady-Preston and Hayward (2001) state that in the current turbulent business environment, quality information is required to ensure that companies achieve competitive advantage by using such information to make decisions more rapidly than their rivals. Similarly, West (1996) suggests that institutions should take advantage of technology so that they will not be left behind in our market economy. Nigerian Banks are no different from other banks in the world. They depend on IS to guarantee differentiation and competitive advantage. However, IS design and development lies outside the basic scope of core retail banking. Thus, most commercial banks in Nigeria resort to outsourcing for the provision and maintenance of their IS. So the success of the organisation itself often

ARTICLE IN PRESS
B.C. Adeleye et al. / International Journal of Information Management 24 (2004) 167180 169

depends on the ability of the given organisation to manage the risks associated with this process of outsourcing.

2. IS outsourcing Generically outsourcing can be dened as the transfer of previously in-house activities to a third party (Lonsdale, 1999). De Looff (1997, p. 30) dened IS outsourcing as the commissioning of part or all of the information systems activities an organisation needs, and/ or transferring the associated human and other IS resources, to one or more external IS suppliers. From reviewed literature, the idea of outsourcing IS seems to have started in 1989 when Eastman Kodak turned over its entire data centre, network and microcomputer operation to three IS external parties (Loh & Venkatraman, 1992). However, Willcocks and Lacity (1998) are of the view that the nature of information systems outsourcing has since evolved. They distinguished complete outsourcing, facility management, systems integration, time-sharing, rental, installation and procurement, and maintenance and programming. More concisely, (Mylott, 1995; Pearlson, 2001; Butler et al., 2001) distinguished two forms of outsourcing, namely: full outsourcing and selective outsourcing. In full outsourcing, all the services are outsourced to the vendor. This is an extreme outsourcing strategy because the entire department information systems duties are assigned to the outsourcing partner as in the case of Eastman Kodak. This, according to Pearlson (2001), happens when an organisation does not see IT as a strategic advantage that should be developed internally. Arguments for full outsourcing usually involve the allocation of organisational resources to areas that can add greater value to the organisations value chain or reduce cost per transaction due to economies of scale. In selective outsourcing, only a range of services is selectively outsourced or contracted to a third party. It often results in greater exibility and better services (Pearlson, 2001). The decision to outsource an organisations activities often results from a careful study of the supply chains Lonsdale (1999). The problem of what to outsource is the most critical decision an organisation has to make in relation to IS. The need for outsourcing has grown over the last two decades due to numerous factors. These include an increase in:
* * * * * * *

global competition, downsizing, the move to atter organisations, the need to reduce cost, improved quality, service and delivery, improved organisational focus, and increase exibility which facilitate change and the emphasis on core competencies (Atkinson, 1985; Dyer & Ouchi, 1993; Huber, 1993; Fan, 2000).

In the banking sector, outsourcing has been a common practice in the last 20 years. Fleck (2002) argues that some of the Swiss banks have realised the demand and are attempting to do what will give them a better chance to serve clients, outsourcing asset management and allocation. Recent examples are the outsourcing facilities management at Sovereign Bank (USA), human resource

ARTICLE IN PRESS
170 B.C. Adeleye et al. / International Journal of Information Management 24 (2004) 167180

outsourcing in Bank of America (USA), the outsourcing agreement between AT&T and IBM at Bank One and the $44 million outsourcing agreement between Coop Bank and Computer Science Corporation also in Switzerland (CSC, 2000). Despite the optimism about benets associated with outsourcing, there is evidence that this process may incur some signicant risks (McFarLan & Nolan, 1995; Lacity & Hirschheim, 1993).

3. Risks associated with IS outsourcing Risks and costs involved in outsourcing are often forgotten when considering the more obvious benets. These risks, however, must be understood in order to make informed decisions which may be of crucial importance for the success of the organisation. This awareness of the possible risks incurred when outsourcing, will enable decision makers and stake holders to take informed decisions and draw contingency and mitigation strategies. Management needs to assess and evaluate the risks and their impact at strategic, tactical and operational levels in a consistent way (Ward & Grifths, 2001). The process of risk assessment in outsourcing is focused on the probability of the occurrence of adverse events such as:
* * * * * *

not achieving the planned benets, not meeting agreed deadlines, using more resources than initially foreseen, change in functional and procedural requirements, budget overrun, and decient change over of systems and nally problems associated with the operation and maintenance of these systems.

If the outsourcing process is not preceded by careful strategic planning and thorough risk assessment it may result in considerable nancial loss, decreased shareholder value, damaged company reputations, the dismissal of senior management, and in some cases the destruction of the business itself (DeLoach, 2000). Vital to the organisations success and survival are active assessment and monitoring of risks, the organisations ability to exibly respond to the occurrence of these adverse events and its ability to mitigate these risks (DeLoach, 2000).

4. The study There is little or no formal research work or body of literature related to IS outsourcing trends in Nigeria. This does not in any way prevent organisations in the country from actually outsourcing some of their operations, and there is sufcient evidence that outsourcing is an emerging way of undertaking business operations in the country. Service offers by reputable multinationals in Nigeria, such as PricewaterhouseCoopers (PwC), Phillips Consulting, Andersen Consulting and Aptech, often mention outsourcing as one of their key deliverables. Banks in Nigeria have, for a very long time, wholly or partly outsourced services such as training, security services, marketing and Information Technology. Schlumberger Omnes, British Telecommunications, and 21st Century Technologies Ltd. are only a few of the current vendors of

ARTICLE IN PRESS
B.C. Adeleye et al. / International Journal of Information Management 24 (2004) 167180 171

IS and platforms outsourced by commercial banks. It is expected that this trend will continue to prevail in the near future. This means that developing countries, like Nigeria, are following trends emerging from different social and economic contexts without the benet of formalised or organised national support structures, policies and guidelines. This need for regulation, strategic thinking and guidelines is particularly important in a country as populous as Nigeria (around 126 million people), where both IS and banking are listed on the Stock Exchange as two vibrant industry sectors (The Nigerian Stock Exchange, 2001). The Central Bank of Nigeria (CBN) is the national organisation that licenses all banks that meet stipulated conditions. The role of CBN is primarily formulating and monitoring the banking system to ensure that operators comply with monetary, credit, and foreign exchange guidelines. There is also the Nigerian Deposit Insurance Corporation (NDIC) that insures the deposits of banks customers and also carries out periodic reviews to ensure the solvency of banks. Nevertheless, the banking system in Nigeria is fairly open. There are over 120 banks in Nigeria in three categories: Commercial, Merchant, Industrial or Development Banks. Currently, there is a trend towards Universal Banking. This allows any interested bank to substitute its license for a universal banking license, which enables it to provide full range of banking and nancial services. Due to economic instability and despite Nigeria being the 6th largest world producer of oil, the banking industry is facing some important problems. Jason (1998) states that fewer than 50 of the over 120 banks are solvent. Five have been liquidated and a further forty-two are in serious difculties. Another 26 were slated for liquidation when the government changed its mind. Consequently, bank watchers say that the future of banking in Nigeria will be tough and competitive. Technology will be the driving and differentiating force, as reported by Baranshamaje et al. (1995): The information revolution offers Africa a dramatic opportunity to leapfrog into the future, breaking out of decades of stagnation or decline [y] If African Countries cannot take advantage of the Information Revolution and surf this great wave of technological change, they may be crushed by it. 4.1. Aims and objectives Despite these facts, the vibrancy and competitive nature of the banking sector and the trend for IS outsourcing in the sector, there is no evidence of signicant literature or theoretical discussion on the risks involved in this practice. This research behind this paper aimed at identifying, understanding and criticising the practices adopted by Nigerian commercial banks when outsourcing there IS. Explicitly, this study aimed at accomplishing a number of goals specically intended to:
*

* * *

acquire a deeper understanding of the current status of IS outsourcing in commercial banks in Nigeria; identify whether policies and guidelines for risk management are available and are followed; identify how the risks associated with IS outsourcing are managed and mitigated; and contribute to the limited body of research literature on IS outsourcing available in Nigeria.

ARTICLE IN PRESS
172 B.C. Adeleye et al. / International Journal of Information Management 24 (2004) 167180

4.2. Research methodology This research was undertaken to study the view of commercial banks on risks management practices in their outsourcing activities, outsourcing strategies, role of users, and disaster recovery procedures. The main objective of the research was to explore the risks involved in outsourcing and the management of these risks. In order to achieve these objectives, a questionnaire-based survey research methodology was used. These questionnaires explored a broad spectrum of questions. The research was conducted in two phases. The rst phase involved preliminary face-to-face discussions with about 20 bank executives, from 30 best of the banks in the Agusto & Co (2001) ranking. These interviews aimed to explore initial assumptions and ascertain institutional willingness to participate in the survey. The initial interviews were then analysed and 15 suitable banking institutions were selected. The second phase involved the preparation and deployment of the main questionnaires. These were designed using the results of the preliminary interviews and the available literature on IS, risk, risk management and outsourcing. The core data of this study were obtained by mailing questionnaires in July 2002 to the 15 banks selected. The target respondents were chosen to encompass a wide range of decision makers in the three broad categories of: executive and senior management, IS/IT managers and IS users. Seven (7) out of the fteen (15) banks responded appropriately to the survey (response rate of 46.6%), including twenty one (21) individual responses (three per bank). The questionnaire used in this study was divided into six sections containing closedended and openedended questions, allowing for data triangulation and validation and hopefully avoiding biased and top-of-the-mind choices. The purpose of the rst two sections was to understand the specic outsourcing strategies and the impacts of outsourcing in the banks. The third section investigated the roles of users and stakeholders in the decision making process. The next two sections aimed to identify risk management procedures and guidelines and investigate how outsourcing risks are managed in these banks. The last section investigated the disaster recovery practices that are adopted by the respondent banks. Each questionnaire was sent with a covering letter explaining the purpose of the study. The length of the questionnaire was taken into consideration and the terms used in the questionnaires were not technical, so no explanations were needed. 4.3. The ndings 4.3.1. Outsourcing strategies From the responses to the questionnaire it became apparent that all seven banks were using computer based IS since they commenced operations and that all of them were engaged in IS outsourcing. However the unique nature of Nigeria has lent a different character to these same practices. In fact, as emerged quite clearly from the responses, the two key regulatory agencies for banks in the country are very slow at keeping up with international standards and best practices, notwithstanding the increasing globalisation of nancial markets and institutions. The country also lacks necessary policy and institutional frameworks from the regulatory authorities. At rst, outsourcing practice seemed to consist of the reactive acquisition of off-the-shelf generic software to resolve particular needs. Current practice has since evolved and seems now to

ARTICLE IN PRESS
B.C. Adeleye et al. / International Journal of Information Management 24 (2004) 167180 173

be based on integrated banking solutions such as GLOBUS, PHOENIX, BANKMASTER RS, FINACLE, MIDAS EQUATIONS, as illustrated in Fig. 1. The outsourcing practices by banks involve considerable amounts of risks and resources and seem to be based on an Everest Syndrome type approach. This refers to the attitude among managers that IS solutions are to be acquired and used for the same reason the British climber George Mallory gave in 1924 when he was asked why he wanted to climb Mount EverestBecause it is there. This is probably a direct consequence of another nding from this study: only the executive management or board of directors make the decisions that usher any process of outsourcing. Given the level of IS implementation in Nigerian banks and the generally adopted practice of outsourcing, it was surprising to nd that six of the banks surveyed do not have explicit outsourcing strategies. Even for the one bank that did have such strategies, it was obvious that these were only scarcely documented and still in the process of being developed. More curiously, one executive manager from another bank declared the existence of such guidelines, but neither the IS manager nor the user were aware of it. However, 43% intend to put in place an outsourcing strategy, while 33% have no idea whether they would be adopting such strategies and 24% stating that they have no intention of doing so (Fig. 2). Nonetheless, when asked if they intend to outsource new systems in the near future all respondents answered yes.
40 35 30

Response (%)

25 20 15 10 5 0 SAP Bankmaster Globus Finacle Phoneix Others

Fig. 1. Banking software currently being used.

Yes 43% No Do not know 24%

33%

Fig. 2. Banks intending to put in place an outsourcing strategy.

ARTICLE IN PRESS
174 B.C. Adeleye et al. / International Journal of Information Management 24 (2004) 167180
Training and education

0% 3% 3% 19% 0% 0% 24%
Data communication networks Support operations (equipment maintenance/ service) Disaster recovery Software development Software maintenance

16%
Telephone support of customers

19% 16%
Development of a fully integrated system (hardware, software or networking) Data centre (computer) operation Other (please describe)

Fig. 3. IS functions currently being outsourced.

This survey also identied that from all respondents who stated that they were outsourcing, 96% stated they were doing it selectively, while 4% do third party maintained. This can be considered as very good practice, since selective outsourcing often results in greater exibility and better services. Fig. 3, shows how different IS functions (that is software development, software maintenance, data communication networks, support operations, training and education) are distributed in terms of outsourcing: training and education (24%), software development (16%), software maintenance (16%), and both support operations and data communication networks (19%). By contrast telephone support of customers and disaster recovery rank as the lowest (3%). This comes as no surprise since customer support is paramount to guarantee customer satisfaction and acceptance and constitutes a core competence of the organisation. Similarly, disaster recovery is also of crucial importance since the costs of disaster are not only of a nancial nature, but have also high visibility and high image and reputation risks. Therefore, banks tend to ensure that both of these services are kept in-house. Furthermore, this research conrms that the banks do see organisational data as a strategic advantage that must be operated and maintained done internally. In fact, all banks surveyed stated that they operated their data centre internally. This is in line with current practice in the banking sector worldwide. On the other side, training and education seemed to be frequently outsourced and this is possibly due to the fact that most of the software is bought from vendors and this often includes training clauses in the contracts.

ARTICLE IN PRESS
B.C. Adeleye et al. / International Journal of Information Management 24 (2004) 167180 175

4.3.2. Impact of outsourcing The decision behind outsourcing is strongly inuenced by high expectations of strategic and operational benets. Different banks may outsource for different reasons, therefore it is important to recognise these differences when assessing the impact of outsourcing in organisations. The banks surveyed stated a number of reasons: improved customer relationships (68.5%), improved management information system (60%) and greater efciency in business processes (65.7%), as well as better utilisation of staff (60%) and improved security (54.2%). Other benets mentioned are: specialisation and the need to adopt new management strategies and procedural methods; technology infusion through contact with new systems; staff skills improvements; reduced overhead costs; slimmer work force; avoidance of investment in areas other than the core business and guaranteed technical support (Fig. 4). In terms in drawbacks, banks referred to a very disparate set of factors:
* *

* * * *

lack of and reduced security; difculty in retaining loyalty of existing staff after organisational changes, which became necessary by the introduction of the outsourced systems; difculty in maintaining motivation of existing staff due to the perception that everything related to IT and IS is the responsibility of the vendors; vendors unwillingness to transfer knowledge related to the outsourced IS; running, maintenance and training cost; difculties with the interface with the outsourced systems; increasing dependency on the contractor, that is not always prompt, or even willing, to attend to possible problems and meet deadlines;
100 90 80 Response (%) 70 60 50 40 30 20 Greater efficiency e.g. speed, in business Inproved customer relationships Better utilisation of staff Improved management information systems Improved security e.g. in respect of payment Reduced errors e.g. statements errors 68.5 60 65.7 60 60 54.2

Fig. 4. Impact of outsourcing in banks bank.

ARTICLE IN PRESS
176
*

B.C. Adeleye et al. / International Journal of Information Management 24 (2004) 167180

* *

threaten security, namely in what concerns guaranteeing the loyalty and condentiality of vendor and vendors staff; threats of having overall performance dependent on vendor; and introducing buck passing resulting from the lack of clear assignment of responsibilities over IS tasks and processes shared between in-house and vendors staff.

These results show that there is a clear awareness of the benets and drawbacks of outsourcing in banks in Nigeria, which represents the realisation of this researchs rst objective. Managers, IS staff and users seem to be aware of the majority of problems and risks associated to the practice of outsourcing as reported in the literature in the eld. So they are well informed and outsourcing decisions are well supported. The next question in this research was to investigate if this knowledge of risk is expressed in terms of appropriate risk management strategies and policies. 4.3.3. Risk management practices When asked if the organisation had any explicit risk management procedures or guidelines for IS outsourcing, all of the banks admitted that they had none in place. Furthermore and possibly even more surprisingly, none of the banks accepted third party guidelines be it from vendors or other banks. This situation was however not totally unexpected, since some of the risk management methods could be embedded in general management best practice. So this research tried to determine if any of these were actually occurring in the outsourcing process, although not explicitly recognised as risk management. In fact, the process of risk management is usually divided into risk identication, risk analysis, risk response planning and risk monitoring and control (Hillson, 2002). These steps are sometimes iterative and not always taken in sequence. For the purpose of this research it was necessary to express these steps in terms of activities and methods undertaken in the organisation while outsourcing their IS. Once these activities were identied, it was then possible to question banks regarding their usage. The following methods were identied from the literature review on risk management for outsourcing:
* * * * * * * *

circulation of list of existing problems; identication of the risks in outsourcing a service/function; examination of the impacts of risk on outsourcing; review of documentation of existing system; interviews with appropriate in-house users and managers; documentation of transaction ows; joint meetings of systems people, operators and end users of reports; and recommendations designed to avoid or prevent risk from occurring.

The banks surveyed were asked to rank, using a scale of 5 (highest frequency) to 1(lowest frequency), the observance and adoption of these risk management activities during outsourcing. The results of this part of the questionnaire are shown in Fig. 5. Interviews with appropriate supervisory and clerical staff as means of identifying risks and problems were found to take place 68.5% of the cases. Documentation of transaction ow, and having joint meetings with systems department people, auditors and end users is also common in

ARTICLE IN PRESS
B.C. Adeleye et al. / International Journal of Information Management 24 (2004) 167180
80

177

68.5

60

Responses (%)

60

57.1 54.2 48.5

57.1

42.8

42.8

40

20 Documentation of transaction flows Review of documentation of existing system Identification of risks Circulation of list of problems Joint meetings of all stake holders Planning for risk occurrence Interviews with staff Examining the impacts of risk

Fig. 5. Risk management.

these organisations during outsourcing (57.1%). 6 of the banks make sure that joint meetings with systems staff, internal control, and users occur regularly. Five of the banks circulate list of existing problems in the different departments and use these to justify decisions for change and outsourcing. However, only 42.8% of the respondents declared to have departmental plans to avoid the occurrence of risks and its impacts and only 1 bank had strategic and global risk control plans. Similarly, only 2 banks considered identication of the risks in outsourcing as a major component of their decision making process. On the positive side, 71.4% of the respondents stated that their organisation had a disaster recovery plan in place, which is reviewed periodically. The study revealed that different banks have different reasons for adopting a disaster recovery plan. For example in Fig. 6, 55% of respondents said that the plan covers responsibilities of specic individuals. All respondents stated that there are provisions for uninterrupted power supply. All respondents also said their disaster recovery plans cover procedures for protecting integrity of data and information. Again, 100% of respondents said these plans include alternate procedures in the event that an outsourced IS breaks down. This was to be expected since the Basel Committee on Banking Supervision (BCBS) (1998) imposed the need for adequate preventive measures that help minimising the probability that negative events occur. The BCB also proposes that management should ensure that adequate systems of containment measures are put in place in order to help detect and limit the effects on the business of events, which may bypass preventive controls and threaten banks operations.

ARTICLE IN PRESS
178 B.C. Adeleye et al. / International Journal of Information Management 24 (2004) 167180
120

100 100 Response (%)

100

100

80 71.4 71.4

60

55

40 Written down disaster prevention master plan that describes Provision of alternate facility in the event that the banks outsourced Copies of all master files, transaction files, and programs Have in place insurance that covers cost of reconstructing destroyed files installed uninterrupted power supply in the event of power failure Covers responsibilities of specified indiduals

Fig. 6. Disaster recovering plan.

5. Conclusion and future work This exploratory empirical study investigating the risk management practices in the outsourcing of IS in commercial banks in Nigeria has led to several important conclusions. While some of these have conrmed initial assumptions, others have been contrary to ordinary intuition. The survey showed that in spite of the lack of regulations and infrastructures in the country, outsourcing is now a common practice and has achieved some considerable degree of success. However, it is evident that banks are taking a reactive approach to outsourcing risk management that may make them vulnerable to a number strategic and operational risks, which may have considerable nancial and reputation costs. In order to avoid these, a more proactive management attitude is required including the adoption of well-dened and structured risk management guidelines, policies and procedures. Although the sample size is representative of the population of banks in Nigeria, and the results provide valuable insights into the risk management practices in the outsourcing process, the need for further work in this area is strongly recommended. Future research efforts should expand the body of literature, but also critically examine, document and recommend the role of managers in banks and regulatory and supervisory bodies in enforcing the adoption and adaptation of global best practices.

References
Atkinson, J. (1985). The exibility factor, Institute for Manpower Studies, Sussex University, Sussex.

ARTICLE IN PRESS
B.C. Adeleye et al. / International Journal of Information Management 24 (2004) 167180 179

Agusto & Co (2001). Rated Banks Nigeria and bank prole. [Online] http://www.agusto.com/pub1/default.html [Accessed August 11 2002]. Baranshamaje, E., Boostrom, E., Brajovic, V., Cader, M., Clement-Jones, R., Hawkins, R., Knight, P., Schware, R., & Sloan, H. (1995). Increasing Internet Connectivity in Sub-Saharan Africa: issues, options, and World Bank Group role, [Online] http://www.uneca.org/eca resources/publications/disd/old/padis/telemat/africa03.htm [Accessed August 11 2002]. Basel Committee on Banking Supervision (1998). Operational risk management: Basel Committee Publications No. 42, [Online] http://www.bis.org/publ/bcbs42.htm [Accessed July 10 2002]. Boiney, G. L. (1999). Knowledge is Power: but knowledge management requires organizational change. Journal of Contemporary Business Practice, Spring 1999, [Online] http://gbr.pepperdine.edu/992/infotech.html [Accessed July 1 2002]. Broady-Preston, J., & Hayward, T. (2001). Strategy, information processing and scorecard models in the UK nancial services sector. Information Research, 7(1), [Online] http://InformationR.net/ir/7-1/paper122.html [Accessed July 4 2002]. Butler, M., Holt, M., Menzies, K., Jones, G., Jennings, T., Jagger, E., Smith, E., Newman, J., Jones, T., & Gibbes, K. (2001). Strategic sourcing: Effective alternatives for the enterprise. Butler Group, Technology Infrastructure, Research and Advisory Services. Computer Sciences Corporation (CSC) (2000). CSC enters outsourcing agreement with Swiss bank, [Online] http://www.csc.com/newsandevents/news/221.shtml. [Accessed June 11 2002]. DeLoach Jr., J. W. (2000). Enterprise-wide risk management: Strategies for linking risk and opportunity. London: Financial Times. De Looff, L. (1997). Information systems outsourcing decision making: A managerial approach. London: Idea Group Publishing. Drucker, P. F. (1995). Managing in a time of great change. New York: Truman Talley Books. Dyer, J. F., & Ouchi, W. G. (1993). Japanese-style partnership: giving companies competitive edge. Sloan Management Review, 4(16), 5163. Fan, Y. (2000). Strategic outsourcing: Evidence from British companies. Marketing Intelligence and Planning, 18(4), 213219. Fleck, F. (2002). Clients left out in cold by Swiss private bank mergers, [Online] http://www.milleniumassociates.com/ PDF/Complinet%20Clients%20left%20out%202Jul2002.pdf. [Accessed July 4 2002]. Hillson, D. (2002). Extending the risk process to manage opportunities. International Journal of Project Management, 20, 235240 [Online] www.elsevier.com/locate/ijproman. [Accessed 20 July 2002]. Huber, R. L. (1993). How Continental Bank Outsourced its Crown Jewels. Harvard Business Review, 31(1), 7784. Jason, P. (1998). Turn around in Nigeria banking: New Africa Market. NEWAFRICA [Online] April. http://dspace.dial.pipex.com/town/terrace/lf41/na/apr98/namb0406.htm. [Accessed July 20 2002]. Lacity, M. C., & Hirschheim, R. (1993). Information systems outsourcing: Myths, metaphors and realities. London: Wiley. Loh, L., & Venkatraman, N. (1992). Diffusion of information technology outsourcing: Inuence sources and the Kodak effect. Information Systems Research, 3, 334358. Lonsdale, C. (1999). Effectively managing vertical supply relationships: A risk management model for outsourcing supply chain management. An International Journal, 4(4), 176183. McFarlan, F., & Nolan, R. (1995). How to Manage an IT Outsourcing Alliance. Sloan Management Review, 36(2), 923. Mylott III, T. R. (1995). Computer outsourcing: Managing the transfer of information systems. Eaglewood Cliffs, NJ: Prentice Hall. OBrien, J. A. (1996). Management information systems: Managing information technology in the networked enterprise. Boston: McGraw-Hill. Pearlson, K. E. (2001). Managing and using information systems: a strategic approach. Chichester: Wiley. Scott, S. V. (2000). IT-Enabled Credit Risk Modernisation: A revolution under the cloak of normality. Accounting, Management and Information Technology, 10(3), 221255.

ARTICLE IN PRESS
180 B.C. Adeleye et al. / International Journal of Information Management 24 (2004) 167180

Sun Microsystems (2001). Sun in nancial services. Santa Clara, California: Sun Microsystems, [Online] http://www.sun.com/nance/overview.html [Accessed August 2 2002]. The Nigerian Stock Exchange (2001). The quoted companies. [Online] http://www.thenigerianstockexchange.com/ exchange frame. [Accessed June 20 2002]. Ward, J., & Grifths, P. (2001). Strategic planning for information systems. Chichester: Wiley. West, T. W. (1996). Leveraging technology. Educom Review, 31(3), 3435. White, L. H. (2002). In what respects will the information age make central banks obsolete? An Interdisciplinary Journal of Public Policy Analysis, 21(2), [Online] http://www.cato.org/pubs/journal/cj21n2/cj21n2-7.pdf [Accessed July 16 2002]. Willcocks, P. L., & Lacity, M. C. (1998). IT outsourcing in insurance services: Risk, creative contracting and business advantage. Information Systems Journal, 9, 163183. Bumni Adeleye, Pg.Dip., B.Sc., M.Sc. is currently a Business Risk Manager at Heineken Africa in Nigeria. She holds a B.Sc. in Computer Science and an M.Sc. in Information Systems. She is currently involved in designing and establishing risk management practices in her company. Fenio Annansingh, A.Sc., B.Sc., M.Sc., is a Researcher in Information Systems at the Department of Information Studies, University of Shefeld. She holds a B.Sc. in Professional Management and an M.Sc. in Information Systems. She is currently investigating risk management associated with projects involving intensive knowledge management issues and possible loss of intellectual property. She is also engaged in completing a Ph.D. in information Studies. As a member of the Data Management and Information Systems Research Group, she has been involved in research in information systems risk and database design. Jos! Miguel Baptista Nunes, Lic. MatApl, M.Sc., Ph.D., ILTM, FIMIS, is a Lecturer in Information Management at e the 5A Department of Information Studies, University of Shefeld. He holds an M.Sc. in Applied Mathematics, an M.Sc. in Information Management and a Ph.D. in Information Studies. As a Member of the Data Management and Information Systems Research Group, he has been involved in research in information System modelling, database design and social informatics.