ANALYSIS OF RISK DYNAMICS IN INFORMATION

7/30/2019 ANALYSIS OF RISK DYNAMICS IN INFORMATION

1/11

European and Mediterranean Conference on Information Systems 2009 (EMCIS2009)

July 13-14 2009, Crowne Plaza Hotel, Izmir

Ozge Nazimoglu, Yasemine Ozsen

Analysis of Risk Dynamics in Information Technology Service Delivery

1

ANALYSIS OF RISK DYNAMICS IN INFORMATIONTECHNOLOGY SERVICE DELIVERY

zge Nazmolu, Process Specialist, IBM Global Services ve Teknoloji Hizmetleri ve Tic.Ltd. ti. (IGS), Turkey

[email protected]

Yasemine zen, Compliance Specialist & Process Coordinator, IBM Global Services veTeknoloji Hizmetleri Tic. Ltd. ti. (IGS), Turkey

[email protected]

This study has begun within the context of Centers for Advanced Studies (CAS) Istanbul at Services

Sciences projects and has been developed.

Abstract

This paper is prepared for defining, analyzing and managing risks within Information Technologies

(IT) in Service Delivery. Therefore understanding the concept of service delivery correctly is a veryimportant issue. After defining service delivery, some specific risks which appear in IT service deliveryand the relationships between risks will also be defined. This project has been prepared by taking the

Information Technologies Infrastructure Library (ITIL) as basis, which is a standard in IT.International Business Machines (IBM) maintains its own processes by taking its standards. The main

purpose of the study is to define the effects of the specific risks on specific processes related with ITIL.The risks have been determined by reviewing the processes in IBM, ITIL and with the help of the ITSM(Information Technology Service Management) Metrics Model. The remaining part of this report is

structured as the necessary background for ITIL and IBM service delivery, the possible sources andanalysis of IT service delivery risk and the concluding remarks.

Keywords: InformationTechnologies, Service Delivery, Risks.

1 INTRODUCTIONToday, no one would dispute that IT has become the backbone of commerce. It underpins theoperations of individual companies, ties together far flung supply chains and increasingly, links

businesses to the customers they serve (Carr, 2003). During the period when the significance of IT wasundisputable, the companies period to outsource IT services. Outsourcing is defined as being one ofallocating or reallocating business activities from an internal source to an external source. Any

business activity can be outsourced. All or part of any of the unique business activities in a functionalarea, like management information systems, which have been historically in sourced can beoutsourced today (Schniederjans, Schniederjans & Schniederjans, 2007).

The most important commercial development of the last 50 years is information technology. It isbeginning an inexorable shift from being an asset that companies own in the form of computers,software and myriad related components to being a service that they purchase from utility providers.After pouring millions of dollars into in house data centers, companies may soon find that its time tostart shutting them down. IT is shifting from being an asset companies own to a service they purchase(Carr, 2005).

An explanation for why IT might lead to firms is that IT might allow firms to "outsource" more oftheir activities. That is, the use of IT might lead firms to "buy" rather than "make" more of the

components and services needed to make their primary products (Brynjolfsson, Malone, Gurbaxani,


2/11





2

Kambil, 1993). While companies came into being to outsource their Information TechnologyDepartment, the concept of IT service delivery has become important.

Business can be competitive only if the risks of IT service delivery are managed (Garbani and Mendel,2004). If the proposed services are not delivered on time, this can have serious impact on IBMs

profits, reputation and its competitive advantage. IBMs service delivery team enables clients tomanage the relationship between people, process, technology and information in order to run the

business more efficiently. These business benefits are as follows; increasing revenues with the help ofbringing new applications faster to market, reducing costs by solving business problems, ability topredict the impact of changes before they occur and usage of IT tracking and auditing tools forcompliance.

While company provides outsourcing service, it needs to have some standards. ITIL is a library whichdefined as Information Technologies Infrastructure Library. Today almost every company whichrelated with IT is consistent with ITIL. As a result of these developments, the management of the risksthat effect or may affect the service became an important issue. The undisputable significance of riskmanagement occurred following phases.

2 A BRIEF OVERVIEW OF SERVICE DELIVERY FOR INFORMATIONTECHNOLOGIES

2.1 The Importance of ITTraditionally, the IT-related activities of organizations have been divided into three types; systemsdevelopment and maintenance, systems operations, and systems administration. Systems developmentand maintenance activities are necessary for both the development of new systems and themaintenance of existing ones (feasibility studies, systems analysis, systems design, programming, usertraining, testing, and systems evaluation). Systems operations activities are related to the operation ofexisting systems (data entry, job scheduling, output production and distribution and database

operations). Systems administration activities involve managing both systems development andsystems operation activities (policy setting, personnel management, and planning) (Tavakolian, 1989).

Figure 1. The New View - Business touch the world through IT (Grady, Robert B.1997)

IT is involved in every interaction between the business and the "real world." IT buffer represents theincreasing use of IT for interaction between the business and the outside world. At the most obviouslevel, it is the sale of products over the Internet and email communication with employees andcontractors. At another level, it is the capture of incoming information, such as invoices, into digitalform as soon as they arrive in the office. Today, even many very small transactions become records ina point-of-sale system or stock control system. A small failure or improvement of IT can have a

dramatic effect on the business' ability to operate and perhaps to influence its profitability (Harris,


3/11





3

Herron, Iwanicki, 2008). IT is an issue that is related with business, that is aware of the developmentsand affects all the systems. The quality of the outputs that are composed of the received inputs isclosely related with the efficiency of the IT.

IT can provide employees with knowledge of industry best practices, information on relevant leading

edge technologies, and the goings on at professional associations relevant to their work. In short,access to such rich boundary spanning information makes opportunities more salient (Dewett andJones, 2000).

Since 1990, organizations are increasingly focusing on learning and knowledge creation. Thisindicates that an organization should utilize its intellectual capacity and improve knowledge flowsamong its members to achieve a competitive advantage. The influence of global competitiveness anddevelopment in IT has led to the recognition that knowledge and the capacity to develop knowledgeare the resources that have tremendous impact on achieving a sustainable competitive advantage(Gunasekaran, Khalil, Rahman, 2003).

2.2 ITIL (Information Technologies Infrastructure Library)ITIL best practices were first developed in the 1980s by the British government's Office ofGovernment Commerce (OGC) formerly called the Central Computer and TelecommunicationsAgency. ITIL is a collection of best practices that have become widely observed in the IT serviceindustry and a detailed framework of a number of significant IT practices, with comprehensivechecklists, tasks, procedures, and responsibilities that are designed to be tailored to any ITorganization. ITIL suggests that any IT operation should have some form of help desk where users ofIT can ask questions or resolve problems. ITIL describes recommended best practices such as how toinvestigate and solve reported problems called into the operations help desk. These are the best

practices and processes that are necessary for IT to process its applications in an efficient, controlledenvironment (Moeller, 2008).

ITIL adoption rates have been on the rise. The CIO executive board reported in 2004 that 30 percentof global companies with more than $1 billion in revenues evaluated the potential of implementingITIL, and approximately 13 percent were moving forward with ITIL implementation. Adoption isexpected to increase to 60 percent of global companies with more than $1 billion in revenue by 2008(Harris, Herron, Iwanicki, 2008).

ITIL version 3 is made up of five books, referred to as the ITIL core. These books are ServiceStrategy, Service Design, Service Transition, Service Operation and Continual Service Improvementas follows;

2.2.1 Service StrategyService Strategy focuses on how to transform service management into a strategic asset. Providersbenefit from seeing the relationships between various services, systems, or processes they manage andthe business models, strategies, or objectives they support (Bajada, Stephen, 2008). It helps a companyto plan for implementing IT service management strategies. Service Strategy allows companies todefine new IT services and helps ensure that the currently defined IT services meet the businessrequirements of the company (SkillSoft Press, 2006).

2.2.2 Service DesignService Design means "The design of new or changed services for introduction into the liveenvironment". It involves using a holistic approach to determine the impact of the introduction ofchanges upon the existing infrastructure services and management processes. New or changed

services, processes, and technology should not be implemented in isolation. Service Design is requiredto enable the continuation of all current operational aspects, considering the impact of changes


4/11





4

(Bajada, Stephen. 2008). Service Design helps create policies, architectures, and designs for ITservices to meet the current and future requirements of a company (SkillSoft Press, 2006).

2.2.3 Service TransitionService Transition helps manage and control the changes in IT services that are implemented in theworking environment of a company. Service Transition ensures continuity of IT services whenchanges occur (SkillSoft Press, 2006). It provides guidance for the development and improvement ofcapabilities for transitioning new and changed services into operations. It also provides on transferringthe control of services between customer and service providers (OGC, 2008).

2.2.4 Service OperationService Operation is where the value is seen. Service value is modeled in Service Strategy. The cost ofthe service is designed, predicted and validated in Service Design and Service Transition. Measuresfor optimization are identified in Continual Service Improvement. But Service Operation is where anyvalue is actually realized. Until a service is operational, there is no value being delivered (Bajada, and

Stephen, 2008).

2.2.5 Continual Service Improvement (CSI)CSI aims to promote the fact that quality is key to being able to achieve and maintain high levels ofservice provision. The processes throughout the lifecycle need to be reviewed and analyzed andimproved where it would lead to increased efficiency and effectiveness in how the service is provided.Cost will also be important and there must be a balance between this and what will lead to customersatisfaction. CSI objectives are achieved by reviewing what is happening, analyzing findings and

producing recommendations for improvement. CSI covers processes throughout the Lifecycle-Strategy, Design, Transition, Operation (Bajada and Stephen, 2008).

Figure 2. ITIL Version 3 Processes (Harris, Herron, Iwanicki, 2008)

Figure 2 helps to have an understanding of the ITIL service management process areas and where theyfit in the ITIL version 3 books. There is an important point such as Request Fulfillment is the processfor dealing with service requests; it also includes the functions of service desk.


5/11





5

2.3 IT Service DeliveryA service is a means of delivering value to customers by facilitating outcomes customers want toachieve without the ownership of specific costs and risks (Best Management Practice, 2007). In orderto define service delivery, it is important to understand what a service is. IT service delivery is whatas an outsourcing company does for companies in order to help them to find the optimal integration

between IT and business. By providing this service, it enables clients to manage the relationshipbetween people, process, technology and information in order to run the business more efficiently.These business benefits are as follows; increasing revenues with the help of bringing new applicationsfaster to market, reducing costs by solving business problems, ability to predict the impact of changes

before they occur and usage of IT tracking and auditing tools for compliance.

Most services cannot be counted, measured, inventoried, tested, and verified in advance of sale toassure quality. Service performance varies from producer to producer, from customer to customer, andfrom day to day (Parasuraman, Zeithaml, Berry, 1985). For that reason it is really important tounderstand and ascertain the notion of service delivery. IT Service at IBM has some phases includedas follows;

Figure 3. The Lifecycle of IT Service at IBM

At Engagement Phase, services and products or combination of both are provided to meet customersrequirements, and services are determined to be delivered to customer. Baselines, service levels andother technical and non-technical schedules are created. The approach and plan are defined as well as a

timeframe. At the end of this phase business requirement will be defined.

Transition and Transformation Phase can be defined as a one phase. Transition & TransformationPhase is responsible for transferring of any in-scope staff and validation of the service baselineenvironment. There some knowledge transfers from the client and setting up of the programmanagement system. Workflow defined and policies are defined. Evolving from the customersexisting environment to the environment required for company to achieve its agreements. This phasecan vary from contract to contract. Transformation phase can be occurred simultaneously with thetransition process. Executive ownership established and also procedures are defined.

At the Steady State Phase, measurement and continuous improvement plans and procedures defined.The existing environment is stable. The goal of this phase is to improve process and also control is

provided. Processes and procedures are working without problem. This phase can be defined asservice delivery phase. This study explains the risks which can occur at the service delivery phase assteady state.

2.4 ITIL and IBM Service Delivery ProcessIBM has its own implementation of ITIL for IT service management. The service starts as soon as thecontract is signed between the customer and IBM. Service delivery and service support team takecontrol after contract is signed. IBM uses its own processes in order to deliver the services agreedcontractually. IBM staff has to be familiar with these processes in order to deliver the services with outany problem. These processes are standard and consistent across the globe for IBM and they are

collected under different folders at IBM. These can be thought as related processes defined in ITIL


6/11





6

collected under different titles. When these processes interact with each other, risk may arise due tomiscommunication and misunderstanding.

Service delivery procedure can be defined as a set of integrated processes describing the how of aservice delivery. In order to define the processes there are documents which consist of template

processes for covering all types of service delivery activity for any customer in any part of the world.IBM service delivery team configures these documents to reflect specific customer requirements,while still maintaining consistency and an auditable link to global best practices like ITIL. IBM

procedures are confidential and cannot be described. However, working at IGS, an affilate of IBM,was a good opportunity for understanding inner processes and procedures of the company to see the

possible sources of risk. After working at IGS for a while, change, service level management (SLM)and service desk can be the main sources of risk.

3 RESEARCH METHODOLGY3.1 Research ObjectivesThe main aim of the study reported in this paper was to identify, explore and find out the relationship

between specific risks in IT service delivery. As part of this process of risk assessment, the researchaimed to explore the impacts of risks according to related ITIL processes.

3.2 Research DesignITSM Model (Steinberg, 2006) is used for this study, as comment in short ITSM Model is; filled theoperational metrics with the historical data which can be obtained from related systems or somerelated reports. Values of KPIs (Key Performance Indicators) occur with the operational metrics byusing formulas. Formulas are determined by the help of relationship between KPIs and operationalmetrics. KPIs have some risks levels; HIGH, MEDIUM or LOW according to determined targetand warning levels. In order to specify the risks, taken the risks from the model is used. Specific risksand the relationships between them and KPIs are determined. The relationship between risks and KPIsis found out and used for the model. In order to confirm attributes at the relationship, someobservations are done at IGS. Delay times for each risk on the process are taken from the MetricsModel. According to observations at IGS, decided which risks will be analyzed. After definingspecific risks and the relationship between processes, the effect of risks is defined with the help ofassumptions.

This study searches the effects of the determined risks on Service Desk, Change Management andService Level Management. Service Desk is a process within Service Operation, Service LevelManagement is a process within Continual Service Improvement and Change Management is a

process within Service Transition. In order to analyze the risk in IT service delivery, various ITILdisciplines are studied. After carefully studying ITIL and IGSs internal processes the main risk may

arise from following disciplines;

Service Desk is the place where exist the receipt and resolution of service requests, technicalguidance, communication, etc. The central contact point between users and IT staff (Steel, 2008). Alsoit is the first place that the customer contacts when they have a problem or any request. If theserequests and problems are not handled immediately this can cause trust issues between customer andthe service provider. Service Desk activities are managing control, communication & promotion and

providing management information.

Change Management is responsible for ensuring changes are evaluated, approved, controlled,tracked and implemented safely without side effects to the quality of the service itself (Steel, 2008). Itaims to minimize risks to IT environment when changes are made. However, after a change is made


7/11





7

upgrades, patches, new technologies or systems there is a big risk of customer dissatisfaction if theyare not adequate.

Service Level Management (SLM) ensures that the agreed services are delivered when and wherethey are supposed to be delivered. SLM is a very important concept concentrating on value which is

an intangible concept. If this value is destroyed by breaching any part of the Service LevelAgreements (SLAs), it can have some negative consequences for the service provider as the customerwill be dissatisfied.

SLM plan, coordinate, draft, agree, monitor and report on SLA (Steel, 2008). SLA is a contractbetween two parties that specifies performance and quality metrics of an infrastructure/applicationservice offering and the consequences of what happen when those metrics are not met (Bhattacharya,Behara, S. Ravi, Gundersen, 2003).

4 RISK ASSOCIATED WITH SERVICE DELIVERY4.1 Risk ManagementRisk is the net negative impact of the exercise of vulnerability, considering both the probability andthe impact of occurrence. Risk management is the process of identifying risk, assessing risk, andtaking steps to reduce risk to an acceptable level (Stoneburner, Goguen, 2002).

With the help of risk management, organizations try to ensure that risks to which they are exposed arethe risks to which they think they are and need to be exposed to operate their primary business. Riskmanagement is thus the process by which firms identify their risks and then take any actions requiredto control deviations of actual risk exposures from predefined tolerances to those risks (Culp, 2002).

Risk identification is the most significant issue in the risk management. Before risks can be managed,they must be identified. Risk identification aims to find the major risks before they adversely affect a

program. Risk analysis is the next element in the risk management. Risk analysis is the conversion of

risk data into risk management information. Each risk must be understood sufficiently to allow amanager to make decisions. Risk analysis sifts the known risks, and places the information in thehands of the decision maker. Analysis provides the information that allows managers to work on theright risks (Scoy, 1992).

Everyone agrees that risk arises from uncertainty, and that risk is about the impact that uncertainevents or circumstances could have on the achievement of goals. A risk is any uncertainty that, if itoccurs, would have an effect on achievement of one or more objectives. Traditionally risk has been

perceived as bad; the emphasis has been on the potential effects of risk as harmful, adverse, negative,and unwelcome. In fact risk has been considered synonymous with threat (Hillson, Simon, 2007).

Risk management practices in many of the world's largest organizations tend to be based around anarrow definition of the word risk. In the past, many risk managers were tasked with focusing onmanaging the downside aspects of risk. Consequently, the focus has often been on managing orcontrolling hazards fraudulent behavior, security breaches, theft, compliance breaches, damage to

property, and so on. While these are important, they need to be complemented by an approach thatviews risk in its upside potential (Frost, Allen, Porter, Bloodworth, 2001).

The purposes of the Risk Management in service delivery are handling the effects of the risks,reducing the negative effects of the risks, and accepting some, or all, of the consequences of a

particular risk. Risk management is a structured approach to managing uncertainty through, riskassessment, developing strategies to manage it, and mitigation of risk using managerial resources.


8/11





8

4.2 Specific Risks Related With Service DeliveryOutsourcing IT operations has been recognized to have important potential benefits, including costreduction, improved quality of service, and access to technological expertise. Researchers and

practitioners also recognize that, in some circumstances, IT outsourcing entails risk, and that itsometimes leads to undesirable consequences that are the opposite of the expected benefits (Bahli,Rivard, 2004). Risk in IT service management can be defined as; not delivering the services whichwere agreed contractually with the customer. Risk can also be defined as any situation that leads touncertainty. The aim of this study is to identify these risks that lead to this uncertainty according toITSM Model. Below are some important specific risks;

Rework: Any disruption in a process creates a hole in time that travels across the entire system andadds a great deal of cost. The total cost incurred is very difficult to quantify, and the impact reworkextend throughout the internal process and the external process (Carreira, Trudell, 2006). When awork is not done properly, the risk of rework could emerge. As a result, the cost could increase and

because of a rework the employees morale could be lower.

Delayed Solutions: The risk can be defined as solution did not apply to a problem at the requiredtime because of any reason. As a result there could be a risk over the systems or processes. In general

this risk brings on some defaults on going processes.

Fines and Penalties: In general these risks are related with Service Level Agreements and theypresent when the work done is not conforming to the contract. Considering the case, the penalty of theemployee concerned could increase; even the employee could lose his/her job.

Legal Exposure: Legal exposure for companies in the intellectual property arena is infringing theintellectual property rights of another person or company. A technology lawyer will need to determinewhether a client is using a brand name or term that is too much like the trademark of another person oris capitalizing on work someone else owns. The flip side is it also presents a risk of exposure; clientsneed to protect their own intellectual property. At a very high level, there are three areas of legal

exposure for companies: compliance, reliance, and security (Inside the Minds Staff, 2004). Service Outages: Refers to any time a service recipient does not receive service within theconditions set by a Service Level Agreement or preset expectations (Kozak, 2006). As a result ofservice outage becomes the most critical and directly affects service delivery. Revenue loss andrestoration costs accumulate during an outage.

Waste: If an activity adds cost and generates no revenue, it is considered waste but if an activitygenerates revenue, it is not waste. Wastes are non value added, they do not contribute to a morecomplete product or service, and the customer is unwilling to pay for these activities (Carreira,Trudell, 2006).

Security Breaches: Security breaches have more importance when it is about technical services.When there must be a change, security control analysis must be taken. Low Employee Morale: When employees have a low morale, there could be negative effects onthe work done. The probability that the employee makes a mistake could increase. Especially when itis about end user services, this risk is important for the ones that have directly contact with clients.

Dissatisfied Customers: This is one of the most important risks, because service deliverys firstobjective is customer satisfaction. As a consequence of this risk, the customer could outsource itsservice from another firm as a result of its complaints. Customer loss is the least wanted situation in aservice delivery firm.

After process analyses, it is seen that the three most risky processes are Change Management, ServiceLevel Management and Service Desk. Below can be founded how the relationships between specific

risks and processes according to ITSM Model. In order to determine different levels of risks in the


9/11





9

ITSM Model, only these three most important processes have been analyzed. Then these delay timeshave been weighted at Table 1, taken from Metrics Model.

Delay Times for Each Process Service Desk ChangeManagement

Service LevelManagement

Rework 2 9 6Delayed Solutions 5 9 9Fines and Penalties 0 6 3Legal Exposure 0 3 3Service Outages 0 3 0Waste 8 9 9Security Breaches 0 3 0Low Employee Morale 6 6 9Dissatisfied Customers 11 6 11

Table 1. Loss of time in ITSM Model

If the percentage is up to 35%, the risk is defined as High, if it is between 25% and 35%, the risk is

defined as Medium, if it is lower than 25 %, and the risk is defined as Low. For example for therisk named Rework, change management have a weight of 9/ (2+9+6) =0, 53>0, 35, so its level isdetermined as High as shown at Table 2.

Risk Level Service Desk ChangeManagement

Service LevelManagement

Rework Low High MediumDelayed Solutions Low High HighFines and Penalties None High MediumLegal Exposure None Medium MediumService Outages None High NoneWaste Medium Medium MediumSecurity Breaches None High None

Low Employee Morale Medium Medium HighDissatisfied Customers High Medium High

Table 2. Level of risks for each process

For confirming these attributes, observations have been made during a week. According to theseobservations, in 90% of the cases the risk defined is actually seen, in 6% of the cases the risk seen isone grade upper or lower of the defined risk, in 4% of the cases the risk seen is two grades upper orlower of the defined risk. If the level of the risk defined is Medium, the probability that the risk seenis seen Low or High is 5 %. To digitize these data, they have been weighted with the 1-5 scale (1-low). To be able to analyze them a sample with 5 observations has been taken. At the end, the table

below has been created at Table 3 (only one calculation is shown).Risk Weights Service Desk Change

Management

Service Level

ManagementRework 1,25 4,69 2,55Delayed Solutions 1,25 4,69 4,69Fines and Penalties None 4,69 2,55Legal Exposure None 2,55 2,55Service Outages None 4,69 NoneWaste 2,55 2,55 2,55Security Breaches None 4,69 NoneLow Employee Morale 2,55 2,55 4,69Dissatisfied Customers 4,69 2,55 4,69

Table 3. Weight of risks for each process (scale 1-5)

For the same example:Rework risk for Change Management weight = 0, 90*5, 00 + 0, 06*2, 50 + 0, 04*1, 00 = 4, 69.


10/11





10

To sum up, the most important risk that should be eliminated about the Service Desk is the risk ofDissatisfied Customer. One of the most significant points in this table is that some risks are noteffective on some processes. Other than reviewing the processes separately, the following pie graphcan be reviewed in order to understand the effectiveness of each risk. Figure 4 shows impact of risksto Steady State Service Quality.

Figure 4. Impacts of Risks

The effect of the customer over service delivery is inevitable. Because, the main purpose of servicedelivery is to maximize the customer satisfaction. The risk of Dissatisfied Customers is the mostsignificant risk that affects all the processes. The delay of the solutions in IT delivery can bearunexpectable results. Thus, this risk should also be reviewed. Since one of the most significant factors

that ensure that the processes operate without problems, inevitable damages may occur due to thereluctance or unhappiness of the employees. Service quality in steady state phase depends on the mostthese three criteria, which means that the failure in those topics is appearing as most influent risk toservice quality in the proposed model.

5 CONCLUSIONFinding the effects of the risks on the processes can be deemed as the first step in increasing thequality of service delivery. The risks that are determined to have high effect will be reviewedseparately and the main purpose will be to remove or minimize the effects of risks. These risks can beincreased by conducting more researches. In further studies, hypothesis tests could be done over thisstudy to make it more sensitive. Furthermore the sample size could be enlarged so that studies would

be more appropriate to reality.The study has several important conclusions. All of nine risks defined from a metrics model, butespecially three of them really important at IT service delivery. Conducting studies on the risks thathave more effects will decrease the issues that prevent great losses or processes. Each of them should

be a research topic for further studies. On the other hand, which ITIL process is more risky is founded.The most risky process is the Change Management and the less risky process is the Service DeskManagement.

As a result of this study, the most important risk that has an impact on all processes is DissatisfiedCustomers. The second one is Delayed Solutions and the third one is Low Employee Morale. Inorder to minimize the risks in all the processes, works should be conducted to increase customersatisfaction, the methods for not delaying the solutions should be searched and the morale of the

employees should be kept high.


11/11





11

References

Bahli B and Rivard S. 2004. Validating Measures of Information Technology Outsourcing RiskFactors, Strategic Management of Information Technology.

Bajada S. 2008. ITIL v3 Foundation Certification Training, GTS Learning.

Bhattacharya S, Behara S, Gundersen D. 2003. Business Risk Perspectives on Information SystemsOutsourcing,International Journal of Accounting Information Systems.

Brynjolfsson E, Malone T, Gurbaxani V, Kambil A. 1993. An Empirical Analysis of the RelationshipBetween Informaiton Technology and Firm Size,MIT New York University.

Cameron T I, Raman R. 2005. Process Systems Risk Management,Elsevier Science and TechnologyBooks, Inc.

Carr, G N. 2003. IT Doesnt Matter,Harvard Business Review.Carr, G N. 2005. The End of Corporate Computing,MIT Sloan Management Review.Carreira B, Trudell B. 2006. Lean Six Sigma that Works: A Powerful Action Plan for Dramatically

Improving Quality, Increasing Speed, and Reducing Waste,Amacom.Culp L C. 2002. The ART of Risk Management: Alternative Risk Transfer, Capital Structure, and the

Convergence of Insurance and Capital Markets,John Wiley & Sons.Dewett T and Jones R G. 2000. The Role of Information Technology in the Organization: A Review,

Model, and Assessment,Journal of Management.Frost C, Allen D, Porter J, Bloodworth P.2001.Operational Risk and Resilience,PricewaterCoopers.Garbani J P and Mendel T. 2004. Forrester Research GigaWorldEurope.Grady R B. 1997. Successful Software Process Improvement,Prentice Hall.Gunasekaran A, Khalil O, Rahman M S.2003. Knowledge and Information Technology Management:

Human and Social Perspectives,IGI Publishing.Harris D M, Herron E D, Iwanicki S. 2008. The Business Value of IT: Managing Risks, Optimizing

Performance and Measuring Results,Auerbach Publications.Hillson D, Simon P. 2007. Practical Project Risk Management: The ATOM Methodology,

Management Concepts.

Inside the Minds Staff. 2004. Inside the Minds: The Laws Behind Technology: Leading Lawyers OnThe Legal Aspects Of Patents, Software Licensing, Telecommunications, & More, AspatoreBooks.

Kozak M. 2006. Avoiding Project Disaster: Titanic Lessons for IT Executives, Multi MediaPublications.

Moeller R R. 2008. Sarbanes-Oxley Internal Controls: Effective Auditing with AS5, CobiT, andITIL,John Wiley & Sons.

Office of Government Commerce. 2008. Service Transition, OGC.Parasuraman A, Zeithaml A V, Berry L L. 1985. A Conceptual Model of Service Quality and Its

Implications for Future Research,Journal of Marketing.Schniederjans J, Schniederjans M, Schniederjans G. 2007. Outsourcing Management Information

Systems,IGI Publishing.

Scoy V L and Roger. 1992. Software Risk Management Program, Software Engineering Institute,Carnegie Mellon University.

SkillSoft Press. 2006. Managing Infrastructure Using ITIL, SkillSoft Press.Steel C A. 2008. Information Technology Governance and Service Management: Frameworks and

Adaptations,IGI Publishing.Steinberg A R. Measuring ITIL, Trafford Publishing.Stoneburner G, Goguen A, Feringa A. 2002. Risk Management Guide for Information Technology

Systems,National Institute of Standards and Technology.Tavakolian, H. 1989.Linking the Information Technology Structure With Organizational Competitive

Strategy: A Survey,MIS Quarterly.

Documents

ANALYSIS OF RISK DYNAMICS IN INFORMATION