Managing Information Technology Outsourcing Risks: A Service Provider-Centric Approach

Organisations outsource information technology (IT) for strategic reasons. However, outsourcing IT comes with risks that must be identified, assessed and managed. While many studies use the project, vendor, and contract risk management approaches in managing IT outsourcing (ITO) initiatives, this study focused on the risk management of IT service providers (ITSPs) because these risks are external to the outsourcing organisations but have direct impacts and consequences on them. This paper contributes to the existing body of knowledge by presenting a conceptual ITSP risk management framework highlighting how to identify, assess, and treat ITSP risks from the lens of risk management experts in South Africa. Using a qualitative approach, interviews were conducted with twelve risk management experts, and thematic analysis was used in analysing the interview data. The main themes identified are ITO risk profiling, ITSP audit, ITSP risk treatment, ITSP risk assurance, and ITSP risk governance.