ARTICLE IN PRESS

International Journal of Information Management 24 (2004) 167–180

Risk management practices in IS outsourcing: an investigation

into commercial banks in Nigeria
Bunmi Cynthia Adeleye, Fenio Annansingh, Miguel Baptista Nunes*
Department of Information Studies, University of Sheffield, Sheffield, UK

Abstract

This research work focuses on the risk management practices adopted by Commercial Banks in Nigeria
that are related to the outsourcing of information systems (IS). The need for the research emerged from the
lack of studies addressing these problems in developing countries in general and in this country in
particular. The research reported in this paper shows that despite the globally increasing trend of IS
outsourcing in the sector, Nigerian commercial banks are lacking in both strategic and operational risk
management practices. Consequently, they are especially prone to the adoption inappropriate IS solutions
and are vulnerable to IS failure and fraud.
The research is empirically based drawing on an extensive literature and case study review as well as an
extensive survey of banks in Nigeria. The main method of data collection was a questionnaire sent to 15
commercial banks, which was aimed at respondents in three distinct categories: executive management,
systems managers and users. The analysis of the data included both a quantitative and an inductive
qualitative approach. The latter was used to draw inferences on the current situation.
The findings revealed that managers of commercial banks understand the nature of IS outsourcing and
that they all agreed that adopting risk management practices is important. Nevertheless, the situation is
critical. A significant proportion of the commercial banks have no documented and structured outsourcing
strategy or policy; consequently no programme or procedural guidance is available at any level. The study
also discovered that contrary to practice in developed countries, the regulatory authorities in Nigeria have
not formulated substantive guidelines or procedural rules to be adopted nationally by commercial banks.
r 2004 Elsevier Ltd. All rights reserved.

Keywords: Information systems outsourcing; IS risk management; IS strategic thinking; Commercial bank

*Corresponding author.
E-mail address: j.m.nunes@sheffield.ac.uk (M.B. Nunes).

0268-4012/$ - see front matter r 2004 Elsevier Ltd. All rights reserved.
doi:10.1016/j.ijinfomgt.2003.10.004
 ARTICLE IN PRESS

168 B.C. Adeleye et al. / International Journal of Information Management 24 (2004) 167–180

1. Introduction and background of study

In Nigeria, all banks are licensed by the Central Bank of Nigeria (CBN) and incorporated
under the companies and Allied Matters Act of 1990. The intermediation role of banks in a
country with an estimated population of 120 million inhabitants results in a pressing need to
develop or acquire, install, deploy and maintain top rated information systems (IS). The systems
so deployed are expected to be efficient, effective, robust and fluid in order to respond and adapt
to current and future operational needs.
IS plays an important role in the business of any bank. These systems are at the core of the
information management of the organisation and allow it to operate efficiently and maintain its
competitive advantage. According to O’Brien (1996, p.7), ‘‘if information systems do not properly
support the strategic objectives, business operations, or management needs of an enterprise, they
can seriously damage its prospects for survival and success’’. This paper further enumerates three
vital roles of IS:

* Support of business operations.

* Support of managerial decision making.
* Support of strategic competitive advantage.

Consequently and as proposed by Drucker (1995), in today’s knowledge-based society

information is the framework around which organisations are formed. Banks are no exception as
they are expected to make continuous use of the rapid changes in technology in order to improve
customer service and to handle new business processes. As banks broaden their services, widen
their customer base and extend their services into new geographies, IS plays an important role in
this drive to differentiate and compete. Information systems provide better data distribution,
integrated business processes, and networked communications, and enable banks to improve
customer relationships, as well as streamline overhead costs. (Sun Microsystems, 2001).
A number of well-known authors have stressed the critical nature of information systems to
banks. Scott (2000) proposes that introducing computer-based information systems will enable
most banks to cope with instability in the business environment. Boiney (1999) noted that the role
of information systems is being transformed: ‘‘today’s information systems must truly add value
to the organisation through the creation, capture, distribution, application, and leveraging of
knowledge’’. On the other hand, White (2002) wrote that the advances in Information and
Communications Technology (ICT) are no doubt bringing financial innovations that are
‘‘undermining, or may soon undermine, many of the restrictions faced by most commercial banks
on clearing houses issues’’. In agreement, Broady-Preston and Hayward (2001) state that ‘‘in the
current turbulent business environment, quality information is required to ensure that companies
achieve competitive advantage by using such information to make decisions more rapidly than
their rivals’’. Similarly, West (1996) suggests that institutions should take advantage of technology
so that they will not be left behind in our market economy.
Nigerian Banks are no different from other banks in the world. They depend on IS to guarantee
differentiation and competitive advantage. However, IS design and development lies outside the
basic scope of core retail banking. Thus, most commercial banks in Nigeria resort to outsourcing
for the provision and maintenance of their IS. So the success of the organisation itself often
 ARTICLE IN PRESS

B.C. Adeleye et al. / International Journal of Information Management 24 (2004) 167–180 169

depends on the ability of the given organisation to manage the risks associated with this process of
outsourcing.

2. IS outsourcing

Generically outsourcing can be defined as ‘‘the transfer of previously in-house activities to a

third party’’ (Lonsdale, 1999). De Looff (1997, p. 30) defined IS outsourcing as ‘‘the
commissioning of part or all of the information systems activities an organisation needs, and/
or transferring the associated human and other IS resources, to one or more external IS
suppliers’’. From reviewed literature, the idea of outsourcing IS seems to have started in 1989
when Eastman Kodak turned over its entire data centre, network and microcomputer operation
to three IS external parties (Loh & Venkatraman, 1992). However, Willcocks and Lacity (1998)
are of the view that the nature of information systems outsourcing has since evolved. They
distinguished complete outsourcing, facility management, systems integration, time-sharing,
rental, installation and procurement, and maintenance and programming.
More concisely, (Mylott, 1995; Pearlson, 2001; Butler et al., 2001) distinguished two forms of
outsourcing, namely: full outsourcing and selective outsourcing. In full outsourcing, all the
services are outsourced to the vendor. This is an extreme outsourcing strategy because the entire
department information systems duties are assigned to the outsourcing partner as in the case of
Eastman Kodak. This, according to Pearlson (2001), happens when an organisation does not see
‘‘IT as a strategic advantage’’ that should be developed internally. Arguments for full outsourcing
usually involve the allocation of organisational resources to areas that can add greater value to the
organisation’s value chain or reduce cost per transaction due to economies of scale. In selective
outsourcing, only a range of services is selectively outsourced or contracted to a third party. It
often results in greater flexibility and better services (Pearlson, 2001). The decision to outsource an
organisation’s activities often results from a careful study of the supply chains Lonsdale (1999).
The problem of what to outsource is the most critical decision an organisation has to make in
relation to IS.
The need for outsourcing has grown over the last two decades due to numerous factors. These
include an increase in:
* global competition,
* downsizing,
* the move to flatter organisations,
* the need to reduce cost,
* improved quality, service and delivery,
* improved organisational focus, and
* increase flexibility which facilitate change and the emphasis on core competencies (Atkinson,
1985; Dyer & Ouchi, 1993; Huber, 1993; Fan, 2000).
In the banking sector, outsourcing has been a common practice in the last 20 years. Fleck (2002)
argues that ‘‘some of the Swiss banks have realised the demand and are attempting to do what will
give them a better chance to serve clients, outsourcing asset management and allocation’’. Recent
examples are the outsourcing facilities management at Sovereign Bank (USA), human resource
 ARTICLE IN PRESS

170 B.C. Adeleye et al. / International Journal of Information Management 24 (2004) 167–180

outsourcing in Bank of America (USA), the outsourcing agreement between AT&T and IBM at
Bank One and the $44 million outsourcing agreement between Coop Bank and Computer Science
Corporation also in Switzerland (CSC, 2000).
Despite the optimism about benefits associated with outsourcing, there is evidence that this
process may incur some significant risks (McFarLan & Nolan, 1995; Lacity & Hirschheim, 1993).

3. Risks associated with IS outsourcing

Risks and costs involved in outsourcing are often forgotten when considering the more obvious
benefits. These risks, however, must be understood in order to make informed decisions which
may be of crucial importance for the success of the organisation. This awareness of the possible
risks incurred when outsourcing, will enable decision makers and stake holders to take informed
decisions and draw contingency and mitigation strategies. Management needs to assess and
evaluate the risks and their impact at strategic, tactical and operational levels in a consistent way
(Ward & Griffiths, 2001). The process of risk assessment in outsourcing is focused on the
probability of the occurrence of adverse events such as:
* not achieving the planned benefits,
* not meeting agreed deadlines,
* using more resources than initially foreseen,
* change in functional and procedural requirements,
* budget overrun, and
* deficient change over of systems and finally problems associated with the operation and
maintenance of these systems.
If the outsourcing process is not preceded by careful strategic planning and thorough risk
assessment it may result in considerable financial loss, decreased shareholder value, damaged
company reputations, the dismissal of senior management, and in some cases the destruction of
the business itself (DeLoach, 2000). Vital to the organisation’s success and survival are active
assessment and monitoring of risks, the organisation’s ability to flexibly respond to the occurrence
of these adverse events and its ability to mitigate these risks (DeLoach, 2000).

4. The study

There is little or no formal research work or body of literature related to IS outsourcing trends
in Nigeria. This does not in any way prevent organisations in the country from actually
outsourcing some of their operations, and there is sufficient evidence that outsourcing is an
emerging way of undertaking business operations in the country. Service offers by reputable
multinationals in Nigeria, such as PricewaterhouseCoopers (PwC), Phillips Consulting, Andersen
Consulting and Aptech, often mention outsourcing as one of their key deliverables.
Banks in Nigeria have, for a very long time, wholly or partly outsourced services such as
training, security services, marketing and Information Technology. Schlumberger Omnes, British
Telecommunications, and 21st Century Technologies Ltd. are only a few of the current vendors of
 ARTICLE IN PRESS

B.C. Adeleye et al. / International Journal of Information Management 24 (2004) 167–180 171

IS and platforms outsourced by commercial banks. It is expected that this trend will continue to
prevail in the near future. This means that developing countries, like Nigeria, are following trends
emerging from different social and economic contexts without the benefit of formalised or
organised national support structures, policies and guidelines.
This need for regulation, strategic thinking and guidelines is particularly important in
a country as populous as Nigeria (around 126 million people), where both IS and banking
are listed on the Stock Exchange as two vibrant industry sectors (The Nigerian Stock
Exchange, 2001).
The Central Bank of Nigeria (CBN) is the national organisation that licenses all banks that
meet stipulated conditions. The role of CBN is primarily formulating and monitoring the banking
system to ensure that operators comply with monetary, credit, and foreign exchange
guidelines. There is also the Nigerian Deposit Insurance Corporation (NDIC) that
insures the deposits of banks’ customers and also carries out periodic reviews to ensure the
solvency of banks. Nevertheless, the banking system in Nigeria is fairly open. There are over 120
banks in Nigeria in three categories: Commercial, Merchant, Industrial or Development Banks.
Currently, there is a trend towards Universal Banking. This allows any interested bank to
substitute its license for a universal banking license, which enables it to provide full range of
banking and financial services.
Due to economic instability and despite Nigeria being the 6th largest world producer of oil, the
banking industry is facing some important problems. Jason (1998) states that fewer than 50 of the
over 120 banks are solvent. Five have been liquidated and a further forty-two are in serious
difficulties. Another 26 were slated for liquidation when the government changed its mind.
Consequently, bank watchers say that the future of banking in Nigeria will be tough and
competitive. Technology will be the driving and differentiating force, as reported by
Baranshamaje et al. (1995): ‘‘The information revolution offers Africa a dramatic opportunity
to leapfrog into the future, breaking out of decades of stagnation or decline [y] If African
Countries cannot take advantage of the Information Revolution and surf this great wave of
technological change, they may be crushed by it’’.

4.1. Aims and objectives

Despite these facts, the vibrancy and competitive nature of the banking sector and the trend for
IS outsourcing in the sector, there is no evidence of significant literature or theoretical discussion
on the risks involved in this practice. This research behind this paper aimed at identifying,
understanding and criticising the practices adopted by Nigerian commercial banks when
outsourcing there IS.
Explicitly, this study aimed at accomplishing a number of goals specifically intended to:

* acquire a deeper understanding of the current status of IS outsourcing in commercial banks in

Nigeria;
* identify whether policies and guidelines for risk management are available and are followed;
* identify how the risks associated with IS outsourcing are managed and mitigated; and
* contribute to the limited body of research literature on IS outsourcing available in Nigeria.
 ARTICLE IN PRESS

172 B.C. Adeleye et al. / International Journal of Information Management 24 (2004) 167–180

4.2. Research methodology

This research was undertaken to study the view of commercial banks on risks management
practices in their outsourcing activities, outsourcing strategies, role of users, and disaster recovery
procedures. The main objective of the research was to explore the risks involved in outsourcing
and the management of these risks. In order to achieve these objectives, a questionnaire-based
survey research methodology was used. These questionnaires explored a broad spectrum of
questions. The research was conducted in two phases.
The first phase involved preliminary face-to-face discussions with about 20 bank executives,
from 30 best of the banks in the Agusto & Co (2001) ranking. These interviews aimed to explore
initial assumptions and ascertain institutional willingness to participate in the survey. The initial
interviews were then analysed and 15 suitable banking institutions were selected. The second
phase involved the preparation and deployment of the main questionnaires. These were designed
using the results of the preliminary interviews and the available literature on IS, risk, risk
management and outsourcing.
The core data of this study were obtained by mailing questionnaires in July 2002 to the 15
banks selected. The target respondents were chosen to encompass a wide range of decision makers
in the three broad categories of: executive and senior management, IS/IT managers and IS users.
Seven (7) out of the fifteen (15) banks responded appropriately to the survey (response rate of
46.6%), including twenty one (21) individual responses (three per bank).
The questionnaire used in this study was divided into six sections containing closed–ended and
opened–ended questions, allowing for data triangulation and validation and hopefully avoiding
biased and top-of-the-mind choices. The purpose of the first two sections was to understand the
specific outsourcing strategies and the impacts of outsourcing in the banks. The third section
investigated the roles of users and stakeholders in the decision making process. The next two
sections aimed to identify risk management procedures and guidelines and investigate how
outsourcing risks are managed in these banks. The last section investigated the disaster recovery
practices that are adopted by the respondent banks.
Each questionnaire was sent with a covering letter explaining the purpose of the study. The
length of the questionnaire was taken into consideration and the terms used in the questionnaires
were not technical, so no explanations were needed.

4.3. The findings

4.3.1. Outsourcing strategies

From the responses to the questionnaire it became apparent that all seven banks were using
computer based IS since they commenced operations and that all of them were engaged in IS
outsourcing. However the unique nature of Nigeria has lent a different character to these same
practices. In fact, as emerged quite clearly from the responses, the two key regulatory agencies for
banks in the country are very slow at keeping up with international standards and best practices,
notwithstanding the increasing globalisation of financial markets and institutions. The country
also lacks necessary policy and institutional frameworks from the regulatory authorities.
At first, outsourcing practice seemed to consist of the reactive acquisition of off-the-shelf
generic software to resolve particular needs. Current practice has since evolved and seems now to
 ARTICLE IN PRESS

B.C. Adeleye et al. / International Journal of Information Management 24 (2004) 167–180 173

be based on integrated banking solutions such as GLOBUS, PHOENIX, BANKMASTER RS,

FINACLE, MIDAS EQUATIONS, as illustrated in Fig. 1. The outsourcing practices by banks
involve considerable amounts of risks and resources and seem to be based on an ‘‘Everest
Syndrome’’ type approach. This refers to the attitude among managers that IS solutions are to be
acquired and used for the same reason the British climber George Mallory gave in 1924 when he
was asked why he wanted to climb Mount Everest—’’Because it is there’’. This is probably a direct
consequence of another finding from this study: only the executive management or board of
directors make the decisions that usher any process of outsourcing.
Given the level of IS implementation in Nigerian banks and the generally adopted practice of
outsourcing, it was surprising to find that six of the banks surveyed do not have explicit
outsourcing strategies. Even for the one bank that did have such strategies, it was obvious that
these were only scarcely documented and still in the process of being developed. More curiously,
one executive manager from another bank declared the existence of such guidelines, but neither
the IS manager nor the user were aware of it. However, 43% intend to put in place an outsourcing
strategy, while 33% have no idea whether they would be adopting such strategies and 24% stating
that they have no intention of doing so (Fig. 2). Nonetheless, when asked if they intend to
outsource new systems in the near future all respondents answered yes.

40

35

30
Response (%)

25

20

15

10

0
SAP Bankmaster Globus Finacle Phoneix Others

Fig. 1. Banking software currently being used.

Yes
33%
43%
No

Do not
know
24%

Fig. 2. Banks intending to put in place an outsourcing strategy.

 ARTICLE IN PRESS

174 B.C. Adeleye et al. / International Journal of Information Management 24 (2004) 167–180

Training and education

0%
Software development
0%
3%
0% Software maintenance
3%
24%
Data communication networks
19%
Support operations (equipment maintenance/
service)

Disaster recovery

16%
Telephone support of customers
19%
Development of a fully integrated system
16% (hardware, software or networking)

Data centre (computer) operation

Other (please describe)

Fig. 3. IS functions currently being outsourced.

This survey also identified that from all respondents who stated that they were outsourcing,
96% stated they were doing it selectively, while 4% do third party maintained. This can be
considered as very good practice, since selective outsourcing often results in greater flexibility and
better services. Fig. 3, shows how different IS functions (that is software development, software
maintenance, data communication networks, support operations, training and education) are
distributed in terms of outsourcing: training and education (24%), software development (16%),
software maintenance (16%), and both support operations and data communication networks
(19%). By contrast telephone support of customers and disaster recovery rank as the lowest (3%).
This comes as no surprise since customer support is paramount to guarantee customer satisfaction
and acceptance and constitutes a core competence of the organisation. Similarly, disaster recovery
is also of crucial importance since the costs of disaster are not only of a financial nature, but have
also high visibility and high image and reputation risks. Therefore, banks tend to ensure that both
of these services are kept in-house.
Furthermore, this research confirms that the banks do see organisational data as a strategic
advantage that must be operated and maintained done internally. In fact, all banks surveyed
stated that they operated their data centre internally. This is in line with current practice in the
banking sector worldwide. On the other side, training and education seemed to be frequently
outsourced and this is possibly due to the fact that most of the software is bought from vendors
and this often includes training clauses in the contracts.
 ARTICLE IN PRESS

B.C. Adeleye et al. / International Journal of Information Management 24 (2004) 167–180 175

4.3.2. Impact of outsourcing

The decision behind outsourcing is strongly influenced by high expectations of strategic and
operational benefits. Different banks may outsource for different reasons, therefore it is important
to recognise these differences when assessing the impact of outsourcing in organisations. The
banks surveyed stated a number of reasons: improved customer relationships (68.5%), improved
management information system (60%) and greater efficiency in business processes (65.7%), as
well as better utilisation of staff (60%) and improved security (54.2%). Other benefits mentioned
are: specialisation and the need to adopt new management strategies and procedural methods;
technology infusion through contact with new systems; staff skills improvements; reduced
overhead costs; slimmer work force; avoidance of investment in areas other than the core business
and guaranteed technical support (Fig. 4).
In terms in drawbacks, banks referred to a very disparate set of factors:
* lack of and reduced security;
* difficulty in retaining loyalty of existing staff after organisational changes, which became
necessary by the introduction of the outsourced systems;
* difficulty in maintaining motivation of existing staff due to the perception that everything
related to IT and IS is the responsibility of the vendors;
* vendors unwillingness to transfer knowledge related to the outsourced IS;
* running, maintenance and training cost;
* difficulties with the interface with the outsourced systems;
* increasing dependency on the contractor, that is not always prompt, or even willing, to attend
to possible problems and meet deadlines;

100

90

80

68.5
70 65.7
Response (%)

60 60 60
60 54.2

50

40

30

20
utilisation of
efficiency e.g.
relationships

in respect of
security e.g.
management

statements
errors e.g.
information

Reduced

Improved
customer

Improved

payment
Inproved

speed, in
business
systems

errors

Better
Greater

staff

Fig. 4. Impact of outsourcing in banks bank.

 ARTICLE IN PRESS

176 B.C. Adeleye et al. / International Journal of Information Management 24 (2004) 167–180

* threaten security, namely in what concerns guaranteeing the loyalty and confidentiality of
vendor and vendor’s staff;
* threats of having overall performance dependent on vendor; and
* introducing ‘‘buck passing’’ resulting from the lack of clear assignment of responsibilities over
IS tasks and processes shared between in-house and vendor’s staff.
These results show that there is a clear awareness of the benefits and drawbacks of outsourcing
in banks in Nigeria, which represents the realisation of this research’s first objective. Managers, IS
staff and users seem to be aware of the majority of problems and risks associated to the practice of
outsourcing as reported in the literature in the field. So they are well informed and outsourcing
decisions are well supported. The next question in this research was to investigate if this
knowledge of risk is expressed in terms of appropriate risk management strategies and policies.

4.3.3. Risk management practices

When asked if the organisation had any explicit risk management procedures or guidelines for
IS outsourcing, all of the banks admitted that they had none in place. Furthermore and possibly
even more surprisingly, none of the banks accepted third party guidelines be it from vendors or
other banks.
This situation was however not totally unexpected, since some of the risk management methods
could be embedded in general management best practice. So this research tried to determine if any
of these were actually occurring in the outsourcing process, although not explicitly recognised as
risk management. In fact, the process of risk management is usually divided into risk
identification, risk analysis, risk response planning and risk monitoring and control (Hillson,
2002). These steps are sometimes iterative and not always taken in sequence. For the purpose of
this research it was necessary to express these steps in terms of activities and methods undertaken
in the organisation while outsourcing their IS. Once these activities were identified, it was then
possible to question banks regarding their usage.
The following methods were identified from the literature review on risk management for
outsourcing:
* circulation of list of existing problems;
* identification of the risks in outsourcing a service/function;
* examination of the impacts of risk on outsourcing;
* review of documentation of existing system;
* interviews with appropriate in-house users and managers;
* documentation of transaction flows;
* joint meetings of systems people, operators and end users of reports; and
* recommendations designed to avoid or prevent risk from occurring.
The banks surveyed were asked to rank, using a scale of 5 (highest frequency) to 1(lowest
frequency), the observance and adoption of these risk management activities during outsourcing.
The results of this part of the questionnaire are shown in Fig. 5.
Interviews with appropriate supervisory and clerical staff as means of identifying risks and
problems were found to take place 68.5% of the cases. Documentation of transaction flow, and
having joint meetings with systems department people, auditors and end users is also common in
 ARTICLE IN PRESS

B.C. Adeleye et al. / International Journal of Information Management 24 (2004) 167–180 177

80

68.5

60
60 57.1 57.1
Responses (%)

54.2

48.5

42.8 42.8

40

20
Documentation
documentation

Circulation of
Identification of

Joint meetings

risk occurrence
Interviews with

Examining the
impacts of risk
of transaction

Planning for
of all stake
of existing

problems
Review of

holders
system

list of
flows
staff

risks

Fig. 5. Risk management.

these organisations during outsourcing (57.1%). 6 of the banks make sure that joint meetings with
systems staff, internal control, and users occur regularly. Five of the banks circulate list of existing
problems in the different departments and use these to justify decisions for change and
outsourcing.
However, only 42.8% of the respondents declared to have departmental plans to avoid the
occurrence of risks and its impacts and only 1 bank had strategic and global risk control plans.
Similarly, only 2 banks considered identification of the risks in outsourcing as a major component
of their decision making process.
On the positive side, 71.4% of the respondents stated that their organisation had a disaster
recovery plan in place, which is reviewed periodically. The study revealed that different banks
have different reasons for adopting a disaster recovery plan. For example in Fig. 6, 55% of
respondents said that the plan covers responsibilities of specific individuals. All respondents stated
that there are provisions for uninterrupted power supply. All respondents also said their disaster
recovery plans cover procedures for protecting integrity of data and information. Again, 100% of
respondents said these plans include alternate procedures in the event that an outsourced IS
breaks down.
This was to be expected since the Basel Committee on Banking Supervision (BCBS) (1998)
imposed the need for ‘‘adequate preventive measures’’ that help minimising the probability that
negative events occur. The BCB also proposes that management should ensure that ‘‘adequate
systems of containment measures’’ are put in place in order to help detect and limit the effects on
the business of events, which may bypass preventive controls and threaten banks’ operations.
 ARTICLE IN PRESS

178 B.C. Adeleye et al. / International Journal of Information Management 24 (2004) 167–180

120

100 100 100

100
Response (%)

80
71.4 71.4

60 55

40
master plan that

in the event that

alternate facility

power supply in

responsibilities
destroyed files
reconstructing
insurance that
covers cost of

uninterrupted
Have in place
Written down

power failure
Copies of all
master files,
Provision of

the event of

of specified
outsourced

transaction
prevention

describes

the banks

programs

indiduals
files, and

installed
disaster

Covers
Fig. 6. Disaster recovering plan.

5. Conclusion and future work

This exploratory empirical study investigating the risk management practices in the outsourcing
of IS in commercial banks in Nigeria has led to several important conclusions. While some of
these have confirmed initial assumptions, others have been contrary to ordinary intuition. The
survey showed that in spite of the lack of regulations and infrastructures in the country,
outsourcing is now a common practice and has achieved some considerable degree of success.
However, it is evident that banks are taking a reactive approach to outsourcing risk management
that may make them vulnerable to a number strategic and operational risks, which may have
considerable financial and reputation costs. In order to avoid these, a more proactive management
attitude is required including the adoption of well-defined and structured risk management
guidelines, policies and procedures.
Although the sample size is representative of the population of banks in Nigeria, and the results
provide valuable insights into the risk management practices in the outsourcing process, the need
for further work in this area is strongly recommended. Future research efforts should expand the
body of literature, but also critically examine, document and recommend the role of managers in
banks and regulatory and supervisory bodies in enforcing the adoption and adaptation of global
best practices.

References

Atkinson, J. (1985). The flexibility factor, Institute for Manpower Studies, Sussex University, Sussex.
 ARTICLE IN PRESS

B.C. Adeleye et al. / International Journal of Information Management 24 (2004) 167–180 179

Agusto & Co (2001). Rated Banks Nigeria and bank profile. [Online] http://www.agusto.com/pub1/default.html
[Accessed August 11 2002].
Baranshamaje, E., Boostrom, E., Brajovic, V., Cader, M., Clement-Jones, R., Hawkins, R., Knight, P., Schware, R., &
Sloan, H. (1995). Increasing Internet Connectivity in Sub-Saharan Africa: issues, options, and World Bank Group role,
[Online] http://www.uneca.org/eca resources/publications/disd/old/padis/telemat/africa03.htm [Accessed August 11
2002].
Basel Committee on Banking Supervision (1998). Operational risk management: Basel Committee Publications No. 42,
[Online] http://www.bis.org/publ/bcbs42.htm [Accessed July 10 2002].
Boiney, G. L. (1999). Knowledge is Power: but knowledge management requires organizational change. Journal of
Contemporary Business Practice, Spring 1999, [Online] http://gbr.pepperdine.edu/992/infotech.html [Accessed July 1
2002].
Broady-Preston, J., & Hayward, T. (2001). Strategy, information processing and scorecard models in the UK financial
services sector. Information Research, 7(1), [Online] http://InformationR.net/ir/7-1/paper122.html [Accessed July 4
2002].
Butler, M., Holt, M., Menzies, K., Jones, G., Jennings, T., Jagger, E., Smith, E., Newman, J., Jones, T., & Gibbes, K.
(2001). Strategic sourcing: Effective alternatives for the enterprise. Butler Group, Technology Infrastructure,
Research and Advisory Services.
Computer Sciences Corporation (CSC) (2000). CSC enters outsourcing agreement with Swiss bank, [Online]
http://www.csc.com/newsandevents/news/221.shtml. [Accessed June 11 2002].
DeLoach Jr., J. W. (2000). Enterprise-wide risk management: Strategies for linking risk and opportunity. London:
Financial Times.
De Looff, L. (1997). Information systems outsourcing decision making: A managerial approach. London: Idea Group
Publishing.
Drucker, P. F. (1995). Managing in a time of great change. New York: Truman Talley Books.
Dyer, J. F., & Ouchi, W. G. (1993). Japanese-style partnership: giving companies competitive edge. Sloan Management
Review, 4(16), 51–63.
Fan, Y. (2000). Strategic outsourcing: Evidence from British companies. Marketing Intelligence and Planning, 18(4),
213–219.
Fleck, F. (2002). Clients left out in cold by Swiss private bank mergers, [Online] http://www.milleniumassociates.com/
PDF/Complinet%20Clients%20left%20out%202Jul2002.pdf. [Accessed July 4 2002].
Hillson, D. (2002). Extending the risk process to manage opportunities. International Journal of Project Management,
20, 235–240 [Online] www.elsevier.com/locate/ijproman. [Accessed 20 July 2002].
Huber, R. L. (1993). How Continental Bank Outsourced its Crown Jewels. Harvard Business Review, 31(1),
77–84.
Jason, P. (1998). Turn around in Nigeria banking: New Africa Market. NEWAFRICA [Online] April.
http://dspace.dial.pipex.com/town/terrace/lf41/na/apr98/namb0406.htm. [Accessed July 20 2002].
Lacity, M. C., & Hirschheim, R. (1993). Information systems outsourcing: Myths, metaphors and realities. London:
Wiley.
Loh, L., & Venkatraman, N. (1992). Diffusion of information technology outsourcing: Influence sources and the
Kodak effect. Information Systems Research, 3, 334–358.
Lonsdale, C. (1999). Effectively managing vertical supply relationships: A risk management model for outsourcing
supply chain management. An International Journal, 4(4), 176–183.
McFarlan, F., & Nolan, R. (1995). How to Manage an IT Outsourcing Alliance. Sloan Management Review, 36(2),
9–23.
Mylott III, T. R. (1995). Computer outsourcing: Managing the transfer of information systems. Eaglewood Cliffs, NJ:
Prentice Hall.
O’Brien, J. A. (1996). Management information systems: Managing information technology in the networked enterprise.
Boston: McGraw-Hill.
Pearlson, K. E. (2001). Managing and using information systems: a strategic approach. Chichester: Wiley.
Scott, S. V. (2000). ‘IT-Enabled Credit Risk Modernisation: A revolution under the cloak of normality. Accounting,
Management and Information Technology, 10(3), 221–255.
 ARTICLE IN PRESS

180 B.C. Adeleye et al. / International Journal of Information Management 24 (2004) 167–180

Sun Microsystems (2001). Sun in financial services. Santa Clara, California: Sun Microsystems, [Online]
http://www.sun.com/finance/overview.html [Accessed August 2 2002].
The Nigerian Stock Exchange (2001). The quoted companies. [Online] http://www.thenigerianstockexchange.com/
exchange frame. [Accessed June 20 2002].
Ward, J., & Griffiths, P. (2001). Strategic planning for information systems. Chichester: Wiley.
West, T. W. (1996). Leveraging technology. Educom Review, 31(3), 34–35.
White, L. H. (2002). In what respects will the information age make central banks obsolete? An Interdisciplinary
Journal of Public Policy Analysis, 21(2), [Online] http://www.cato.org/pubs/journal/cj21n2/cj21n2-7.pdf
[Accessed July 16 2002].
Willcocks, P. L., & Lacity, M. C. (1998). IT outsourcing in insurance services: Risk, creative contracting and business
advantage. Information Systems Journal, 9, 163–183.

Bumni Adeleye, Pg.Dip., B.Sc., M.Sc. is currently a Business Risk Manager at Heineken Africa in Nigeria. She holds a
B.Sc. in Computer Science and an M.Sc. in Information Systems. She is currently involved in designing and establishing
risk management practices in her company.

Fenio Annansingh, A.Sc., B.Sc., M.Sc., is a Researcher in Information Systems at the Department of Information
Studies, University of Sheffield. She holds a B.Sc. in Professional Management and an M.Sc. in Information Systems.
She is currently investigating risk management associated with projects involving intensive knowledge management
issues and possible loss of intellectual property. She is also engaged in completing a Ph.D. in information Studies. As a
member of the Data Management and Information Systems Research Group, she has been involved in research in
information systems risk and database design.

Jos!e Miguel Baptista Nunes, Lic. MatApl, M.Sc., Ph.D., ILTM, FIMIS, is a Lecturer in Information Management at
the 5A Department of Information Studies, University of Sheffield. He holds an M.Sc. in Applied Mathematics, an
M.Sc. in Information Management and a Ph.D. in Information Studies. As a Member of the Data Management and
Information Systems Research Group, he has been involved in research in information System modelling, database
design and social informatics.