Adeleye2004 PDF
Abstract
This research work focuses on the risk management practices adopted by Commercial Banks in Nigeria
that are related to the outsourcing of information systems (IS). The need for the research emerged from the
lack of studies addressing these problems in developing countries in general and in this country in
particular. The research reported in this paper shows that despite the globally increasing trend of IS
outsourcing in the sector, Nigerian commercial banks are lacking in both strategic and operational risk
management practices. Consequently, they are especially prone to the adoption of inappropriate IS solutions
and are vulnerable to IS failure and fraud.
The research is empirically based drawing on an extensive literature and case study review as well as an
extensive survey of banks in Nigeria. The main method of data collection was a questionnaire sent to 15
commercial banks, which was aimed at respondents in three distinct categories: executive management,
systems managers and users. The analysis of the data included both a quantitative and an inductive
qualitative approach. The latter was used to draw inferences on the current situation.
The findings revealed that managers of commercial banks understand the nature of IS outsourcing and
that they all agreed that adopting risk management practices is important. Nevertheless, the situation is
critical. A significant proportion of the commercial banks have no documented and structured outsourcing
strategy or policy; consequently no programme or procedural guidance is available at any level. The study
also discovered that contrary to practice in developed countries, the regulatory authorities in Nigeria have
not formulated substantive guidelines or procedural rules to be adopted nationally by commercial banks.
© 2004 Elsevier Ltd. All rights reserved.
Keywords: Information systems outsourcing; IS risk management; IS strategic thinking; Commercial bank
*Corresponding author.
E-mail address: j.m.nunes@sheffield.ac.uk (M.B. Nunes).
0268-4012/$ - see front matter © 2004 Elsevier Ltd. All rights reserved.
doi:10.1016/j.ijinfomgt.2003.10.004
ARTICLE IN PRESS
168 B.C. Adeleye et al. / International Journal of Information Management 24 (2004) 167–180
In Nigeria, all banks are licensed by the Central Bank of Nigeria (CBN) and incorporated
under the Companies and Allied Matters Act of 1990. The intermediation role of banks in a
country with an estimated population of 120 million inhabitants results in a pressing need to
develop or acquire, install, deploy and maintain top rated information systems (IS). The systems
so deployed are expected to be efficient, effective, robust and fluid in order to respond and adapt
to current and future operational needs.
IS plays an important role in the business of any bank. These systems are at the core of the
information management of the organisation and allow it to operate efficiently and maintain its
competitive advantage. According to O’Brien (1996, p.7), “if information systems do not properly
support the strategic objectives, business operations, or management needs of an enterprise, they
can seriously damage its prospects for survival and success”. This paper further enumerates three
vital roles of IS:
depends on the ability of the given organisation to manage the risks associated with this process of
outsourcing.
2. IS outsourcing
outsourcing in Bank of America (USA), the outsourcing agreement between AT&T and IBM at
Bank One and the $44 million outsourcing agreement between Coop Bank and Computer Science
Corporation also in Switzerland (CSC, 2000).
Despite the optimism about benefits associated with outsourcing, there is evidence that this
process may incur some significant risks (McFarlan & Nolan, 1995; Lacity & Hirschheim, 1993).
Risks and costs involved in outsourcing are often forgotten when considering the more obvious
benefits. These risks, however, must be understood in order to make informed decisions which
may be of crucial importance for the success of the organisation. This awareness of the possible
risks incurred when outsourcing will enable decision makers and stakeholders to take informed
decisions and draw contingency and mitigation strategies. Management needs to assess and
evaluate the risks and their impact at strategic, tactical and operational levels in a consistent way
(Ward & Griffiths, 2001). The process of risk assessment in outsourcing is focused on the
probability of the occurrence of adverse events such as:
* not achieving the planned benefits,
* not meeting agreed deadlines,
* using more resources than initially foreseen,
* change in functional and procedural requirements,
* budget overrun, and
* deficient change over of systems and finally problems associated with the operation and
maintenance of these systems.
If the outsourcing process is not preceded by careful strategic planning and thorough risk
assessment it may result in considerable financial loss, decreased shareholder value, damaged
company reputations, the dismissal of senior management, and in some cases the destruction of
the business itself (DeLoach, 2000). Vital to the organisation’s success and survival are active
assessment and monitoring of risks, the organisation’s ability to flexibly respond to the occurrence
of these adverse events and its ability to mitigate these risks (DeLoach, 2000).
4. The study
There is little or no formal research work or body of literature related to IS outsourcing trends
in Nigeria. This does not in any way prevent organisations in the country from actually
outsourcing some of their operations, and there is sufficient evidence that outsourcing is an
emerging way of undertaking business operations in the country. Service offers by reputable
multinationals in Nigeria, such as PricewaterhouseCoopers (PwC), Phillips Consulting, Andersen
Consulting and Aptech, often mention outsourcing as one of their key deliverables.
Banks in Nigeria have, for a very long time, wholly or partly outsourced services such as
training, security services, marketing and Information Technology. Schlumberger Omnes, British
Telecommunications, and 21st Century Technologies Ltd. are only a few of the current vendors of
IS and platforms outsourced by commercial banks. It is expected that this trend will continue to
prevail in the near future. This means that developing countries, like Nigeria, are following trends
emerging from different social and economic contexts without the benefit of formalised or
organised national support structures, policies and guidelines.
This need for regulation, strategic thinking and guidelines is particularly important in
a country as populous as Nigeria (around 126 million people), where both IS and banking
are listed on the Stock Exchange as two vibrant industry sectors (The Nigerian Stock
Exchange, 2001).
The Central Bank of Nigeria (CBN) is the national organisation that licenses all banks that
meet stipulated conditions. The role of CBN is primarily formulating and monitoring the banking
system to ensure that operators comply with monetary, credit, and foreign exchange
guidelines. There is also the Nigerian Deposit Insurance Corporation (NDIC) that
insures the deposits of banks’ customers and also carries out periodic reviews to ensure the
solvency of banks. Nevertheless, the banking system in Nigeria is fairly open. There are over 120
banks in Nigeria in three categories: Commercial, Merchant, Industrial or Development Banks.
Currently, there is a trend towards Universal Banking. This allows any interested bank to
substitute its license for a universal banking license, which enables it to provide a full range of
banking and financial services.
Due to economic instability and despite Nigeria being the 6th largest world producer of oil, the
banking industry is facing some important problems. Jason (1998) states that fewer than 50 of the
over 120 banks are solvent. Five have been liquidated and a further forty-two are in serious
difficulties. Another 26 were slated for liquidation when the government changed its mind.
Consequently, bank watchers say that the future of banking in Nigeria will be tough and
competitive. Technology will be the driving and differentiating force, as reported by
Baranshamaje et al. (1995): “The information revolution offers Africa a dramatic opportunity
to leapfrog into the future, breaking out of decades of stagnation or decline […] If African
Countries cannot take advantage of the Information Revolution and surf this great wave of
technological change, they may be crushed by it”.
Despite these facts, the vibrancy and competitive nature of the banking sector and the trend for
IS outsourcing in the sector, there is no evidence of significant literature or theoretical discussion
on the risks involved in this practice. The research behind this paper aimed at identifying,
understanding and criticising the practices adopted by Nigerian commercial banks when
outsourcing their IS.
Explicitly, this study aimed at accomplishing a number of goals specifically intended to:
This research was undertaken to study the view of commercial banks on risks management
practices in their outsourcing activities, outsourcing strategies, role of users, and disaster recovery
procedures. The main objective of the research was to explore the risks involved in outsourcing
and the management of these risks. In order to achieve these objectives, a questionnaire-based
survey research methodology was used. These questionnaires explored a broad spectrum of
questions. The research was conducted in two phases.
The first phase involved preliminary face-to-face discussions with about 20 bank executives,
from the 30 best banks in the Agusto & Co (2001) ranking. These interviews aimed to explore
initial assumptions and ascertain institutional willingness to participate in the survey. The initial
interviews were then analysed and 15 suitable banking institutions were selected. The second
phase involved the preparation and deployment of the main questionnaires. These were designed
using the results of the preliminary interviews and the available literature on IS, risk, risk
management and outsourcing.
The core data of this study were obtained by mailing questionnaires in July 2002 to the 15
banks selected. The target respondents were chosen to encompass a wide range of decision makers
in the three broad categories of: executive and senior management, IS/IT managers and IS users.
Seven (7) out of the fifteen (15) banks responded appropriately to the survey (response rate of
46.6%), including twenty-one (21) individual responses (three per bank).
The questionnaire used in this study was divided into six sections containing closed-ended and
open-ended questions, allowing for data triangulation and validation and hopefully avoiding
biased and top-of-the-mind choices. The purpose of the first two sections was to understand the
specific outsourcing strategies and the impacts of outsourcing in the banks. The third section
investigated the roles of users and stakeholders in the decision making process. The next two
sections aimed to identify risk management procedures and guidelines and investigate how
outsourcing risks are managed in these banks. The last section investigated the disaster recovery
practices that are adopted by the respondent banks.
Each questionnaire was sent with a covering letter explaining the purpose of the study. The
length of the questionnaire was taken into consideration and the terms used in the questionnaires
were not technical, so no explanations were needed.
[Figure: bar chart; y-axis: Response (%); x-axis: SAP, Bankmaster, Globus, Finacle, Phoneix, Others]
[Figure: chart of responses; categories: Yes, No, Do not know]
[Fig. 3: outsourced IS functions. Legend: Software development; Software maintenance; Data communication networks; Support operations (equipment maintenance/service); Disaster recovery; Telephone support of customers; Development of a fully integrated system (hardware, software or networking)]
This survey also identified that from all respondents who stated that they were outsourcing,
96% stated they were doing it selectively, while 4% opt for third-party maintenance. This can be
considered as very good practice, since selective outsourcing often results in greater flexibility and
better services. Fig. 3 shows how different IS functions (that is software development, software
maintenance, data communication networks, support operations, training and education) are
distributed in terms of outsourcing: training and education (24%), software development (16%),
software maintenance (16%), and both support operations and data communication networks
(19%). By contrast telephone support of customers and disaster recovery rank as the lowest (3%).
This comes as no surprise since customer support is paramount to guarantee customer satisfaction
and acceptance and constitutes a core competence of the organisation. Similarly, disaster recovery
is also of crucial importance since the costs of disaster are not only of a financial nature, but have
also high visibility and high image and reputation risks. Therefore, banks tend to ensure that both
of these services are kept in-house.
Furthermore, this research confirms that the banks do see organisational data as a strategic
advantage that must be operated and maintained internally. In fact, all banks surveyed
stated that they operated their data centre internally. This is in line with current practice in the
banking sector worldwide. On the other side, training and education seemed to be frequently
outsourced and this is possibly due to the fact that most of the software is bought from vendors
and this often includes training clauses in the contracts.
[Figure: bar chart; y-axis: Response (%)]
* threaten security, namely in what concerns guaranteeing the loyalty and confidentiality of
vendor and vendor’s staff;
* threats of having overall performance dependent on vendor; and
* introducing “buck passing” resulting from the lack of clear assignment of responsibilities over
IS tasks and processes shared between in-house and vendor’s staff.
These results show that there is a clear awareness of the benefits and drawbacks of outsourcing
in banks in Nigeria, which represents the realisation of this research’s first objective. Managers, IS
staff and users seem to be aware of the majority of problems and risks associated with the practice of
outsourcing as reported in the literature in the field. So they are well informed and outsourcing
decisions are well supported. The next question in this research was to investigate if this
knowledge of risk is expressed in terms of appropriate risk management strategies and policies.
[Figure: bar chart; y-axis: Responses (%)]
these organisations during outsourcing (57.1%). Six of the banks make sure that joint meetings with
systems staff, internal control, and users occur regularly. Five of the banks circulate a list of existing
problems in the different departments and use these to justify decisions for change and
outsourcing.
However, only 42.8% of the respondents declared that they had departmental plans to avoid the
occurrence of risks and their impacts, and only 1 bank had strategic and global risk control plans.
Similarly, only 2 banks considered identification of the risks in outsourcing as a major component
of their decision making process.
On the positive side, 71.4% of the respondents stated that their organisation had a disaster
recovery plan in place, which is reviewed periodically. The study revealed that different banks
have different reasons for adopting a disaster recovery plan. For example in Fig. 6, 55% of
respondents said that the plan covers responsibilities of specific individuals. All respondents stated
that there are provisions for uninterrupted power supply. All respondents also said their disaster
recovery plans cover procedures for protecting integrity of data and information. Again, 100% of
respondents said these plans include alternate procedures in the event that an outsourced IS
breaks down.
This was to be expected since the Basel Committee on Banking Supervision (BCBS) (1998)
imposed the need for “adequate preventive measures” that help minimise the probability that
negative events occur. The BCBS also proposes that management should ensure that “adequate
systems of containment measures” are put in place in order to help detect and limit the effects on
the business of events, which may bypass preventive controls and threaten banks’ operations.
[Figure: bar chart]
Fig. 6. Disaster recovering plan.
This exploratory empirical study investigating the risk management practices in the outsourcing
of IS in commercial banks in Nigeria has led to several important conclusions. While some of
these have confirmed initial assumptions, others have been contrary to ordinary intuition. The
survey showed that in spite of the lack of regulations and infrastructures in the country,
outsourcing is now a common practice and has achieved some considerable degree of success.
However, it is evident that banks are taking a reactive approach to outsourcing risk management
that may make them vulnerable to a number of strategic and operational risks, which may have
considerable financial and reputation costs. In order to avoid these, a more proactive management
attitude is required including the adoption of well-defined and structured risk management
guidelines, policies and procedures.
Although the sample size is representative of the population of banks in Nigeria, and the results
provide valuable insights into the risk management practices in the outsourcing process, the need
for further work in this area is strongly recommended. Future research efforts should expand the
body of literature, but also critically examine, document and recommend the role of managers in
banks and regulatory and supervisory bodies in enforcing the adoption and adaptation of global
best practices.
References
Atkinson, J. (1985). The flexibility factor, Institute for Manpower Studies, Sussex University, Sussex.
Agusto & Co (2001). Rated Banks Nigeria and bank profile. [Online] http://www.agusto.com/pub1/default.html
[Accessed August 11 2002].
Baranshamaje, E., Boostrom, E., Brajovic, V., Cader, M., Clement-Jones, R., Hawkins, R., Knight, P., Schware, R., &
Sloan, H. (1995). Increasing Internet Connectivity in Sub-Saharan Africa: issues, options, and World Bank Group role,
[Online] http://www.uneca.org/eca resources/publications/disd/old/padis/telemat/africa03.htm [Accessed August 11
2002].
Basel Committee on Banking Supervision (1998). Operational risk management: Basel Committee Publications No. 42,
[Online] http://www.bis.org/publ/bcbs42.htm [Accessed July 10 2002].
Boiney, G. L. (1999). Knowledge is Power: but knowledge management requires organizational change. Journal of
Contemporary Business Practice, Spring 1999, [Online] http://gbr.pepperdine.edu/992/infotech.html [Accessed July 1
2002].
Broady-Preston, J., & Hayward, T. (2001). Strategy, information processing and scorecard models in the UK financial
services sector. Information Research, 7(1), [Online] http://InformationR.net/ir/7-1/paper122.html [Accessed July 4
2002].
Butler, M., Holt, M., Menzies, K., Jones, G., Jennings, T., Jagger, E., Smith, E., Newman, J., Jones, T., & Gibbes, K.
(2001). Strategic sourcing: Effective alternatives for the enterprise. Butler Group, Technology Infrastructure,
Research and Advisory Services.
Computer Sciences Corporation (CSC) (2000). CSC enters outsourcing agreement with Swiss bank, [Online]
http://www.csc.com/newsandevents/news/221.shtml. [Accessed June 11 2002].
DeLoach Jr., J. W. (2000). Enterprise-wide risk management: Strategies for linking risk and opportunity. London:
Financial Times.
De Looff, L. (1997). Information systems outsourcing decision making: A managerial approach. London: Idea Group
Publishing.
Drucker, P. F. (1995). Managing in a time of great change. New York: Truman Talley Books.
Dyer, J. F., & Ouchi, W. G. (1993). Japanese-style partnership: giving companies competitive edge. Sloan Management
Review, 4(16), 51–63.
Fan, Y. (2000). Strategic outsourcing: Evidence from British companies. Marketing Intelligence and Planning, 18(4),
213–219.
Fleck, F. (2002). Clients left out in cold by Swiss private bank mergers, [Online] http://www.milleniumassociates.com/
PDF/Complinet%20Clients%20left%20out%202Jul2002.pdf. [Accessed July 4 2002].
Hillson, D. (2002). Extending the risk process to manage opportunities. International Journal of Project Management,
20, 235–240 [Online] www.elsevier.com/locate/ijproman. [Accessed 20 July 2002].
Huber, R. L. (1993). How Continental Bank Outsourced its Crown Jewels. Harvard Business Review, 31(1),
77–84.
Jason, P. (1998). Turn around in Nigeria banking: New Africa Market. NEWAFRICA [Online] April.
http://dspace.dial.pipex.com/town/terrace/lf41/na/apr98/namb0406.htm. [Accessed July 20 2002].
Lacity, M. C., & Hirschheim, R. (1993). Information systems outsourcing: Myths, metaphors and realities. London:
Wiley.
Loh, L., & Venkatraman, N. (1992). Diffusion of information technology outsourcing: Influence sources and the
Kodak effect. Information Systems Research, 3, 334–358.
Lonsdale, C. (1999). Effectively managing vertical supply relationships: A risk management model for outsourcing
supply chain management. An International Journal, 4(4), 176–183.
McFarlan, F., & Nolan, R. (1995). How to Manage an IT Outsourcing Alliance. Sloan Management Review, 36(2),
9–23.
Mylott III, T. R. (1995). Computer outsourcing: Managing the transfer of information systems. Eaglewood Cliffs, NJ:
Prentice Hall.
O’Brien, J. A. (1996). Management information systems: Managing information technology in the networked enterprise.
Boston: McGraw-Hill.
Pearlson, K. E. (2001). Managing and using information systems: a strategic approach. Chichester: Wiley.
Scott, S. V. (2000). IT-Enabled Credit Risk Modernisation: A revolution under the cloak of normality. Accounting,
Management and Information Technology, 10(3), 221–255.
Sun Microsystems (2001). Sun in financial services. Santa Clara, California: Sun Microsystems, [Online]
http://www.sun.com/finance/overview.html [Accessed August 2 2002].
The Nigerian Stock Exchange (2001). The quoted companies. [Online] http://www.thenigerianstockexchange.com/
exchange frame. [Accessed June 20 2002].
Ward, J., & Griffiths, P. (2001). Strategic planning for information systems. Chichester: Wiley.
West, T. W. (1996). Leveraging technology. Educom Review, 31(3), 34–35.
White, L. H. (2002). In what respects will the information age make central banks obsolete? An Interdisciplinary
Journal of Public Policy Analysis, 21(2), [Online] http://www.cato.org/pubs/journal/cj21n2/cj21n2-7.pdf
[Accessed July 16 2002].
Willcocks, P. L., & Lacity, M. C. (1998). IT outsourcing in insurance services: Risk, creative contracting and business
advantage. Information Systems Journal, 9, 163–183.
Bumni Adeleye, Pg.Dip., B.Sc., M.Sc. is currently a Business Risk Manager at Heineken Africa in Nigeria. She holds a
B.Sc. in Computer Science and an M.Sc. in Information Systems. She is currently involved in designing and establishing
risk management practices in her company.
Fenio Annansingh, A.Sc., B.Sc., M.Sc., is a Researcher in Information Systems at the Department of Information
Studies, University of Sheffield. She holds a B.Sc. in Professional Management and an M.Sc. in Information Systems.
She is currently investigating risk management associated with projects involving intensive knowledge management
issues and possible loss of intellectual property. She is also engaged in completing a Ph.D. in Information Studies. As a
member of the Data Management and Information Systems Research Group, she has been involved in research in
information systems risk and database design.
José Miguel Baptista Nunes, Lic. MatApl, M.Sc., Ph.D., ILTM, FIMIS, is a Lecturer in Information Management at
the 5A Department of Information Studies, University of Sheffield. He holds an M.Sc. in Applied Mathematics, an
M.Sc. in Information Management and a Ph.D. in Information Studies. As a Member of the Data Management and
Information Systems Research Group, he has been involved in research in information System modelling, database
design and social informatics.