Risk management practices in IS outsourcing: an investigation into commercial banks in Nigeria

This research work focuses on the risk management practices adopted by Commercial Banks in Nigeria that are related to the outsourcing of information systems (IS). The need for the research emerged from the lack of studies addressing these problems in developing countries in general and in this country in particular. The research reported in this paper shows that despite the globally increasing trend of IS outsourcing in the sector, Nigerian commercial banks are lacking in both strategic and operational risk management practices. Consequently, they are especially prone to the adoption inappropriate IS solutions and are vulnerable to IS failure and fraud. The research is empirically based drawing on an extensive literature and case study review as well as an extensive survey of banks in Nigeria. The main method of data collection was a questionnaire sent to 15 commercial banks, which was aimed at respondents in three distinct categories: executive management, systems managers and users. The analysis of the data included both a quantitative and an inductive qualitative approach. The latter was used to draw inferences on the current situation. The findings revealed that managers of commercial banks understand the nature of IS outsourcing and that they all agreed that adopting risk management practices is important. Nevertheless, the situation is critical. A significant proportion of the commercial banks have no documented and structured outsourcing strategy or policy; consequently no programme or procedural guidance is available at any level. The study also discovered that contrary to practice in developed countries, the regulatory authorities in Nigeria have not formulated substantive guidelines or procedural rules to be adopted nationally by commercial banks. (C) 2004 Elsevier Ltd. All rights reserved.