An Assessment Of Risks Of ICT Outsourcing Functions In Commercial Banks Listed In Nairobi Securities Exchange, Kenya.

Abstract

Information and Communications Technology outsourcing is one of the successful strategies implemented to reduce an organization’s ICT operational cost and to give more priority to their core business rather to ICT operational activities. However, it causes significant risks to the success of the outsourcing ventures. This study sought to assess the risks of outsourcing ICT functions in Kenyan commercial banks listed in Nairobi Securities Exchange. The study was guided by the following specific objectives: to identify the extent of information security risks; capability risks; internal control risks; and financial risks in outsourcing ICT functions in Commercial Banks in Kenya. The study adopted descriptive research design. The target population of the study was five technical staff and one manager in ICT Department in the 11 commercial banks in Kenya listed in Nairobi Securities Exchange. Since the population and sampling frame for this study is small, a census study was considered appropriate and all the 66 ICT staff formed the sample size for the study. Primary data was collected through a questionnaire which had both closed and open-ended questions. A pre-test of the questionnaire was conducted prior to the actual data collection to test for validity and reliability of the instrument. Reliability coefficient was calculated through use of Cronbach’s alpha test, whereby a co-efficient of above 0.8 was achieved which implies that the instrument was sufficiently reliable for the measurement while validity was established by the researcher and supervisor discussing and reviewing the items before the actual study. The researcher employed drop and pick later method to administer the questionnaire in order to allow the respondents adequate time to respond. The data collected was analyzed through descriptive and inferential statistics. Descriptive statistics used included measures of relative frequencies, mean scores and standard deviation. A multivariate linear regression analysis was employed to examine the relationship between the variables. Data was presented using appropriate tools such as tables, charts and graphs. The study found out that commercial banks had outsourced helpdesk support services, connectivity services, ATM management, database management and application management services to a great extent. It was also found out that the commercial banks had experienced information security risks, capability risks as well as internal control risks as a result of outsourcing of ICT functions. The study concludes that use of third parties had exposed the banks to risks. On security risks, the banks were constantly at the risk of losing confidentiality, integrity and availability of the organization information. Moreover, outsourcing ICT functions had exposed commercial banks to internal control risks. Outsourcing of ICT functions had led to internal control loss of control over services outsourced data. The study recommends that banks need to constantly evaluate information security risks and derive a threat risk factor which lists all systems by priority to be used for ICT outsourcing.