There was an interesting post on Slashdot this week about someone who went to load their official Cisco VPN client CD only to find that it was in fact a bootleg music disc. These things happen: suppliers outsource to third parties who subcontract to others who find slack in someone else’s JIT delivery system.
Then I read this piece and cogs slowly, rustily start turning in my mind.
Complexity adds risk. If I have just a single rock then my risks are limited; the rock basically sits there. I could lose it or drop it or trip over it or break it, but that’s about it. If I have two rocks then not only have I now doubled the number of those risks but I gain new ones as well – one of the rocks could fall off the other, for example, or I could lose one rock behind the other.
So complexity breeds risk; so far, so obvious. Companies outsource and there is now an added creator of risk to mispress CDs; government buys from the cheapest supplier and there is now an added creator of risk to mis-sell hooky gear. You can name your own examples.
We work to try and mitigate these supply or delivery chain risks but there are two additional sources of complexity which we do not always consider.
The first is that risk mitigation can itself be a source of risk. Recent events in the financial world are a classic example of this. Some people thought that they had cracked the secret of achieving high returns without high risks. IT supports the creation of complex and often opaque financial risk management tools which make Black-Scholes seem like basic addition. Combine this with automated trading engines and we create a vast cybernetic plate-spinning engine which works until the first plate starts wobbling.
Paul Samuelson said “Business is the management of risk”. For me this means that unless you are willing to manage your risks, you should not be in business. And management does not mean magical thinking.
The second source of emergent risk arises out of the complexity of individual systems. Think for an instant about how you are reading this piece. You are using a computer whose hardware you trust, whose operating system you trust, a browser you trust, a network connection you trust, a network protocol you trust, a website you trust, a web server you trust, web server hardware you trust, and network hardware you trust.
That’s a lot of trust, isn’t it?
Of course, if you just have one rock, that’s one rock to store, clean, insure, keep updated with WinRock(TM) software, protect from theft etc etc, so the risks are still pretty significant. In theory, much better to work out what you want the rock for, and get someone to lease you those rock characteristics as and when you need them.
In principle, outsourcing is the optimal approach, just like in principle it’s possible to manage by incentives and targets. It’s just that I’ve hardly ever seen either of them work optimally, and outsourcing is particularly, spectacularly unsuccessful in the case of IT (based on my simple end-user perspective). Given the fuzzy world we live in (the complexity you describe), our innate inability to predict or describe future needs properly, human nature and the imperative to creatively exploit incentives, outsourcing is almost always riskier and probably costlier than insourcing.
I enjoyed Joel Spolsky’s latest column in Inc.com on the gaming of incentive schemes by employees – I think the same issues apply to outsourcing by and large:
http://www.inc.com/magazine/20081001/how-hard-could-it-be-sins-of-commissions.html
Phew – well that’s a cheery start to the week!