IT Outsourcing in Small Business: A View of Risk and Mitigating Actions

Deyvison de Lima Oliveira1, Érica Cristine de Paula1, Odirlei Arcângelo Lovo1, Elizângela Maria Oliveira Custódio1

1 Federal University of Rondônia

ABSTRACT

Studies on Information Technology (IT) outsourcing in small businesses are relevant because of the prominent position these organizations occupy in the market. Thus, this research aims to identify the risks of outsourcing IT in small companies and analyze the initiatives/actions taken to reduce such risks. As a research method, the study of multiple cases was used in small companies that use Information System (IS) outsourced. Data analysis was used to analyze the data. The results indicate that the model identified for small companies, where short-term strategies and reactive actions prevail, end up making them vulnerable to the risks of IT outsourcing. Limitations and research opportunities are included in the final considerations.

Keywords: IT Outsourcing; Information system; Small business; Risk factors; Mitigating Actions.

INTRODUCTION

Information Technology, in the environment of volatilities and rapid changes in organizations, has the role of making processes in companies more developed and with secure information about the business (Oliveira et al., 2015). Information technologies are characterized by ubiquity, since they are in every productive environment, from the operational to the strategic level of the organization (Moraes, 2007), due to the facilities of access, acquisition and standardization of supply in the market (Chae et al., 2014).

In small companies, the trend of using IT follows the same line as in medium and large organizations, the difference being in the amount of resources and the speed of adoption of the technology (Lunardi et al., 2010). As a result of their resource constraints, when compared to large companies, small companies tend to opt for IT outsourcing, a decision that may be cost-appropriate but it also brings other concerns, which begin with the process of choice of systems, as well as the IT service provider (Chang et al., 2012).

When it comes to IT outsourcing, dealing specifically with the information system (SI), its occurrence is the search for better market practices (Oliveira et al., 2014), that is, small businesses seek to optimize processes, mostly operational, seeking fast and consistent information, through its implementation (Laranjeira, 2012). IT outsourcing is a current topic, however, the predominant literature in the Brazilian scenario addresses the phenomenon in medium and large organizations (Lunardi et al., 2010), as, for example, the study of Prado (2011) on the risk of mitigation in IT outsourcing, in which only large and medium-sized companies are used. Additionally, national studies have addressed the decision factors for investments in internal IT and outsourcing (Oliveira et al., 2014; Löbler et al., 2015). In the international field, in the 1990s, Aubert et al. (1998) researched the risk management of outsourcing IT in a large insurance company. Along the same lines, Willcocks et Feeny (2006) used Dupont, a large company, for its research regarding IT outsourcing and the core capabilities. Qi et Chau (2012), on the other hand, researched the relationships, contracts and success of IT outsourcing, using in its case study TAL Apparel, one of the largest apparel manufacturers in the world and Pepsi Cola Beverage (Guangzhou), one of the largest companies in the food and beverage segment in the world. More recently, studies have focused on the factors for choosing IT vendors (Chang et al., 2012), offshore IT outsourcing (Chang et De Búrca, 2016), capacity development from outsourcing (Gewe et al., 2016), among others.

Considering the predominance of studies in large companies, it is pertinent to concentrate efforts in the research of the 'IT outsourcing' phenomenon in small companies, since it is a field that is surrounded by peculiarities (Prado, 2011). This segment of companies represents the backbone of several economies, such as China, Brazil, Chile and Europe, which own 99% of companies in this size within their economies; in India, these companies account for 45% of the industrial production (Zhang et al., 2008, Sebrae, 2013, Ruivo et al., 2012, Cebri, 2012).

Small businesses represent an important source of employment. They leverage economic and social development, incorporate new technologies, and become competitive in both developed and developing countries (Ghobakhloo et al., 2011). According to data from Sebrae (2013), 52% of Brazilian formal jobs are in small enterprises.

These companies usually do not have internal IT structure, so outsourcing is a constant practice. This is a situation that usually occurs due to the scarcity of resources to invest in IT itself (Martens, 2001; Lunardi et al., 2010).

IT outsourcing brings numerous benefits, but it also brings several risks that need to be mitigated by managers. Historically, the risks involved include failure of security (Willcocks et al., 2002; Dhillon et al., 2017); supplier opportunism (Aubert et al., 1998, Prado, 2011); negligence in the interrelationships for risk management (Fan et al., 2012); inappropriate use of the contracted product, due to low capacity to manage the customer by technology (Beraldi et Escrivão Filho, 2000; Han et al., 2013), among others that deserve to be studied to be of great impact, especially, on small businesses .

Considering the research demand, this article aims to identify the risks of outsourcing IT in small companies and to analyze the initiatives/actions to mitigate these risks.

The article is structured in four more sections besides this introduction. Section 2 presents the theoretical framework, which includes subjects related to the concept and characteristics of IT outsourcing, its risks and actions for its reduction; in section 3, are the methodological procedures adopted in the research; in sections 4 and 5, the results obtained with the research are presented, followed by the final considerations.

IT OUTSOURCING AND SMALL BUSINESSES

This section describes the relationship between IT and small businesses as well as IT outsourcing within organizations, their risks and mitigation initiatives.

Information technology and small businesses

In the recent scenario, small companies have a large share of the market, both in revenue and in jobs. All this visibility has forced small businesses to invest in various information technologies, tools that can give them time-based decision making, no longer based on assumptions. IT also makes it possible to develop competitive strategies by means of knowledge of the business itself, seeking sustainability in its field of activity (Sacilotti, 2011; Ghobakhloo et al., 2011).

Among the factors considered by small companies to adopt IT, the external pressure on the figure of the competition is seen as the one of great influence (Oliveira et al., 2014), because in the understanding of managers, if there is no pressure for its use, neither there is a need for its adoption (Alam et Noor, 2009; Sarosa et Zowghi, 2003). This factor confirms that IT adoption by small businesses is based on the assumption that it should make it more competitive in the market by adding value to its business by obtaining return through IT investment (Ghobakhloo et al., 2011; Sarosa et Zowghi, 2003).

In addition, access to outsourced IT resources benefits small businesses by having few employees, and the owner often assumes the role of manager, making IT critical to overcoming the limits of their reduced physical and human structure (Martens, 2001). In this context, the use of externally offered IT capabilities represents market opportunities for small firms (Gewe et al., 2016).

In these acquisition/outsourcing processes, some factors may influence or limit the absorption of technological models. In small companies, managers and employees are central to successful investment and outsourcing (Löbler et al., 2012). Management support in relation to IT can determine the success or failure of these resources (Oliveira et al., 2014), whose most relevant factor is the user, who needs organizational support to understand the tool available, so that it does not become an unnecessary expense (Prates, 2003; Cristofoli et al., 2012).

On the other hand, making IT more financially affordable is the greatest difficulty faced by small firms in adopting technology, which may be critical to their growth and competitiveness (Lunardi et al., 2010). Thus, with limited financial resources, caution is the best way for small companies in the IT selection and implementation process, evaluating the impacts on all company variables, taking into account the strategies adopted, including the criteria to choose suppliers (Chang et al., 2012). For a company of this size, a wrong choice can be devastating, considering the representativeness of the investment in the budget (Gonçalves et al., 2010; Sarosa et Zowghi, 2003).

IT Outsourcing

Loh et Venkatraman (1992, p.33) define IT outsourcing as "the significant contribution by external suppliers, the physical and/or human resources associated with the entire or specific IT infrastructure components in the user organization." For years, IT outsourcing has been seen only as a means of reducing costs; Recently it is seen as a differential instrument of a company, which brings greater visibility of the business to clients and suppliers, adding value to the organization, when applied in the improvement of the operational and management processes and, therefore, better evaluating them (Prado et al. Cristofoli, 2012).

The outsourcing of IT is based on the expectation of making the company more competitive in the market in which it operates, but for that to occur, it is necessary that it be aligned with the organization's objectives (Cristofoli et al., 2012). In the context of advantages, technological outsourcing is seen as a means of developing technological capabilities, enabling small businesses to benefit from technological learning, acquisition and application of new technologies to the production process, access to new markets (Gewe et al., 2016), among others.

In order to align expectations and strategies to achieve better results, agreements between suppliers and customers of IT outsourcing are established through contracts (Cristofoli et al., 2012). This formal agreement provides knowledge transfer between supplier and customer, positively impacting IT outsourcing user’s productivity (Chang et Gurbaxani, 2012). The complementarity between vendor and customer capabilities is associated with the success of IT outsourcing. For Han et al. (2013), the greater complementarity between these capacities occurs when suppliers and customers have similar levels of capacity, which makes it possible to extract greater value from outsourcing. In addition, the use of external IT capabilities can contribute to process and firm performance in small enterprises (Oliveira et al., 2016).

In addition to those mentioned, several issues are addressed in the literature regarding IT outsourcing, such as: determinants of IT outsourcing (Loh et Venkatraman, 1992); insights into the practice of IT outsourcing (Lacity et al., 2009); the use of Transaction Cost Theory in IT outsourcing (Alaghehband et al., 2011), results of IT outsourcing in Brazilian organizations (Prado et Cristofoli, 2012); empirical analysis of IT outsourcing, knowledge transfer, and firm productivity (Chang et Gurbaxani, 2012); models of IT outsourcing management (Bergamaschi, 2004); risk mitigation in IT outsourcing (Prado, 2011); risk and mitigation assessment (Willcocks et al., 2002); risk analysis in IT outsourcing and communication (Prado, 2009).

From the other extreme of the advantages, various subjects derive. Among them, the risks involved in outsourcing, which is one of those that deserve greater prominence, to be present from the formulation of the contract, during the implementation process, until its effective use, being able to determine its success or failure (Willcocks et al., 2002 , Saroza et Zowghi, 2003, Chang et al., 2012b; Dhillon et al., 2017).

IT Outsourcing Risks

When an organization decides to outsource IT, it must clearly visualize not only the benefits, but also the risks involved in decision making and execution (Aubert et al., 1998; Prado, 2011). Risk management works with risk mitigation mechanisms, through their identification, assessment and likelihood of occurrence within the organization (Lacity et al., 2009).

Many of the risks to which clients are exposed by outsourcing IT can be mitigated early in the process through the contract between the parties (Bergamaschi, 2004). The contract is the legal basis that will guide the relationship of the supplier with the customer. However, only the preparation of a contract does not guarantee that the organization is exempt from mishaps as they are limited so that they cannot foresee all organizational, supplier and market changes during the duration of the contract. There is no way to presuppose the uncertainties of the unknown future; establishing a partnership with the supplier is the way for the organization to create an exchange model independent of the contract (Prado, 2011).

According to Chang et al. (2012), the choice of suppliers in the process of IT outsourcing involves the analysis of four capacities, covering the ability of professional skills, service, operation and external evaluation (e.g. contract flexibility). However, the technological capabilities of those involved (customer and supplier) should be complementary to the greater success of outsourcing and risk minimization (Han et al., 2013; Bergamaschi, 2004). The contractor has a broad knowledge of its operational and strategic activities, while the supplier has the foresight to see the risks and their probability of occurrence in the organization from previous experiences added to the knowledge of the business to be passed on by the contractor, thus obtaining an adequate analysis of the risks involved and reducing the chances of the organization not achieving the desired return (Prado, 2011).

And when it comes to small business it is necessary for the manager to understand the risks involved in IT outsourcing. These companies have dynamic strategies that are almost always informal and end up opting for decisions about the short-term prism (Lunardi et al., 2010). This reality makes IT outsourcing contracts that do not include these variables, a risk for organizations. According to Lunardi et al. (2010), there is a need for small business managers to start working on long-term strategies, properly planning their technological investments. For, as in any type of investment, risks must be evaluated and managed, which occurs when one knows the current situation of the business and makes projections for future situations (Aubert et al., 1998).

The literature on IT outsourcing risks is predominantly applied to large enterprises, with the exception of recent studies applied to small firms (e.g. Gewe et al., 2016; Chang et al., 2016). During the last twenty years, several IT outsourcing risk factors have been presented in the literature, mainly in the international scenario. The main factors mentioned include, among others, the agents of exchange relationship – customer and supplier (Chang et Gurbaxani, 2012; Willcocks, Lacity et Kern, 2002), the establishment of contract criteria (Willcocks et Feeny, 2006; Dhillon, Syed et Sá-Soares, 2017), systems/software (e.g. Tallon, 2013), and outsourcing planning (Willcocks, Lacity et Kern, 2002; Han et al., 2013).

Based on the revised literature on the subject, in both national and international journals, the risk factors of IT outsourcing are listed, with the specification of these risks and the mitigating actions (Table 1). They will be used as a basis for analyzing empirical research data.

Table 1. Risks in IT outsourcing

Figure 1

Source: Elaborated from the literature.

From the elements reviewed in the literature (Table 1), data are collected from small companies to respond to the research objective.

METHOD

The methodological approach used in the research was the multiple case study method. Yin (2010) defines case study as an investigation based on experience, that is, investigation to obtain detailed and in-depth data, to arrive at an explanation for the phenomena of contexts that are not clearly evident.

The case study method is not only about data collection, but rather a broad research technique for analyzing contemporary events (Hori, 2003; Yin, 2010). This type of research has been used in the literature of Information Systems, such as Dolci (2009), Souza (2000), Qi et Chau (2012), Willcocks et Feeny (2006), among others.

This methodological approach is justified because it proposes to identify and analyze in depth a contemporary phenomenon that intensifies in new ways, in this case IT outsourcing in small companies (Perez et Zwicker, 2005).

Data Colection

At the data collection stage, multiple sources of evidence (Yin, 2010) were adopted, which allowed triangulation in the cases studied. The data were collected in small companies with outsourced information system and in companies that work with software development and provision of IT service, located in the Southern Cone of the State of Rondônia. The "customer-supplier of IS" study perspective (system user and supplier) was used in order to capture the vision of the two interlocutors and to identify potential conflicts and agreements regarding mitigation risks and actions in relation to IT outsourcing. This approach of confrontation between customer and supplier in the context of IT outsourcing has been adopted in the literature, such as Dhillon et al. (2017).

For the collection, the interviews were first used. According to Yin (2010), the interview is a source of information relevant to the case study, considering the fact that the technique covers human and behavioral issues.

This research seeks to gather information about IT outsourcing in small companies, specifically the risks of outsourcing and actions to reduce these risks, that is, a behavioral event, so that interviews were used as the main source of evidence in this research.

The second source of evidence was documentary analysis, which, in this research, was characterized by an analysis of IT outsourcing contracts of small companies (clients). This source is important because it contains specific details that support information from other sources (Yin, 2010).

As a third source of research, direct observation was adopted, which adds new perspectives to understanding the context (Yin, 2010). In this article, it was applied with notes during visits to companies during interviews. According to Yin (2010), "the use of multiple sources of evidence in the case studies allows the investigator to address a wider range of historical and behavioral aspects".

Data Analysis

Data collection was performed between December 2013 and February 2014. Data were analyzed through content analysis. According to Bardin (1979), content analysis "is a research technique whose purpose is the objective, systematic and quantitative description of the manifest content of communication”.

The content analysis was traced through a data analysis strategy, based on the inference of knowledge about IT outsourcing in small companies, emphasizing the risks of outsourcing and the actions to reduce them (Bardin, 1979).

For content analysis, the a priori categories, presented in Table 1, are used. These categories cover risk factors, risks and mitigating actions - elements identified in the literature. To address the results, the analysis will prioritize, in particular, the 'IT outsourcing risks' and 'risk reduction actions' columns in Table 1.

RESULTS AND DISCUSSION

This section addresses the characteristics of the multiple case studies surveyed, as well as the explanation of the risks of IT outsourcing in small companies and the actions to mitigate them. Finally, there is the discussion between the literature used (Table 1) and the research data.

Characterization of the cases studied

Based on the definition of the sources of evidence, the case study protocol was elaborated, with the scope of guiding the research in the collection of data. The case study protocol was applied in small companies with outsourced IT from the sectors (from): i) apparel sales; (ii) food; and (iii) mechanical services. Research was also conducted with IT companies that serve small businesses. In this case, in a specific way, these companies are providers of information systems and they also provide IT service for the maintenance of software and hardware.

Therefore, the research was carried out from the perspective of IS customers and suppliers, in order to identify the risks and the mitigating actions of the outsourcing risks of IT. This approach aims to clarify the real risks faced by business customers.

In the research, consolidated companies were used in their areas of activity, being these organizations chosen by the large number of companies that operate in each sector, which represents a relevant factor in the application of the results of this research in the future.

At the first moment, three pilot case studies were carried out to adapt the proposed research (Yin, 2010) and refinement of the case study protocol, as proceeded in related studies (Souza, 2000; Dolci, 2009). These pilot case studies are divided as follows:

A. 01 (one) pilot case study: conducted in a small company with a consolidated IT outsourcing process;

B. 01 (one) pilot case study: applied in a small company that was going through the IT vendor switching process;

C. 01 (one) pilot case study: conducted in an IT company (suppliers) that develops software, as well as providing IT service.

In order to refine the protocol, the pilot case studies included the perspective of the three groups analyzed in the final/complete study (three of clients and one IT vendor), including start-ups in IT outsourcing.

Subsequent to the refinement of the case study protocol, eight complete case studies were carried out. Among them, six were carried out in small companies with outsourced IT, divided into three groups according to the IT outsourcing stage:

A. 02 (two) small companies that were starting the process of adoption of outsourced IT;

B. 02 (two) small companies with the process of outsourcing consolidated;

C. 02 (two) small companies that were going through the IT vendor replacement process.

These six companies outsource IT with respect to the Information System (IS) and the provision of IT service (maintenance). Therefore, the outsourcing of IT in the research is treated in this perspective.

Two case studies were carried out in IT companies (suppliers) that develop software, as well as the provision of IT service, divided into two groups:

A. 01 (one) IT company that develops software or provides small business IT services with outsourced and consolidated IT;

B. 01 (one) IT company that develops software or provides IT service to small businesses that are going through the IT vendor switching process.

As the cases do not all resemble each other, Table 2 highlights the stage of IT outsourcing, the branch of activity of the organizations studied, the time of use and the reason for outsourcing – as aspects of the distinction between the analyzed cases.

Table 2. Main characteristics of the cases studied

Figure 2

Source: Research Data.

In this research, the initial and consolidated titles were used to indicate the stage of outsourcing (Table 2) in four small companies of the research so that what determined this differentiation between them was the way IT was being developed within these organizations. The beginners were thus called to use the systems only in operational processes (e.g. sales, fiscal control), while the consolidated ones make the use of IT (systems) comprehensively in their processes, using it in the operational activities and in the strategic actions of their organizations (e.g. financial, planning).

Table 2 shows the use time of outsourced IT and the reason for its use as the main notes. As for the time of use of outsourced IT, it is noted that this item does not determine the stage in which the company is in the process of outsourcing, with the exception of the beginners, since among small companies with consolidated IT and those that are replacing the IT/IS there is not a considerable distance in the time of use of outsourced IT. There is also no relation of time to the stage of outsourcing they are in (example: companies 'replacing systems' have been outsourcing IT for many years). The small companies that were replacing IT went through this process due to problems with previous vendors.

Regarding the reasons for IT outsourcing, all small companies understand the cost of investments in their own systems and in infrastructure as the determinant factor for their adoption. According to small companies, this reality is justified by the fact that they neither have the infrastructure, nor the purchasing power to maintain an internal IT, besides understanding that there is no such need.

Risks of IT outsourcing in small businesses

The risks are inherent to the adoption of outsourced IT by small enterprises, so they reach all, varying only the incidence on a larger or smaller scale. Based on the analysis of thematic content (Bardin, 1979), based on data from the sources of evidence (interviews, documentary analysis and direct observation), Table 3 shows only the results for the companies (clients and suppliers) that are present in the Literature review (Table 1), in line with the outsourcing stage of each case (Table 2).

Table 3. Risks in outsourcing IT

Figure 3

Source: Elaborated from literature and research data.

Table 3 shows the incidence of risks found in the literature in small companies from the perspective of both clients and IT suppliers, so that the small firms' knowledge risks are only those that have already occurred in their companies. This assertion is confirmed by organizations when questioned about the risks presented:

(I1) “[...] Other than those risks I said, honestly, I had not yet thought about them..." (F1) "... What happens is that the risks that are our responsibility have preventive actions developed, but other risks depend on our customers, but they end up giving us as the only culprits." (C1) "... Most of the risks you mentioned are difficult to happen in small companies like mine".

On the other hand, some risks not identified in the reviewed literature appeared in the empirical phase of the research. They are listed in Table 4.

Table 4. Other risks in IT outsourcing (research cases).

Figure 4

Source: Research Data.

As for the knowledge risks of small companies and IT companies (Table 4) there is unanimity among companies I1, C2 and S1 regarding the problems with the assistance offered by IT suppliers (systems and services). According to these companies, there have already been situations where these risks have affected operational services. On the other hand, IT companies pointed out as risks (besides those in the literature) the operational vice and improper use of the software (F1 and F2). This is because small business customers are reluctant to change their way of working, even if they are for process improvements, creating situations that often cause serious errors in the database. According to the supplier F1, the small companies only acquire management systems as a result of the fiscal obligation; at any time they have shown concern in terms of the risks and most of them do not use 5% of the system capacity.

Actions to mitigate risks

Because risks are inherent in the process of IT outsourcing, small businesses need to take action to reduce or prevent them. Table 5 presents the results for the small companies and IT companies mentioned in the revised literature (listed in Table 1), according to the outsourcing stage (Table 2).

Table 5. Actions to reduce risks

Figure 5

Source: Elaborated from literature and research data.

Regarding the actions to reduce the risks of IT outsourcing, Table 5 brought the actions identified in the literature, in comparison with the position of the organizations surveyed regarding the adoption of risk mitigation practices. It is noticed that there is no effective symmetry between what the literature proposes and the reality of small companies, leaving clear the gaps between the two visions.

In addition, Table 6 presents the actions to reduce IT outsourcing risks developed by these organizations that were not identified in the revised literature (Table 1).

Table 6. Actions to reduce risks posed by the enterprises surveyed

Figure 6

Source: Research Data.

In the actions listed by the organizations there is also no unanimity, that is, they do not share the same procedures against the risks of outsourcing IT, but the reactive way of how these actions are designed coincides between these organizations. This can be proven in the interviewees' speeches when asked about how they develop these actions in their organizations:

(I2) "[...] here in the company we do not have defined actions for these risks with IT; a problem happens and then we develop an action to correct it". (S1) "[...] so... after we write down what we are going to do, if there is a certain risk - we do not have it – but, when it happens, we end up finding a way to solve it." (C2) "... For some time we have been having defined actions for some risks, but for those of daily life, most of them are still reactive, yes".

Both the small companies and the IT companies surveyed believe that it is from the experience of various situations that it is possible to know firm actions towards the risks of IT. For them, only experience brings efficient action. Despite being an important vision, it ends up taking from these organizations the focus of developing preventive actions.

After outlining the risk path of IT outsourcing, as well as actions to mitigate these risks, Table 7 is presented. This table gathers the risks and actions found in the research organizations, based on the literature (Table 1), as well as those not pointed out in the literature, but identified in the empirical phase (cases).

Table 7. Risks and actions of IT outsourcing – literature and case studies

Figure 7

Source: Elaborated from literature and research data.

Discussion

As for the reasons for using outsourced IT, the six small companies (customers) were unanimous in affirming that it is a mechanism to reduce costs, which is the only factor taken into account by them for the implementation of this IT structure. Whereas, for IT companies (suppliers), small companies contract their services taking into account, as a main factor, the fiscal obligations. For Prado et Cristofoli (2012) the two views presented are outdated because they present functionalities that are only a consequence of the use of outsourced IT to improve processes and develop more efficient business management strategies.

Regarding the risks of IT outsourcing, it was noticed that there is no prior and comprehensive knowledge of these risks in small companies. Thus, in these companies, it is only after their occurrence that strategies are drawn to eliminate other situations of the same nature, following in the opposite direction to the literature (Aubert et al., 1998; Prado, 2011).

Among risks, clients and contracts appear to be the most conflicting because of their divergence in IT outsourcing among small businesses, IT vendors, and the researched literature. In the "customers" risk factor, the companies consolidated in IT outsourcing have the discernment that, even though they are the main stakeholders, they can also be risk-takers when they do not know the ways of outsourcing (unrealistic expectations towards the supplier). Contrary to this assertion, both startups and IT starters do not see the lack of knowledge about outsourcing as risk, which therefore impacts on the lack of actions to reduce this risk or ineffective actions.

In the "contracts" risk factor, IT companies (suppliers) understand that they do not pose risks to small companies, contrary to the set of risks defended by Cristofoli et al. (2012) and Chang et Gurbaxani (2012). On the other hand, small businesses (customers) also share the idea that contracts are one of the risks of outsourced IT.

With regard to actions to reduce the risks of outsourcing IT, one of the main problems is the lack of an early study of outsourcing by small companies, which does not corroborate the literature (Aubert et al., 1998).

In the small companies surveyed, it is noticed that, in the face of risks, their mitigating actions are, in most cases, reactive - different from what Lacity et al. (2009) point out.

In spite of the importance of working together between clients and suppliers in order to take effective action against the risks of outsourcing, it was perceived that, from the perspective of customers, suppliers are seen as a "necessary evil"; While for suppliers, customers are responsible for most of the risks of outsourcing and do not assume this position - therefore, they address these problems to suppliers, contrary to what is cited by Prado (2011) and Fan et al. (2012).

The cases confirm what is brought by Lunardi et al. (2010) regarding the fact that small companies guide their strategies in the short term. It should be stressed that, as in all areas of the organization, long-term strategies are needed. With regard to actions to reduce IT risks, this reality is strengthened, considering that the planning contributes to the better management of these actions at (or before) the occurrence of risks.

FINAL CONSIDERATIONS

As proposed, this study identified the risks of outsourcing IT in small enterprises, as well as it analyzed initiatives/actions that small businesses use to reduce such risks. From the perspective of the cases studied, it is concluded that the organizational model of small companies, where short-term strategies and reactive actions prevail, end up making these companies more vulnerable to the risks of IT outsourcing.

Due to the limited number of IT outsourcing publications focusing on small businesses, this research has made it possible to discuss how these companies view risks and what actions are being taken to mitigate them by contributing to the literature, since it is a contemporary issue with a focus on small companies, which are the fastest growing organizations in Brazil, mainly.

As a limitation of the research, the use of the administrator/manager as the only respondent in the interviews stands out, considering that other participants of the organization can hold distinct and additional knowledge about the outsourcing of IT. As alternatives to this limitation, strategies to reduce the single response bias were used. Triangulation was also used for data collection and case study development with clients and suppliers, thus obtaining different views, considering that the two are in different positions of the contract.

Another limitation focuses on the literature used - predominantly with empirical research in large companies - considering the incipience of studies on Information Systems in the small business scenario. As a way of reducing this limitation, we sought, in the empirical phase, to capture other mitigating risks and actions, in addition to those pointed out in the literature - in order to reflect the reality of this size of enterprise.

From this research, it is understood as opportunities of new investigations: i) identification of the success factors of outsourcing IT in small companies; ii) studies that relate risks, mitigating actions and results of outsourcing IT in small companies.

REFERENCES

Alaghehband, F. K. et al. (2011). An assessment of the use of Transaction Cost Theory in information technology outsourcing. Journal of Strategic Information Systems, 20(2), 125-138. doi: 10.1016/j.jsis.2011.04.003

Alam, S. S. et Noor, M. K. M. (2009), ICT adoption in small and medium enterprises: an empirical evidence of service sectors in Malaysia. International Journal of Business and Management, 4 (2).

Aubert, B. A. et al. (1998), Managing the Risk of IT Outsourcing. Cirano – Séries Scientifique. Working Paper, 98s-18.

Bardin, L. (1979), Análise de conteúdo. (L. A. Reto & A. Pinheiro, Trad). São Paulo: Edições 70, (Obra original publicada em 1977).

Beraldi, L. C. et Escrivão Filho, E. (2000), Impacto da tecnologia de informação na gestão de pequenas empresas. Ci. Inf., 29 (1), 46-50.

Bergamaschi, S. (2004), Modelo de gestão da terceirização de tecnologia da informação: um estudo exploratório. Tese de Doutorado, Faculdade de economia, administração e contabilidade de São Paulo, FEA–USP, São Paulo, SP, Brasil.

Centro Brasileiro de Relações Internacionais (CEBRI). (2012), Estudo de benchmarking Internacional Micro e Pequenas Empresas – Desburocratização. Recuperado em 20 de outubro de 2013, de http://ois.sebrae.com.br/wp-content/uploads/2013/02/CEBRI_Projeto-BMI_Desburocratiza%C3%A7%C3%A3o.pdf.

Chae, H.-C. et al. (2014). Information technology capability and firm performance: contradictory findings and their possible causes. Mis Quarterly, 38(1), 305-326.

Chang, B. Y. et Gurbaxani, V. (2012), Information technology outsourcing, knowledge transfer, and firm productivity: an empirical analysis. MIS Quarterly, 36(4), 1043-1063.

Chang, J. et De Búrca, C. (2016). An Investigation into How Small Companies in London and the South East UK Engage in IT Offshore Outsourcing and the Impact of Culture on this Phenomenon. Procedia Computer Science, 100, 611-618. doi: 10.1016/j.procs.2016.09.202

Chang, S.-I. et al (2012). An analysis of IT/IS outsourcing provider selection for small- and medium-sized enterprises in Taiwan. Information & Management, 49, 199-209. doi: http://dx.doi.org/10.1016/j.im.2012.03.001

Cristofoli, F. et al. (2012), Resultados obtidos com a terceirização de serviços de TI baseados nas práticas de governança de TI. Simpósio de Administração da Produção, Logística e Operações Internacionais - SIMPOI, São Paulo, SP, 15.

Dhillon, G. et al. (2017). Information security concerns in IT outsourcing: Identifying (in) congruence between clients and vendors. Information & Management, 54(4), 452-464. doi: 10.1016/j.im.2016.10.002

Dolci, P. C. (2009), Explorando as Dimensões da Gestão do Portfólio de TI (GPTI) com gestores de TI em empresas brasileiras. Encontro da Asso¬ciação Nacional de Pós-Graduação e Pesquisa em Administração – ENANPAD, São Paulo, SP, 33.

Fan, Z.-P. et al. (2012), Identifying risk factors of IT outsourcing using interdependent information: An extended DEMATEL method. Expert Systems with Applications, 39, 3832–3840.

Fitoussi, D. et Gurbaxani, V. (2012), IT outsourcing contracts and performance measurement. Information Systems Research, 23 (1), 129-143.

Gewe, A. M. et al. (2016). Local industry technological capability development using outsourcing opportunities. Strategic Outsourcing: An International Journal, 9(3), 287-302. doi: 10.1108/so-02-2016-0005

Ghobakhloo, M. et al. (2011), Information Technology Adoption in Small and Medium-sized Enterprises; An Appraisal of Two Decades Literature. Interdisciplinary Journal of Research in Business, 1 (7), 53-80.

Gonçalves, P. A. et al. (2010), Estratégia de terceirização de sistemas de informação e de alinhamento estratégico entre negócio e TI. Gestão & Regionalidade, 26 (77), 18-32.

Han, H. S. et al. (2013). Complementarity between client and vendor IT capabilities: An empirical investigation in IT outsourcing projects. Decision Support Systems, 55(3), 777-791. doi: 10.1016/j.dss.2013.03.003.

Hori, A. S. Modelo de Gestão de Risco em Segurança da Informação: Um estudo de caso no mercado brasileiro de Cartões de Crédito. (2003). Dissertação de Mestrado, Fundação Getúlio Vargas, FGV-EASP, São Paulo, SP, Brasil.

Lacity, M. C. et al. (2009), A review of the IT outsourcing literature: Insights for practice. Journal of Strategic Information Systems, 18, 130-146.

Laranjeira, R. M. D. Terceirização de desenvolvimento de software e modelos de contratação. (2012). Dissertação de Mestrado, Universidade Federal da Bahia, UFBA, Bahia, BA, Brasil.

Löbler, M. L. et al. (2012), Validação de Instrumentos para Mensurar os Fatores Influenciadores na Aquisição e na Implantação de Sistemas de Informação em Micro e Pequenas Empresas. Encontro da Asso¬ciação Nacional de Pós-Graduação e Pesquisa em Administração – ENANPAD, São Paulo, SP, 36.

Löbler, M. L. et al. (2015). Elaboração de instrumentos para mensurar os fatores influenciadores na aquisição e na implantação de sistemas de informação em micro e pequenas empresas. Revista de Administração, Contabilidade e Economia da FUNDACE, 6(1), 1-18.

Loh, Lawrence; Venkatraman, N. (1992), Determinants of Information Technology Outsourcing: A Cross-Sectional Analysis. Journal of Management Information Systems, 9 (1), 7-24.

Lunardi, G. L. et al. (2010), Adoção de tecnologia de informação e seu impacto no desempenho organizacional: um estudo realizado com micro e pequenas empresas. R.Adm., 45 (1), 05-17.

Martens, C. D. P.A. (2001), Tecnologia de informação (TI) em pequenas empresas industriais do Vale do Taquari/RS. Dissertação de Mestrado, Universidade Federal do Rio Grande do Sul, UFRGS, Porto Alegre, RS, Brasil.

Moraes, G. M. (2007), Análise da eficiência dos investimentos em tecnologia da informação em lojas de supermercados de cooperativas do Rio Grande do Sul. Dissertação de Mestrado, Universidade Federal de Santa Maria, UFSM, Santa Maria, RS, Brasil.

Oliveira, D. D. L. et al. (2014). Fatores de decisão para investimentos em Tecnologia da Informação nas micro e pequenas empresas. Gestão Contemporânea, 15.

Oliveira, D. L. et al. (2015). Valor da Tecnologia da Informação na Firma: Estudo com Empresas Brasileiras. Revista de Administração Contemporânea, 19(2), 170-192. doi: 10.1590/1982-7849rac20151410.

Oliveira, D. L. et al. (2016). Internet Banking Capabilities and Performance of Small Business: The IT Business Value from the Perspective of External Capabilities. BASE - Revista de Administração e Contabilidade da UNISINOS, 13(4), 265-278.

Perez, G. et Zwicker, R. (2005), Seleção de fornecedores de tecnologia da informação: um estudo sobre os procedimentos de avaliação e critérios de seleção. Revista de administração Mackenzie, 6 (2), 159-180.

Prado, E. P. V. (2011), Mitigação de risco na terceirização da tecnologia de informação. Revista Eletrônica de Sistemas de informação, 10 (2). doi:10.5329/RESI.2011.1002001.

Prado, E. P. V. (2011). Mitigação de risco na terceirização da Tecnologia de Informação. Revista Eletrônica de Sistemas de Informação, 10(2), 1-22.

Prado, V. P. E. et Cristofoli, F. (2012), Resultados da terceirização da tecnologia da informação em organizações brasileiras. Gestão & Regionalidade, 28 (84), 77-88.

Prates, G. A. (2003). Tecnologia de informação em pequenas empresas – Analisando empresas do interior paulista. Revista Administração On Line, 04 (04), 1-13. Recuperado em 09 de maio de 2013, de http://www.fecap.br/adm_online/art34/prates.htm.

Qi, C. et Chau, P. Y. K. (2012), Relationship, contract and IT outsourcing success: Evidence from two descriptive case studies. Decision Support Systems, 53, 859–869.

Ruivo, P. et al. (2012), ERP use and value: Portuguese and Spanish SMEs. Industrial Management & Data Systems, 112 (7), 1008-1025, 2012.

Sacilotti, A. C. (2011), A importância da tecnologia da informação nas micros e pequenas empresas: um estudo exploratório na região de Jundiaí. Dissertação de Mestrado, Faculdade Campo Limpo Paulista, FACCAMP, Campo Limpo Paulista, SP, Brasil.

Sarosa, S. et Zowghi, D. (2003), Strategy for Adopting Information Technology for SMEs: Experience in Adopting E-mail within an Indonesian Furniture Company. Electronic Journal of Information Systems Evaluation, 6 (2), 165-176.

Sebrae. Pequenos Negócios no Brasil. (2013). Recuperado em 09 de agosto de 2013, de http://www.agenciasebrae.com.br/indicadores/apresentacao_mpe_indicadores.pdf.

Souza, C. A. (2000), Sistemas integrados de gestão empresarial: Estudos de casos de implementação de sistemas ERP. Dissertação de Mestrado, Faculdade de economia, administração e contabilidade de São Paulo, FEA–USP, São Paulo, SP, Brasil.

Tallon, P. P. (2013), Corporate Governance of Big Data: Perspectives on Value, Risk, and Cost. Computer, 46 (6), 32-38.

Willcocks, L. P. et al. (2002), Application service provision: risk assessment and mitigation. MIS Quarterly Executive, 1 (2), 113-126.

Willcocks, L. P.; et Feeny, D. (2006), IT outsourcing and core is capabilities: challenges and lessons at DuPont.). Information Systems Management, 23 (1), 49-55.

Yin, R. K. (2010), Estudo de caso: planejamento e métodos (4ª ed.). Traduzido por A. Thorell, Trad.). Porto Alegre: Bookman. (Obra original publicada em 1984).

Zhang, M. et al. (2008), Unpacking the effect of IT capability on the performance of export-focused SMEs: a report from China. Journal compilation Information Systems, 18, 357–380. doi:10.1111/j.1365-2575.2008.00303.