University of Melbourne · S1 2026 · FACULTY OF INFORMATION SYSTEMS

ISYS90026 · Concepts In Information Systems

- one subject, every graph, every model, every mark
50% final exam · hurdle14 Chapters10-page Bible
Our own words - no uploaded lecturer files
Built to mirror S1 2026 · updated this semester
Chapter 8 of 11 · ISYS90026

IT Sourcing and Outsourcing

IT sourcing is the second half of ISYS90026's Theme 3 (IT Governance & Sourcing): the build-or-buy decision and everything that follows it. The deciding question is strategic, not technical — keep what is core, strategic or sensitive in-house, and outsource what is commodity, mature and outside your core competencies. The chapter runs the sourcing spectrum (in-house → onshore → offshore → cloud/XaaS), the IaaS/PaaS/SaaS responsibility boundaries, and the two named models the exam loves: Cullen et al.'s five-phase outsourcing lifecycle and Ranganathan & Balaji's offshore critical capabilities. The golden rule throughout: outsourcing transfers work, never accountability.

In this chapter

What this chapter covers

  • 011. Build-or-buy — in-house ('build it yourself') vs outsourcing ('buy it from others'); a strategic decision tied to core competence
  • 022. The build-or-buy gate — keep core/strategic/sensitive/control-critical work in-house; outsource commodity, mature, non-core work
  • 033. Sourcing options spectrum — in-house → onshore (domestic) → offshore (different country) → cloud (XaaS); control falls as you move right
  • 044. Offshoring ≠ outsourcing — offshoring is about location, outsourcing about ownership; you can offshore in-house via a captive centre
  • 055. The cloud stack — IaaS (rent hardware) vs PaaS (rent the platform) vs SaaS (rent the finished service); differ by who manages which layer
  • 066. Drivers & risks — efficiency/focus, strategic agility and tech maturity vs loss of control, security/IP, vendor viability and hidden costs
  • 077. Cullen lifecycle — Assess → Evaluate → Contract → Transition → Manage; the 'lifecycle imperative' (the SLA is enforced in Manage)
  • 088. Offshore capabilities (Ranganathan & Balaji) — systematic approach, whole lifecycle, the winner's curse, structure & people, periodic capability audits
Worked example · free

Source three systems and diagnose an offshore failure

Q [13 marks]. "Meridian Bank" must source three things: (i) a standard payroll system from commercial software, (ii) a customer-facing fraud-detection engine that is core to its strategy and depends on deep knowledge of local banking regulation, and (iii) 24/7 multilingual card-support to cut labour cost. It offshored its call centre three years ago and service has 'slowly gotten worse and nobody can say why.' (a) Recommend a sourcing approach for each, justified. (b) Diagnose the call-centre failure. (9 + 4 marks)
  • +3Classify each (1 mark each): (i) payroll is standard and non-core → outsource / SaaS cloud; (ii) the fraud-detection engine is strategic, uses sensitive data and needs a rare blend of banking-regulation and IT knowledge → keep in-house (build); (iii) 24/7 card-support is routinised and cost/scale-driven → offshore outsource.
  • +3Justify against the build-or-buy rule (1 each): outsource when work is mature, commodity and outside the core; insource when it is a competitive advantage, needs an uncommon domain-plus-IT mix, or handles sensitive data (the fraud engine is all three); offshore when work is routinised and the goal is cost and talent scale, not daily collaboration or sensitive IP.
  • +3Add the cloud and lifecycle nuance: for payroll, pure off-the-shelf → SaaS (PaaS if they wanted to build but not run servers; IaaS for raw compute), then run every option through Cullen's lifecycle (Assess → Evaluate → Contract → Transition → Manage), noting the SLA is enforced in the Manage phase.
  • +4Diagnose the offshore failure: 'worse and nobody can say why' is the textbook performance blind spot — Meridian failed to run periodic capabilities audits (Ranganathan & Balaji), likely treated the deal as ad-hoc and under-invested in transition/governance, and may have fallen to the winner's curse after the early cost win. Fix: institute regular capability audits, active SLA governance in the Manage phase, and a dedicated relationship-management capability.
Payroll → outsource (SaaS); the strategic, sensitive fraud-detection engine → keep in-house; commodity 24/7 card-support → offshore. The call centre degraded because Meridian lacked periodic capabilities audits and active Manage-phase governance — the classic offshore blind spot — and outsourcing never outsourced its accountability for the outcome.
Sia tip — When a case hands you several systems, classify AND justify each against the build-or-buy rule (don't just label them), add the cloud boundary (IaaS/PaaS/SaaS) and Cullen's lifecycle, and for any 'service got worse, can't tell why' failure name the capabilities audit and the winner's curse. Memorise the two soundbites: 'outsource the commodity, keep the competence' and 'outsourcing doesn't outsource accountability.'
Glossary

Key terms

Build-or-buy (in-house vs outsourcing)
In-house IT means systems built and maintained by your own staff ('build it yourself'); IT outsourcing means a third-party vendor does the development or maintenance ('buy it from others'). The decision is strategic: keep core/strategic/sensitive work in-house and outsource commodity, non-core work.
Offshoring
Sourcing from a supplier in a different country, chosen for cost reduction, global scale and skilled labour at lower cost. Offshoring is about location, not ownership — you can even offshore in-house through a captive centre — so it is not a synonym for outsourcing.
Onshoring / domestic sourcing
Using a vendor in the same country, preferred for high-security or non-routine work because of faster delivery and cultural alignment, usually at higher cost than offshore.
Cloud / XaaS
'Anything as a service' delivered over the internet on demand, giving elastic scale, low upfront capital and no location restriction. The three models — IaaS, PaaS and SaaS — differ by how much of the stack the provider manages.
IaaS / PaaS / SaaS
IaaS rents virtual hardware (you still manage the OS, runtime, data and app); PaaS rents the platform (you bring only the app and data); SaaS rents the finished service (the provider manages everything and you just log in). The higher up the stack you buy, the more the provider manages.
Outsourcing lifecycle (Cullen et al. 2005)
A five-phase model — Assess, Evaluate, Contract, Transition, Manage — embodying the 'lifecycle imperative': manage the whole cycle, not just the deal. The SLA is written in Contract but enforced in the Manage phase.
SLA / Cloud Service Agreement (CSA)
The service-level agreement specifying the performance the vendor must deliver; it is the organisation's primary protection if the vendor underperforms, negotiated in the Contract phase and policed in the Manage phase.
RFP and Proof of Concept (POC)
A Request for Proposal invites and compares vendor bids during the Evaluate phase; a Proof of Concept (trial run) tests a shortlisted vendor's solution before you sign the contract.
Winner's curse
Complacency after an early outsourcing success: the client assumes capabilities are static and stops adapting, even though offshore environments keep changing — a failure mode Ranganathan & Balaji warn against.
Capabilities audit
A periodic review of the capabilities of both client and vendor. Skipping it creates a performance blind spot, where service quietly degrades and the client 'can't tell why' — the signature offshore failure.
FAQ

IT Sourcing and Outsourcing FAQ

How do I decide whether to build or buy an IT system?

Ask whether the system is part of what makes the firm uniquely competitive. Keep it in-house if it is a competitive advantage, is (or feeds) a core competence, handles sensitive or proprietary data, or needs deep specialised domain knowledge. Outsource it if it is standard, commodity, mature off-the-shelf technology outside your core competencies, or if you lack the capital and staff to build it. The rule of thumb is 'focus on what you do best, let specialists handle the rest' — but start small with a non-core service and measure performance first.

Is offshoring the same thing as outsourcing?

No, and the exam tests this. Outsourcing is about ownership (a third party does the work); offshoring is about location (the supplier is in a different country). They often go together, but a firm can offshore in-house by running its own captive centre abroad, and it can outsource onshore to a domestic vendor. Treating the two as synonyms is a classic wrong answer.

What is the difference between IaaS, PaaS and SaaS?

They differ by which layers of the stack you still manage versus the provider. IaaS rents virtual hardware — you manage the OS, runtime, data and app. PaaS rents the platform — you bring only the app and data. SaaS rents a finished service — the provider manages everything and you just log in. A quick way to choose in a case: pick by what the firm does NOT want to manage.

What is Cullen's outsourcing lifecycle and why does it matter?

Cullen, Seddon & Willcocks (2005) describe outsourcing as a five-phase lifecycle: Assess (build or buy?), Evaluate (RFP, shortlist, proof of concept), Contract (terms and the SLA), Transition (migrate and cut over), and Manage (enforce the SLA and govern the relationship). Their 'lifecycle imperative' is that you must manage the whole cycle, not just sign a good deal — most failures come from over-investing in the contract and neglecting transition and manage. Remember the SLA is enforced in the Manage phase, not the Contract phase.

Does outsourcing transfer accountability to the vendor?

No — this is the single most common exam trap. You can transfer the work, but you retain accountability for the outcome and must actively govern the vendor: 'outsourcing doesn't outsource accountability.' You also should not outsource a core competence, a competitive-advantage system, or sensitive-data work; the framework says keep those in-house.

Why does offshore service often degrade over time?

Ranganathan & Balaji (2007) identify the pattern: a firm wins early on cost, then falls to the winner's curse (complacency in a changing environment) and stops running periodic capabilities audits. Without those audits it develops a performance blind spot — service slips and the firm 'can't tell why.' The fix is a systematic approach, ongoing capability audits, dedicated governance structure and people, and active SLA enforcement in the Manage phase.

Study strategy

Exam move

Treat sourcing as an application exercise, not a list to memorise. For any system in a case, run the build-or-buy gate first (core/strategic/sensitive → in-house; commodity/mature/non-core → outsource), then place it on the spectrum (in-house → onshore → offshore → cloud) and justify the choice with case evidence; if it is cloud, pick IaaS/PaaS/SaaS by what the firm does not want to manage. Frame every recommendation with Cullen's five-phase lifecycle and remember the SLA is enforced in the Manage phase, and for any 'service got worse, can't tell why' failure, name Ranganathan & Balaji's capabilities audit and the winner's curse. Drill the high-frequency traps — outsourcing does not transfer accountability, offshoring is not outsourcing, and don't outsource a core competence — and bank the two soundbites 'outsource the commodity, keep the competence' and 'outsourcing doesn't outsource accountability.'

A+Everything unlocked
Unlocks this Bible + all 12 of your University of Melbourne subjects - and 1,000+ Bibles across every Australian university.
Sia - your ISYS90026 tutor, unlimited, worked the way the exam marks it
The full 10-page Bible + practice bank with worked solutions
Chrome extension - sync your LMS so Sia knows your deadlines
Bilingual EN / Chinese on every Bible and every Sia answer
$25/ month
30-day money-back · cancel in one tap · how it works
Unlock the full ISYS90026 Bible + 12 University of Melbourne subjects解锁完整 ISYS90026 Bible + University of Melbourne 12 门科目
$25/mo