Structured approach to organisational ICT risk management: An empirical study in Thai businesses

Risk management in relation to information and communication technologies (ICT) has become an essential means of organisational governance. Despite the development of ICT risk management methodologies, published as numerous techniques and tools intended to help organisations deal with ICT risks, questions remain about how successful these methodologies are. The Control Objectives for Information and related Technology (COBIT) framework is representative of this kind of approach to ICT risk management. It takes a holistic view of the organisation (Lainhart 2001a) and focuses on a top-down strategy that describes the business functions, processes and tasks needed to support senior management in developing, implementing and maintaining ICT governance across the organisation (Robinson 2005; Solms 2005a). Adopting a top-down strategy to manage ICT risks means that the organisation is concerned more with a whole-of-business view than with technical solutions to ICT risk management; as a result, the emphasis is on organisational structure and content (Solms 2005b). Existing research, however, shows that organisations appear to lack the required technical sophistication in their internal audit management when using this top-down approach (Viator & Curtis 1998; Hermanson et al. 2000). Clearly delineated technical and business orientations are therefore both part of the planning for effective ICT risk management. To address this issue, a bottom-up approach to ICT risk management has also been developed and its impact reported in the literature (Solms 2005a). One representative of this bottom-up approach is the ISO/IEC 17799 standard (renumbered ISO/IEC 27002 in July 2007) for effective ICT risk management (Martinez et al. 2010). The ISO/IEC 17799 standard is an information security governance framework that focuses on a detailed technical, or bottom-up, approach (Saint-Germain 2005; Solms 2005a).
A bottom-up approach emphasises technical security and elaborates in detail on all processes dealing with ICT risk. It also provides an organisation with general guidelines on how the ISO/IEC 17799 standard can be used to control, prevent and mitigate ICT risks. This research addressed the question "What factors determine successful ICT risk management in business organisations in the Thai business context?", and three subsidiary questions: "What are the current profiles of ICT risk management in Thai organisations?"; "How are ICT risk management concepts applied in those Thai business organisations?"; and "What success factors for successful ICT risk management can be identified from the adoption of the COBIT framework and the ISO/IEC 17799 standard?". The COBIT framework and the ISO/IEC 17799 standard are used extensively to define the organisational governance of business, ICT and security functions, processes and tasks, and so help management develop and implement strategies and policies for effective ICT risk management. This research explores the understanding of ICT risk management in the Thai business context. A mixed-method research approach was used to explore ICT risk management in a selection of Thai organisations. The findings from six case studies indicate that successful ICT risk management results from collaboration between management-level activities and operational-level activities. The adoption of the COBIT framework and the ISO/IEC 17799 standard in the case study companies revealed that success depended on six key factors: the creation of organisational policy, the management of people and their behaviour in organisations, the management of organisational ICT security, the management of ICT resources, the corporate-level plan and the operational-level plan.
To confirm the outcomes of the case study research, a survey was developed and administered to over 50 Thai organisations across three industry sectors (banking, technology and insurance) listed on the Stock Exchange of Thailand. The data were analysed using structural equation modelling (SEM). The analysis of the survey data showed that three main factors (the effective creation of organisational policy, the effective management of ICT resources, and the effective planning of enterprise information security) drive successful ICT risk management in the Thai organisations surveyed. This research sought to investigate the current profile of ICT risk management in order to identify and then model the success elements of ICT risk management in a sample of Thai business organisations. It supported and confirmed previous research arguing that policy must be structured first at the board of directors and then at the levels of senior management and operational management, who together must delineate the procedures and practices for dealing with ICT risk management. Several frameworks and standards have been introduced for dealing with ICT risks, yet ICT risks still persist; the implication of this research, drawn from the Thai organisations studied, is that organisations need to consider these success factors when managing ICT risk. This research proposed that three main success factors affect ICT risk management in Thai organisations. Firstly, effective organisational policy helped the Thai organisations to plan the effective management of ICT resources and the effective planning of enterprise information security. Secondly, the effective management of ICT resources facilitated the planning of enterprise information security, leading to successful ICT risk management planning.
In addition, the survey results showed that effective organisational policy was the main influence on the management of ICT resources and the planning of enterprise information security. All three success factors complement each other and were significant together in terms of strategic development (i.e. policy) and strategic implementation (i.e. management direction). Lastly, the effective planning of enterprise information security was shown to be a critical factor that helped an organisation mitigate, prevent and avoid operational, technical and strategic risks related to ICT. All three success factors were initially drawn from both the COBIT framework and the ISO/IEC 17799 standard and were found to contribute positively to successful ICT risk management.