6 research outputs found

    Understanding the Enabling Design of IT Risk Management Processes

    Although managing information technology (IT) risks is widely regarded as critical in organizations, stakeholders often question the value provided by IT risk management (IT-RM) to an organization. Organizational research suggests the concept of ‘enabling formalization’ to design highly formalized organizational processes. Processes like IT-RM that are designed in an enabling way support organizational members through flexible guidelines that communicate best practices and empower them in resolving surprises and crises during process execution. It remains unclear, however, how organizations can implement enabling IT-RM processes. We conduct an exploratory study and identify four design decisions for IT-RM. We identify different solutions to these IT-RM design decisions and provide empirical evidence as to how these solutions facilitate enabling process design. Our results suggest that organizations need to balance rewarding and punishment-centered strategies in designing IT-RM to change it from an ineffective, costly, and detrimental endeavor into an enabling organizational process

    Developing the concept of Individual IT Culture and its Impact on IT Risk Management Implementation

    Organisational implementations of IT risk management (IT-RM) frameworks often fail due to cultural forces. This work-in-progress study focuses on the action of IT individuals involved with IT-RM implementations. Particularly, this research steps outside the conventional factor analytic perspective of IT risk management research by focusing on contextual and processual elements as well as the actions and interpretations of managers to explain successful implementations. A series of case studies were designed around semi-structured in-depth interviews with IT managers. Grounded theory-like analysis of the case text produced a structure of conceptual categories and themes depicting the successful implementation of an IT-RM framework

    Risk Management in IT Departments: a Process Perspective

    This research reports on a field-based research investigation into the processes of implementing risk management (RM) schemes in IT departments from a sensemaking perspective. Participation and implementation of the framework is conceptualised as a process of organisational learning. The literature on RM, specifically implementation issues associated with RM schemes, is reviewed. This work-in-progress paper focuses on contextual and processual elements as well as the action of key players associated with implementation. This research also suggests a different approach to doing RM research — one that takes into account the interaction over time of participations, context, meaning, process, planning and action around the implementation of RM schemes. The findings will provide insight for theory and practice, detailing the organisational learning that is associated with RM frameworks under certain circumstances, and how these might be assessed and managed

    Conceptualization of Relational Assurance Mechanisms - A Literature Review on Relational Assurance Mechanisms, Their Antecedents and Effects

    Assurance mechanisms are an important element of relational governance and frequently used in information systems (IS) research; still missing in this field, however, is a coherent and interrelated structure to organize available knowledge. In this study, we provide a first step towards development of a conceptualization framework of relational assurance mechanisms to enable their further investigation. From our analysis of existing literature, we discover two gaps in assurance research: (1) a fragmentation of assurance research and (2) a lack of conceptual consensus on relational assurance mechanisms. We provide a theoretical framework consisting of a conceptualization of identified relational assurance mechanisms, their antecedents and effects as a means of advancing theory in this area. Several possibilities for future research are discussed

    Perceived Control and Privacy in a Professional Cloud Environment

    Cloud customers need to assess whether their cloud service provider offers high-quality services and handles sensitive information confidentially. Privacy protection is therefore a major challenge during cloud sourcing. Although cloud customers want control over their sensitive information, they have limited resources to do so. They therefore consider other control agents, such as certification authorities or collectives, but the effectiveness of these groups to ensure privacy protection is unknown. This study differentiates between three control agents (personal control, proxy control, and collective control) and investigates the influence of these agents on cloud customers’ perceived control over sensitive information to protect privacy during cloud sourcing. Results show that proxy and collective control influence cloud customers’ perceptions but personal control does not. Therefore, only external control agents, who can apply sanctions, are perceived as being able to effectively protect privacy

    IT Risk Management Implementation as Socio-Technical Change: A Process Approach

    This study introduces a new process for implementing risk management in IT departments, promoting a socio-technical change approach. This research steps outside the conventional factor analytic perspective of IT risk management by embedding contextual and processual elements (e.g. socio-technical interactions and interpretations) to explain successful implementations. Adopting a multi-case approach for obtaining richer data from a problem domain, we outline new details of an implementation process. The proposed process model represents how these elements work together to produce a successful outcome. Grounded theory-like analysis of the case findings helped us to understand and explore conceptual categories and themes that are relevant to the proposed process. By developing the conceptual model of IT risk management implementation with a socio-technical perspective, we generate a set of propositions in this paper that explains the dynamic nature of IT implementation