Risk Profiles in Individual Software Development and Packaged Software Implementation Projects: A Delphi Study at a German-Based Financial Services Company

The aim of this paper is to compare risk profiles of individual software development (ISD) and packaged software implementation (PSI) projects. While researchers have investigated risks in either PSI projects or ISD projects, an integrated perspective on how the risk profiles of these two types of information system (IS) projects differ is missing. To explore these differences, this work conducted a Delphi study at a German-based financial services company. The results suggest that: First, ISD projects seem to be more heterogeneous and face a larger variety of risks than the more straightforward PSI projects. Second, ISD projects seem to be particularly prone to risks related to sponsorship, requirements, and project organization. Third, PSI projects tend to be predominantly subject to risks related to technology, project planning, and project completion. Finally, in contrast to available lists of risks in IS projects and irrespective of the project type, the paper found a surprisingly high prominence of technology and testing-related risks

A SITUATIONAL PERSPECTIVE ON WORKAROUNDS IN IT-ENABLED BUSINESS PROCESSES: A MULTIPLE CASE STUDY

Workarounds are still one of the most puzzling phenomena in business process management research and practice. From a compliance perspective, workarounds are studied as control failure and the cause for inferior process quality. From a process reengineering perspective, however, workarounds are studied as an important source of process improvement. In this paper, we advance recent theory on the emergence of workarounds to resolve this puzzle by analyzing empirical evidence from a multiple case study. Our analysis reveals that employees utilize workarounds based on a risk-benefit analysis of the situational context. If the realized benefits (efficiency gains) outweigh the situational risks (exposure of process violations), workarounds will be perceived as process improvement. Erroneous risk-benefit analysis, however, leads to exposure of the same workaround as control failure. Quite unexpectedly, we found that information systems serve as critical cus for the situational balance of benefits and risks. Our result suggests that process-instance-level workarounds are treated as options that are engaged if the situation permits, in contrast to process-level workarounds that manifest as unofficial routines. We also contribute the notion of situational risk-benefits analysis to the theory on workarounds

When to manage risks in IS projects: An exploratory analysis of longitudinal risk reports

Research attributes the mixed performance of IS projects to a poorunderstanding of risks and thus limited capabilities to manage suchrisks. In line with others, we argue that the poor understanding ofrisks is partly due to the fact, that current research almostexclusively concentrates on which risks are important in ISprojects. In contrast to this static view, we focus on the temporalaspect of project risks, i.e., we explore when risks become more orless important during a project. In doing so, we analyze an archiveof risk reports of completed enterprise software projects. Projectmanagers regularly issued the risk reports to communicate thestatus of the particular project. Our findings are as follows: First,risk exposure and thus the perceived importance of risk types doesvary over project phases. Second, the volatility of risk exposurevaries over risk types and project phases. Third, risks of variousorigin exhibit synchronous changes in risk exposure over time.From a research perspective, these findings substantiate the needfor a temporal perspective on IS project risks. Thus, we suggestaugmenting the predominant static view on project risks to helpproject managers in focusing their scarce resources. From apractical perspective, we highlight the benefits of regularlyperforming risk management throughout projects and constantlyanalyzing the project portfolio. In sum, we provide a first time,descriptive and exploratory view on variations in project riskassessments over time

EXPLORING THE CONTRIBUTION OF INFORMATION TECHNOLOGY TO GOVERNANCE, RISK MANAGEMENT, AND COMPLIANCE (GRC) INITIATIVES

Information technology (IT) has a tremendous impact on the discipline of accounting by introducing new ways of retrieving and processing information about performance deviations and control effectiveness. This paper explores the role of IT for managing organizational controls by analyzing value drivers for particular accounting information systems that commonly run under the label of Governance, Risk Management, and Compliance (GRC IS). We apply a grounded theory approach to structure the value drivers of GRC IS into a research framework. In order to understand the impact of IT, we relate the GRC IS value drivers to control theories. Practical implications include understanding GRC IS benefits beyond compliance and providing clear strategic reasoning for GRC IS depending on the individual company’s situation. Research implications include the fact that integrating IT into the context of accounting leaves several unsolved yet promising issues in theory which future research might address. This paper is the first to use the lens of organizational control theories on Governance, Risk Management, and Compliance information systems and establishes a potentially fruitful research agenda for GRC IS as a highly relevant topic for information systems research

ANTECEDENTS OF IT-ENABLED ORGANIZATIONAL CONTROL MECHANISMS

Organizational control is one of the fundamental management functions. Literature on control design suggests two underlying antecedents for designing organizational controls: \u27knowledge of the transformation process\u27 and \u27ability to measure output\u27. We conducted an exploratory case study, drawing on archival data and interviews to test organizational control theory (OCT), taking into account the role of Information Technology (IT) in control design. We operationalized OCT as characterized by literature and classified 525 organizational controls. We found OCT correctly predicted the control type based on the antecedent conditions in approximately two out of three cases. We found the other third being influenced by automation, centralization, and mass data analysis. We argue that IT allows management to implement behavior controls in situations, where processes and procedures are unknown and therefore ?knowledge of the transformation process? is low. As contribution for theory, we reveal exploring capabilities of organizational control in addition to exploiting activities. As contribution for practice, we introduce new antecedents for designing organizational controls. This research is in line with others to test control theory, but it is the first to explain the catalyzing functions of IT on organizational control design within a case study

Towards Understanding the Relative Importance of Risk Factors in IS Projects: A Quantitative Perspective

Commonly, project managers and researchers agree that identifying risks is the most crucial step in project risk management. Hence, extant research provides various rankings of risk factors. In this paper, we rank the importance of risk factors based on an archive of project risk reports provided by project managers of a large software development company. In contrast to previous research that ranks people and processes as most important risk domains, our analysis emphasizes technologyrelated risk factors. We argue that this conflict might result from two dimensions determining the perceived importance of risk factors: Controllability and micro-politics. A project manager will rank risks higher when he has only limited control on mitigating risks. Risks beyond control will be neglected. However, in a corporate context, micro-political mechanisms change the importance towards these risks. They will exploit risk management to escalate uncontrollable threats to project success and cover risk factors that stem from shortcomings of their own or of colleagues. Thus, micropolitical mechanisms reveal the most important risks from a corporate perspective. Detached from the corporate context, project managers emphasize risks threatening efficient project management. We contribute to IS research by proposing alternative explanations for the ranking discrepancies

Understanding the Enabling Design of IT Risk Management Processes

Although managing information technology (IT) risks is widely regarded as a critical in organizations, stakeholders often question the value provided by IT risk management (IT-RM) to an organization. Organizational research suggests the concept of ‘enabling formalization’ to design highly formalized organizational processes. Processes like IT-RM that are designed in an enabling way support organizational members through flexible guidelines that communicate best practices and empower them in resolving surprises and crises during process execution. It remains unclear, however, how organizations can implement enabling IT-RM processes. We conduct an exploratory study and identify four design decisions for IT-RM. We identify different solutions to these IT-RM design decisions and provide empirical evidence as to how these solutions facilitate enabling process design. Our results suggest that organizations need to balance rewarding and punishment-centered strategies in designing IT-RM to change it from an ineffective, costly, and detrimental endeavor into an enabling organizational process

Seven principles for managing IT solutions from a provider’s perspective

IT solutions are a way to differentiate between competitors and to meet new customer expectations. For organizations transforming into IT solution providers, it is still unclear how to manage IT solutions. Based on literature on IT solutions and a multiple case study, we derive seven principles for managing IT solutions from the provider’s perspective. Main principles include that IT solution providers should have a modularized offering portfolio in place to ensure cost-efficient IT solution delivery for each customer and that IT solution providers should learn from each customer engagement to attune their offering portfolio constantly to market needs. As a result from our management principles, we argue that becoming an IT solution provider requires more effort than just changing the offering portfolio to include service