Dr. Jamey Worrell, CPA, CISA, CIA
Managing Organizational Risk Associated with IT Managing Risks in Arms-length Transactions Governing collaboration and exchanges in electronically-mediated transactions Managing Risks in Organization & System Design Aligning people, processes and technologies to enable organizational agility Managing Risks in ERP Post- implementation Aligning ERP functionality and business needs in post- implementation phase Identifying Sources of Risk Teaching cases on IT risk identification and IT audits Understanding perceptual differences in IT risk
What is the problem? Why is this important? What do we know about IT risk? How did we investigate this problem? What do we now know about IT risk? What do you think?
IT ManagersBusiness Managers How do different stakeholder groups within organizations conceptualize IT risk? IT Audit & Security
IT risk defined as “the risk that an organization’s information systems will not adequately support the organization in achieving its business objectives, sufficiently safeguard its information resources, or deliver accurate and complete information to its users.
Event identification is all about identifying those events that have a potentially harmful impact on the organization…i.e., risks When we begin talking about IT risks, the picture gets a little cloudy…how do we resolve (potentially) differing perspectives?
Composition and importance of technology- related risk is a long running debate, with limited resolution Past 20 years of scholarly research on IT risk has had limited success in identifying a consistent conceptualization Scholarly research on IT risk tends to focus on a single stakeholder’s perspective (project manager, executive management, “user”) Business and technical personnel have demonstrated difficulties speaking the same language and understanding each other’s needs
Delphi study Appropriate for identifying and ranking issues for managerial action Uses a “panel of experts” to resolve complex questions and problems
IT Audit / Security Panel (n=17) All manager level and above Big 5 experience Business Panel (n=15) Mostly Fortune 1000 mid and senior managers IT Panel (n=12) All Fortune 1000 companies Wide variety of responsibilities
Phase 1 Each panel receives identical list of risk factors Asked to select “Top 10” IT risks For each panel, items receiving a simple majority (50% or more of panelists selected) moved forward to next phase Phase 2 Each panel receives panel-specific list of risk factors Asked to rank in order of importance Justify #1 ranking Subsequent rounds present risk factors in order of mean ranking Iterate until consensus on rankings or plateau
WInterpretation 0.1Very Weak Agreement 0.3Weak Agreement 0.5Moderate Agreement Source: Schmidt 1997
Risk ItemIT AS BITComments R8 Lack of organizational alignment between business and IT 142 “Not having IT ‘at the table’ leads to…irrelevant investments, wasted efforts and lost opportunities” R6 Interdependencies between systems 461 “…we have numerous systems cobbled together…like Frankenstein’s monster…error recovery is excruciating…” R19Technical complexity899 “…it’s often difficult to find the human resources with knowledge across systems to maintain these (complex, cross platform systems)”
Why do YOU think that 1. there wasn’t more overlap between the three panels? 2. the Business Professionals panel and IT Professionals panel were unable to reach consensus on IT risk rankings?
Heterogeneity within panels wide and varied representation IT Professional panel BCP/DRP, enterprise architecture, database management, application development, computer operations, technology product life cycle management Business Professional panel financial reporting, human resources, marketing, business controllership, procurement Individual biases in decision-making Recency bias Anchoring and adjustment Disconnects between IT and business professionals in decision making and risk identification
THANK YOU! Dr. Jamey Worrell