Information Systems Risk Management


Background and Research Area

Risk management is an indispensable part of every organization and the mechanism by which the impacts of threats (or risks) are identified, assessed, and minimized and opportunities for gains are seized (ExecutiveBrief, 2008; Jutte, 2010). Consequently, risk management is crucial for the efficient operation of an organization's information systems. An information system is defined as an interface between people and IT that enables the effective gathering, processing, storing, and transmission of an organization's information and provides a feedback mechanism that helps the organization achieve its goals (Belle, Eccles, and Nash, 2003; Ralph, George, and George, 2009). Applegate, Austin, and McFarlan (2007) point out that both opportunities and threats are created by the relentless pace of IT evolution. This implies that information system risk has evolved just as relentlessly, since an information system is a product of people's use of IT to meet the information needs of organizations.
Information system risk management is defined here as the process by which the potential risks of an information system are identified, assessed, and systematically controlled and/or mitigated to enable an organization to achieve its goals (James, 2003). The premise made above, that information system risk evolves as IT evolves, means that information system risk is dynamic, and hence its management must equally be dynamic if organizations want to stay in business. The question of how information system risks are managed in a constantly changing world of IT therefore arises logically.
Various explanations and/or models of risk management in information technology projects and/or companies have been offered by the contemporary literature on risk management. Apostol-Maurer (2008) argues that an efficient concept of risk management based on information systems that optimize the flow of information is an effective risk management model for companies. Radack (2009) offers the National Institute of Standards and Technology (NIST) risk management framework as an effective way to manage information system risks. The NIST framework provides a structured process and information that helps an organization identify information system risks, assess those risks, and take systematic steps to mitigate them (Radack, 2009). Olzak (2008), on the other hand, offers a modified version of the NIST framework (making it a generic model) for both private and public organizations. Olzak (2008) claims that the NIST framework focuses on how the U.S. government operates, hence the need for the modification. Other frameworks offered by other authors include, but are not limited to, Enterprise Risk Management (ERM) (Shaker, 2010) and the ten golden rules for successful risk management in projects (Jutte, 2010). All of these models are well framed for risk managers to adopt and apply in managing risk in their companies. However, the literature on problem-solving in IT suggests a different approach. Hedman and Kalling (2002) point out the importance of strategy in IT firms and argue that strategy is a problem-solving process, as firms deal with specific, practical problems as they occur. Thus problem-solving in IT should be based on the IT environment, and the IT environment is an ever-changing one (that is, IT is very dynamic).
If information systems operate in the same dynamic environment as IT, then information system risk management will equally be dynamic, responding to specific information system risks as they occur, and will involve the consideration of many important factors rather than just the risk management approaches. Risk is often dynamic and may have different meanings to different people, despite the use of risk as a universal concept for threats and loss. Kloman (1990) explains that different users of the term risk often attach different meanings to it, even though it looks like a universal concept. Therefore, it is not enough for firms simply to adopt risk management models; firms' understanding of the nature of risk, and hence of the critical factors for risk management, is important in reducing the rate of risk management failures shown by various scientific evidence.
The rate of failure of IS/IT projects due to risk management problems, even with the existence of risk management models, is remarkably high. For instance, according to Standish Group (2001), quoted in Tiwana and Keil (2004), the large number of IT project failures arising from risks that could have been assessed and managed costs U.S. companies as much as $75 billion annually. The success rate of IT projects is estimated at 34%, with 15% failures and as many as 51% of projects suffering cost and time overruns (Standish Group, 2003, in Al-Shehab, Robert & Graham, 2005). Similar revelations include losses of as much as 142 billion Euros from information system failures across the European Union, due primarily to poor and/or absent stakeholder communication within the project community as well as the wider management hierarchy (John and Trevor, 2007). Saur and Cuthbertson (2003), in Bronte-Stewart (2009), list project failures from various sources, including but not limited to an Oxford survey report which shows that just 16% of IT projects were successful, as many as 74% were "challenged," and 10% were abandoned. The data presented here not only question the effectiveness of risk management models but also suggest that effective risk management is more a matter of many critical factors, such as effective communication, which guide both the understanding of risk and its environment and the strategy to manage the risk. Kloman's (1990) discussion of the various connotations of risk and Hedman and Kalling's (2002) presentation of strategy as a firm's problem-solving process both suggest that firms consider many important factors in risk management.
The present research investigates risk management in practice and especially the factors that contribute to effective risk management. This is the basic problem with which this essay is concerned and which it tries to investigate. Specifically, it is hypothesized in this essay that if information system risk is as dynamic (relentlessly paced) as described above, by analogy with Applegate, Austin, and McFarlan's description of IT, then effective IS risk management in practice will require fundamental factors that play crucial roles in making risk management effective. The challenges that contemporary information system risk management models encounter in practice will be considered in the light of the critical factors that risk managers need to consider.
This study contributes to the literature in the following ways. Firstly, it investigates how risk managers are able to cope with the complexity and dynamic nature of risk in practice. IT project failures have been the subject of many studies; therefore the way risk management is done in practice is worth investigating. Secondly, this essay collects data from Egypt, which may reveal some vital information about risk and its management in a non-Western country.

Problem Statement and Research Purpose

In theory there are many well-formulated risk management frameworks for IT managers to use in managing information system risk. However, given the statistics on IT project failures found in the literature, this essay proposes to investigate how IT risks are managed by companies in practice.
It follows from the above that this essay will attempt to answer the following questions:
1. What are the critical factors for information systems risk management?
2. Do threats impact on the extent to which risk management frameworks are used?
3. How do companies attempt to increase the effectiveness of their risk management approaches?
Answering the questions posed above will deepen our understanding of risk management processes in practice. This essay will hopefully provide a rich source of information, especially with regard to the fundamental factors that underlie successful risk management.

Limitations of the Essay

The scope of this research is based mainly on the investigation and analysis of critical factors for effective information system risk management in IT projects in Egypt. Thus, the results obtained may not be applicable to other types of risk managed by other IT projects in other countries. There may also be some difficulty in gathering all the necessary empirical data from the anticipated number of companies, hence limiting the amount of empirical data that can be presented.


Essay Outline

The rest of the essay is organized in four chapters. Chapter 2 presents the methodology applied to answer the research questions: the methodology chosen for the empirical data collection, the sample size, and the place of data collection. This essay uses structured interviews to gather the empirical data. This approach is chosen because our main interest is to evaluate the crucial factors necessary for effective risk management in practice. The theoretical framework, comprising the features of information systems, the qualities of good risk management models, IS risk management models, and a generic risk management framework, is presented in chapter 3. The discussion in chapter 3 is meant to elicit the nature of IS risk and the risk management models proposed in the IS literature, to enable us to investigate the extent to which those models are applied in practice. The generic risk management framework, which mirrors the risk management models identified, is presented using the framework of Schlaak et al. (2008, pp. 3-4). The empirical results from the interviews and their analysis are presented in chapter 4. The conclusion and discussion are presented in chapter 6, together with the implications of our findings and the areas that need further research.

Research Methodology

This research work is based on a deductive approach because we are concerned with the possible link between risk management in theory and in practice; hence it requires a methodology of inquiry that can be used to gather data from the experiences of risk management practitioners. In order to learn the subtle differences between the theory and practice of IS risk management in IT companies, it is important to present the relevant theoretical discussions of risk management in the IS literature and then conduct an investigation that brings out practitioners' actual practices, enabling us to confirm or refute the theories presented. Practitioners' actual practices in this context are analogous to what Argyris & Donald (1978) labelled as people's mental maps, which guide them in specific situations and, most importantly, guide practitioners' actions rather than the theories they explicitly espouse. Thus, this essay conducts research in two parts: a conceptualization part and a confirmatory part. Both fall under the deductive approach because, as Gill and Johnson (2002, in Pathirage, Amarantunga, and Haigh, 2008) assert, "a deductive research method entails the development of a conceptual and theoretical structure prior to its testing through empirical observation." The deductive approach is helpful where a new and more coherent framework is needed to explain a problem that is not adequately explained by contemporary frameworks. Pathirage, Amarantunga, and Haigh (2008) state that the emphasis in the deductive approach is the deduction of new ideas or facts from the new conceptual and theoretical framework, in the hope that it explains a problem better than preceding theories. This thesis is concerned with the issue of increasing risk management failures even though explanations of how risk could be managed effectively exist, and so the deductive approach is robust for the issue under consideration.
The conceptual and theoretical part discusses the nature of IS risk and the requirements that risk management models must meet to be useful in managing IS risk in practice. The risk management models discussed in the IS literature will be identified and presented. It should be made clear that the processes in individual models will not be discussed; rather, a set of generic risk management processes that corresponds to the processes in the individual models will be presented. The discussion of generic processes rather than the processes of individual models is based on the framework presented by Schlaak et al. (2008, pp. 3-4). Since the goal of this research is not to test a particular risk management model but rather to find out which risk management models IS risk managers are assumed to espouse, presenting the models within this framework matches the goal. Consequently, the information gathered and presented in this part will enable us to find out, in the confirmatory part, which risk management models are used in practice, the extent of their usage, and the critical factors that underlie effective risk management.
Structured interviews will be conducted in the confirmatory part to find out what guides risk managers in practice: their experience, theory, or both. Since our aim is to answer questions such as "What are the critical factors..." posed in this essay, the confirmatory approach is well suited to enabling us to confirm or refute the critical factors deduced and discussed in the theoretical framework.
Purposeful sampling will be used to gather the data, since our interest is in IT projects. Ten (10) IT projects representing the population of IT projects in Egypt will be sampled to gather an information-rich empirical data set through a structured-interview technique. Maxwell (1997) explains that purposeful sampling is useful in situations where particular events or persons should be deliberately selected for information that cannot be obtained from sources other than the selected sample. There are many international and national IT projects in Egypt. All the companies selected for the interviews have a good reputation, in and outside Egypt, based both on their histories and on their performance; hence gathering data from risk managers in Egyptian IT projects offers a quality data set. Furthermore, the blend of national and international companies might reveal something interesting about differences in risk management. The researcher will first contact the risk manager, Chief Information Officer (CIO), Chief Technology Officer (CTO), or an application/software manager in each of the IT companies identified to discuss the research, the intended structured interview, and the possible date on which the interview can be conducted. The structured interview questions will be delivered to the respective interviewees a day before the interview date, to enable the interviewees to acquaint themselves with the questions and the interviewer to confirm that the interview can take place the next day. The interviews are then conducted on the dates agreed with each interviewee. The interviews are face-to-face and are expected to take thirty to forty minutes. They will take place in Cairo, Egypt, at Smart Village, where all the technology projects have their headquarters.
At the beginning of every interview, the purpose of the research, the importance of responding, the assurance of confidentiality (companies will be labelled with letters in the data presentation and analysis), and the non-transferability of the information will be explained.

Table of Contents

1 Introduction
1.1 Background and Research Area
1.2 Problem Statement and Research Purpose
1.3 Limitations of the Essay
1.4 Essay Outline
2 Research Methodology
2.1 Reliability and Validity
3 Theoretical Frameworks
3.1 Features of Information Systems
3.2 Qualities of Risk Management Model
3.3 Information Systems Risk Management
3.2.1 Risk Management Approaches
3.2.2 Generic Risk Management Processes
3.2 Summary: Risks Management Framework
4 Empirical Findings and Analysis
4.1 Information Systems Risk Management
4.2 Qualities of Risk Management Models
4.3 Features of Information Systems
4.4 Effectiveness of Risk Management
5 Conclusion and Discussion
List of References
Appendix I: Structured Interview Questions
