Abstract

The study develops a process model of the implementation of IT risk management frameworks involving IT department individuals. The literature on IT risk management, and specifically on participation with IT risk management frameworks, is reviewed. The review indicates a need for process research to improve existing knowledge and practices in the domain of IT risk management. Specifically, the thesis addresses four research questions: (i) What IT culture could be identified during the implementation of ITRM for the first time? (ii) What factors and contextual conditions influence the implementation of ITRM? (iii) What are the processes IT managers go through when implementing ITRM within IT departments? (iv) How can these ITRM processes be depicted in a model? This qualitative study adopts a subjectivist epistemology, complemented with an interpretive paradigm and inductive reasoning. A series of nine case studies was designed around forty-two semi-structured in-depth interviews and conducted to investigate how and why IT managers and their IT teams implemented risk management for the first time. The study focused on contextual and processual elements as well as the actions of key players associated with implementation. The use of a grounded theory-like qualitative analysis was particularly appropriate, generating a set of insights, issues, and propositions that addressed the critical individual and organisational elements involved in implementing IT risk management, elements to date largely overlooked in the risk management literature. The theory generated from the empirical findings suggests that the intentions and actions of the IT department's members (head of IT, senior IT management and operational IT groups), the processes they enact, and the organisational context into which they are implemented critically influence IT risk management implementation.
The findings provide new insights in relation to IT risk management implementation by considering IT individual culture. The thesis conceptualises IT risk management implementation as a cultural process through which IT managers socially construct the meanings and purposes of their work activities. These findings suggest a dynamic approach to implementing IT risk management frameworks, one that considers the interaction over time of intentions, context, process, and action around risk management frameworks. The research develops a substantive theory (Gregor, 2006) comprising a schematic model of five sub-processes and a set of theoretical propositions. The thesis discusses the propositions by way of reference to the literature, thereby enhancing the credibility and generalisability of theory building from case research. The last section presents an evaluation of the resulting theory by following the guidelines introduced by Sjoberg et al. (2008) for building behavioural theories in software engineering.
