IT risk management: interrelationships based on strategy implementation

DOI: https://doi.org/10.1108/IJAIM-08-2019-0093
Pages: 553-575
Published: 16 March 2020
Authors: Nishani Edirisinghe Vincent, Robert Pinsker
Subject matter: Accounting methods/systems; Accounting & Finance; Accounting/accountancy
Nishani Edirisinghe Vincent
Department of Accounting, University of Tennessee at Chattanooga, Chattanooga, Tennessee, USA, and
Robert Pinsker
School of Accounting, Florida Atlantic University, Boca Raton, Florida, USA
Abstract

Purpose: Risk management is an under-explored topic in information systems (IS) research that involves complex and interrelated activities. Consequently, the authors explore the importance of interrelated activities by examining how the maturity of one type of information technology risk management (ITRM) practice is influenced by the maturity of other types of ITRM practices. To explore these relationships, the authors develop a model based on organizational strategy implementation theory and the COBIT framework. The model identifies four types of ITRM practices, namely, IT governance (ITG), communications, operations and monitoring.

Design/methodology/approach: The authors use a survey methodology to collect data on senior information technology (IT) executives' perceptions of ITRM practices. The authors use an exploratory factor analysis (EFA) to identify four dimensions of ITRM practices and conduct a structural equation model to observe the associations.

Findings: The survey of senior IT executives' perceptions suggests that the maturity of ITRM practices related to ITG, communications and monitoring positively influences the maturity of operations-related ITRM practices. Further, the maturity of communications-related ITRM practices mediates the relationship between ITG and operations-related ITRM practices. The aggregate results demonstrate the interrelatedness of ITRM practices and highlight the importance of taking a holistic view of ITRM.

Research limitations/implications: Given the content and complexity of the study, it is difficult to obtain senior executives' responses in large firms. Therefore, this study did not use a separate sample to conduct the EFA to obtain the underlying four constructs. Also, the ITRM practices identified are perceptions. Even though the authors consider this to be a limitation, it also communicates the pressing areas that senior IT professionals are expected to focus on given various external and internal pressures. This study focuses on large firms; hence, small to midsize firms are not well represented.

Practical implications: Given the demanding regulatory and financial reporting requirements and the complexity of IT, there is an increasing possibility that the accounting profession will require IT professionals to focus on operations-related ITRM practices, such as the security, availability and confidentiality of data and IS, which are closely related to internal controls. However, as this study demonstrates, the maturity of operations-related ITRM practices cannot be achieved by focusing solely on operations-related IT risks. Therefore, IT practitioners can use this study to raise awareness among managers of the complex interrelationships among ITRM practices, in order to improve the overall ITRM practices in a firm.

Social implications: The study also shows the importance of establishing proper communication channels among various business functions with regard to ITRM. Extant IT research identifies the importance of the firm's communication structure on various firm performance measures. For example, Krotov (2015) mentions the importance of communication in improving trust between the Chief Executive Officer and Chief Financial Officer. Firms with established communication channels have the necessary medium to educate and involve other departments with regard to the security of data. Thus, such firms are more likely to have mature risk management practices because of increased awareness of risks and preventive techniques.
Received 1 August 2019; revised 13 November 2019, 30 January 2020 and 3 February 2020; accepted 10 February 2020.
International Journal of Accounting & Information Management, Vol. 28 No. 3, 2020, pp. 553-575. © Emerald Publishing Limited. ISSN 1834-7649. DOI 10.1108/IJAIM-08-2019-0093.
The current issue and full text archive of this journal is available on Emerald Insight at: https://www.emerald.com/insight/1834-7649.htm
Originality/value: The study contributes to the ITG and risk management literature by identifying the role of monitoring-related ITRM practices in improving other areas of risk management. The study also extends the existing ITRM literature by providing an organizational strategy perspective on ITRM practices and showing how ITRM practices follow organizational strategy implementation. Further, the authors identify four underlying ITRM categories. Consequently, researchers could choose between two factors (Vincent et al., 2017) or four factors based on the level of detail required for the particular study.

Keywords: IT governance, IT risk management, Organizational strategy, IT risk, IT risk categories, Maturity of IT risk

Paper type: Research paper
1. Introduction

Both academia (Wilkin and Chenhall, 2010; Turel and Bart, 2014; Vincent et al., 2017) and practice (the Securities Exchange Commission [SEC] 2009; COBIT 5 [ISACA, 2012]) identify information technology (IT) risk management as a critical firm practice within the larger auspice of IT governance (ITG). Once IT risks are identified, management should also identify appropriate risk responses and establish various practices to mitigate the risks, with more mature practices ultimately leading to better risk management. Wilkin and Chenhall list several IT risk management (ITRM) topics that are currently under-researched, including risk categories, strategies to manage risk and the role of senior management. While the extant literature explores IT risk factors in various, individual contexts such as project management (Tesch et al., 2007; Kutsch et al., 2013), IT operations (Goldstein et al., 2011) and IT outsourcing (Gonzales et al., 2010), there is a serious gap in the literature exploring the interrelationships and effects of mature processes among risk categories. Understanding these interrelationships among risk categories is an important aspect of ITRM, as evidenced by major cybersecurity incidents such as the incident at Target in 2013 (Shu et al., 2017)[1]. As implementing and enforcing controls for risk management is a delicate balance between effectiveness and efficiency, management must consider whether the maturity of one risk management practice will positively influence other risk management practices within the firm[2]. Consequently, the purpose of our study is to explore how the maturity (i.e. the extent to which management performs particular activities to identify, assess, monitor and respond to IT-related risks; ISACA, 2009a; KPMG, 2013) of different types of ITRM practices is influenced by the maturity of other related types of ITRM practices.

Tallon (2011) explores IT/business alignment and value creation and suggests the importance of considering the effects of alignment at the process level. Further, he finds that alignment in a given process has spillover effects, creating higher IT/business alignment in downstream processes. Regarding ITRM practices, Wilkin and Chenhall (2010) suggest focusing on the process rather than an outcome when implementing risk responses. Even though the importance of ITRM process/practice is recognized and guidance on how to identify various IT risk categories is available through best practice frameworks (e.g. COBIT 5 [ISACA, 2012] and Risk IT [ISACA, 2009a]), to this point, the ITRM research has not taken the necessary, holistic approach to the interrelatedness and spillover effects of ITRM practices. We argue that following regulatory requirements and best practices should incentivize senior managers to engage in said holistic ITRM practices and, therefore, consider the interrelationships among IT risk categories.

The SEC (2009) addresses the importance of the role of senior management in risk management via their enhanced proxy disclosure requirements. In addition, the Committee of Sponsoring Organizations (COSO) updated its internal control framework to reflect the changes in the business environment including expectations for governance/oversight