Cousins Separated by a Common language: Perceptions of IT Risk

1
Cousins Separated by a Common language
Perceptions of IT Risk

• Dr. Jamey Worrell, CPA, CISA, CIA

2
(No Transcript)
3
Agenda

• What is the problem?
• Why is this important?
• What do we know about IT risk?
• How did we investigate this problem?
• What do we now know about IT risk?
• What do you think?

4
What is the problem?
How do different stakeholder groups within
organizations conceptualize IT risk?
5
What is the problem?

• IT risk defined as the risk that an
  organizations information systems will not
  adequately support the organization in achieving
  its business objectives, sufficiently safeguard
  its information resources, or deliver accurate
  and complete information to its users.

6
Why is this important?
7
Why is this important?

• Event identification is all about identifying
  those events that have a potentially harmful
  impact on the organizationi.e., risks
• When we begin talking about IT risks, the picture
  gets a little cloudyhow do we resolve
  (potentially) differing perspectives?

8
What do we know about IT risk?

• Composition and importance of technology-related
  risk is a long running debate, with limited
  resolution
• Past 20 years of scholarly research on IT risk
  has had limited success in identifying a
  consistent conceptualization
• Scholarly research on IT risk tends to focus on a
  single stakeholders perspective (project
  manager, executive management, user)
• Business and technical personnel have
  demonstrated difficulties speaking the same
  language and understanding each others needs

9
How did we investigate this problem?

• Delphi study
• Appropriate for identifying and ranking issues
  for managerial action
• Uses a panel of experts to resolve complex
  questions and problems

10
How did we investigate this problem?

• IT Audit / Security Panel (n17)
• All manager level and above
• Big 5 experience
• Business Panel (n15)
• Mostly Fortune 1000 mid and senior managers
• IT Panel (n12)
• All Fortune 1000 companies
• Wide variety of responsibilities

11
How did we investigate this problem?
12
How did we investigate this problem?

• Phase 1
• Each panel receives identical list of risk
  factors
• Asked to select Top 10 IT risks
• For each panel, items receiving a simple majority
  (50 or more of panelists selected) moved forward
  to next phase
• Phase 2
• Each panel receives panel-specific list of risk
  factors
• Asked to rank in order of importance
• Justify 1 ranking
• Subsequent rounds present risk factors in order
  of mean ranking
• Iterate until consensus on rankings or plateau

13
How did we investigate this problem?
14
What do we now know about IT risk?
15
Quiz Time

• Why do YOU think that
• there wasnt more overlap between the three
  panels?
• the Business Professionals panel and IT
  Professionals panel were unable to reach
  consensus on IT risk rankings?

16
Possible Explanations

• Heterogeneity within panels
• wide and varied representation
• IT Professional panel
• BCP/DRP, enterprise architecture, database
  management, application development, computer
  operations, technology product life cycle
  management
• Business Professional panel
• financial reporting, human resources, marketing,
  business controllership, procurement
• Individual biases in decision-making
• Recency bias
• Anchoring and adjustment
• Disconnects between IT and business professionals
  in decision making and risk identification

17
Questions and Comments?

• THANK YOU!
• Dr. Jamey Worrell
• worrellj_at_uab.edu
• 205.514.1045