When IT Risk Management Produces More Harm than Good: The Phenomenon of 'Mock Bureaucracy'

This paper investigates the complications of designing effective governance for IT risk management (IT-RM). The literature on formal governance suggests that either a coercive design of procedures (i.e., one that forces employees' effort and compliance) or an enabling design (i.e., one that helps employees better master their tasks) helps to avoid what the literature calls 'mock bureaucracy' (i.e., rules promulgated for their symbolic value but ignored in practice). Our analysis of two organizations, however, implies that both coercive and enabling governance for IT-RM may lead to mock bureaucracy. We categorize the antecedents of 'mock' IT-RM procedures and identify important design challenges for IT-RM research and practice. Our study contributes to the IT governance body of knowledge by linking types of bureaucracy to IT governance tasks and by providing anti-patterns associated with IT-RM procedures.
