The Implementation of Governance, Risk, and Compliance IS: Adoption Lifecycle and Enterprise Value

ABSTRACT

Governance, Risk, and Compliance has become an emerging field within the IS academic community. Motivated by this research direction, the study capitalizes on the theoretical background of enterprise systems and extends the focus on governance, risk, and compliance systems’ implementation (enterprise value and lifecycle). Building upon expert views on governance, risk, and compliance IS implementation projects, the analysis indicates that the three value drivers of integration, optimization, and information should be considered throughout the whole governance, risk, and compliance IS implementation lifecycle.
