When IT risk management produces more harm than good: The phenomenon of ‘mock bureaucracy’
In our current research we investigate the complications of designing effective governance for IT risk management (IT-RM). Literature on formal governance suggests that either a coercive (i.e., forcing employees' effort and compliance) or an enabling (i.e., helping employees master their tasks better) design of procedures helps to avoid what the literature calls 'mock bureaucracy' (i.e., rules are promulgated for their symbolic value but ignored in practice). Our analysis of two organizations, however, implies that both coercive and enabling governance for IT-RM may lead to mock bureaucracy. We categorize antecedents of 'mock' IT-RM procedures and identify important design challenges for IT-RM research and practice. Our study contributes to the IT governance body of knowledge by linking types of bureaucracy to IT governance tasks and providing anti-patterns associated with IT-RM procedures. This research will be presented at the 46th Hawaii International Conference on System Sciences (HICSS) in January 2013.
And so - in your experience, when does IT risk management promote more harm than good? Not just the study... your overall experience.
This is a very short blog. It doesn't really contain any useful information. Harsh, I know. I'm hoping for a good answer to the question I posted.
Both are bad - and we can hear about it at the conference in January 2013. Mmmmm.... OK, but can you give us a little bit of information now?
Hi Michelle,
Apologies for not answering earlier; my email alert does not work properly, as I just found out. I hope this information is still helpful for you.
As a short summary: we found several anti-patterns which lead to mock bureaucracy, i.e. harming IT-RM rather than helping it. My overall experience with IT-RM is that it can be a useful vehicle to inform management and to prepare decision making. But only if applied correctly. We found that many organizations - as they are driven by external regulations such as KonTraG here in Germany - just implement a function to comply with regulations. IT-RM has to be conducted carefully by employees and management in terms of keeping the identification of new risks going and, on the other hand, providing countermeasures for existing risks. The process has to be balanced with documentation for reporting, tracking and compliance, but on the other hand flexible enough to accrue new insights and allow negotiations. In a nutshell: if management does not take IT-RM information seriously, it will end as mock bureaucracy for sure.
Sorry for only putting this short pointer here. You can email me to receive the full paper right now, but I am not allowed to post it online.
What are you working on?
Best,
Manuel