    A forthcoming paper in JIS by Nishani Edirisinghe Vincent, Julia L. Higgs and Robert Pinsker is entitled IT Governance and the Maturity of IT Risk Management Practices. Here is a blog from the authors on the nature of the paper. doi: http://dx.doi.org/10.2308/isys-51365
    Nishani Vincent
Julia Higgs
    Rob Pinsker
In the past decade, enterprise risk management has moved from being merely a good business practice to a concern of regulators. For example, in 2009 the Securities and Exchange Commission (SEC) approved enhanced proxy disclosure requirements addressing the board's role in risk oversight. The SEC requires firms to report on the board's leadership structure, the committee responsible for risk oversight at the board level, and the relationship between management and the board in risk management and oversight.

With the increased dependence on Information Technology (IT) for business operations, firms' IT risk management has become a major component of enterprise risk management. Apart from the SEC's disclosure requirement, state laws requiring public disclosure of compromised customer information and high-profile breaches of customer information have made IT risk management practices a major concern for boards of directors and management. Ongoing internal control assessments in firms based on best-practice frameworks, such as the Committee of Sponsoring Organizations' (COSO) Enterprise Risk Management (ERM) framework, emphasize the importance of the board's oversight role while also drawing attention to the firm's reporting structure. Therefore, this study examines whether the maturity of IT risk management practices depends on the Chief Information Officer (CIO) reporting structure and on Chief Executive Officer (CEO)/Chairman of the board duality.

Prior research on IT governance shows that little work has explored the role of the board and management in IT risk management. We contribute to this literature first by developing a scale to measure the maturity of IT risk management practices. We surveyed senior IT professionals on IT risk management practices identified from ISACA's Risk IT framework. The 19-item scale measures two broad categories of IT risk (strategic and operational) and their associated management practices. Next, we explored the reporting structure of the CIO (i.e., whether the CIO reports to the CEO, the CFO, or another C-suite executive) and its impact on the maturity of IT risk management practices. We found that the maturity of both strategic and operational IT risk management practices is higher when the CIO reports directly to the CEO. For public firms, the maturity of IT risk management practices was higher when the CEO is also the chairman of the board of directors.

Overall, our results suggest that top management attention is necessary to establish better IT risk management practices. Because C-level officers may have asymmetric access to the board, understanding reporting structures may inform firms, regulators, and other interested stakeholders about how well IT risk is managed. Further, our results from public companies suggest that IT issues are more likely to be elevated to the board, and thus to receive greater oversight attention, in firms where there is CEO/Chairman of the board duality. Firms without CEO/Chairman of the board duality may need to implement practices that ensure IT risk issues are placed on the board agenda and, in turn, receive appropriate attention.