Information Systems Risks and Risk Factors: Are They Mostly About Information Systems?

Abstract

This article is the second of two whose goal is to advance the discussion of IS risk by addressing limitations of the current IS risk literature. The first article (CAIS Volume 14, Article 1)presented a general, but broadly adaptable model of system-related risk that addressed the limited usefulness of existing IS risk models for business managers. In this article, we focus on organizing risk factors to make them more useful and meaningful for business managers. This article shows how the nine elements of the work system framework can be used to organize the hundreds of risk factors in the IS risk literature. It also shows that many of the most important and most commonly cited risk factors for IS in operation and IS projects are actually risk factors for work systems in general. Furthermore, risk factors initially associated with one type of system (e.g. ERP implementation) are often equally relevant at other levels (e.g., information systems projects or work systems in general). Over half of the risk factors in a representative sample of the IS risk literature are valid for work systems in general. This conclusion is a step toward useful risk diagnostic tools based on an organized set of risk factors that are meaningful to business managers and IT professionals.