IT Risk Assessment: Developing and defining the IT Risk Assessment Process Framework in the case company
Damonte, Ronnie (2016)
Metropolia Ammattikorkeakoulu
2016
All rights reserved
Permanent address of the publication:
https://urn.fi/URN:NBN:fi:amk-2016060111251
Abstract
The objective of this study was to define the Information Technology risk assessment process framework for an international Finnish firm belonging to a major IT corporation. The study was motivated by the fact that, in the case company, the lack of a commonly defined process for IT risk assessment made it difficult to evaluate each risk correctly and to compare the relevance of one risk against another. As a consequence, potentially misleading and inconsistent information on the impact and relative importance of IT risks may have led top management to make incorrect investment decisions.
The current state analysis was based on both qualitative (two rounds of semi-structured interviews) and quantitative (maturity survey) data. Nineteen managers and directors of the case company participated in the different phases of the data collection. These data were used to create the project proposal, which was shared with, commented on, and then approved by the top management of the case company. Additionally, the survey was used to evaluate the maturity level of the IT risk assessment process in the case company before and after the project, as well as to compare it with industry benchmarks and the best in class.
The final outcome of the present study was the definition of the IT risk assessment process framework for the case company, leading to the following outcomes: (1) a common IT risk evaluation approach was established across the organization and is now duly followed in order to achieve a correct IT risk evaluation; (2) the resources of the case company are used more efficiently, because top management can, on the basis of a reliable IT risk assessment, make informed decisions and concentrate the company's resources on the most relevant risks.
In conclusion, based on the feedback and the comparison to defined targets, the research has fully achieved the established business objectives.