Risk management can be an extremely powerful approach to dealing with the complexities and uncertainties that increasingly surround technological change and its management. Conventionally in information technology (IT) projects, risks have been narrowly defined. Today, with IT becoming integral to a company's existence, the stakes are considerably higher and broader in scope. However, risk is sometimes seen a negative concept in information systems (IS) organizations because it implies that something could go wrong with an IT project. To understand effective risk management in IS, the authors convened a focus group of senior IS managers from a number of organizations in a variety of industries. The results of this discussion, the managers' presentations, and a review of the current research on risk management, were integrated and are presented in this paper. The nature of risk, identifying risk in IT initiatives, determining appropriate levels of risk, and dealing with unacceptable types and levels of risk are discussed. The following conclusions were reached. Risk management is a means to an end - whether it is a successful IS project; stable, secure technical operations; or a properly implemented business strategy using technology. It is not a one-time activity, but rather an ongoing process of identification, assessment, and action, which needs to be well integrated into every part of IS management. IS managers must learn to control both the problems and the potential that risk represents. Several general principles to help IS managers deal effectively with risks were identified. Effective risk management involves taking a holistic approach to risk, developing a risk management policy, establishing clear accountabilities and responsibilities, balancing risk exposure against controls, being open about risks to reduce conflict and information hiding, enforcing risk management practices, and learning what works and doesn't from past experience.
Smith, H., McKeen, J., & Staples, S. (2001). New Developments in Practice I: Risk Management in Information Systems: Problems and Potential. Communications of the Association for Information Systems, 7, pp-pp. https://doi.org/10.17705/1CAIS.00713