In this paper we extend IT risk management theory using evidence gleaned from IT-enabled process management in a Swedish pulp and paper factory. Our analyses of risk management practices in the factory’s core process revealed surprising insights. As organizational actors managed process related IT risks to ensure that the core production process was running 24/7, they generated strategic IT risks that threatened the sustainability of the process infrastructure. However, they could not manage these strategic risks without jeopardizing the 24/7 operation. Hence, they inadvertently found themselves between a rock and a hard place where they could not mitigate one high priority risk without generating another. Drawing on practice theory, we explain the observed risk management practices, introduce the notion of risk dilemmas, and discuss the practice-based view of risk as a useful approach to advancing IT risk management theory.
Öbrand, Lars; Holmström, Jonny; and Mathiassen, Lars
"Between a Rock and a Hard Place: Facing Dilemmas in IT Risk Management,"
Journal of Information Technology Theory and Application (JITTA): Vol. 19:
3, Article 3.
Available at: https://aisel.aisnet.org/jitta/vol19/iss3/3