Recently, an option-based risk management (OBRiM) framework has been proposed to control risk and maximize value in IT-investment decisions. While the framework is prescriptive in nature, its core logic rests on a set of normative risk-option mappings for choosing which particular real options to embed in an investment in order to control specific risks. This study tests empirically whether these mappings are observed in practice. The research site is a large Irish financial services organization with well-established IT risk management practices not tied to any real options framework. Our analysis of the risk management plans developed for a broad portfolio of 50 IT investments finds ample empirical support for OBRiM’s risk-option mappings. This shows that IT managers follow the logic of option-based risk management, though purely based on intuition. Unfortunately, relying on this logic through intuition alone could lead to suboptimal or counterproductive risk management practices. We therefore argue that managerial intuition ought to be supplemented with the use of formal real option models, which allow for better quantitative insights into which risk mitigations to pursue and combine in order to effectively address the risks most worth controlling.