Risk based assessment of IT Control Frameworks: a case study

Al-Khazrajy, Maher
Cusack, Brian
Item type
Degree name
Master of Philosophy
Journal Title
Journal ISSN
Volume Title
Auckland University of Technology

Businesses are constantly advised to implement Information Technology Governance (ITG) frameworks or adapt best practices to gain efficiency, accountability, and/or to meet regulatory compliance. However, organisations require a clear statement of the business value to be gained from implementing resource intensive IT control-based structured environments. Business value has many facets, depending on the industry, size of the organisation, and how business value is perceived. Business risk provides both positive and negative metrics for an assessment of potential business gain and loss. It has often been contested that the implementation of control frameworks is a liability that is not supported by measurable business benefits.

This study proposes to investigate the relationship between IT control frameworks, best practices and standards, and business risk treatment. The expectation is that the value generated by the relationship will become apparent and that by implication the costs and benefits of ITG can be identified. At present there are many tools available to assist business managers with risk management. An assessment of a representative set of control frameworks, best practices and standards is made to identify which risks may be treated, the scope of a framework, and what benefits may be expected from implementing those frameworks and best practices. Part of the literature review investigates the challenges that organisations face when implementing IT control frameworks and best practices. Also, the set of related problems is explored and the research focuses on one researchable problem, how to identify business value from managing IT risks in control-based structured environments. The research question is: How could a business realise the value of managing IT risk in control-based structured environments?
Identifying business value in risk based IT control-based structured environments is a complex and subjective domain that suits qualitative research methods. Research reports in the subject area suggest that case study research methods are most commonly used to obtain factual data and to construct theory.  Consequently in this study face-to-face semi-structured interviews, document collection, analysis and observation are the main source of data gathered for analysis. The researcher has interviewed staff with relevant roles in two organisations to understand what liabilities, challenges and benefits are observed in practice. Collected data is analysed qualitatively utilising qualitative analysis software tools and the results are reviewed and further analysed by the author. The conclusion of the thesis summarises the challenges, problems and solutions derived from the data collected in the case study companies and shows the answer to the research question is conditional on a complex set of conditions. Among the identified business value outcomes are the improved business-IT communication and alignment. Improved communication leads to a better alignment between business and IT objectives. Subsequently, organisations are able to direct their efforts to secure their most valuable assets to ensure resilient business. In addition, these organisations continuously build required IT capabilities that allow them to capture business opportunities when they arise. 
 Lastly, recommendations for further research are also provided. To establish adequate ITG and risk management process, organisations have no choice but to adopt a mix of frameworks, best practices and standards. The justification is either to meet compliance requirements or to complement the applied frameworks, where one framework doesn’t cover certain aspects of ITG, security, risk and compliance. The author has learned from the research that an investigation into integrating frameworks, best practices and standards would be the next step in better understanding the issue of identifying business value in risk based IT control-based structured environments. Practitioners as well businesses would benefit from the outcomes of this type of research.
IT Risk Management , Business Value , IT Control Frameworks , Control based structured environment
Publisher's version
Rights statement