Integrated risk and compliance analytics in large-scale IT programs

Authors

  • Sukesh Singuru

DOI:

https://doi.org/10.22399/ijcesen.5082

Keywords:

Integrated Risk and Compliance Analytics, Large-Scale IT Programs, IT Governance, Enterprise Risk Management, Regulatory Compliance, Data-Driven Oversight

Abstract

Risk and compliance management in large-scale IT programs remains fragmented, periodic and reactive, even though such programs carry many risks and operate in highly regulated environments. Existing governance relies mainly on static risk registers, retrospective audits and manual reporting, which give limited visibility into emerging issues. This paper proposes Integrated Risk and Compliance Analytics (IRCA), a governance capability for the continuous, data-driven monitoring of large-scale IT programs. Drawing on the IT governance and enterprise risk management literature, it develops a conceptual framework that brings multiple sources of program information (delivery metrics, control evidence, audit logs and operational risk indicators) together in a single analysis layer. The framework illustrates how analytical functions such as risk scoring, compliance deviation detection and early-warning indicators can support timely decision making and adaptive governance. The paper thus offers an alternative to the traditional treatment of risk and compliance analytics, arguing that IRCA is a dynamic oversight and control mechanism rather than merely a reporting tool.
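As an added illustration of the analysis layer the abstract describes (editorial example code, not the paper's framework or any artifact from the author), the following Python joins constructed control-evidence, audit-log and delivery-metric records and derives the three analytical functions named above: compliance deviation detection (control evidence that is missing or older than its required cadence), a weighted risk score, and an early-warning flag based on the score's level and trend. All control identifiers, record schemas, weights and thresholds are assumptions chosen for the example; a real program would take them from its own control framework and risk appetite.

```python
"""Illustrative IRCA-style analysis layer (editorial example, not the paper's code).

Constructed inputs (all values are assumptions for the example):
- CONTROLS: controls with the cadence, in days, at which evidence is required.
- EVIDENCE: the latest evidence date collected for each control.
- AUDIT_LOG: privileged change events, some lacking an approved change ticket.
- DELIVERY: a schedule-variance metric from the delivery side of the program.
"""
from datetime import date

AS_OF = date(2025, 3, 30)  # evaluation date (constructed)

CONTROLS = {  # hypothetical control ids and cadences
    "AC-1": {"name": "Quarterly access review", "cadence_days": 90},
    "CM-3": {"name": "Change approval check", "cadence_days": 7},
    "AU-6": {"name": "Weekly log review", "cadence_days": 7},
}

EVIDENCE = {  # control id -> latest evidence date (constructed)
    "AC-1": date(2024, 11, 15),  # 135 days old: stale against a 90-day cadence
    "CM-3": date(2025, 3, 28),   # fresh
    # "AU-6" has no evidence at all: missing
}

AUDIT_LOG = [  # constructed privileged-change events; ticket None = unapproved
    {"ts": "2025-03-27T09:12:00Z", "actor": "svc-deploy", "action": "iam.role.attach", "ticket": "CHG-1042"},
    {"ts": "2025-03-28T22:41:00Z", "actor": "jdoe", "action": "firewall.rule.add", "ticket": None},
    {"ts": "2025-03-29T03:05:00Z", "actor": "jdoe", "action": "db.grant.superuser", "ticket": None},
]

DELIVERY = {"schedule_variance_pct": 18.0}  # constructed delivery metric

# Assumed weights: missing evidence is worse than stale evidence; each unapproved
# privileged change counts on its own; schedule slippage enters per percent late.
WEIGHTS = {"missing": 3.0, "stale": 2.0, "unapproved_change": 1.5, "schedule_pct": 0.1}


def detect_compliance_deviations(controls, evidence, as_of):
    """Compliance deviation detection: evidence missing or older than its cadence."""
    deviations = []
    for cid, ctl in controls.items():
        latest = evidence.get(cid)
        if latest is None:
            deviations.append({"control": cid, "kind": "missing", "age_days": None})
            continue
        age = (as_of - latest).days
        if age > ctl["cadence_days"]:
            deviations.append({"control": cid, "kind": "stale", "age_days": age})
    return deviations


def unapproved_changes(audit_log):
    """Privileged changes with no change ticket: a control-evidence gap in the log."""
    return [event for event in audit_log if not event.get("ticket")]


def risk_score(deviations, unapproved, delivery, weights=WEIGHTS):
    """Risk scoring: a weighted sum over the detected deviations and indicators."""
    score = sum(weights[d["kind"]] for d in deviations)
    score += weights["unapproved_change"] * len(unapproved)
    score += weights["schedule_pct"] * delivery["schedule_variance_pct"]
    return round(score, 2)


def early_warning(history, current, threshold=8.0, rising_periods=2):
    """Early-warning indicator: score at/above threshold, or rising for N periods."""
    series = list(history) + [current]
    tail = series[-(rising_periods + 1):]
    rising = len(tail) == rising_periods + 1 and all(b > a for a, b in zip(tail, tail[1:]))
    return current >= threshold or rising


def assess(controls=CONTROLS, evidence=EVIDENCE, audit_log=AUDIT_LOG,
           delivery=DELIVERY, as_of=AS_OF, history=(4.1, 6.3)):
    """Run the whole layer once and return a report dict (history = prior scores)."""
    deviations = detect_compliance_deviations(controls, evidence, as_of)
    unapproved = unapproved_changes(audit_log)
    score = risk_score(deviations, unapproved, delivery)
    return {
        "as_of": as_of.isoformat(),
        "deviations": deviations,
        "unapproved_changes": unapproved,
        "risk_score": score,
        "early_warning": early_warning(history, score),
    }


if __name__ == "__main__":
    report = assess()
    for d in report["deviations"]:
        print(f"deviation: {d['control']} {d['kind']} age={d['age_days']}")
    for e in report["unapproved_changes"]:
        print(f"unapproved change: {e['ts']} {e['actor']} {e['action']}")
    print(f"risk score {report['risk_score']} early_warning={report['early_warning']}")
```

The point worth keeping from this sketch is traceability: every unit of the score maps back to a named control or an identifiable audit event, so an early-warning flag can be challenged against the same evidence an auditor would inspect rather than taken on trust. The weights and the 8.0 threshold are placeholders and would be calibrated per program.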

Published

2025-03-30

How to Cite

Sukesh Singuru. (2025). Integrated risk and compliance analytics in large-scale IT programs. International Journal of Computational and Experimental Science and Engineering, 11(4). https://doi.org/10.22399/ijcesen.5082

Section

Research Article