Individual Submission Summary

Board and management level factors affecting IT risk management in organizations

Sat, January 23, 11:00am to 12:00pm, TBA

Abstract

The December 2009 release of enhanced proxy disclosure requirements directing risk oversight and risk management to both board members and top management, combined with the 2013 release of the Committee of Sponsoring Organizations (COSO) updated internal control framework, has caused organizations to increase their focus on information technology (IT) risk assessment. Consequently, this study examines whether the maturity of IT risk management practices is influenced by board expertise, board involvement and risk culture among the top management.
We survey senior IT professionals and find that board expertise and board involvement positively influence the maturity of IT risk management practices. Further, when the top managers display more risk-taking behavior, it negatively influences the maturity of IT risk management. Additional results indicate that the maturity of IT risk management practices does not differ among companies where the risk oversight lies with the overall board, audit committee, risk committee or technology committee. However, the maturity of IT risk management practices is lower in firms in which the risk oversight lies with a management committee rather than a board committee. The results make multiple contributions to the IT governance literature as well as the profession.

Authors