Risk assessment and information systems

The paper discusses types of risk, problems and failure experience in developing and implementing information systems. A broad definition of risk, in terms of risk factors and risk outcomes, is put forward. Frameworks for risk classification at the investment appraisal stage are assessed. A framework for analysing risk is then applied to five cases. The paper argues the merit in interpreting risk operationally as not just inherent in certain structural features of the environment or of a project, but also arising as a result of distinctive human and organizational practices and patterns of belief and action. More comprehensive frameworks for risk assessment are needed to replace the all too frequently encountered truncated forms of assessment used in work organizations. Whether the objective is to study and/or influence risk levels in IT-related change, the need is to apply as much learning from organization studies as from the more traditionally utilised project management, operational research and financial management fields.