Socio-Technical Networking and IS/IT Related Risk Assessment Model Construction: The Case of Operational Risk Assessment in Financial Institutions

Authors

Abstract

Assessing the risks associated with Information Systems (IS)/Information Technology (IT) is an increasingly necessary activity. If on the one hand the proliferation of IS/IT in all aspects of Financial Institutions has brought benefits, on the other hand growing dependence upon these technologies can be harmful. Risk analysis (risk identification, assessment and administration) was the way found to reconcile the dichotomy between progress and any adverse effects. This research focuses on risk identification and assessment. Traditionally, in Financial Institutions, the tasks of risk identification and assessment have been considered technical-scientific tasks for specialists, in which the social factors (perceptions, beliefs, interests, power, cultural and contextual influences) involved were considered as distorting ideal solutions and should be minimized or excluded. This means that subjective and qualitative risk identification and assessment must be overcome by objective and quantitative risk identification and assessment. On the contrary, Science and Technology Studies have shown that social factors are always present and therefore shape technical-scientific solutions. This research intends to analyze how social and technical factors interact and shape a technical-scientific IS/IT related risk assessment model. The challenge is to comprehend and to characterize a technical-scientific approach for operational risk identification and assessment in Financial Institutions, its weaknesses and strengths. An interpretative study of the empirical case will be carried out. In order to tackle these issues, a literature review is carried out on the nature of risk and the influence of social and technical factors on the evolution of knowledge. Actor-Network Theory and the concepts of Doability and Standardized Package will be used to interpret the data collected. The strategies undertaken in order to translate a complex problem (identify operational risk and develop the risk assessment model) into a 'doable� problem will be described. The study also reveals that the solution was conceived as a 'standardized package�. Moreover, the solution in relation to the universe of IS/IT related risks will be evaluated. Operational risk assessment is a multidisciplinary problem however the proposed problem framework/solution are not. They are disciplinary oriented (statistics), they don´t consider the context of risk causes and they are reductionist. Therefore, the very characteristics that give technical-scientific knowledge its strength also make it vulnerable. The final goal is not to argue against the proposed model. The intentions of this research are: to elucidate how socio-technical factors have shaped a technical-scientific IS/IT related risk knowledge/model; to identify the weaknesses and strengths of that specific technical-scientific approach; and to use these insights to help improve the effectiveness of IS/IT related risk identification and assessment.

Conference

Doctoral Consortium - European Conference on Information Systems, June 2002