
Enabling Effective Operational Risk Management in a Financial Institution: An Action Research Study

SHIRLEY OU YANG, CAROL HSU, SUPRATEEK SARKER, AND ALLEN S. LEE

SHIRLEY OU YANG ([email protected]) is an assistant professor in the International College at Ming Chuan University, Taiwan. She holds a Ph.D. in information systems from National Taiwan University. Her research interests focus on the social aspects of information systems (IS) including risk governance, philosophical issues, and green IS. Her work has been published in the DATABASE for Advances in Information, Pacific Asia Journal of the Association for Information Systems, Journal for Philosophical Study of Public Affairs, and other venues.

CAROL HSU ([email protected]; corresponding author) is a professor in the Management Science and Engineering Department at Tongji University, China. She holds a Ph.D. in information systems from the London School of Economics and Political Science. Her research interests focus on the organizational and behavioral issues related to IS security implementation. Her work has been published in MIS Quarterly, Information Systems Research, European Journal of Information Systems, and other journals. She serves on the editorial boards of the Journal of the AIS, Journal of Strategic Information Systems, and Information Systems Journal.

SUPRATEEK SARKER ([email protected]) is Rolls-Royce Commonwealth Professor at the McIntire School of Commerce, University of Virginia, and Distinguished Visiting Professor at Aalto University. Much of his research is qualitative in nature, and his work has been published in the leading information systems journals. He serves as editor in chief of the Journal of the AIS, as a member of the Board of Editors of Journal of Management Information Systems, as a senior editor of Decision Sciences, and as an editor of other journals. He has received multiple external grants, including from the National Science Foundation and Institute for the Studies of Business Markets (ISBM). He received an honorary doctorate (information technology) from the University of Jyväskylä, Finland.

ALLEN S. LEE ([email protected]) recently retired as a professor of information systems at Virginia Commonwealth University (VCU). Previously, he served as a professor at McGill University, the University of Cincinnati, and Northeastern University. His doctoral degree is from the Massachusetts Institute of Technology. He has served as associate dean at VCU and McGill University, as editor in chief of MIS Quarterly, and as a founding senior editor of MIS Quarterly Executive.

Journal of Management Information Systems / 2017, Vol. 34, No. 3, pp. 727–753.

Copyright © Taylor & Francis Group, LLC

ISSN 0742–1222 (print) / ISSN 1557–928X (online)

DOI: https://doi.org/10.1080/07421222.2017.1373006

ABSTRACT: Action research (AR) is significant for its promise to bridge the chasm between rigor and relevance by seeking to solve real-world problems while building scientific knowledge. In this spirit, in our research project, we argue for a return to the essence of AR—that is, focusing on problem, action, and reflection. Adopting the style of AR known as dialogical AR, we address the issue of operational risk management as encountered by a financial institution in Taiwan. In this AR project, the researchers work collaboratively with workers in a bank to manage the knowledge creation process as part of an operational risk management program. Through three AR cycles, our findings demonstrate that ongoing knowledge creation facilitates the transformation of existing organizational culture and helps practitioners to identify different types of operational risks. We also highlight the conditions under which insights from reflective dialogues between practitioners and researchers can encourage managers to open themselves to new and different ways of thinking and acting. Finally, we offer principles for undertaking effective dialogical AR.

KEY WORDS AND PHRASES: action research, dialogical action research, information security management, operational risk management, principles of dialogical action research.

The finance industry has been at the forefront of adopting information technology (IT) to improve operational efficiencies and to create new business initiatives that enhance organizational performance. However, heavy reliance on IT has been accompanied by security risks resulting from either insider threats or outright external attacks. To mitigate IT-related risks, various organizational practices such as information security policy and security awareness programs have been implemented [5, 27, 71]. Nevertheless, the IT infrastructure failures resulting from 9/11 in 2001 and system failures at the London Stock Exchange in 2008 all exemplify high-profile losses resulting from inappropriate protection or use of IT in financial institutions. Given the mounting financial losses associated with the intentional or unintentional misuse of IT-enabled authorization for business information processing, regulators and industry professionals began to question and reconsider the scope and management of IT-related risk in the finance industry [17, 49, 51]. This led to the emergence of “operational risk” as a new risk category in addition to traditional credit and market risk in this particular industry sector.

While operational risk is considered a new risk category in the financial industry, concepts exist that are related to the information systems (IS) security field [16]. For instance, an IT infrastructure failure is classified as an operational risk event, but can also be considered an IT availability failure from the IS security perspective. This emerging interdisciplinary field has resulted in the opportunity to initiate an action research (AR) project with a financial institution in Taiwan. One of the researchers authoring this study has worked in the financial industry and has a research focus on IS security management. Her experience in this area has allowed her to follow the development of operational risk in this industry sector.

The opportunity to conduct AR materialized following a discussion at a public seminar in 2010 between the researcher herself and the head of a newly established operational risk management (ORM) Department in CREDIT Bank (a pseudonym). Our research project contributes a practical solution to help the bank in its effort to design, organize, and implement an ORM project [3]. The research project equally provides an opportunity to enable IS security researchers to generate new theoretical insights. From a methodological perspective, considering the newness of the operational-risk concept in management practices and academic research, this context provides an opportunity suitable for “dialogical AR” [37] examining how problem, action, and reflection unfold through the ongoing dialogues between the practitioner and the researcher.

Thus, we began this AR project with one research question in mind: How can research on IS security contribute to both theory and practice in the area of operational risk management as conducted in a financial institution? From a research perspective, we were interested in exploring the utility of a security risk management approach in addressing operational risks in financial institutions. From a practice perspective, our motivation was in helping CREDIT Bank understand and resolve managerial challenges in its existing ORM program. With these aims, the result was a research project geared toward pursuing AR with contributions to both theory and practice.

We anticipate a number of contributions from this research project. First, despite Ciborra’s effort [16] to highlight the importance of ORM research in the IS field, very limited scholarly work on this particular topic exists [26, 28]; however, through our AR project, we demonstrate how IS security research knowledge can help an organization to restructure its ORM program. Second, we illustrate an AR approach for resolving a number of business problems that are new to practitioners. Our use of reflective dialogue, involving interactions between what dialogical AR calls theoria and praxis, helps the researcher and practitioner work hand-in-hand so as to increase their understanding of operational risk.

Dialogical Action Research

Dialogical AR, as originally conceptualized by Mårtensson and Lee [37], analogizes the interaction between the scientific researcher and practitioner to the interaction between a psychologist and a patient, a cleric and a parishioner, or a teacher/adviser and student/advisee. The knowledge and expertise held by the former in the pair is distinct from that held by the latter. Indeed, with regard to the scientific researcher and manager of a company, the latter may not be expected to possess an equal level of scientific knowledge and theoretical sensitivity as a result of the former’s many years of socialization as a doctoral student and then as a professor. Likewise, the former (the scientific researcher) may not be expected to possess the same level of managerial expertise and local knowledge as achieved by the latter (the manager) over his many years of socialization as a member of his company. Through dialogue with the manager, the researcher (using her scientific expertise) diagnoses the problem presented by the manager and then suggests possible remedial actions to the manager, who then accepts the responsibility to undertake one or another action and the responsibility for the consequences following such action. In dialogical AR, the difference in knowledge and expertise between the researcher and the practitioner is captured in the term “knowledge heterogeneity.”

Dialogical AR emphasizes reflective changes or innovations resulting in the mutual enlightenment of the researcher and practitioner. It also emphasizes the significance of the learning dimension of AR. This form of AR is particularly valuable when the problem is complex and there is no obvious at-hand practical and/or scientific knowledge to solve it. A dialogue between the practitioners and researchers is needed. In other words, this form of AR does not assume scientific theory or abstract knowledge to take precedence over lay people’s practical knowledge, whether explicit or tacit. Rather, one-on-one dialogue and the reflections of the researcher and the practitioner can transcend the boundaries of two bodies of knowledge, theoria (for researchers) and praxis (for practitioners), and reveal a solution approach that neither party could have independently envisioned. Given that the context of operational risk was relatively new to both the academic researchers and the industry practitioners involved, the emphasis on reflection in the dialogical AR approach makes it especially suitable for our project.

While we attempt to follow the essence of dialogical AR, we do not necessarily follow all of Mårtensson and Lee’s suggestions for conducting dialogical AR—such adaptation of approaches is natural as different types of problems in different contexts are addressed. First, Mårtensson and Lee [37] require the dialogue to take place in the scientific researcher’s office, located away from the manager’s company; however, we have a broader view of dialogue in recognition of the fact that the power, availability/mobility, motivation, and expertise of the two parties can differ significantly in different projects. Dialogue need not be limited to a certain genre (e.g., cleric–parishioner) or exclude informal communications. Second, Mårtensson and Lee [37] suggest that the practitioner, rather than the researcher, takes actions, but in our study, the researcher is regarded as playing a supportive role in implementing interventions alongside the manager. Our adaptation of Mårtensson and Lee’s dialogical AR, however, retains its focus on: (a) the two-way dialogue that effectively transcends the researcher–practitioner boundary and (b) the distinction between the scientific attitude, theoria, and second-level constructs on the one hand, and the natural attitude of everyday life, praxis, and first-level constructs on the other hand. Through intensive dialogue and reflection between the researcher and the manager in an organizational setting, both gradually established a shared or compatible understanding. This allows the researcher to collaboratively work with the manager to design intervention actions for the problem.

As in many AR projects, the outcome of the initial intervention can be unanticipated and even ineffective, which would lead to additional rounds of interactive dialogue and reflection between the researchers and the practitioners. For a successful AR project, this process continues until the real-life problem is seen as solved.


Motivation Arising from Practice

Basel II Regulation and Operational Risk Management

To address the growing concerns over IT-related risks, the Basel Committee on Banking Supervision published Basel II [4] and defined operational risk as: “The risk of direct or indirect loss resulting from inadequate or failed internal processes, people and systems or from external events” and added this category of risk to the regulatory capital requirement calculation. Within the financial sector, the capital charge regulation formalizes the principle of mandating the bank to hold sufficient capital as a buffer in the case of unexpected losses. Before Basel II, credit risk and market risk had long been the two dominant categories in the capital adequacy regulation.

However, inclusion of this risk type presented a major challenge to financial institutions. Unlike the cases of credit risk and market risk, senior management had rarely considered operational risks to be strategically significant. Any management of operational risks had been fragmented and dispersed within different parts of the organization. In light of the new regulatory requirements, however, this old managerial practice would not be sufficient to satisfactorily address the capital adequacy calculation. This resulted in an urgent need to implement a firm-wide and more comprehensive ORM program.

Operational Risk Management at CREDIT Bank: An Overview of the Context

CREDIT Bank was and remains one of the largest Taiwanese commercial banks. Following industry practices and Basel II guidelines, the bank set up the ORM Department and started to implement Risk Control Self-Assessment (RCSA) procedures for managing operational risks in 2005. RCSA was designed to allow an organization to collect, identify, and assess the existing operational risks embedded in its business processes. Even though CREDIT Bank had a head start with its RCSA exercise compared to its peer institutions, the bank’s overall outcomes were not entirely satisfactory according to its senior management. Thus, in 2010 the AR team’s company contact Tom, as the newly appointed head of the ORM Department, was given the challenging task of rejuvenating the entire RCSA process and the overall ORM framework throughout the bank. In our early interview with Tom, he commented:

The biggest bottleneck for ORM is we do not have a thorough top management vision to implement it, so the staff can only notice tiny issues. . . . One thing problematic in risk management is it is tedious when it works out through a bottom-up approach. A top-down framework can provide common communication language in terms of broad governance.


Tom’s prior experience was in business process reengineering, not in ORM. While he affirmed the need to change the current RCSA process, his lack of domain knowledge in this field limited his ability to determine how to implement an effective ORM program.

Research Motivation: Existing Research on Operational Risk and Its Relevance to Information Systems Security Management

According to the Basel Committee [4], seven risk categories can contribute to operational risk exposure. As Table 1 indicates, while operational risk may be framed as a new development in the financial industry, conceptually many of its underlying components overlap with core considerations in the IS security literature. Interestingly, despite the overlapping risk types between operational risk and IS security threats, our assessment of the operational risk literature reveals few studies in the IS security field that extend relevant knowledge and expertise to this emerging phenomenon in the financial industry. Our review of relevant research work shows the dominance of financial modeling (e.g., [9, 13, 14, 57]) and event study methodology in articulating the economic implications of operational risk on a company’s financial performance (e.g., [10, 11, 15, 17, 25, 70]; see Online Appendix 1). Those theoretical and methodological choices are understandable considering their popularity in managing and understanding other traditional banking risks such as credit risk and liquidity risk. Within IS research, to the best of our knowledge, there is not much research available except the work by Goldstein et al. [26] and Hsu et al. [28]. Goldstein et al. [26] conducted an event study of market reaction with a specific focus on IT-data and IT-function types of operational risks. Their findings echo the general thesis grounded in finance research that firms experiencing these events most likely suffer negative wealth and reputational effects after event announcement. Alternative research from the IS security field is by Hsu et al. [28], who conducted an interpretive case study to provide a more in-depth account as to how institutional properties and agency action interact during the implementation process.

Table 1. Operational Risk and IS Security Management Principles

The table lists, for each Basel operational risk category, example operational risk events and marks (X) their possible relevance to the management of the IS security principles of confidentiality, integrity, and availability.

Internal Fraud
  Insider trading: X
  Employee theft: X
External Fraud
  Robbery: X
  Computer hacking: X X
Employment Practices and Workplace Safety
  Espionage: X
Clients, Products and Business Practice
  Misuse of confidential customer information: X X
  Breach of privacy: X
Damage to Physical Assets
  Natural disaster loss: X
  Vandalism: X
Business Disruption and System Failure
  Hardware and software failures: X
  Utility outages: X
Execution, Delivery and Process Management
  Data entry errors: X X
  Unapproved access given to client accounts: X X

In this light, we see two main omissions in the operational risk literature—which can be regarded as opportunities for theoretical and methodological development for IS security research. First, the typology analysis in Table 1 indicates shared concepts between the operational risk field and IS management, despite the different terminologies that may be used. Nonetheless, this interdisciplinary area seems to have attracted research interest primarily from the finance field. So far very little research has addressed operational risk from an IS security perspective, or examined the extent of applicability of IS theories and methods in this emerging interdisciplinary field. Second, most work in financial research has focused on either the economic calculation of operational risk or the direct linkage between operational risk events and their subsequent impact on a firm’s market value. While useful, these studies lack insights into the implementation and institutionalization process, that is, addressing the how question. In comparison, a number of IS security studies have demonstrated the merit of qualitative approaches and behavioral studies in understanding how firms manage risk identification and controls (e.g., [27, 53, 54, 65, 66]). We argue that methodological diversity and accumulated research findings in IS security can help advance knowledge in how to develop appropriate risk management in the financial sector. Thus, we consider the topic of operational risk an excellent opportunity for IS security researchers to inform the knowledge on a significant real-world phenomenon by understanding “the context within which decisions and actions take place” [41, p. 5, italics in the original].

Thus, when Tom asked whether we could collaborate with him to revitalize their ORM program, we were positive in accepting this invitation as it offered a chance for us to learn whether (and to what extent) our knowledge in IS security management could be applied to improve their ORM program. That is, in addition to our initial focus of developing an understanding or explanation of the situation, we saw an opportunity to make a direct impact on the problem.


The Action Research Project

Action research (AR) is a cyclical process that applies scientific theory to a real-world context and examines organizational impacts resulting from theory-derived practices (e.g., [7, 18, 19, 38, 67]). AR requires researchers to collect data at the beginning of the process in order to diagnose problems, and thereafter derive an action plan in accordance with the chosen theory. Intervention actions then follow and feedback is obtained from the field in preparation for the next cycle.

In the empirical setting of CREDIT Bank, consistent with the dialogical AR approach, we articulated the scientific attitude and the natural attitude of everyday life [37, p. 512] associated with the managerial tasks for ORM in organizations. This was particularly important at the initial stage of our research due to both the scientific and practical aspects of ORM being unclear.

Action Research Cycles

The project went through three AR cycles over 17 months, between late 2010 and early 2012. The foundation of our AR effort includes multiple empirical sources, such as semistructured interviews, informal discussions, and direct observation as well as secondary documentation (see Online Appendix 2).

First Cycle (September 2010–April 2011)

Problem: CREDIT Bank had been implementing RCSA for five years before our AR project, but senior management had not found the results convincing. From the perspective of Tom’s own expertise (praxis), he considered that the ineffectiveness of previous ORM efforts resulted from the reliance on actions taking an exclusively bottom-up approach. He further believed that the ORM data collected up to that point were overly detailed and insignificant. Tom wanted to implement a more systematic approach based on a top-down structure in order to revolutionize the current atmosphere surrounding ORM.

After a discussion with Tom about implementation challenges at CREDIT Bank, the research team discerned that the current situation might have been the result of management’s lack of knowledge and awareness of the need to address concerns associated with operational risks. A number of IS security studies have shown the importance of top management support for effective IS security risk management [6, 29, 31, 53]. To address this problem, we introduced theory in the form of Straub and Welke’s model for managerial perceptions of security risk [66]. What we observed at CREDIT Bank seemed to be consistent with the theory presented by Straub and Welke, who address the research issue as, “if managerial perception of systems risk is lower than it should be, why is this the case? How does a manager develop a sense that his or her risk-cost tradeoff is well balanced?” [66, p. 443]. In their theory, they argue that there are three underlying components contributing to a manager’s overall risk perception, which include the organizational environment, the IS environment, and individual characteristics. Their “normative model of the entire [risk] planning process includes not only risk analysis but also the constituents of other critical stages and their outcomes” [66, p. 449], thereby presenting a holistic view of the phenomenon.

In our perspective, this theory was an appropriate foundation on which to design our Cycle 1 intervention strategy for several reasons. First, this theory appeared to be compatible with Tom’s praxis regarding the value of normative models in heightening management’s understanding of operational risk at CREDIT Bank. As Dhillon and Backhouse explain, normative models from the IS security literature are rooted in the functionalist paradigm of sociology, which “prescribe[s] methodologically discrete steps” [20, p. 134] with the aim to “provide practical solutions to practical problems” [20, p. 129]. Second, the underlying process of the theory—the security risk planning model—is moderately familiar to Tom and the members of the ORM Department. For instance, one phase in the security risk planning model is risk analysis, which requires the participants to identify and prioritize risks. Conceptually this is comparable to the existing practice of the RCSA approach. However, current execution processes deviated from what the theory proposed. Although we did not use the exact term security risk planning model, we found that their familiarity with risk analysis eased the communication barrier between the ORM Department and us, especially at this point in the AR project. Third, we considered that starting with a normative model from the field of IS security management could help us to concentrate on eliciting findings and learning experiences for the next iteration.

Intervention Strategies: Once we identified a scientific theory in the form of the security risk planning model, we dialogued with Tom on CREDIT Bank’s problem with ORM and a proposed solution in accordance with the above theory. We first worked together with the ORM Department to conduct a benchmarking analysis to demonstrate the level of insufficiency in the existing RCSA approach. This would help to convince Tom’s boss to support the planned intervention actions. Next, drawing on the security risk planning model, we adhered to the principle of knowledge contextuality in dialogical AR by working with the ORM Department to assist them to come to understand, in their own way, a “risk universe” unique to the context of ORM at CREDIT Bank. Finally, building on the knowledge acquired from the previous two activities, we designed a scenario-based risk analysis workshop for senior management. We intended this planned intervention to reframe and enhance managerial knowledge associated with operational risk.

Reflection: Having completed the development of the “risk universe” and the workshop for senior management, Tom proposed the use of the “risk universe” as the new initiative to re-collect operational risk data at CREDIT Bank. However, the response to his proposal was not entirely supportive. In principle, top management recognized the usefulness of the “risk universe” approach resulting from their participation in the workshop, but they did not see enough reasons to overturn the old RCSA method. Their assessment was based solely on a financial evaluation of time and labor investments against any cost savings or earnings that might possibly arise from the rollout of a “risk universe” approach. On this basis, top management dismissed Tom’s proposal for a company-wide implementation.

Based on interviews and observations from the workshop, the research team concluded that the security risk planning model was still useful to enhance top management’s understanding of operational risk. However, the extent of changes in managerial perceptions was evidently not sufficient to convince top management regarding the implementation of the risk universe approach. Although the normative approach of risk analysis did not prove entirely successful, we recognized that the empirical results included the finding that top managers’ theory-in-use prevented them from placing equal weight on ORM in order to prevent loss and enhance profit.

Second Cycle (May–July 2011)

Problem: Our diagnosis of the situation from Cycle 1 pertains to the influence of the economic worldview among senior managers. Traditional economic rationality pre- sumes organizational information as “pre-given” [43, 61, 62] and does not question either its quality in or its relevance to the organizational context, contributing to the generation of useful organizational knowledge. This explains why top management did not provide any substantive support to the full-scale implementation of the “risk universe” despite their recognition of its potential after the workshop. Addressing this issue, we began to conceptualize “risk management as a knowledge manage- ment” process. In particular, we considered scientific theory in the form of the SECI (socialization, externalization, combination, internalization) model [43]. This theory incorporates knowledge management to ensure the provision of context and learning possibilities that may reshape managerial assumptions on the nature of risk. Therefore, the research team began a new dialogue with Tom in an effort to further

develop his praxis for the second iteration in our AR project. Having suffered a setback from his original expectation in Cycle 1, Tom was uncertain about what strategy to pursue next. We spent a significant amount of time with Tom and his team members inside and outside the office environment to discuss and contemplate the lessons learned from Cycle 1. These interactive dialogues facilitated both the researchers’ and Tom’s reflection on and reinterpretation of the organizational problems at hand. Through the discussions, we facilitated Tom’s moving from a normative model perspective to one centered on a knowledge-based view of risk management. We purposely did not use scientific terminology tied to the SECI model. Instead, we described, using terms from Tom’s own world of work, insights and possible actions that were nonetheless consistent with the knowledge creation model. Specifically, we conveyed the idea to Tom that in order to boost the organizational value of RCSA, the ORM Department needed to transform itself by repositioning team members as knowledge management agents. Their job would no longer be to simply collect data on narrow/codified operational risks, but to help organizational members to capture tacit knowledge associated with risks previously unarticulated in either oral or written form. After subsequent interactive dialogues

736 OU YANG, HSU, SARKER, AND LEE

and idea-sharing sessions between the researchers and Tom, together we decided to implement the second-iteration actions with the objective of cultivating a knowledge-based risk management culture at CREDIT Bank. In particular, we followed the four-stage process of knowledge creation depicted in the SECI model. Nonaka and Takeuchi [43] theorize that an individual can enhance his or her capabilities of problem definition and solution development through interacting with others and sharing with them both explicit and tacit knowledge in a systematic process of knowledge conversion. According to the theory, the four-stage process includes: socialization, which aims at sharing tacit knowledge among individuals through team meetings and discussion; externalization, which aims at sharing tacit knowledge by rendering it into explicit concepts through the use of dialogue; combination, which aims at integrating different aspects of explicit knowledge, and transforming and sharing what people know; and finally internalization, which aims at embodying explicit knowledge from a report in order to deduce new ideas or take constructive action [40, 45]. Before we deployed our action plan, Tom voiced his concern regarding the shortage of resources and lack of support outside of the ORM Department. Therefore, we collectively reached an agreement to roll out the second iteration within the Global Risk Division (GRD), of which the ORM Department is a part.

Intervention Strategies: The intervention strategies were as follows. First, socialization—Tom assigned two managers from the ORM Department as provisional knowledge management agents. The research team had a good rapport with these two ORM managers from the outset of this AR project. This relationship was helpful in the research team’s effort to facilitate the managers’ development of praxis. Through weekly team meetings and daily e-mail and phone discussions the two managers were assisted in developing ideas about practical skills of knowledge creation, which prepared them for the upcoming rollout of the knowledge-based RCSA workshops within the GRD. We sometimes purposefully chose an informal setting for the reflective dialogue to take place with the two ORM managers, for example, outside the corporate building at a restaurant or a coffee shop. Without institutional pressure, the on-site researcher and ORM managers felt more comfortable to communicate freely.

Second, externalization—we then facilitated the ORM Department’s holding two RCSA workshops as ba, a physical context providing “the energy, quality, and places to perform the individual knowledge conversions and to move along the knowledge spiral” [44, p. 6]. Each workshop was attended by ten cross-functional managers from the GRD. In contrast to the previous RCSA workshop, this time we proposed the addition of two ORM knowledge management agents as workshop moderators. Furthermore, the remaining ORM Department members and the research team were responsible for taking notes on workshop observations to further our own learning. The ORM knowledge management agents commenced the workshop by showcasing some items identified in the risk universe, and then invited participants to discuss how these risks were relevant to their work practices. This process stimulated deep thinking about risk knowledge, even though department members were as yet unable to clearly articulate their thoughts on these concepts.

Third, combination—from the workshop, the participants’ dialogues and discussions created considerable explicit codified risk knowledge. The ORM staff later consolidated the rich material from the workshop into a risk knowledge list that was circulated to all the workshop participants through e-mail. In this e-mail, the participants were asked to prioritize the high-, medium-, and low-risk issues for CREDIT Bank, as well as to complete a satisfaction survey regarding the workshop. The outcome of the workshop—the risk knowledge list—subsequently became a road map to identify the context-specific risk profile of CREDIT Bank.

Fourth, internalization—to highlight the value of the risk knowledge list to CREDIT Bank, our last activity was to present a report to the CREDIT Bank risk council at a meeting attended by senior managers from across the organization. In the presentation, we illustrated CREDIT Bank’s specific risk issues from the workshop discussion as well as the satisfaction survey from the workshop participants showing the average score of 4.46 (out of 5). Top management was intrigued by the identification of risk issues that the original RCSA method had ignored such as the risk of former employees taking client lists and the risk of client account manipulation through misuse of IT-based access privileges.

Consistent with the dialogical AR approach, the ORM managers led the implementation of the majority of interventions/actions during this period. Moreover, the on-site researcher was in constant dialogue with the managers and took on a number of collaborative roles. First, during the tea breaks of these workshops, she would provide immediate feedback to the two ORM managers on what had been observed and what could be done next. This was intended to help the managers identify any blind spots in managing the knowledge creation process. Second, she also worked with the ORM Department to develop a risk knowledge list and to establish the criteria for risk issue prioritization. Third, at the risk council meeting, she and another member from the research team presented a summary of workshop observations and insights. In short, for the second iteration both the ORM Department and the research team had significant roles in designing and implementing relevant intervention activities. Over time, we gradually bridged the gap between the scientific theory of knowledge management and the practice of professional expertise in managing risk knowledge at CREDIT Bank.

Reflection: The ORM managers and the workshop participants exhibited excitement and a positive attitude about the knowledge creation process of risk management. In particular, the two knowledge management agents found the quality of risk knowledge generated from this type of workshop superior to what had been collected previously. As one of them commented: “The communication in the workshop is far better than filling out the questionnaire, because we are able to discuss and clarify. Through interaction, we can sense the strength and depth of the issues which would never be seen by filling out a questionnaire.”

Whereas enthusiasm spread among members of the ORM Department, Tom had a measured attitude and was skeptical about being able to replicate the GRD workshop’s success in other business units. His view was that the nature of the GRD could have partially contributed to people’s awareness of and sensitivity toward operational risks (especially given that the ORM Department was a part of the GRD). However, in a highly “numbers-driven” and “profit-driven” management culture (i.e., one in which people care more about sales and performance than operational risks), Tom imagined that it would still be extremely difficult to receive a buy-in from other business units if the proposal for this kind of workshop were to be put forward.

From a research perspective, the results from the second iteration were largely consistent with the SECI model and well-received by the knowledge management agents and participants from the GRD. However, Tom’s hesitation to propose a large-scale implementation brought a key issue of organizational culture to the fore. Our reflection indicated that the effectiveness of risk knowledge would not simply follow from the application of the SECI model; it was also highly related to the social context in which the knowledge management practice was embedded. This viewpoint drove us to explore additional scientific knowledge to deepen our understanding of the relationship between organizational culture, knowledge management, and operational risk. A renewed literature review confirmed that organizational culture serves as an important backbone for successful knowledge management because it could either encourage or impede knowledge creation and sharing among organizational members [1, 2, 35]. Along similar lines, Hu et al. [31] provide some evidence on the role of organizational culture in security risk management.

The result was that we turned once again to theory, this time in the form of the practice perspective [24, 42, 46], and proposed a new framing of “tacit knowing in practice.” The SECI model, while useful, is an objective approach toward knowledge conversion. In comparison, the practice approach places a greater emphasis on heightening knowing as a state of consciousness [42, 47, 48, 56]. We observed that for CREDIT Bank, which had long been accustomed to framing everything in terms of numbers and quantifiable evidence, this particular organizational epistemology created bottlenecks in operational risk that were tacit, uncertain, and sociopolitically ambiguous in nature [56]. With the new insights inspired by practice theory, we sought to elicit wider acceptance of a knowledge-based RCSA approach. The theoretical perspective suggested that we needed to start changing organizational culture by first stimulating the consciousness of knowing related to operational risks among organizational members through cross-functional/cross-level discussion and learning.

Third Cycle (August 2011–January 2012)

Problem: Our findings in Cycle 2 indicated that the existing profit-driven culture at CREDIT Bank tended to limit employees’ willingness to share and exchange their internal risk knowledge.


Hence, in Cycle 3 we decided to adopt a more dynamic and practice-oriented approach to address this condition and to stimulate cross-functional dialogue and communication. In accordance with Alavi and Leidner’s [2] observation that a social context fostering knowledge creation and sharing involves a “dynamic and continuous set of processes and practices embedded in individuals, as well as in groups and physical structures” [2, p. 123], we drew on the tacit knowing-in-practice approach [42, 47] to complement the previously used SECI model. This reflected our belief at this point that the use of the SECI model complemented by the tacit knowing-in-practice approach would help to ensure knowledge creation as an ongoing debate and interaction among various organizational practices adopted by different stakeholders [36, 44]. Thus the theory base in Cycle 3 was two-pronged, relying on both the theory behind the SECI model and the theory behind the tacit knowing-in-practice approach.

Intervention Strategies: Our Cycle 3 intervention strategy was directed toward creating a dialogue between the ORM Department and other business units. The former had adopted the knowledge creation methodology, that is, the SECI model, while the latter continued to hold localized knowledge of operational risk. According to Nicolini et al. [42], the design and implementation of knowing-in-practice should focus on “(a) the collective, (b) and its situated acts (including language use), (c) engaging the artifacts that are the focus of daily work-related practices, (d) including the nonexclusively cognitive (such as tacit, kinesthetic, and aesthetic knowledge) and the nonexclusively change-oriented” [42, p. 41].

With the above scientific knowledge in mind, we began conveying ideas to Tom through our weekly meeting as well as informal gatherings outside the office. The dialogue was focused on the importance of developing a proactive self-learning culture leading to organizational capability to formulate risk knowledge embedded in its daily business operations. With Tom’s endorsement of the knowing-in-practice approach, the next task was to identify a potential business unit to collaborate with the ORM Department. From a number of different possibilities, Tom and two members of the research team identified the IT Division as the best candidate, for two reasons. First, the head of the IT Division was the most supportive senior manager to recognize the imperative of transforming the existing organizational culture when we made our presentation at the risk council meeting. She echoed our viewpoints, which gave us some assurance that we made significant contributions at the knowledge-based workshop. Second, many of the operational risks were primarily related to the use and implementation of IT in the organization. Thus, we assumed that IT Division members might be more willing to discuss the operational risks in their local practices. Convinced of his choice, Tom secured the commitment of the head of the IT Division to run four collaborative workshops. We implemented the following interventions based on the principles identified above:

1. Focusing on the collective: This is to enable a discourse about collective action, promoting the conceptualization of different possibilities and descriptive terminology of organizational activities. In our empirical setting, the IT Division members had localized and tacit knowledge of operational risks, while the ORM Department had knowledge of operational risk concepts and the risk universe. Putting them together in a workshop was intended to stimulate the knowledge exchange process between the ORM staff and IT Division members. In this new arrangement, the ORM managers not only hoped to learn and capture the localized operational risks from the IT Division but also tried to train IT employees themselves in becoming knowledge management agents within the IT Division. The purpose was to foster a self-knowing, learning culture without the involvement of the ORM Department in the future.

2. Focusing on situated acts (including language use): Nicolini et al. [42, p. 38] assert, “knowing and learning were displayed and were visible only in the group: members had learned how to make their work practices (what they knew) visible to each other—by way of talk in the context of embodied acts and objects—in order to carry out relevant action.” Thus, the workshop in our case was designed to focus on two themes relevant to the IT Division: change management and control management. For this purpose, employees from the IT Division also invited their liaisons from other business units to participate in the workshop with them. To ensure a high quality of interaction for each workshop, the ORM managers and the researchers designed a series of activities in sequence: (1) a pre-workshop orientation, to explain the nature of the work; (2) the workshop itself, focusing on knowledge-based RCSA for change management and control management; (3) a post-workshop meeting, to consolidate the risks identified in the workshop; and (4) a participant satisfaction survey and interviews.

3. Focusing on engaging the artifacts that are the focus of daily work-related practices: According to Nicolini et al. [42, p. 37], “the concept of culture refers not only to a group of people, but also to the artifacts they create (including the values, beliefs, feelings, and other forms of meaning embedded in those artifacts).” For this purpose, knowledge management agents needed to facilitate the discussion allowing participants to identify artifacts that they would be able to associate with local operational risks. For instance, when discussing the risks associated with the change management process, the ORM managers introduced the discussion by focusing on mainframe machines—an artifact familiar to the participating IT employees. Thus, employees were more comfortable and willing to reveal embedded risks in machine maintenance.

4. Focusing on tacit and aesthetic knowledge: This refers to the kinesthetic, tacit, and aesthetic dimension of knowing as practice. Aesthetic knowing, interweaving with tacit knowledge of organizational members, is essentially experiential and expressed through feeling as well as corporeal experiences [23, 34, 64]. This idea is perfectly phrased by Polanyi, we “know more than we can tell” [50, p. 601]. Thus, another purpose of these workshops was to have knowledge management agents encourage the participants to engage in aesthetic reflection of operational risks. Based on their sharing of the aesthetic forms of knowing, the participants would be able to focus on “their tacit knowledge and become aware that they know how to do the work” [64, p. 64]. Combining the methods of aesthetic reflection and tacit knowing, the participants were more at ease and less constrained by the atmosphere of the (previous) profit-driven culture and were able to think more freely about any operational risk and to discuss more openly with other participants.

5. As a result, these intervention activities helped them to bring their knowing to a state of consciousness and try to make sense of these risks while expressing them verbally. One participant reflected how this method helped him be more mindful: “Many of the risks they mentioned I already knew, but couldn’t put them down. Through the discussion, I confirmed the risks I perceived were also high risks in others’ eyes. Also, at the workshop, I truly feel the anxiety of others about operational risks. This was not possible from original document-based risk assessment.”

The workshops were run and attended by employees of CREDIT Bank; however, the first two coauthors were on-site to offer feedback to participants as well as make independent notes for their meetings with the ORM Department afterward. We believe that this design worked well to align with the underlying purpose of fostering a self-learning and knowing culture in Cycle 3. Our role at this stage was to observe the workshop process and to engage in discussions with all participants from the ORM Department and IT Division during the coffee break or after the workshop. From an AR perspective, the reflective dialogues between the on-site researcher and the workshop participants allowed for the synthesis of heterogeneous knowledge held by them, covering both scientific theory and practical experiences.

Reflection: The feedback from the four workshops within the IT Division was highly positive. The workshops not only helped identify important risk issues, but also significantly improved the working relationships between the ORM Department and the IT Division. Tom was pleasantly surprised when he received congratulatory remarks from people in the IT Division, in particular thanking him for helping them to become more aware of risks previously unknown to them.

As a result of these exercises, the chief information officer (CIO) actively extended her support and belief in the effectiveness of the knowledge-based and knowing-in-practice approach in restructuring ORM at CREDIT Bank. She openly and positively encouraged Tom to continue this approach for other business units. Furthermore, she decided to adopt this approach for the RCSA revision exercises within the IT Division. This open support from the CIO also fueled recognition from other senior executives. At the end of our Cycle 3 action, top management decided to move the ORM Department directly under the office of the vice chairman. This change in organizational structure empowered the ORM Department to implement the new approach and infuse a knowledge-based organizational culture at CREDIT Bank. Tom offered the following remark about this journey (emphasis added):

It is eventually about changing people’s mindsets. . . . Our Department [ORM] is just like a preacher who fosters a culture for people to believe in. For me, we are working on a change in mindset, including the ORM staff and myself. We ourselves also learn during the process. Eventually the tool or the method doesn’t matter. They are just on the surface. At the end, our true concern about risk management is to create a culture.

In terms of contribution to theory, results from this cycle indicate that practice theory can add theoretical contributions to the existing literature by shedding light on how the organizational members contribute to the way risk management and its practices are adopted. This was consistent with Power [51, 52] who suggests that the concept of operational risk is a broadly defined boundary object, aimed at providing opportunities for internal agents to redefine and reposition their work in terms of risk management. In our AR project, we demonstrate that through tacit knowing in risk management practice and the formation of practice communities, the new understanding of the bank’s operational risk knowledge helped to transform the dominant profit-driven worldview to a practice-based risk culture. In this way, our findings confirm the work of Mathiassen [39], Schultz and Hatch [59], Koloskov [33], and Alavi and Leidner [2] on the role of organizational culture for knowledge management practices. In particular, through interaction with organizational members, we found that managers at CREDIT Bank resemble what Schön [58, pp. 240–241] referred to as a “rigorous manager” with technical rationality and the attitude of unilateral control without reflection. However, the adoption of a knowing-in-practice approach allowed Tom and his colleagues to reflect and reposition themselves as knowledge managers. As shown in the workshops in Cycle 3, employees began to be more mindful by not only reflecting on the organizational routines of risk management but also examining their own reflection-in-action. The tacit knowing-in-practice approach ensured an ongoing cross-functional dialogue and collaboration in terms of risk knowledge. This created a dynamic cross-divisional and cross-level knowledge spiral, leading to the expansion of risk knowledge in a bank, which in turn cumulatively changed the organizational risk culture, top management’s cognition and institutional arrangement (see Online Appendix 3).

Discussion

Substantive Contributions

In this research, we started with the broad objective of exploring our scientific knowledge in IS security management and how related areas could contribute to the emerging practice of ORM. Through the dialogical process that ensued between the researchers and practitioners of financial risk management, most notably a key manager at the CREDIT Bank, we were able not only to help solve an organizational problem but also to empirically assess the relevance of IS security research in understanding the new operational risk phenomenon and propose a number of academic contributions (see Table 2).

Table 2. Findings and Theoretical Contributions

Finding 1: Top management awareness is important to the success of ORM.
Relevant theoretical support or empirical evidence: Security risk planning model and AR intervention Cycle 1.
Theoretical implications:
– The result is consistent with prior research on the significance of top management in IS security management [31, 53, 66].
– The finding adds theoretical value by exemplifying mechanisms through which top management awareness can be achieved.

Finding 2: Rationality of risk formalization and quantification in finance shapes the implementation of ORM in the financial sector.
Relevant theoretical support or empirical evidence: Reflection from Cycle 1.
Theoretical implications:
– The finding is consistent with the dominance of the quantitative approach in the operational risk literature.
– This offers empirical evidence to support Ciborra’s [16] argument on “the phenomenology of risk and information technology.”

Finding 3: Changing the phenomenological assumption of risk requires effort in reshaping employees’ knowledge through educational workshops.
Relevant theoretical support or empirical evidence: Knowledge creation theory and AR intervention Cycle 2.
Theoretical implications:
– This finding broadly aligns with the suggestion of the importance of user participation in IS security risk management [63], but makes further theoretical contributions by integrating knowledge management in users’ educational methods.

Finding 4: A knowledge-based risk management culture serves as an important backbone for successful ORM.
Relevant theoretical support or empirical evidence: Reflection from Cycle 2.
Theoretical implications:
– This result is consistent with findings in IS security on the role of organizational culture in employees’ security policy compliance [12, 31], but we add theoretical knowledge by extending this to the risk management context.

Finding 5: Taking a practice approach through ongoing debate and interaction grounded in organizational actions can cultivate the organizational culture for risk knowledge development.
Relevant theoretical support or empirical evidence: Knowing-in-practice approach and AR intervention Cycle 3.
Theoretical implications:
– This finding makes a contribution to both IS security and operational risk management by providing an insightful understanding about how risk culture and context-specific risk knowledge develop in an organization.

Our first finding from Cycle 1 is consistent with the IS security literature suggesting that top management awareness is crucial for the successful implementation of a risk management program [29, 30, 66]. However, the previous studies were limited in explaining the mechanisms to increase top management awareness. In our AR project, the work of benchmarking analysis and our dialogical AR exercise with Tom to design a scenario-based risk analysis workshop for top management helped to increase their awareness of operational risk. This finding adds theoretical value to the extant IS security literature by exemplifying mechanisms through which top management awareness can be achieved. Furthermore, this led to our second finding and theoretical implication related to managerial cognition in the financial world. A managerial emphasis on operational risks as quantified objects confirms the dominance of quantitative models in operational risk literature, indicating an objectivist assumption rooted in financial research and practices [16, 32, 51]. Despite the importance of behavioral factors reported in IS security risk management literature, the dominant perspective constrains managerial cognitive capability in considering alternative risk management approaches.

To motivate organizational members to conceptualize the nature of operational risks, our scientific knowledge in the form of the “risk management as knowledge management” approach in Cycle 2 inspired Tom and his colleagues to redesign their risk data collection strategy. Through active user engagement in the risk knowledge-creation workshop created based on the SECI model, a number of new risks were identified together with higher user satisfaction reported by workshop attendees. This result not only reinforces the value of user participation reported in the IS security literature [63], but also contributes to both the IS security and operational risk literatures by specifically demonstrating the value of the knowledge creation model in discovering new forms of risks, simultaneously promoting better user satisfaction in this process [21, 22, 35]. Given the changing nature of IT, our study suggests that a knowledge-based approach holds much potential in the area of helping an organization identify the emergence of other IT-related risks.

Our last finding is related to the role of organizational culture. Our reflection from Cycle 2 reiterates the importance of organizational culture in IS security research [12, 29, 31]. Our intervention in Cycle 3 makes an important theoretical contribution to the IS and ORM literatures. Most IS security work considers organizational culture as an antecedent or moderating variable. We, however, demonstrate how organizations can cultivate a more supportive environment for risk management through the tacit knowing-in-practice approach. This finding has added theoretical knowledge to operational risk by highlighting the value and the process of managing risk knowledge. We argue that the theoretical insights derived from our dialogical AR project make important contributions by addressing what Ciborra [16, p. 1348] highlights as the “lack of knowledge, the role of biased data when assessing risk in organizations, and the influence of internal politics” in existing ORM research.

With respect to practical contributions, our empirical results here offer managers insights on how social interaction, employee participation, and knowledge sharing can enhance the effectiveness of ORM in a financial institution. Given that operational risk is relatively new to many finance professionals, it is important for organizations to have a tool to facilitate the knowledge creation process. This can be achieved through cross-functional workshops where ORM managers can act as knowledge management agents and motivate participants to question operational risks that might be relevant to their daily work routine. This approach is superior to asking employees to complete a paper-based form, especially when commencing ORM implementation. Our intervention strategies in Cycles 2 and 3 provided procedural advice on how the workshop can be effectively implemented—for example, including the use of pre-workshop orientations, promoting participants to invite their liaisons from other business units as well as the use of post-workshop meetings for risk consolidation. The previously mentioned mechanisms are beneficial when informing top management of the organizational knowledge that is required to manage operational risks more effectively.

Methodological Contributions

Our work also demonstrates how dialogical AR is valuable in the context where the business problem was uncertain and ill-defined to both the researcher and the practitioner (e.g., the topic of ORM). Dialogical AR emphasizes “dialogue [through which] the researcher purposely encourages and guides the practitioner to reflect and learn” [37, p. 511] as well as “an improvement in the scientific researcher’s expertise” [37, p. 519]. We found that the reflective one-on-one dialogues with Tom and members at the ORM Department enhanced the research- er’s understanding of the social and historical context of the CREDIT Bank and its ORM problems, which led to the improvement of our expertise in this research field. At the same time, our research expertise also improved over time to have a better scientific understanding of operational risks as a research topic. That is, through the practice of dialogical AR, our study makes a significant contribution to action research itself through our discussion of relationships between IS research- ers and research clients—that is, the on-site researchers and executives—demon- strating how AR leads to improved organizational situations and scientific understanding. Second, we offer some principles, and ways to implement them, based on reflec-

tions on the study. While we did not start with any specific set of principles in mind when we began our AR project, apart from a commitment to the core assumptions of dialogical AR, upon completion of the study we realized that, to some extent, we had enacted a number of valuable principles. Before proceeding with a discussion of the principles and subcriteria, and offering

them as contributions, we place our dialogical AR in perspective. The landscape of AR and AR-related research is quite broad and the term “action research” represents “a whole range of approaches and practices, each grounded in different traditions,” though often with overlapping assumptions and values [55, p. xxiv]. Indicative of the range of approaches are the differences between canonical action research and action science. Davison et al. [18] offer a detailed review of canonical AR,

746 OU YANG, HSU, SARKER, AND LEE

characterizing it as “iterative, rigorous, and collaborative,” and they propose five canonical AR principles that focus on “Research-Client Agreement,” “Cyclical Process,” “Theory,” “Change through Action,” and “Learning through Reflection” [18, pp. 67–69]. Canonical AR draws inspiration from “Lewin’s original six-stage form of action research” [8, p. 96]. Action science, on the other hand, is “defined by the elements ‘epistemology of practice’ and ‘empirical testing,’” with the former involving the need for “means-ends deliberation,” “explication” of “tacit knowl- edge,” and “double-loop learning” and where the researchers seek to infer theories- in-use from actions and to enable participants to transcend their “espoused theories” [8, p. 100]. Dialogical AR shares some elements of both canonical AR and action science. Related to AR (e.g., [72]), and even claiming AR to be a subcategory, is

“engaged scholarship,” which is defined as “a participative form of research for obtaining the different perspectives of key stakeholders (researchers, users, clients, sponsors, and practitioners) in studying complex problems” [68, p. 9]. Engaged scholarship emphasizes collective achievement and knowledge transfer across boundaries between the researcher and other stakeholders. Namely, the researchers step outside of their traditional research perspectives to obtain practical knowledge informed by others’ interpretations. Van de Ven [68] proposed four types of engaged scholarship, including informed basic research, collaborative basic research, design and evaluation research, and action/intervention research. Clearly, AR falls into the last of the four categories. Dialogical AR, however, also fits, at least partially, the category of collaborative basic research, which Van de Ven describes as follows:

Collaborative research teams are often composed of insiders [to the field setting] and outsiders [i.e., researchers] who jointly share [research activities] . . . in order to co-produce basic knowledge about a complex problem or phenomenon. The division of labor is typically negotiated to take advantage of the complementary skills of different research team members, and the balance of power or responsibility shifts back and forth as the tasks demand. [68, p. 27]

However, unlike AR in general and dialogical AR in particular, the focus in collaborative basic research does not extend to include intervention or change. Also related to AR are collaborative practice studies [39], which have the goal “to establish well functioning relations between research and practice” in a way that “first hand information” is obtained by involvement with practice but at the same time, “the research process [must be structured and managed] in ways that produce rigorous and publishable results” [39, p. 329]. This goal is pursued by using “a wide variety of approaches” including AR, field and lab experiments, and practice studies (i.e., surveys of practice, case studies). Again, we find that collaborative practice research is a broader approach that includes AR studies, including dialogical AR studies, but is not limited to them.

The last item we mention, which we also find on the broad landscape of AR and AR-related research, is action design research [60]. It can be described as “containing the inseparable and inherently interwoven activities of building the IT artifact, intervening in the organization, and evaluating it concurrently” [60, p. 37], where the IT artifact is regarded as an ensemble. Sein et al. [60, p. 38] state: “By ensemble artifact, we specifically mean the material and organizational features that are socially recognized as bundles of hardware and/or software.” Action design research can thus be regarded as an integration of the principles of AR and design research. It transcends dialogical AR to the extent that the latter need not involve building any IT artifact at all.

Given our brief description above of the landscape of AR and AR-related research, we see that the contributions we offer are not so much to the overall landscape as to the niche occupied by dialogical AR itself, where our rendering of dialogical AR offers further articulations of the original dialogical AR approach proposed by Mårtensson and Lee [37]. We note that while Mårtensson and Lee provide an overall understanding of the genre of dialogical action research and underscore the importance of dialogue, they do not point to ways in which effective dialoging can be initiated and sustained in a study. Our attempt has been to propose key principles that can help in this regard. In addition, on further critical reflection, we came up with a set of explicit subcriteria (outlined in Online Appendix 4), some of which our study met and others that it did not, but nevertheless are, in our opinion, desirable for a good dialogical AR study, and can guide future research. While the proposed principles are at a higher level, the subcriteria provide lower-level guidance to a research team with respect to being true to the generalized dialogical AR principles.

The principle of shared responsibility describes who is responsible for what actions in the dialogical AR project. In our empirical study, responsibility was not predetermined or well-defined at the outset. The first aspect of following this principle is to assess the feasibility of sharing responsibility. Furthermore, researchers as well as practitioners must demonstrate sincerity and equity when discussing the respective responsibilities for action planning execution and have mutual accountability with respect to shared responsibilities. This has to be done taking into consideration the extent of feasibility of sharing responsibility. Finally, there need to be mechanisms for self-regulation when the team deviates from the principle of shared responsibility.

The principle of an adaptive practitioner-research relationship focuses on the changing nature of the relationship. As we stated earlier, dialogical AR should have a more flexible approach in the interest of feasibility and different types of business problems. For instance, in our case, we started with a relationship similar to a doctor–patient relationship; however, the relationship evolved more to a partnership style in Cycle 2 and Cycle 3. To manage the dynamics of relationship change, both researchers and practitioners need to engage in dialogue and develop awareness of the nature of the relationship when a project starts, and the willingness to learn and to accept change in the relationship.

The principle of mutual influence stresses the significance of the learning dimension of action research. We believe that critical reflexivity and openness of the parties regarding their own values, positions, and interests as well as the valuing of authenticity in learning are important subcriteria for this principle. Through reflection on surprising outcomes between the researchers and Tom’s team, together we gradually learned about the barrier of organizational culture and managerial thinking in supporting the creation of operational risk management.

The principle of alignment of dialogue between the researcher and the practitioner emphasizes dialogue alignment regarding syntax, semantics, and pragmatics (e.g., [68, 69]). Our generalized dialogical AR approach suggests that the researchers should not presume alignment; hence, the sensitivity to misalignment would help to plan a more effective intervention and/or design compensatory mechanisms for lack of alignment. As demonstrated in our case, while practitioners at CREDIT Bank and the researchers knew the definition and concept of a risk universe (syntax), they held different interpretations of how to convey and develop a risk universe at CREDIT Bank, and how to apply them (semantics, pragmatics). Alignment was gradually achieved through reflective dialogues inside and outside office environments and interactive workshops.

Finally, we found that the principle of vetoing is also an important mechanism to support the critical thinking process between the researcher and the practitioner. In Cycle 1, our proposal on company-wide implementation was rejected by senior management based on a financial evaluation of investment (transparency of reasoning). As we learned to accept the rejection (gracious acceptance of vetoing), it helped us to discover the problem of economic thinking and a profit-driving culture as the underlying bottlenecks for effective ORM at CREDIT Bank. Needless to say, acceptance of vetoing becomes easier, and the collaborative environment easier to sustain, if there is some balance in the vetoing—that is, the same side does not keep vetoing what the other side proposes, and the vetoing is done in a modest, not dismissive manner (see Online Appendix 4).

Conclusion

In summary, we believe that dialogical AR studies, through the interplay of the scientific and natural attitudes of the researchers and the practitioners, respectively, can be a valuable approach for making a real and substantial impact on organizational life while also contributing to pragmatically valid theoretical insights into the relevant knowledge area. With this in mind, it is valuable for the two parties (researchers and practitioners) to engage in dialogue and come to a mutual understanding in which neither information source is viewed as inherently privileged.

Acknowledgments: The authors thank the Special Issue coeditors, the associate editor, and the three anonymous reviewers for their constructive comments and recommendations that contributed to significant improvements in the study.

Supplemental File

Supplemental data for this article can be accessed on the publisher’s website at 10.1080/07421222.2017.1373006

REFERENCES

1. Alavi, M.; Kayworth, T.R.; and Leidner, D. An empirical examination of the influence of organizational culture on knowledge management practices. Journal of Management Information Systems, 22, 3 (2005–6), 191–224.
2. Alavi, M., and Leidner, D.E. Review: Knowledge management and knowledge management systems: Conceptual foundations and research issues. MIS Quarterly, 25, 6 (2001), 107–136.
3. Avison, D.; Baskerville, R.; and Myers, M. Controlling action research projects. Information Technology and People, 14, 1 (2001), 28–45.
4. Basel Committee on Banking Supervision (BCBS). Consultative Document: Sound Practices for the Management and Supervision of Operational Risk. 2001. www.bis.org
5. Baskerville, R. Risk analysis as a source of professional knowledge. Computers and Security, 10, 8 (1991), 749–764.
6. Baskerville, R. Strategies, systems, and technologies. European Journal of Information Systems, 17, 3 (2008), 179–181.
7. Baskerville, R., and Myers, M.D. Special issue on action research in information systems: Making IS research relevant to practice. MIS Quarterly, 28, 3 (2004), 329–335.
8. Baskerville, R., and Wood-Harper, A.T. Diversity in information systems action research methods. European Journal of Information Systems, 7, 2 (1998), 90–107.
9. Brechman, E.; Czado, C.; and Paterlini, S. Flexible dependence modeling of operational risk losses and its impact on total capital requirements. Journal of Banking and Finance, 40 (2014), 271–285.
10. Brown, S.; Goetzmann, W.; Liang, B.; and Schwarz, C. Mandatory disclosure and operational risk: Evidence from hedge fund registration. Journal of Finance, 63 (2008), 2785–2815.
11. Brown, S.; Goetzmann, W.; Liang, B.; and Schwarz, C. Trust and delegation. Journal of Financial Economics, 103, 2 (2012), 221–234.
12. Chan, M.; Woon, I.; and Kankanhalli, A. Perceptions of information security at the workplace: Linking information security climate to compliant behavior. Journal of Information Privacy and Security, 1, 3 (2005), 18–41.
13. Chavez-Demoulin, V.; Embrechts, P.; and Nešlehová, J. Quantitative models for operational risk: Extremes, dependence and aggregation. Journal of Banking and Finance, 30, 10 (2006), 2635–2658.
14. Chapelle, A.; Crama, Y.; Hübner, G.; and Peters, J.P. Practical methods for measuring and managing operational risk in the financial sector: A clinical study. Journal of Banking and Finance, 32, 6 (2008), 1049–1061.
15. Chernobai, A.; Jorion, P.; and Yu, F. The determinants of operational risk in U.S. financial institutions. Journal of Financial and Quantitative Analysis, 46, 6 (2011), 1683–1725.
16. Ciborra, C. Imbrication of representations: Risk and digital technologies. Journal of Management Studies, 43, 6 (2006), 1339–1356.
17. Cummins, J.D.; Lewis, C.M.; and Wei, R. The market value impact of operational loss events for US banks and insurers. Journal of Banking and Finance, 30, 10 (October 2006), 2605–2634.
18. Davison, R.; Martinsons, M.; and Kock, N. Principles of canonical action research. Information Systems Journal, 14, 1 (2004), 65–86.
19. Davison, R.; Martinsons, M.; and Ou, C. The roles of theory in canonical action research. MIS Quarterly, 36, 3 (2012), 763–786.
20. Dhillon, G., and Backhouse, J. Current directions in IS security research: Toward socio-organizational perspectives. Information Systems Journal, 11, 2 (2001), 127–153.
21. Emblemsvåg, J. The augmented subjective risk management process. Management Decision, 48, 2 (2010), 248–259.
22. Emblemsvåg, J. Augmenting the risk management process. In G. Nota (ed.), Risk Management Trends. Rijeka, Croatia: InTech, 2011, pp. 1–26.
23. Ewenstein, B., and Whyte, J. Beyond words: Aesthetic knowledge and knowing in design. Organization Studies, 28, 5 (2007), 689–708.
24. Feldman, M.S., and Orlikowski, W.J. Theorizing practice and practicing theory. Organization Science, 22 (2011), 1240–1253.
25. Gillet, R.; Hübner, G.; and Plunus, S. Operational risk and reputation in the financial industry. Journal of Banking and Finance, 34, 1 (2010), 224–235.
26. Goldstein, J.; Chernobai, A.; and Benaroch, M. An event study analysis of the economic impact of IT operational risk and its subcategories. Journal of the Association for Information Systems, 12, 9 (2011), 606–631.
27. Hsu, C. Frame misalignment: Interpreting the implementation of information systems security certification in an organization. European Journal of Information Systems, 19, 2 (2009), 140–150.
28. Hsu, C.; Backhouse, J.; and Silva, L. Institutionalizing operational risk management: An empirical study. Journal of Information Technology, 29, 1 (2014), 44–58.
29. Hsu, C.; Lee, J.N.; and Straub, D. Institutional influences on information security innovations. Information Systems Research, 23, 3 (2012), 918–939.
30. Hsu, C.; Lin, Y-T.; and Wang, T. A legitimacy challenge: An institutional perspective on the implementation of a cross-cultural interorganizational information system. European Journal of Information Systems, 24, 3 (2015), 278–294.
31. Hu, Q.; Dinev, T.; Hart, P.; and Cooke, D. Managing employee compliance with information security policies: The role of top management and organizational culture. Decision Sciences, 43, 4 (2012), 615–660.
32. Korinek, A. Systemic risk-taking: Accelerator effects, externalities, and regulatory responses. Mimeo: University of Maryland, 2009.
33. Koloskov, A. Managing knowledge or knowing in practice? A critical review of perspectives on knowledge management. iSCHANNEL, 5 (2010), 5–9.
34. Lash, S. Reflexivity and its doubles: Structure, aesthetics, community. In U. Beck, A. Giddens, and S. Lash (eds.), Reflexive Modernization: Politics, Tradition and Aesthetics in the Modern Social Order. Oxford, UK: Polity, 1994, pp. 110–173.
35. Lee, H., and Choi, B. Knowledge management enablers, processes, and organizational performance: An integrative view and empirical examination. Journal of Management Information Systems, 20, 1 (2003), 179–228.
36. March, J., and Simon, H. Organizations. Cambridge, MA: Blackwell Business, 1958.
37. Mårtensson, P., and Lee, A.S. Dialogical action research at Omega Corporation. MIS Quarterly, 28, 3 (2004), 507–536.
38. Mathiassen, L.; Chiasson, M.; and Germonprez, M. Style composition in action research publication. MIS Quarterly, 36, 2 (2012), 347–363.
39. Mathiassen, L. Collaborative practice research. Scandinavian Journal of Information Systems, 14, 1 (2002), 57–73.
40. Marwick, A.D. Knowledge management technology. IBM Systems Journal, 40, 4 (2001), 815.
41. Myers, M.D. Qualitative Research in Business & Management. Thousand Oaks, CA: Sage, 2009.
42. Nicolini, D.; Gherardi, S.; and Yanow, D., eds. Knowing in Organizations: A Practice-Based Approach. Armonk, NY: M.E. Sharpe, 2003.
43. Nonaka, I., and Takeuchi, H. The Knowledge-Creating Company: How Japanese Companies Create the Dynamics of Innovation. New York, NY: Oxford University Press, 1995.
44. Nonaka, I., and Toyama, R. The knowledge-creating theory revisited: Knowledge creation as a synthesizing process. Knowledge Management Research and Practice, 1, 1 (2003), 2–10.
45. Nonaka, I.; von Krogh, G.; and Voelpel, S. Organizational knowledge creation theory: Evolutionary paths and future advances. Organization Studies, 27, 8 (2006), 1179–1208.
46. Orlikowski, W.J. Using technology and constituting structures: A practice lens for studying technology in organizations. Organization Science, 11, 4 (2000), 404–428.
47. Orlikowski, W.J. Knowing in practice: Enacting a collective capability in distributed organizing. Organization Science, 13, 3 (2002), 249–273.
48. Orlikowski, W.J. Material knowing: The scaffolding of human knowledgeability. European Journal of Information Systems, 15, 5 (2006), 460–466.
49. Orlikowski, W.J., and Iacono, C.S. Research commentary: Desperately seeking the “IT” in IT research: A call to theorizing the IT artifact. Information Systems Research, 12, 2 (2001), 121–134.
50. Polanyi, M. Tacit knowing: Its bearing on some problems of philosophy. Reviews of Modern Physics, 34, 4 (1962), 601–616.
51. Power, M. The invention of operational risk. Review of International Political Economy, 12, 4 (2005), 577–599.
52. Power, M. The Risk Management of Everything: Rethinking the Politics of Uncertainty. London, UK: Demos, 2004.
53. Puhakainen, P., and Siponen, M. Improving employees’ compliance through information systems security training: An action research study. MIS Quarterly, 34, 4 (2010), 757–778.
54. Rainer, J.; Snyder, C.; and Carr, H. Risk analysis for information technology. Journal of Management Information Systems, 8, 1 (1991), 129.
55. Reason, P., and Bradbury, H. Handbook of Action Research. London, UK: Sage, 2001.
56. Renn, O., and Klinke, A. A framework of adaptive risk governance for urban planning. Sustainability, 5 (2013), 2036–2059.
57. Rosenberg, J.V., and Schuermann, T. A general approach to integrated risk management with skewed, fat tailed risks. Journal of Financial Economics, 79, 3 (2006), 569–614.
58. Schön, D.A. The Reflective Practitioner. New York, NY: Basic Books, 1983.
59. Schultz, M., and Hatch, M.J. Building theory from practice. Strategic Organization, 3, 3 (2005), 337–347.
60. Sein, M.K.; Henfridsson, O.; Purao, S.; Rossi, M.; and Lindgren, R. Action design research. MIS Quarterly, 35, 1 (2011), 37–56.
61. Simon, H.A. Rational choice and the structure of the environment. Psychological Review, 63, 2 (1956), 129–138.
62. Simon, H.A. Organizations and markets. Journal of Economic Perspectives, 5 (1991), 25–44.
63. Spears, J.L., and Barki, H. User participation in information systems security risk management. MIS Quarterly, 34, 3 (2010), 503–522.
64. Strati, A. Knowing in practice: Aesthetic understanding and tacit knowledge. In D. Nicolini, S. Gherardi, and D. Yanow (eds.), Knowing in Organizations: A Practice-Based Approach. Armonk, NY: M.E. Sharpe, 2003, pp. 52–75.
65. Straub, B. Effective IS security: An empirical study. Information Systems Research, 1, 3 (1990), 255–276.
66. Straub, D.W., and Welke, R.J. Coping with systems risk: Security planning models for management decision making. MIS Quarterly, 22, 4 (1998), 441–469.
67. Susman, G.I., and Evered, R.D. An assessment of the scientific merits of action research. Administrative Science Quarterly, 23 (1978), 582–603.
68. Van de Ven, A.H. Engaged Scholarship: A Guide for Organizational and Social Research. New York, NY: Oxford University Press, 2007.
69. Von Bülow, C. The “dialogic action research” approach to validation: A crossfields institute methodology for developing organizations. Crossfields Institute, 2012.
70. Wang, T., and Hsu, C. Board composition and operational risk events of financial institutions. Journal of Banking and Finance, 37, 6 (2013), 2042–2051.
71. Warkentin, M., and Willison, R. Behavioral and policy issues in information systems security: The insider threat. European Journal of Information Systems, 18 (2009), 101–105.
72. Young, B.W.; Mathiassen, L.; and Davidson, E. Inconsistent and incongruent frames during IT-enabled change: An action research study into sales process innovation. Journal of the Association for Information Systems, 17, 7 (2016), 495–520.
