Computing and Information Systems
Volume 3 Number 1

Minimising Risks In Organisational Information Systems

Joseph Akomode

Research reveals that there are various types of risk associated with the development and successful implementation of Information Technology (IT) based Information Systems (ISs) at organisational level. The situation often leads to a plethora of problems in attempting to meet business needs or organisational goals. This paper reviews the failures of some organisational IT-based ISs and discusses possible types of risk associated with the development and application of the ISs coupled with business risk factors. Based on the experience gained in a current project for developing an IT-based IS for manufacturing management, the author suggests an anti-positivist methodology (Action Research) that articulates a learning process which may be employed to minimise possible risks of failure in the development and application of organisational ISs. It is hoped that the discussion put forward will help to generate and increase participants' awareness level of risks of failure of organisational ISs so that they can be avoided or reduced. A possible model to minimise risks in IS projects through Action Research strategy is presented which may assist to improve and simplify the process of development and implementation of such systems for enterprises.

Keywords: Information Technology; Information Systems; Risks; Anti-positivism; Action research.


An ongoing research project in the Computing and Information Systems (CIS) Department in collaboration with Compaq Computer Manufacturing Limited, Bishopton is focused on developing an IT-based Information System. The investigation reveals that all such IS projects potentially exhibit some form of risks to organisations. The point could equally be substantiated by the remark of Willcocks and Margetts (1994. p.128) that "Risk is involved in all IS projects". Inadequate assessment and management of risks in the development of a computer based IS in an organisation may lead to failures in the successful performance of the information system, which in turn may lead to other business problems. To drive home the point about failures of organisational ISs, examples could be cited of major instances in the UK such as: (a) In 1991 a commercial bank (National Westminster) abandoned a 20 million IBM DB2 Share registration system that was to link the bank with the London Stock Exchange's Transfer Automated Registration of Uncertified Stock (Taurus). The abandonment of the Share registration system was said to be due to lack of adequate specifications for the trading system Taurus (Computing, 16 May 1991, p.1); (b) Taurus itself was one of the greatest failures of bespoke information system developments, costing a total of 400 million which was aimed at being a paperless Stock Exchange system but ended up generating more paper than was ever dreamed of and was eventually abandoned (Computing, 25 March 1993, p.52).

The implication of the two examples is that while the failures of major information system projects (such as the NatWest IBM DB2 Share registration system and Taurus itself) may be loudly reported in the news media, there could be many others that fail in less noticeable or less publicised ways. Considering expenditure in this aspect of a growing technology, it could be said that in the UK both private and public organisations spend a substantial sum of money on IT-oriented ISs. As of 1992 a review of expenditure on IT by private sector organisations in the UK rose to over 1.5% of revenue on the average while that of the public sector organisations (ignoring operational equipment of the ministry of defence) accounts for over 1.7% of revenue on the average (see details in: Willcocks and Margetts, 1994, p.127; Price Waterhouse, 1992; Margetts, 1991). In both cases of the expenditures on IT between 30% to 40% of the projects achieve no net benefits (see research review details in Willcocks 1992, 1993). Consequently, discussing ways and means of minimising risks of failure associated in the development and successful implementation of organisations' ISs may provide a significant area of concern to managers and such information systems analysts/developers. Also, a methodology that is capable of integrating both the 'soft' and 'hard' aspects of organisational information systems' development, in order to minimise the chances of failure of ISs for business management and operations, may be a worthwhile strategy for deliberation.

A distinction could be drawn between IT and IS, in that: (a) IT represents the competence presented by computer hardware, software applications and telecommunications technologies; (b) IS represents a wider notion which encompasses various intelligence gathering devices put together to meet the defined information requirements of an individual (or organisation) in attempt to properly control the surrounding. IS may or may not be IT-based (cf. Davenport and Short, 1990, p.11; Stowell, 1991, p.174; Willcocks and Margetts, 1994, p.128). In most of the rest of the paper the term IS will be used to include the potential offered by IT. The next section discusses possible types of risk in ISs and business risk factors of an organisation.


Risk could be broadly characterised as the possibility of a negative outcome and the consequences of that possibility (cf. Hertz and Thomas, 1983, p.3; Brauers, 1986, p.139). Risk management constitutes a practice of reacting to perceived risk by some form of assessment or observations in order to reduce (or entirely avoid) the unfavourable consequences that may ensue should the risk occur. In the development and implementation of ISs for organisations types of risk that could be encountered may include: (i) extended budgetary cost, due to over-stepping the amount initially allotted for completing the project; (ii) longer time for implementation; (iii) inadequate systems specifications, which may be due to lack of proper understanding of the business needs by the IS analyst(s)/designer(s); (iv) poor performance of technical systems, which may be due to choosing unsuitable hardware/software for the system; (v) inadequate data model, which may due to the systems analyst/developer not obtaining sufficient (or appropriate) business data to model and modify the Knowledge-base of a required Knowledge Based System (KBS) for the IS; (vi) incompatibility of the system with other information systems of the organisation; (vii) failure to achieve some of (or all) the expected benefits due to users' ill-understanding of operational techniques or other implementation obstacles. Furthermore, these types of risk in IS may have adverse impact on an organisation's effectiveness and efficiency to profitably satisfy its customers.

Based on theoretical and empirical investigations in the current research project of developing a prototype IS for tendering process in manufacturing management, the possible types of risk associated with the development and implementation of ISs as listed above could further have an impact on and compound an organisation's business risk factors. In manufacturing management, results obtained from organisational investigation indicate that the risk factors which are often considered in practice are both quantitative and qualitative, encompassing the areas of: (i) total cost/benefit assessment in monetary terms; (ii) quality in terms of fitness for purpose; (iii) technology advantage; (iv) price and profitability; (v) timely delivery of products/services; (vi) image attainment and its sustainability; (vii) long term partnership relations and its proper management (with suppliers and customers) in terms of shared business risks and shared rewards; (viii) safety. These risk factors may also be applicable to the service industry. The types of risk and business risk factors aforementioned are not exhaustive but they serve to illustrate the potential risks in ISs. The exposure of an organisation to risks in ISs may increasingly become prominent when such risks further affect parameters of its 'business deliverables' to customers and stakeholders. In extreme cases the commercial viability of the company may be seriously jeopardised.

Some proponents and exponents of risk assessment/analysis of IS projects in organisations have evolved some models to help in evaluating various possible types of risk at the feasibility stage in order to avoid pitfalls. For instance, Corder (1989, pp.242-244) discusses the "strategic weighting of risk factors in estimating computer projects", and presents a table for the calculation of strategic risks associated with such projects. The method identifies risk factors in organisational ISs and classifies them into three groups specified as: (1) High-risk factors, encompassing five components given to be (a) project size, (b) project definition, (c) user commitment and stability, (d) elapsed time and (e) number of systems interfaces; (2) Medium-risk factors, which includes seven elements given to be (a) functional complexity, (b) number of user department, (c) newness of technology/vendor, (d) user experience of computers (e) the project team's experience of the user area, (f) newness of technology to the organisation, (g) number of vendor/contractors; (3) Low-risk factors, covering three elements listed to be (a) number of sites, (b) functional newness (c) number of project phases. Some other models include that of Parker et al (1988) and that of Cash et al (1992; also see Willcocks and Margetts, 1994, p.128).

While these approaches may be useful they are likely to fall short of offering a 'complete solution' to risks reduction (or avoidance) in the development and successful implementation of organisational ISs; they tend to lay emphasis on the feasibility (or initial) stage. But the initial stage which represents only a part of a coherent 'whole' in an IS project may be largely based on financial and statistical evaluation techniques that do not fully consider the human and business implications. Therefore, a problem-solving methodology which articulates an iterative learning process for both the organisational participants and the ISs analyst(s)/designer(s), then consider the various stages of the project may have a better potential in helping to reduce (or entirely avoid) the risks associated with all the stages (e.g. feasibility, design, development, implementation, training and use). The methodology suggested here is the anti-positivist paradigm of social inquiry and organisational analysis which is further discussed in the sections below.


The philosophies of positivism and anti-positivism in organisational inquiry draws upon the assumptions of conceptualising the nature of science by subjective - objective dimensions for social inquiry; while the assumptions about the nature of society can be thought of as regulation - radical change dimensions Burrell and Morgan (1994, pp.21-23). The positivist (or 'functionalist') perspective favours the application of models based on natural science (such as in physics, engineering or biological methods) to the study of human socio-cultural affairs and organisational analysis (ibid pp.25-28). In terms of the development and implementation of an IS the implication is that the systems analyst(s)/designer(s) plays the explicit role of an observer of actions. Soft Systems Methodology (SSM) clearly points out a breakdown in the application of the natural science approach (e.g. systems engineering) for a situation of problem-solving in social inquiry and organisational analysis. SSM suggests an implicit participation and articulates a learning approach to organisational inquiry and analysis (Checkland, 1981; Checkland and Scholes, 1990).

In the anti-positivist (or 'interpretive') approach to organisational investigation the researcher (or analyst/designer) is an active participants in the process with the relevant group in the organisation. This contrasts with the natural science approach in which the researcher (or analyst/designer) is an observer, external to the process. The concept (based on the philosophy of SSM) seeks individual consciousness and human participation in a situation of problem-solving as opposed to that of an observer of action. Equally, it favours basic meaning that underlies social life (Burrell and Morgan, 1994, p.31). With regards to information systems design, development and implementation the approach implies an understanding of the subjectively created world in the form of an ongoing process. Both the general form of phenomenology ('philosophical examination of the foundation of experience and action') and hermeneutics ('interpretation and understanding' of the context of our social environment in a manner akin to our interpretation and understanding of text) Winograd and Flores (1990, pp.9 and 27-8 respectively) have ontological commitment to the 'interpretive' paradigm for social inquiry and organisational investigation. In attempt to minimise risks in the development and implementation of ISs in an organisation Action Research (AR) strategy is suggested here as a means to enable the ISs researcher (or analyst/designer) to be implicitly and actively involved with the relevant group in the subject of investigation. Comprehensive details about AR are available elsewhere (see: Rapoport 1970; Foster, 1972; Susman and Evered, 1978; Hult and Lennung, 1980; Checkland, 1981; Checkland and Scholes, 1990). The original concept of AR is credited to Lewin (1946), who expresses concern that the traditional science approach to social inquiry was not helping to resolve critical social problems (Susman and Evered 1978, p.587).


Figure 4.1 represents an AR framework which may be employed in the process of minimising risks in ISs. The various stages (1 - 6) represent the life-cycle of an IS. The model recognises that: (a) organisations are not homogeneous but they are different and unique in many ways; (b) organisation clients (or managers) may not fully know what they want (in terms of ISs) for their businesses; (c) the assumption should not be made that all managers in organisations are capable of articulating their expertise. Therefore, the AR model is based on an iterative learning process and implicit participative problem-solving sessions between the organisation participants and the IS analyst(s)/developer(s) in order to effect change and reduce (or avoid) risks in an IS project. As shown in Figure 4.1, the AR stage (No. 2) has an iterative link with the stage above it (No. 1) and the majority of the stages below it (Nos. 3,4 and 5). With stage 6 inclusive the model is a single coherent 'whole' aimed at reducing ( or entirely avoiding) perceived risks in the various stages of an IS project. In most cases the effective involvement of the organisational participants from the initial stage to the final stage may result in little or no further serious training programme. If the approach is properly employed a minimum level of risks coupled with satisfactory performance may be expected in an IS project.

Figure 4.1 Possible Model of AR for Minimising Risks in ISs


In most situations of organisational management data required from managers (or business 'owners') which are associated with types of risk in ISs and business risk factors are often a mixture of quantitative and qualitative parameters (see section 2). The assumption that the business 'owners' (or clients) fully know what they want and can clearly articulate their needs or expertise may be an over ambitious expectation. The benefits derived from using AR may help to obtain suitable data as well as minimise risks in an IS development and implementation processes. Some of the possible benefits are enumerated below:

5.1 Bringing about change.

Experience in using AR shows that it has the potential to assist in identifying key elements of risks, business needs and data considered suitable for the development of an information system in the attempt to improve and simplify business decision making and operations. This involves investigation into what the managers may consider to be the main components of risks associated with profitably satisfying their customers' requirements as well as how to carry out such risk assessment/analysis in practice. The action methodology of research as a framework for inquiry in human activities has been suggested by many authors and practitioners (e.g. Lewin, 1946; Rapoport, 1970; Foster, 1972; Susman and Evered, 1978; Checkland, 1981; Wilson, 1984; Checkland and Scholes, 1990) The knowledge of this information about AR and personal experience of using it in the current IS project has contributed to considering it as a suitable approach that may help to bring about change and minimise risks in organisational ISs, if properly employed. Fundamentally, AR does not view human actors as objects of inquiry but as initiator of actions in their own right that can bring about changes (Checkland, 1989, pp.38-9).

5.2 'Reductionist' Character of the Positivist Approach.

Checkland (1989, p.36) writes that the application of the natural science approach to social inquiry is usually 'through controlled observation' with 'reductionist' ideas which yield 'testable public knowledge' rather than opinion. Similarly the positivist science approach places emphasis upon parts of a system by failing to consider the 'emergent properties' (Checkland and Scholes, 1990, pp.18-9; Stowell and West, 1994, p.135). However, AR recognises the significance of the 'whole' social structure of an organisation and attempts to treat a problem situation in that respect. This view appears to be in agreement with the notion of hermeneutics circle, as nature does not fragment the world into compartments (cf. Winograd and Flores, 1990, pp.30-33; Burrell and Morgan, 1994, pp. 237-8).

5.3 Collaborative Learning in Risk Assessment.

Action research philosophy proposes an iterative process of investigation and favours participative learning between the researcher (or analyst) and client (see: Lewin, 1946; Rapoport, 1970; Foster, 1972; Susman and Evered, 1978; Stowell, 1991). The concept is in concord with the notion of Soft Systems Methodology which articulates a process of inquiry that leads to action (Checkland, 1981; 1989; Checkland and Scholes, 1990). The integrative problem solving approach is considered a suitable means of reducing risks in ISs projects such that: (a) the 'owner' of the problem situation and the information systems researcher (or analyst/designer) can collaboratively work out the nature of the problem in a project of IS development, its implementation and how to go about resolving the entire problem situation; (b) the organisational participants and the researcher can be involved in the process of learning and improving the system under investigation at an early stage of the project, thereby creating a feeling of ownership and satisfaction for the clients and analyst(s). The process of learning which is likely to improve the mental image of both the analyst and the organisational participants is comparable to the idea of hermeneutics, phenomenology (Winograd and Flores, 1990; Burrell and Morgan, 1994) and Vickers' concept of appreciation (Vickers, 1965).

5.4 Integrating Theory and Practice.

The main concept of AR is that of combining theory with practice as the researcher acts on the social system. This has been shown to involve a cyclic process having five major stages: diagnosis, action planning, action taking, evaluating and specifying learning (see: Susman and Evered, 1978, pp.586-9; Stowell and West, 1994, p.128). The merging of theory and practice then subsequent reflection leads to an increased understanding of the problem situation, which may lead to appropriate action. The AR approach falls into the 'interpretive paradigm' as opposed to the 'functionalist' (positivist) paradigm of resolving organisational problem situations and it is capable of assisting in reducing (or entirely avoiding) risks in the development and implementation stages of organisational ISs.

5.5 Creating a More Desirable Information Systems.

In discussing the corrective measures offered by AR Susman and Evered (1978) note that 'the consequences of selected actions cannot be fully known ahead of time' (ibid p.590). This implies that in the development of an information system for an organisation, the researcher (or analyst/designer) should recognise that what the suitable system should be and how it should be developed to meet the client's needs must be deduced from the AR process itself and not assumed. An assumed 'what' and 'how' in the development of an information system is likely to lead to the creation of an unsatisfactory system which could even assault the very situation it is meant to improve or save.


The findings of the investigation presented in the paper indicate that risks associated with organisational ISs can in turn affect other business activities and risks factors in both product and service companies. Apart from the frustration it may cause to managers and other staff of the organisation there could be potential economic pitfalls in both the short and long terms. In some cases the commercial stability of the organisation may slide on a downward slope due to performance failures of the ISs which may in turn lead to inadequate customer satisfaction, hence the company's poor competitive edge in the market-place. The point has been made that due to human 'cultural differences' organisations are not homogeneous but they are different and unique in their own respect including the way they carry out their business activities. The major issues advanced in the paper are: (a) that IT has the capability to improve ISs if appropriately synchronised; but a risk assessment/analysis model focused mainly on the feasibility stage of an IS project rather than on the 'coherent whole' may not adequately minimise overall risks for an organisation; (b) that inadequate methodology employed by IT-systems analysts/designers in the development of an information system without suitable specifications to meet the business needs may lead to an unsatisfactory IS; (c) that AR strategy which considers a problem situation and articulates a learning process for both ISs analysts/designers and clients has the potential to reduce risks associated with ISs. It is worth noting that while computers may be good at processing data, only human beings make things 'happen' in an organisational environment and a suitable combination of human capability and IT potential may help to reduce risks in IS projects. The AR literature and model presented are capable of coping with both the 'soft' area of human activities and the 'hard' technological aspect of an IS project. It is rather too early to present full results based on the ongoing project (CIS/Compaq), however it is expected that the discussion put forward in the paper may prove useful to organisational managers and information systems analysts/designers in order to improve and simplify the development of ISs, with minimum amount of risks for organisations.


Appreciation and gratitude is offered to the following management personnel at Compaq Computer Manufacturing Limited, Bishopton, for their support in the ongoing project: (i) Procurement managers (Jean-Francois Baril; Gwen Wight); (ii) Senior Commodity Engineer (Ewan McGowan); (iii) Programme manager (Derek Boyd); (iv) Information Management Systems manager (Robert Sharpe ); (v) Manufacturing Director (Ian NcNair); (vi) Purchasing Specialist (Willie Scott); (vii) Marketing and Sales sector technical manager (William McGowan).


Brauers, W. K. (1986):
Essay Review Article: Risk, Uncertainty and Risk Analysis. Long Range Planning. Vol. 19, No.6, pp.139-43.

Burrell, G. and Morgan, G. (1994):
Sociological Paradigms and Organisational Analysis. British Library Cataloguing in Publication Data.

Cash, J; McFarlan W and McKenny, J (1992):
'Corporate Information Systems Management. Irwin, Boston, Massachusetts.

Checkland, P. B. (1981):
Systems Thinking, Systems Practice. Chichester; Wiley.

Checkland, P. B. (1989):
OR and Social Sciences: Fundamental Thoughts. In Jackson, M. C.; Key, P. and Cropper, S. A. (eds): Operational Research and the Social Sciences. publ. Plenum press, New York.

Checkland, P. B. and Scholes, J. (1990):
Soft Systems Methodology In Action. Chichester; John Wiley and Sons.

Corder, C. (1989):
'Taming Your Company computer'. McGraw-Hill, London.

Davenport, T. H. and Short, J. E. (Summer 1990):
The New Industrial Engineering; Information Technology and Business Process Redesign, Sloan Management Review, Vol. 31, pp.11-27

Foster, M. (1972):
An Introduction to the Theory and Practice of Action Research in Work Organisations. Human Relations, Vol.25, No.6, pp.529-556.

Hertz, D. B. and Thomas, H. (1983):
Risk Analysis Of Its Applications. Publ. J. Wiley, Chichester. pp.1109.

Hult, M. and Lennung, S. (1980):
Towards a Definition of Action Research: A Note and Bibliography. Journal of Management Studies, Vol.17, pp.241-250.

Lewin, K. (1946):
Action Research and Minority Problems. Journal of Social Issues, Vol.2, pp.34-46.

Margetts, H (1991):
'Information Technology in the public sector: new risks, new risks, dangers'. Paper presented at the ESRC/LSE Seminar series on Hazard Management, 'IT Development and Hazard Analysis' London, November.

Parker, M; Benson, R and Trainor, E. (1988):
Information Economics: Linking Business Performance to Information Technology. Prentice-Hall, Engleswood Cliffs, New Jersey.

Price Waterhouse (1992):
'Price Waterhouse Review 1992/3' Price Waterhouse,

Rapoport, R. N. (1970):
Three Dilemmas of Action Research. Human Relations, Vol. 23, pp.499-513.

Stowell, F. A. (1991):
Towards Client-led development of information systems. Journal of Information Systems, Vol. 1, pp.173-189.

Stowell, F. A. and West, D. (1994):
Client-Led Design: A systemic approach to Information Systems Definition. McGraw-Hill Information Systems, Management and Strategy Series. pp.250.

Susman, G. I. and Evered, R. D. (Dec. 1978):
An Assessment of the Scientific Merits of Action Research. Administrative Science Quarterly, Vol. 23, pp.582-603.

Vickers, G. (1965):
The Art of Judgement: A study of policy Making, London: Chapman and Hall, pp.36-74.

Willcocks, L (Ed) (1993):
'Of Capital Importance: Evaluation and Management of Information Systems Investments'. Chapman and Hall, London.

Willcocks, L, and Margetts, H. (1994):
'Risk Assessment and Information Systems', Engineering Journal of Information systems, Vol. 3, No.2, pp.127-138.

Willcocks, L. (1992):
'The manager as Technologist' (Willcocks, L and Harrow, J. Eds) In Rediscovering Public Services Management, McGraw-Hill, London.

Winograd, T. and Flores, F. (1990):
Understanding Computes and Cognition: A New Foundation for Design. Publ. Addison-Wesley.

A. J. Akomode is a Research Student at the University of Paisley


University of Paisley, 1996.