Risk Service Engineering: Informationsmodelle für das Risikomanagement

Problem: The pivotal role of information technology in modern business processes highlights the importance of managing the associated risks induced efficiently. Since mitigating such risks always requires a trade-off between the technological possibilities for risk control, their organizational suitability, and their economic feasibility, risk managers need to obtain and maintain business support for realizing risk controls. Hence, when designing new risk controls, risk managers are increasingly required to systematically show the business value of the proposed initiatives. Methodology: This research is based on the methodological foundation of design-oriented research in Information Systems Research, in particular method engineering. The author outlines and subsequently applies a theory-guided construction process that facilitates incorporating the existing theoretical and practical knowledge base as well as documenting the main design decisions. This construction process results in design principles that apply theories from the areas of risk research and information visualization. Results: This thesis proposes a conceptual modeling method that supports risk managers in systematically developing risk controls. At the heart of the method lies the concept of risk services as specific services that secure the value proposition of corporate information management. Subsequently, the modeling facilitates risk managers in the process of risk service engineering, i.e., it allows risk managers to visualize and resolve conflicting requirements regarding technical possibilities of risk services, their organizational stability and economic necessity. Theoretical implications: The fundament of the design research process is derived from a critical analysis of existing approaches to risk management. In particular, the author questions the predominant focus on identifying and analyzing risks. Based on a multidisciplinary analysis of existing research on risk management, we suggest focusing on potentially available risk controls and their mitigation effects and impacts on business processes. Practical implications: The author shows that by modeling risk services, risk managers are able to develop business value-oriented arguments that provide rationale for managerial decisions in risk management. Additionally, the author outlines how to incorporate existing knowledge on risk controls and their effects in the risk service engineering process. Furthermore, the method enables risk managers to systematically identify and resolve unintended effects of risk services. Outlook: The proposed modeling method requires an effective information logistics. Hence, further research could focus on integrating existing information management functions such as IT service management as well as decision support functions such as IT controlling. Furthermore, we show the importance of effective information visualization. Thus, further research may advance the suggested way of visualizing risk services as well as explore new forms of information visualization