Modelo de la televisión dado por la normativa

One of the key objectives of this study was to evaluate the extent, practice and perception of risk awareness in the Abu Dhabi police and in the UAE. The findings show that in the UAE there is a general lack of understanding and failure to maximise the practice of IT risk management in relation to the understanding, usage and level of risk awareness. Risk management still appears to be considered a tick box process except by large organisations such as oil or construction companies which have project management processes embedded in their daily operations. Employees of such companies are more aware of risk than any other organisation. However this is consistent with evidence from the public sector including police organisations emphasising the compliance and tick box mentality which pervades many processes including risk management (Lapsley, 2009). This suggests that potentially conceptual development of risk awareness and management at national, cultural and organisational level is the collective responsibility of government policy makers, risk regulators and large business organisations. The findings further emphasise that all organisations have risk management standards implemented in one form or another, for example health and safety policy, however risk management in relation to IT systems was not well communicated. In addition senior management was acknowledged to be ineffective in cascading knowledge of risk management appropriately to staff at other levels of the hierarchy. This has significant implications as communication and information flows are

Page | 142 acknowledged as critical elements to enhance risk awareness (ECHA, 2010; Science Wise ERC, 2009). Effectiveness is underlined by dynamic interactive communication with key groups and audiences (Infanti et al., 2013) suggesting that the organisations are missing critical opportunities to raise risk awareness. Another crucial finding is that organisations which should have 100% risk awareness and management in place such as government disaster departments and smaller private IT companies are the least aware about risk procedures. This underlines the potential need to understand the specific contexts in which risk awareness is practiced in order to tailor and develop appropriate risk awareness strategies.

The results show that a diverse level of knowledge in relation to risk awareness and management is evidenced in the Abu Dhabi Police Force. Gaps in awareness were evidenced as detailed knowledge of risk management was weak. A key result highlights the substantially widespread belief in the sole responsibility of the IT department to address risk and risk awareness reinforced by the majority view that it is not each employee’s responsibility to assess organisational and IT systems risk. This perspective is potentially highly prejudicial to risk awareness as the findings in relation to risk awareness and the MERIT model emphasise the collective nature of risk responsibility and enhancing awareness. In terms of organisational practices to support risk awareness the results indicated a low level of implementation with limited extent of training while performance of risk assessment by the IT department was perceived as inconsistent and highly irregular.

Nevertheless the findings overall underline the major development in the AD Police over the past decade to address the security challenges faced by the country. This has witnessed progress towards a modernised e-police force working on a strategic, methodological and scientific basis. In conclusion, risk management is important for police organisations however the findings clearly show that they are yet to develop their risk management policies and programmes. Risk management should be integral to their strategy and operations and not implemented separately.

Page | 143 7.3 MERIT Model

A further key objective of the study focused on defining and exploring key elements of risk awareness based on a holistic theoretical framework composed of major areas of IT management. The central premise is that risk awareness levels in each of the areas of governance, compliance, enterprise, IT GRC, and risk management critically impact on the effectiveness of functions and the overall organisational success. Risk awareness within the MERIT model represents the central connecting underpinning dimension impacting on the effectiveness of the five other dimensions and which themselves have a significant iterative impact on risk awareness.

The findings from the Delphi Panel convened to identify and substantiate the components of the MERIT model demonstrate that a holistic approach is critical to enhancing IT risk awareness. The consensus expert view validated all five components of Governance, Compliance, Enterprise, IT GRC and Risk management within the MERIT IT systems risk awareness model. This confirms that individual and organisational risk awareness is dependent on these factors. The findings are consistent with Tarantino (2008) who emphasises governance, compliance and risk management as fundamental elements supporting risk awareness and Pohlman (2008) who argues the importance of all five factors.

The findings notably provide support for the integral role of governance in risk management, acknowledged to derive from its function in applying and enforcing the accountability and responsibility necessary in organisational processes and culture. The validation of governance as an important risk awareness variable is not unexpected as Cavalcanti (2014) notes that governance is a key tool for connecting the structures and processes of an enterprise. Evidence shows that the presence of strong governance can significantly enhance risk awareness and communication supporting an enterprise-wide culture of risk-awareness (EIU, 2013). Governance is therefore critical to embedding a risk culture which can impact the level and effectiveness of risk awareness and in turn impact effective management of risk.

The findings show that application of governance potentially facilitates implementation of compliance as these two functions usually overlap each other due to organisational policy and regulatory requirements such as international standards for quality reporting. This suggests an interconnected element among the components in which the correct order of implementing the MERIT model would be governance  compliance  enterprise  IT GRC and

over-Page | 144 arching risk management process of identification – assessment – monitoring and control.

This aligns with evidence from the EIU (2013) which shows that governance improves the coordination of functions essential to the promotion of risk awareness such as risk management and compliance.

This point further underlines that the relationship between the five dimensions of the MERIT model and risk awareness are highly intertwined. The results evidence a level of awareness of the interdependence of the risk factors in the MERIT model. Each contributes a perspective and focus in terms of raising awareness. Each component of this model is vital in promoting risk awareness and is in turn enhanced through enhanced risk awareness. On the one hand a key relationship between risk awareness and these dimensions is that awareness serves as a trigger in identifying and mitigating risks. At the same time the inherent processes can serve to enhance risk awareness that in turn feeds back into the cycle.

The findings point to the importance of enterprise-wide dimensions for promoting risk awareness on both an individual and organisational level. Risk awareness can enhance the ability of employees to differentiate between various risks, their contexts and their impacts.

Promoting an enterprise approach to risk awareness further maximises the potential of tacit knowledge flows between individuals in different departments to promote understanding of issues and risks.

A number of studies provide significant support for the methods used to confirm and empirically validate the components of the MERIT IT risk awareness model. The use of risk management experts as in the Delphi method used in the present research is highly effective as it can combine both qualitative methods involving interpretative data and quantitative methods utilising statistical data. Al-Shehab (2007) investigated risk management methods, identification, control and mitigation in information systems projects to understand the reasons for the high number of information systems project failures involving experts and using a similar combination of qualitative and quantitative data. The proposed CorMod model contains strategies and techniques to model, analyse and simulate project factors relating to risk. Al-Shehab notes that, “expert opinion, together with a shared and highly visible model, plus the inherent facility for coherent group working, is shown to add

Page | 145 significantly to the capabilities of project stakeholders in understanding risk models, and therefore in mitigating risk.”

Al-Shehab’s (2007) use of experts concurs with the MERIT IT Risk model and its use of the Delphi Panel to derive quantitative measures of risk awareness. While identification and measurement of risk factors is necessary for risk management it is not sufficient and input from human expert views is significant. The MERIT risk management model identifies with a view to facilitating measurement of significant variables in enterprise risk management, but unlike other studies it deploys the Delphi method to use experts to provide a consensus view on risk management.

Ikram’s (2000) study of information systems development projects found that claims in the literature about project management were not confirmed empirically. The study reveals that there is a lack of ‘rigorous research into Risk Management’ and risk management is not a common practice in information systems development projects, with little positive effect of risk management on practice. While Ikram’s proposed ‘socio-technical model’ of risk management makes a valuable contribution by using multiple perspectives it is qualitative in nature. It traces the causes of risk to social and technical factors. The Delphi panel of experts in the present research empirically confirms that risk awareness is low among employees in enterprises, showing a value of zero (0). This kind of measurable value is more tangible and can be the impetus for immediate action to mitigate risk.

Qualitative knowledge of risk management improves our knowledge of the nature of risk but it does not improve our knowledge of how to measure and mitigate risk and provide a gauge on the levels of risk management achieved by organisations. The facility to measure risk awareness is a valuable contribution of the MERIT risk awareness model to the knowledge of risk management. Measurement is necessary to improve the quality of risk management through evidence.

Kutsch’s (2005) study shows that risk awareness among IT systems development project managers is low, as, “project managers tended to deny, avoid, ignore risks and to delay the management of risk.” He found that ‘IT project managers were unaware of risks’ and considered them beyond their scope of influence. More alarmingly, he found that “IT project managers preferred to let risks resolve themselves rather than proactively engaging with

Page | 146 them.” In terms of practice, Kutsch’s (2005) study is a quantitative explanation of risk management interventions in IT systems development projects and it does not provide the intervention tools.