Information Systems Frontiers, Volume 13, Issue 4, pp 595–611

RiskM: A multi-perspective modeling method for IT risk assessment

  • Stefan Strecker
  • David Heise
  • Ulrich Frank


Stakeholder involvement and participation are widely recognized as being key success factors for IT risk assessment. A particular challenge facing current IT risk assessment methods is to provide accessible abstractions on matters of IT risk that attend to both managerial and technical perspectives of the stakeholders involved. In this paper, we investigate whether a conceptual modeling method can address essential requirements in the IT risk assessment domain, and which structural and procedural features such a method entails. The research follows a design research process in which we describe a research artifact, and evaluate it to assess whether it meets the intended goals. In the paper, we specify requirements and assumptions underlying the method construction, discuss the structural specification of the method and its design rationale, present a prototypical application scenario, and provide an initial method evaluation. The results indicate that multi-perspective modeling methods satisfy requirements specific to the IT risk assessment domain, and that such methods, in fact, provide abstractions on matters of IT risk accessible to both a technical and a managerial audience.


IT risk assessment, Enterprise modeling, Meta modeling, Design science research



The authors would like to thank the anonymous referees for their constructive comments that greatly helped improve the paper. We would also like to thank Arne Weuster for his support and Jens Gulden for valuable comments on an earlier version of the manuscript.



Copyright information

© Springer Science+Business Media, LLC 2010

Authors and Affiliations

  1. Institute for Computer Science and Business Information Systems, University of Duisburg-Essen, Essen, Germany
