‘The Digital Wild West’: Managing the Risks of Digital Disruption

Marian Carcary and Eileen Doherty

Innovation Value Institute, Maynooth University, Ireland
Marian.carcary@nuim.ie
Eileen.doherty@nuim.ie

Abstract: Digital transformation requires entire organizations to change their traditional ‘modus operandi’ - reinvent their
business models and business processes, rethink skill sets and investment strategy, and continuously learn from business
ecosystem interactions. While these changes afford organizations significant value realization potential, the positioning of
digital technology as central to the business and how it operates and generates revenue, proliferates the risks
organizations may face. Digital risks encompass traditional IT risk categories (e.g. strategic, operational, financial) and an
expanded set that are more specific to the transformational changes brought about by new and emerging technologies
(e.g. industry displacement as a result of adopting a digital laggard stance). As distinct from a traditional mind-set where
organizations are more risk averse, in the digital landscape digital leaders typically exemplify a higher tolerance and
appetite for risk. However, despite the existence of multiple risk categories and a more ‘risk on’ attitude to technology,
43% of organizations in a recent survey did not recognise the risks of digital disruption or had not effectively addressed
them. Organizational investments in, and approaches to, risk management are not keeping pace with digital
transformation risks. However, given the changes brought about by digital transformation, it is recognized that
organizations need to reconceptualise how they approach the management of risk. An organizational culture that
embraces more entrepreneurial and active risk-taking behaviour in digital programmes must be balanced with the use of
proactive risk management approaches that minimize the potential downside of risk exposure. This paper presents a
review of pertinent literature, and discusses core learnings in relation to managing the risks of digital transformation.
Based on literature analysis and insights gained from engaging with industry and academic thought leaders, it
conceptualises a model that may be used to develop a digital risk management capability and support effective digital risk
management. This model aims to serve as a basis for testing and further development in a future industry/academia
collaborative research project and serves to provide practical guidance to organizations in managing digital risk.

Keywords: Digital transformation, digital risk management, digital risk management model, IT-CMF.

1. Introduction
The advent and proliferation of new and emerging technologies such as social media, cloud computing, big
data and analytics, wearable devices, 3D printing, and intelligent autonomous systems, are profoundly
changing the strategic context of organizations: changing the structure of competition, business strategies,
business processes, organizational capabilities, products and services, inter-organizational relationships, and
ultimately, the nature of entire industries (Bharadwaj et al, 2013; Fichman et al, 2014). Innovative examples of
digitization are prevalent across many aspects of the corporate value chain with many senior executives
indicating that achieving digital transformation is critical to their organization’s survival. However, one of the
key challenges in embracing digital transformation is the fact that it impacts every function and business unit.
According to Peppard et al (2014), it is recognized that IT “can shape business models and is embedded in
customer interactions and experiences; business operations and supply chains; products and services, and in
relationships with regulators and investors” (Peppard et al, 2014 p3). Consequently, digital transformation
requires an organization to evolve its business models, reinvent its business processes, re-think its skill sets
and investment strategy, and continuously engage with and learn from interactions across the wider business
ecosystem. These fundamental changes to an organization’s traditional operations, together with the rapid
evolution of technological advances expose an organization to a landscape of unprecedented risk that cannot
be effectively managed using traditional risk management approaches.

This paper examines how the management of risk in the digital landscape should be re-conceptualised. Based
on a literature review, it discusses the changing nature of risk and risk management in the digital business
context. Based on the key issues uncovered through this review as well as insights gained from industry
practitioners and academic researchers in a collaborative development of a risk management capability
maturity model using a design science approach, this paper puts forwards a conceptual model for a strategic
enterprise approach to digital risk management. The structure of this paper is as follows: Section 2 provides
contextual background to digital risk management in the form of a literature review. Section 3 outlines the
methodological approach adopted. Section 4 presents the conceptual model, while section 5 presents
discussions, conclusions, and avenues of further research.

29
 Marian Carcary and Eileen Doherty

2. Literature Review

2.1 The changing nature of risk in the digital business context

Digital business transformations are characterized by significant risks and uncertainties, where risk relates to
the potential loss traceable to IT/digital assets and digitally enabled managerial and operational processes
(Sambamurthy and Zmud, 2012). One third of business leaders in a 2013 survey of 147 CEOs strongly agreed
that technology-related risks to the business were increasing (Raskino and Lopez, 2013). Risks are complex
concepts, immerged within an environment, and dependent on time and the logical relationships and
interrelationships with other objects (Sienou et al, 2010). Factors such as the pervasiveness of and reliance on
technology, rapid enabling technology advances, greater organizational connectivity, dissolving organizational
boundaries, customer power, and information velocity and density increase the complexity of the digital
environment, and give rise to greater ranges, scales, and frequencies of digital attacks and amplification of
their impacts on business operations (Cearley et al, 2015). Referring to the occurrence of security-related
intrusions, Sambamurthy and Zmud (2012) outlined that “the interconnected nature of today’s business
environment results in ripple effects …, severely affecting organizations distant from (and seemingly unrelated
to) the early targets”.

Numerous IT-related risks have been discussed in the literature (for example Geraldi et al, 2010; Hussain et al,
2007a; 2007b; Karlsen et al, 2005; Luftman and Kempaiah, 2007; Lee and Baby, 2013; Sambamurthy and Zmud,
2012). Digital risks encompass traditional IT risk categories and an expanded set that are more specific to the
transformational changes brought about by new and emerging technologies. They include, for example,
strategic, operational, financial, technical, programme/project delivery, data/information, reputation and
brand, political, legal and regulatory, supply chain/business ecosystem, new business models and business
processes, conduct, and disruptive technology implications. A further risk is that of adopting a digital laggard
stance whereby organizations may become irrelevant or may even be displaced in their industries by fast-
moving digitally enabled players (Bradley et al, 2015; ). Despite the existence of the above multiple risk
categories, in a recent survey 43% of organizations did not recognise the risks of digital transformation or had
not effectively addressed them. Approximately, one third of respondents adopted a ‘wait and see’ approach,
with the aim of emulating the risk management approaches of successful competitors (Bradley et al, 2015).

Industry and academic reports outline that a significant liability in effectively exploiting digital assets is the
existence of organizational structures, incentives, or culture that discourage adaptability or risk taking
(Fitzgerald et al, 2013; Sambamurthy and Zmud, 2012). 18% of respondents to a 2013 MIT Sloan and
CapGemini Consulting survey stated risk aversion as the most significant cultural barrier to their organization’s
digital transformation journey (Fitzgerald et al, 2013). Traditionally organizations tended to be more risk
averse with a predominant focus on risk and cost minimization, internal performance, metrics, and standard
waterfall processes (Colella et al, 2014), and this mind-set still prevails in organizations termed as ‘digital
laggards’. Some suggest that organizational/IT management essentially need to simultaneously operate in two
worlds: “the world of tight cost management, slow-moving, risk minimization and incremental improvement of
old IT versus the new world of entrepreneurial and creative risk-taking, fast-moving, leading-edge digital”
(Raskino, 2014).

In the rapidly changing digital business landscape, digital leaders have a higher tolerance and appetite for risk.
CEOs/CIOs with a more “risk-on” attitude to technology (Raskino, 2014) engage in risk-taking actions,
experimentation and digital business innovation using exploratory, fail fast approaches to identify the key
opportunities for the future (Bradley et al, 2015;). Such risk-taking behaviour, however, must be balanced with
the use of proactive risk management approaches that minimize the potential downside of risk exposure. An
organizational culture that embraces and supports more entrepreneurial and active risk-taking (and proactive
risk management) in digital programmes is characteristic of higher organizational performance. In a 2015
McKinsey survey, for example, 65% of digital leader organizations had a high tolerance for risk or bold
initiatives and over half had changed the risk profiles of their corporate business portfolios in response to
digital trends. In contrast, among average digital performers 70% of respondents did not see support for risk
taking (Rickards et al, 2015). While this cultural shift may come more naturally to “born digital” organizations,
for others the path to digital transformation is more challenging.

30
 Marian Carcary and Eileen Doherty

2.2 Effective risk management in the digital business context

Effective digital risk management serves two objectives: 1) establishing awareness and a common
understanding across organizational stakeholders regarding the nature of digital risks, and 2) establishing
programmes to ensure risks are effectively addressed by relevant individuals (Sambamurthy and Zmud, 2012).
However, organizational investments in, and approaches to, risk management are not keeping pace with the
risks of digital transformation. Only 25% of business leader respondents to a recent survey adopted proactive
approaches to managing digital disruption (Bradley et al, 2015). Given the changes brought about by digital
transformation however, it is suggested that organizations need to reconceptualise how they approach the
management of risk as opposed to continuing with traditional approaches to risk management. In this sense,
organizations should focus on developing a risk management capability (Carcary, 2012; 2013; Sambamurthy
and Zmud, 2012) that provides the organization with the ability to rapidly and dynamically respond to digital
disruptions, and agilely sense and manage unexpected risks. Relative to practices for prioritizing and mitigating
known and expected risks, agility to sense and respond to unknown and unexpected risks is increasing in
importance (Lee and Baby, 2013). The move towards a risk management capability draws on the work of
Peppard and Ward (2004) who argue for the move towards the development of an IT capability in order to
leverage greater value from IT. A capability can be defined as an organization’s “ability to perform a set of co-
ordinated tasks, utilizing organizational resources, for the purposes of achieving a particular end result” (Helfat
and Peteraf, 2003).

As a key aspect in developing a risk management capability, digital risk needs to be a focus area of the
corporate board’s agenda. Corporate board level involvement can set the mandate for the organization’s risk-
taking propensity. Communication from senior management should direct each individual employee in being
cognisant of risk management, as in the event of a breach of the organization’s preventive and detective
barriers, the actions of employees become the last line of defence (Sambamurthy and Zmud, 2012).
Consequently, organizations need to develop comprehensive employee-directed risk management education
as part of their IT risk management programmes (Sambamurthy and Zmud, 2012), and build on competences
such as decision-making, and enhance organizational awareness and a business results orientation, in order to
facilitate employee decision-taking on risk (CEB, 2015a). At an individual employee level, CIOs need to reflect
risk management as a key improvement area in their individual and team’s performance plans with success
being measured in how well the team responds to risk i.e. its resilience, as opposed to how well its prevent
issues from occurring. The link to employee performance appraisals is important, as employee noncompliance
with IT-related risk problems is regarded as a growing concern (Sambamurthy and Zmud, 2012).

Corporate governance needs to be redefined to meet the requirements and demands of the digital business.
Organizations need to evolve from a focus on IT governance and a tactical information security focus to
enterprise digital governance and enterprise accountability i.e. establishing cross-functional responsibility for
effectively and efficiently leveraging digital technology in support of the organization’s goals (Accenture, 2014;
Sambamurthy and Zmud, 2012). Organizational structures need to reflect a separation of the operational
aspects of risk management from governance-related aspects, with a distinction being made between those
who own risk decisions, those who provide risk assessments, and those who audit risks, yet these should
simultaneously work together (CEB 2015b). Clear ownership should be assigned and accountability shared for
risk management, with both business and IT leaders assuming responsibility. It is the responsibility of those
risk owners to establish specific policies and standards for the risk area, to regularly assess the risk, and
manage associated risks (Sambamurthy and Zmud, 2012).

A clear understanding of the organization’s risk tolerance and the evolving risk landscape is required.
Approaches to risk management need to be driven by the organization’s appetite for risk, as this
understanding enables an organization to balance the need to protect the organization and the need to
effectively run and grow the business (Cearley et al, 2015). Typically, organizations need to shift from a mind-
set that regards all risk as bad to an attitude to taking appropriate risks in order to realise super normal profits.
According to Sambamurthy and Zmud (2012), “the real challenge is to balance the necessity to secure an
organization’s computer systems, communication systems, and information systems against the necessity for
the organization to apply IT productively and creatively in executing and evolving the organization’s business
models in the face of an ever-changing competitive environment”.

31
 Marian Carcary and Eileen Doherty

Established and reliable risk management approaches, compliance with legal and regulatory requirements
(Prentice and McGee, 2013), and comprehensive digital risk management strategies that reflect a range of risk
responses are required. Digital risks, by their nature, are dynamic - characterized by continuous changes in the
external environment. Hence, their management needs to be dynamic and involves coordination of numerous
internal elements such as people, processes, and technology in dealing with this dynamism (Lee and Baby,
2013). Risks needs to be continually monitored and evaluated as risks change and technologies evolve (Cearley
et al, 2015), and risk responses need to be matched to the magnitude of the risk posed to the organization and
the particular needs of individual operating units (Sambamurthy and Zmud, 2012). In order to drive effective
digital transformations, risk management approaches typically need to be proactive, agilely focus on business
outcomes, reflect a phased containment approach to control risk execution in short sprints (Colella et al, 2014;
Lee and Baby, 2013), and balance the potential severity of the risks with the need for businesses to innovate
and seize IT-related/digital opportunities (Cearley et al, 2015).

A direct alignment exists between digital risk and the organization’s strategic business goals, hence risk
management policies, procedures and programmes need to be linked to the organization’s strategy, objectives
and culture (Sambamurthy and Zmud, 2012). As distinct from traditional approaches where the IT strategy was
perceived as a subservient functional-level strategy that needed to be aligned with the overall business
strategy, more recently digital technologies have helped reshape traditional business strategy, as modular,
distributed, and cross-functional, that enables work to be carried out across boundaries of time, distance, and
function (Bharadwaj et al, 2013; Ettlie and Pavlou 2006; Kohli and Grover 2008; Rai et al. 2012; Sandberg
2014). In essence traditional IT and business strategies are coherently integrated. As such, in integrating risk
management programmes with the organization’s strategies, a sole focus on minimizing technical risk is
inadequate for engaging in digital transformation (Sambamurthy and Zmud, 2012). Organizations need to
broaden the IT conversation beyond the IT function and eliminate a command and control mentality towards
IT operations and decisions. A more strategic, enterprise-wide approach, with a focus on business exposures is
required. Due consideration must be given to encouraging partnerships between technical and business
managers, and digital risk management practices must further consider the wider business ecosystem and
the management of risks pertaining to the entire supply chain. Greater communication, collaboration and co-
operation across departments are required to address digital risks, as well as a partnership-type approach with
suppliers, partners, and external agencies (Sambamurthy and Zmud, 2012). Hence, business partner
understanding of risk versus reward trade-offs needs to be improved, and risk management processes need to
be more customer friendly for business partners in order to facilitate business risk owners in making risk
decisions (CEB, 2015).

3. Methodological approach
This paper puts forward a conceptual model for managing risk in the digital business context. The model is
based on insights gained in a collaborative workgroup setting of industry practitioner and academic researcher
subject matter experts who co-developed and tested a capability maturity model for IT risk management
(Carcary, 2012; 2013) using a design science approach (Hevner et al, 2004; March and Smith, 1995; March and
Storey, 2008). Design science is a problem solving paradigm that involves building and evaluating innovative
artifacts in a rigorous manner to solve complex, real world problems, make research contributions that extend
the boundaries of what is already known, and communicate the results to appropriate audiences (Hevner et al,
2004; March and Smith, 1995; March and Storey, 2008). The risk management capability model developed
through a collaborative design science approach was one of 35 critical capabilities for improving the
management of IT, encompassed within version 1.0 of the IT Capability Maturity Framework (Carcary, 2011;
Curley, 2004; Curley et al, 2015). IT-CMF is an action-oriented IT capability toolset of 35 IT-related critical
capabilities developed by the Innovation Value Institute (IVI) research consortium. Each capability of IT-CMF is
decomposed into a series of categories and associated capability building blocks, and for each capability, a
series of management insights, maturity roadmaps, assessment instruments, and improvement guidelines has
been developed. The framework’s five-level maturity curve, ranging from initial to optimizing, enables
organizations to systematically assess and understand their current IT capability maturity, strategically
prioritize specific capabilities, and move toward their desired target maturity state (Curley et al, 2015; Carcary
et al, 2015).

The insights pertaining to IT risk management gleaned in this workgroup setting and in feedback through
testing the model in multiple organizations were combined with the learnings taken from the above literature

32
 Marian Carcary and Eileen Doherty

review, with the aim of putting forward an updated view of risk management in the digital business context.
IVI is currently in the process of updating the IT-CMF body of knowledge to develop and increase its relevance
to the continually evolving digital environment. Hence, the conceptual model put forward in this paper will
form the basis for updating the aforementioned risk management critical capability in version 2.0 of IT-CMF.

4. A conceptual model for digital risk management

A review of the academic literature indicates a paucity of models that support a holistic approach to managing
digital risk. Much work to date focuses on specific components of risk management. As a number of examples:
ƒ Hussain et al (2007a; 2007b) defined a failure scale to quantify the failure of risk based decision-making in
the interactions of digital ecosystem participants.
ƒ Sienou et al (2010) focused on the modelling of risk in an organizational context through the application of
a graphical modelling language for risk driven business process management.
ƒ Lee and Baby (2013) in their study of dynamic risk in global IT projects aimed to understand the dynamic
interactions among the multiplicities embedded in both internal and external elements of such projects
and, based on the principles of service oriented architecture, established a set of agile management
strategies for mitigating those risks.
ƒ Sambamurthy and Zmud (2012) argued that effective risk management involves 3 core elements: risk
planning (e.g. identifying and categorizing risks, assigning risk owners), risk assessment (e.g. estimating
risk exposure), and ongoing risk control (e.g. ongoing monitoring and determining risk response
strategies).
As such, the authors argue that in addition to gaining insights with respect to specific aspects of digital risk
management, organizations initially need a solid understanding of how to holistically approach the
management of digital risk. A key contribution of the below conceptual model is in offering organizations an
overarching view of all issues they need to consider and the relationships between them, in a comprehensive
digital risk management approach (based on insights from academic and practitioner literature, and
informants insights in development of the aforementioned IT-CMF v1.0 risk management capability model).

The conceptual model developed is based on the premise that in order to effectively address the risks of digital
transformation, organizations need to establish an effective risk management capability that balances the
potential severity of IT-related/digital risks with the need for businesses to innovate and seize IT-related/digital
opportunities, and reduces the frequency and the severity of IT-related/digital risks negatively impacting the
organization’s business operations. The key activities involved in effectively managing the risks of digital
transformation are reflected in the conceptual model in Figure 1, which outlines a strategic enterprise
approach to digital risk management and to developing a digital risk management capability.

The conceptual model outlines that in managing digital risk organizations need to:
ƒ Establish enterprise digital governance structures and corporate board/senior management direction on
risk management.
ƒ Establish and implement appropriate digital risk management strategies and policies that align with the
business strategy, and increase compliance with legal and regulatory requirements relating to IT
deployment and use.
ƒ Understand the organization’s risk appetite/risk tolerance.
ƒ Increase organizational awareness of digital risk management across all stakeholders through senior
management led communication activities.
ƒ Build employee competences to facilitate risk decisions, and assess their performance in relation to risk
management in individual and team performance plans.
ƒ Identify digital risk management roles, and assign ownership, responsibility and shared accountability for
risk avoidance across business and IT leaders.
ƒ Establish collaborative, partnership type relationships between IT and business leaders and business
ecosystem partners in order to effectively manage risk across the entire value chain.
ƒ Establish risk management approaches or processes that are proactive, agile, and balanced. Identify,
profile, and continually assess and prioritize the IT-related/digital risks that present vulnerabilities to the
entire organization and the wider business ecosystem, determine appropriate risk treatment/responses to

33
 Marian Carcary and Eileen Doherty

risk disruptions in alignment with the organization’s risk appetite, and monitor the effectiveness of the risk
responses.
ƒ Monitor ongoing changes in the risk landscape and any technological advances, and proactively sense and
respond to unexpected/unforeseen risks.
Figure 1: Strategic Enterprise Approach to Digital Risk Management

5. Discussion and Conclusions

Digital transformation requires an organization to rethink the role of IT within its organization, and effectively
regard it as a central enabler of its day-to-day operations. However, rapid advances with respect to new and
emerging digital technologies increases the potential risk of digital transformation, requiring organizations to
rethink their approach to digital risk management. The conceptual model outlined in section 4 identifies the
key fundamental issues that an organization should address in order to effectively balance the magnitude of
risk with the need to capitalise on the opportunities of digital transformation. One of the most critical mind-set
shifts is that of evolving the practice of IT-related risk management from an IT function-centric activity to an
enterprise-wide activity, with shared ownership, responsibility and accountability across IT and business
functions leaders, as well as greater engagement and collaboration with broader business ecosystem partners.
The mandate for this change needs to be set by the Corporate Board who drives a shift from IT governance to
enterprise digital governance. A further fundamental shift in the digital business context is an evolution of
many organizations risk taking propensity, with a shift from a traditional risk averse attitude to a more
entrepreneurial and active risk-taking approach to technology to identify and capitalise on opportunities for
the future. Consequently, organizations now need far more proactive approaches to risk management in order
to minimize the potential downside of risk exposure – these approaches need to be sufficiently agile to sense
and respond to continually evolving and unknown or unexpected risks, whilst balancing the trade-off between
potential loss and potential benefit.

While this model is based on a review of pertinent digital literature, given the volume of existing and emerging
literature dedicated to the topic of digital transformation, the review cannot be exhaustive. While the model
presented is based on the analysis of this literature combined with the insights of subject matter experts, the
resultant model is not further substantiated by primary research in this paper. As an avenue of further

34
 Marian Carcary and Eileen Doherty

research, researchers are invited to validate the components of the conceptual model identified via both
qualitative and quantitative means.

In addition, the output of this paper will serve as the first step in the development of an updated critical capability maturity
model for digital risk management as part of IT-CMF v2.0. This further research will be undertaken through collaboration
with industry practitioners and academic researchers using a design science approach. The output from this research will
include a detailed digital risk management body of knowledge reflecting key definitions, capability building blocks, maturity
profiles across five maturity levels and maturity assessment tools, and a series of practices, outcomes and metrics/key
performance indicators to support an organization’s transition to a higher maturity state. Further, transition to higher
maturity states will be supported through the development of numerous artefacts, including for example:
ƒ A strategic digital risk management plan template to consider all relevant risks alongside the business
strategy.
ƒ A digital risk management policy template to define, for example, the scope and objectives of the digital
risk management activities, the organization’s risk appetite and the level of acceptable risk, mechanisms
and procedures for risk management, protocols for risk reporting and communication, and training
priorities.
ƒ A risk register template to record known risks associated with IT, including estimates of their potential
impact and likelihood, risk treatment options, and risk owners, and to track the effectiveness of the risk
treatment approaches over time.
ƒ A risk dashboard providing summary reporting, spotlight reporting, and trend analysis.
ƒ A heat map to periodically identify risk areas and to assess the robustness of systems in place to mitigate
those risks.

References
Accenture (2014). Accenture Technology Vision 2014. Every Business is a digital business. From digitally disrupted to digital
disrupter. Accenture.
Bharadwaj, A., El Sawy, O.A., Pavlou, P.A. and Venkatraman, N. (2013). Digital business strategy: toward a next generation
of insights. MIS Quarterly, 37, (2), p471-482.
Bradley, J., Loucks, J., McCaulay, J., Noronha, A., and Wade, M. (2015). Digital vortex - how digital disruption is redefining
industries. Global Centre for Digital Business Transformation.

Carcary, M. (2011). Design science research: the case of the IT Capability Maturity Framework (IT-CMF). Electronic Journal
of Business Research Methods. 9, (2), p109-118.
Carcary, M. (2012). Developing a framework for maturing IT risk management capabilities. In Proceedings of the 6th
European Conference on Information Management and Evaluation. Cork. 13th-14th September 2012.
Carcary, M. (2013). IT risk management: A capability maturity model perspective. Electronic Journal of Information Systems
Evaluation. 16, (1), p3-13.
Carcary, M., Doherty, E., and Thornley, C. (2015). Business innovation and differentiation: maturing the IT capability. IEEE IT
Professional, 17, (2), 46–53.
Cearley, D.W., Walker, M.J., and Blosch, M. (2015). The top 10 strategic technology trends for 2015. Gartner.
CEB (2015a). IT Quarterly - Spotlight on business engagement. Corporate Executive Board.
CEB (2015b). IT Quarterly - Spotlight on IT clock speed. Corporate Executive Board.
Colella, H., Nunno, T., Rowsell-Jones, A. and Mesaglio, M. (2014). Three steps to successfully implementing bimodal-aware
IT governance. Gartner.
Curley, M. (2004). Managing Information Technology for Business Value. Practical Strategies for IT and Business Managers.
Intel Press.
Curley, M., Kenneally, J., and Carcary, M. (eds) (2015). The Information Technology Capability Maturity Framework (IT-
CMF) – The Body of Knowledge Guide. Van Haren.
Ettlie, J., and Pavlou, P.A. (2006). Technology-based new product development partnerships. Decision Sciences. 37, (2),
p117-148.
Fichman, R., Santos, B. and Zheng, E. (2014). Digital innovation as a fundamental and powerful concept in the Information
Systems curriculum. MIS Quarterly. 38, (2), p329-353.
Fitzgerald, M., Kruschwitz, N., Bonnet, D. and Welch, M. (2013). Embracing digital technology - a new strategic imperative.
MIT Sloan and CapGemini Consulting.
Geraldi, J, Lee-Kelley, L. and Kutsch, E. (2010). The Titanic sunk, so what? Project manager response to unexpected events.
International Journal of Project Management. 28, (6), p547–558.
Helfat, C.E., and Peteraf, M.A. (2003). The dynamic resource-based view: capability lifecycles. Strategic Management
Journal, 24, (10), p997-1010.
Hevner, A., March, S. and Park, J. (2004). Design science in Information Systems research. MIS Quarterly. 28, (1), p75-105.

35
 Marian Carcary and Eileen Doherty

Hussain, Q., Chang, E., Hussain, F. and Dillon, T (2007a). Ascertaining risk in financial terms in digital business ecosystem
environments. In Proceedings of 2007 Inaugural IEEE International Conference on Digital Ecosystems and Technologies.

Hussain, Q., Chang, E., Hussain, F. and Dillon, T (2007b). Quantifying failure for risk based decision making in digital
business ecosystem interactions. In Proceedings of the 2nd International Conference on Internet and Web Applications
and Services. Morne, 13th-19th May. IEEE.
Karlsen, J., Andersen, J., Birkely, L. and Ødegård, E. (2005). What characterizes successful IT projects? International Journal
of Information Technology and Decision Making. 4, (4), p525–540.
Kohli, R., and Grover, V. (2008). Business value of IT: an essay on expanding research directions to keep up with the times.
Journal of the Association for Information Systems. 9, (1), p23-39.
Lee, O. and Baby, D. (2013). Managing dynamic risk in global IT projects: agile risk management using the principles of
service-oriented architecture. International Journal of Information Technology and Decision Making. 12, (6), p1121-
1150.
Luftman, J. and Kempaiah, R. (2008). Key issues for IT executives. MIS Quarterly Executive. 7, (2), p99–112.
March, S. and Smith, G. (1995). Design and natural science research on information technology. Decision Support Systems
15, (4), p251–266.
March, S.T. and Storey, V.C. (2008). Design science in the Information Systems discipline: an introduction to the special
issue on design science research. MIS Quarterly. 32, (4), p725-730.
Peppard J. and Ward J. (2004). Beyond strategic information systems: towards an IS capability. 13, (2), p167–194.
Peppard, J., Galliers, R.D. and Thorogood, A. (2014). Information systems strategy as practice: micro strategy and
strategizing for IS. Journal of Strategic Information Systems. 23, p1-10.
Prentice, S. and McGee, K. (2013). Master the six essential elements of a digital strategy. Gartner.
Rai, A., Pavlou, P.A., Im, G., and Du, S. (2012). Interfirm IT capability profiles and communications for co-creating relational
value: evidence from the logistics industry. MIS Quarterly. 36, (1), p233-262.
Raskino, M. (2014). CEO resolutions for 2014. Time to act on digital business. Gartner.
Raskino, M. and Lopez, J. (2013). CEO and senior executive survey 2013: As uncertainty recedes, the digital future emerges.
Gartner.
Rickards, T., Smaje, K. and Sohori, V. (2015). ‘Transformer in chief’: The new chief digital officer. McKinsey.
Sambamurthy, V and Zmud, R. (2012). Guiding the digital transformation of organizations. Legerity Digital Press.
Sandberg, J. (2014). Digital capability - investigating coevolution of IT and business strategies. Department of Informatics,
Doctoral Dissertation, Umeå University, Umeå.
Sienou, A., Lamine, E., Pingaud, H., and Karduck, A. (2010). Risk driven process engineering in digital ecosystems: modelling
risk. In Proceedings of the 4th IEEE International Conference on Digital Ecosystems and Technologies.

36
 Reproduced with permission of copyright owner.
Further reproduction prohibited without permission.