When IT Risk Management Produces More Harm than Good: The Phenomenon of ´Mock Bureaucracy´

This paper investigates the complications of designing effective governance for IT risk management (IT-RM). Literature on formal governance suggests that either a coercive (i.e., to force employees´ effort and compliance) or an enabling (i.e., to help employees better to master their tasks) design of procedures help to avoid what literature calls ´mock bureaucracy´ (i.e., rules are promulgated for their symbolic value but ignored in practice). Our analysis of two organizations, however, implies that both coercive and enabling governance for IT-RM may lead to mock bureaucracy. We categorize antecedents of ´mock´ IT-RM procedures and identify important design challenges for IT-RM research and practice. Our study contributes to the IT governance body of knowledge by linking types of bureaucracy to IT governance tasks and providing anti-patterns associated with IT-RM procedures.