Umeå universitets logga

This study problematizes the long-lived assumption that eliminating paper and becoming paperless contributes to organizational digitalization and sustainability efforts. By identifying paperless as a trope in discourse and a norm in practice, we show how the strive for paperless drives digitization of a paper-based logic rather than creates conditions for digital value creation. A sense of doing good when reducing paper, combined with neglecting opportunity costs related to digital technologies can also create adverse effects on sustainability as well as simplify the complexities of converging digitalization efforts with sustainability outcomes.

Digital reform of public sector organizations rests on their ability to innovate with digital technology. Since the public sector innovation literature pays limited attention to digital, and as digital innovation is rarely investigated in public sector contexts, current knowledge on digital innovation capabilities in such organizations is limited. Through a case study of digital reform in a local government organization, we identify how public sector conditions organizations' capability for digital innovation. This includes legal structures that propagate infrastructural fragmentation, resource allocation systems that restrict innovation scopes, how political pressure leads to conflicting frames of the strategic role of digital, and how public and legal liability may lead to innovation paralysis. The paper contributes to the literature by illustrating the unique conditions for digital innovation in the public sector, and to practice by highlighting key shifts that increase organizations' digital innovation capability.

Information systems development (ISD) has been part of the core of information systems for over 40 years. Throughout its history, the issue of risk has been closely related to ISD projects, and significant efforts have been made by researchers and practitioners to improve their quality. While important headway has been made in assessing and resolving ISD risk, the literature shows that new and salient risks emerge outside the scope of extant risk management regimes. As a consequence, organizations still struggle with leveraging new tech- nology as projects continue to fail at almost the same rate, albeit for different reasons. Understood as the distinction between reality and possibility, risk is inherently intertwined with practice and rooted in the knowledge, goals, power, and values of specific actors in particular contexts. Hence, to understand how risks emerge, we present a longitudinal case study in which we trace the origin and locus of risks in contemporary ISD practices. We draw on these insights to theorize information technology risk as increasingly inter- stitial, originating from sources positioned in between established practices and therefore outside the scope of conventional risk anal- yses. In conclusion, we discuss interstitial risks as an important form of emergent risk with implications for both research and practice.

In this paper, we extend IT risk management theory using evidence gleaned from IT-enabled process management in a Swedish pulp and paper factory. Our analyses of risk management practices in the factory’s core process revealed surprising insights. As organizational actors managed process related IT risks to ensure that the core production process was running 24/7, they generated strategic IT risks that threatened the sustainability of the process infrastructure. However, they could not manage these strategic risks without jeopardizing the 24/7 operation. Hence, they inadvertently found themselves between a rock and a hard place where they could not mitigate one high priority risk without generating another. Drawing on practice theory, we explain the observed risk management practices, introduce the notion of risk dilemmas, and discuss the practice-based view of risk as a useful approach to advancing IT risk management theory.

In this paper, we contribute to risk management theory by investigating the internal dynamics of IT risks in contemporary organizations. We explore how digitization of previously physical organizational con- texts trigger risk by conceptualizing risk management from a performative perspective and the assumption that risks are sociomaterial by nature. Through an exploratory case study of the risk man- agement practices at a paper and pulp factory, we analyze the different epistemic strategies employed by the practitioners as proactive, reactive and adaptive. We discuss how and why these strategies emerge as a result of the sociomaterial configurations. 

This dissertation investigates the nature and management of information infrastructure risks in organizations. Specifically, it examines how practitioners identify and manage threats towards their organizational aims, and suggests ways of achieving sustainable risk management, in settings characterized by the integration of information technology (IT) and organizational processes. The dissertation is motivated by the difficulties organizations encounter when attempting to leverage IT as an organizational resource and the observation that IT projects have high rates of failure despite three decades of research on and practice of risk management in Information Systems (IS). Three aspects of the underlying logic of existing research and practice on IS risk management are challenged: (1) the infrastructural character of IT is suggested to be consequential for organizational risk management, however not recognized by either IS research on risk or risk experts, (2) risk management is enacted within and across practices beyond the boundaries of formal risk management models, and subsequently, (3) risks are increasingly emergent rather than predictable. To investigate such risks and risk management processes the studies in the dissertation build on information infrastructure theory and practice theory and a qualitative approach.

As the role of IT in organizations has changed significantly over the last decades, so has both practice and research concerned with IT related risks. Research on risk in the field of IS has thus come to encompass a large variety of levels of analysis, risk levels and dimensions, organizational processes and research approaches. An analysis of the extant literature shows that despite this richness, it still does not account, or offer support, for situations characterized by a high degree of uncertainty and equivocality. In these kinds of situations, risks are typically emergent and cannot be identified or managed by the prescriptions found within the IS discourse. However, emergence has long been recognized as a characteristic of the organizational consequences of information technology. Paradoxically, while most IS scholars would recognize the socio-technical, or even sociomaterial, nature of IT, it has had little impact on research on risk in our field.

A key argument in this dissertation is that theories of technology and organizational change within IS are equally valid for practice and research on IT related risk and risk management. Information infrastructure theory has been influential in improving our understanding of the changing nature and role of contemporary IT in organizational processes. It highlights the infrastructural character of IT, technological agency, and the entanglement of IT and organizational practices. Grounded in information infrastructure theory, this dissertation examines how practitioners identify, assess, prioritize and resolve risk in their everyday organizational practices. While risk has been used as a concept to characterize the underlying logic of information infrastructure evolution, scant attention has been paid to the particularities of risk emergence and operational risk management practices. As such, existing IS research on risk management explains why risk emerges but not how. The notion of practice has recently gained momentum in the IS field for its usefulness as an analytical lens in approaching complex, dynamic and emergent phenomena, and it is reflective of information infrastructure theory in its fundamental ontological and epistemological assumptions. All of the papers included in this dissertation build, to varying degrees, on information infrastructure theory and a practice approach.

The dissertation contributes new knowledge to research on information infrastructure risk and risk management in IS by theorizing information infrastructure risk as emergent, interstitial, and rooted in practice and sociomaterial contexts.

Failure to understand, identify, and manage risk is often cited as a major cause of IT problems. While the project is the preferred level of analysis in most IT risk management research, IT is becoming increasingly infrastructural, and there is therefore a need to adapt risk strategies beyond the project level. In this paper, we explore how risk management practices in a successful IT service provider group emerged over time as the group coped with infrastructural dynamics and complexities. Drawing on Orlikowski's practice lens, we investigate actual practices and possible options related to risk management as rapid technological and organizational changes resulted in increased infrastructure management challenges for the IT service provider. Our research contributes to the IT risk management literature by applying risk theory to service management in the infrastructural domain and by moving beyond the project as level of analysis.