ABSTRACT
Management control systems and risk management have become intertwined as organisations face increasingly complex environments. Changes such as digitalisation challenge existing patterns of value creation and introduce new risks that must be managed if the organisation is to achieve its objectives. In response, it has been suggested that management control systems can play a key role in addressing cyber risk. This work studies how management control systems, operationalised as Simons' four levers of control framework, are used to manage cyber risk in four medium-sized case organisations. The findings suggest that management control systems are used only to a limited extent to manage cyber risk or ensure cybersecurity: the beliefs systems are absent; the boundary systems are the most used and are mainly reactive in design; diagnostic control of cyber risk is often outsourced; and the possibility of executing interactive control seems to be crippled by limited competence. Lastly, competence seems to be of particular importance in explaining the "absence of use" of management control systems and the drivers for outsourcing, and it may be the key to unlocking the potential for managing cyber risk.
