* School of Electrical Engineering and Informatics, Bandung Institute of Technology, Jalan Ganesha No. 10, Bandung 40132
2 suhardi@stei.itb.ac.id
# PT. Telekomunikasi Indonesia, Tbk, Jalan Japati No. 1, Bandung 40133
3 doddi@telkom.co.id
Abstract—Utilization of Information Technology (IT) in an enterprise, in addition to the benefit achieved from the implementation of IT, comes along with risks (Information Technology Risk) that may affect the achievement of corporate goals. IT risk management will always involve the company's overall risk management, because IT risk impacts the enterprise itself; thus a framework is required as a tool to integrate IT risks with ERM.

This paper presents case study research on an IT risk management framework based on ISO 31000. The research methodology used in this study is Design Science Research Methodology (DSRM). The designed architecture includes three components: the principles of IT risk management, IT risk identification, and IT risk analysis. The method used to examine the framework was a Focus Group methodology, and the sampling technique used was purposive sampling. The Focus Group Discussion (FGD) was conducted based on expert judgment in PT. Telekomunikasi Indonesia, Tbk.

The examination of the IT risk management framework resulted in a framework in accordance with the needs of companies engaged in the telecommunications industry, one that integrates IT risk with ERM. In this case the company's need is security related to the financial statements, to support compliance with the Sarbanes-Oxley Act (SOA). The main point in the development of the IT risk management framework is the presence of internal control as a key role in Enterprise Risk Management.

Keywords— IT Risk, ERM, FMEA, ISO 31000:2009, SOA Section 404

I. INTRODUCTION

Utilization of Information Technology (IT) in an enterprise, in addition to the benefit from the implementation of IT, comes along with risks (Information Technology Risk) that may affect the achievement of corporate goals. Given that IT is an important asset, it must be managed effectively to maximize the effectiveness of its use and so that the risks associated with the implemented technology can be mitigated. Risk management provides considerations regarding the measures to be taken to address these risks [1]. Enterprise Risk Management (ERM) can provide structured consideration by taking into account all forms of uncertainty in decision making.

The International Organization for Standardization (ISO) has issued a standard framework for managing risk (ISO 31000:2009). This standard was issued to assist companies in managing risk [2]. Some risk management standards had already been published previously. However, enterprise risk management (ERM) and IT risk frameworks are presented separately and have not yet been integrated in a single framework. On the other hand, IT risk management will always involve the company's overall risk management, because IT risk impacts the enterprise itself. Although one IT risk framework, IT Risk from the Information Systems Audit and Control Association (ISACA), has elaborated on ERM, it is only more specific in terms of IT usage in the enterprise and is not very focused on control (control activities), which is one of the important components of ERM [3]. Similarly, the Control Objectives for Information and related Technology (COBIT) framework focuses on meeting the standards of The Committee of Sponsoring Organizations of the Treadway Commission (COSO) in terms of IT control [4]. This indicates that the two frameworks are complementary to each other but not yet integrated in a single framework.

This paper examines an IT risk management framework based on ISO 31000. The methodology used is Design Science Research Methodology (DSRM). The study focused on IT security related to the financial statements, to support compliance with the Sarbanes-Oxley Act (SOA). The research resulted in an IT risk management framework based on ISO 31000:2009 which has been tested on a case study in PT. Telekomunikasi Indonesia, Tbk.
5) Step 5: Testing of IT risk management framework

Tests are conducted through Focus Group Discussion (FGD), which is based on the expert opinion (expert judgment) of PT. Telekomunikasi Indonesia, Tbk. FGDs were conducted with three groups, namely IT Solutions and Strategy Portfolio (ITSP) as the holder of a business process, the Compliance

The results of the assessment and discussion with the examiners that are important to mention about the IT risk management principles are as follows:

• The proposed principles can be used as the principles of risk management, but risk management is not limited to the 8 proposed principles. Other principles can also be developed, such as: being part of the process of decision making, and avoiding surprise.

• Business ethics can be used as a principle of risk management, with the reason that good values such as honesty, transparency and integrity will mitigate the risk of fraud. Risk management is essentially an implementation of the corporate culture that can oversee the achievement of corporate goals, and information dissemination efforts will be more effective. The examiners stated it was appropriate if the proposed principles derived from the company's business ethics are analyzed using the principles of ISO 31000.

TABLE IV
RESULT OF ASSESSMENT OF THE PROPOSED IT RISK IDENTIFICATION AND ANALYSIS PROCESS

No | The proposed process | Assessment Score | Average
1 | Reviewing business processes | 47 | 4.7
2 | Identification of all failures | 47 | 4.7
3 | Compile a list of risks | 47 | 4.7
4 | Assessment of the possibilities | 48 | 4.8
5 | Impact assessment | 48 | 4.8
6 | Mitigation/treatment | 50 | 5.0
7 | Early detection/control | 47 | 4.7

To make this clearer, the average values in TABLE IV are plotted on a graph as shown in Fig. 5. The result of the assessment and discussion with the examiners that is important to mention about the process of identification and analysis of IT risk is that the proposed framework is too general, so it was still not able to detect possible fraud; a deeper framework preparation is therefore necessary for fraud detection.

Fig. 4 Assessment of IT Risk Management Principles (Average Value)

The other IT risk management principles examined in the form of open questions were: systematic, structured and timely. The examiners consider that systematic, structured and timely can be used as risk management principles, with the argument that IT risk management should be implemented according to the planned time and budgeted costs, and supported by adequate human resources (experts).

TABLE V
RISK ASSESSMENT PROCESS: FMEA COMPARISON WITH SOA SECTION 404 (source [11,12,13])

Step | FMEA | SOA Section 404
1 | Identify the components and related functions | Identify significant accounts and disclosures
2 | Identify the failure mode | Identify the process/business cycle and sub-processes/cycles and map them to significant accounts and disclosures
3 | Identify the effects of failure | Identify the relevant financial statement assertions for each significant account and disclosure
4 | Determine the severity/gravity of the failure | Perform business risk assessment of sub-processes/sub-cycles
5 | Identify the cause of failure | Complete the list of locations or business units
6 | Determine the probability/possibility of failure | Identify the locations based on examination and assessment coverage
7 | Identify the control | Map locations to the process/business cycle and sub-processes/sub-cycles previously identified
8 | Determine the effectiveness of control | -
9 | Calculate the risk priority number (RPN) | -
10 | Determine measures to reduce the risk of failure | -

Based on the mapping, the proposed IT risk management framework is shown in Appendix A, Fig. 7. Explanation of the IT Risk Analysis process:

a) Determine the significant risk factors of each business sub-process. Examples of risk factors [12] are: the impact on the financial statements; the complexity of the system; the frequency of transactions; centralization of the process; and risks inherent in the process.

b) Determine the risk level of each risk factor. The categories are defined as follows [12].

• High; a high possibility of misstatements, or the balance sheet has a material impact on the financial statements.

• Medium; the possibility of misstatements in a certain section of the financial statements is moderate, or the error rate is average.

• Low; the process is easy, and misstatements have minimal impact on the financial statements.

Fig. 7. IT risk management framework based on ISO 31000 (test results)
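The following is an added worked example (not code from the paper or from PT. Telekomunikasi Indonesia) that carries the FMEA side of TABLE V and steps (a) and (b) of the IT risk analysis process through on a small constructed risk register for a revenue-to-general-ledger cycle. It assumes the conventional FMEA risk priority number, RPN = severity x occurrence x detection with each rating on a 1..10 scale, a hypothetical treatment threshold of 100, and a constructed mapping from the page's High/Medium/Low risk-factor levels to severity ratings; none of these values are stated on the page.

```python
"""FMEA-style IT risk analysis for financial-reporting controls.

Added example, not code from the paper or from PT. Telekomunikasi Indonesia.
Assumptions (not stated on the page): the conventional FMEA risk priority
number RPN = severity x occurrence x detection with each rating on a 1..10
scale, a hypothetical treatment threshold, and a constructed mapping from the
page's High/Medium/Low risk-factor levels to severity ratings.
"""
from dataclasses import dataclass

RATING_MIN, RATING_MAX = 1, 10

# Assumption: numeric severity assigned to each qualitative risk-factor level
# from step (b) of the paper's IT risk analysis process.
LEVEL_TO_SEVERITY = {"Low": 2, "Medium": 5, "High": 9}


@dataclass(frozen=True)
class FailureMode:
    """One row of an FMEA worksheet (FMEA steps 1-8 of TABLE V)."""
    sub_process: str        # step 1: component / sub-process examined
    failure_mode: str       # step 2
    effect: str             # step 3: effect on the financial statements
    cause: str              # step 5
    control: str            # step 7: existing control
    severity: int           # step 4: 1 (negligible) .. 10 (material misstatement)
    occurrence: int         # step 6: 1 (rare) .. 10 (almost certain)
    detection: int          # step 8: 1 (control reliably detects) .. 10 (no detection)


def _check_rating(name: str, value: int) -> None:
    if not RATING_MIN <= value <= RATING_MAX:
        raise ValueError(f"{name} rating {value} outside {RATING_MIN}..{RATING_MAX}")


def rpn(fm: FailureMode) -> int:
    """Step 9: risk priority number = severity * occurrence * detection."""
    for name in ("severity", "occurrence", "detection"):
        _check_rating(name, getattr(fm, name))
    return fm.severity * fm.occurrence * fm.detection


def severity_from_factors(levels: list[str]) -> int:
    """Step (b), as assumed here: a sub-process takes the severity of its
    worst-rated risk factor (impact, complexity, transaction frequency, ...)."""
    if not levels:
        raise ValueError("at least one risk factor level is required")
    return max(LEVEL_TO_SEVERITY[level] for level in levels)


def rank_by_rpn(modes: list[FailureMode]) -> list[tuple[str, int]]:
    """Order failure modes so that treatment (step 10) is planned highest RPN first."""
    return sorted(((fm.failure_mode, rpn(fm)) for fm in modes),
                  key=lambda pair: pair[1], reverse=True)


def needs_treatment(fm: FailureMode, threshold: int = 100) -> bool:
    """Hypothetical threshold: modes at or above it get a mitigation measure."""
    return rpn(fm) >= threshold


# Constructed sample register for a revenue-to-general-ledger cycle (not from the paper).
SAMPLE_REGISTER = [
    FailureMode("Billing interface to GL", "Batch posting job fails silently",
                "Revenue understated for the period", "Job scheduler error not alerted",
                "Daily reconciliation of billing totals to GL",
                severity=8, occurrence=3, detection=2),
    FailureMode("GL posting program", "Program change deployed without approval",
                "Posting logic altered; possible misstatement", "Change management bypassed",
                "Quarterly review of change tickets",
                severity=9, occurrence=2, detection=6),
    FailureMode("GL user access", "Leavers retain posting rights",
                "Unauthorised journal entries", "Periodic access review not performed",
                "Annual access recertification",
                severity=6, occurrence=5, detection=7),
]


if __name__ == "__main__":
    for name, value in rank_by_rpn(SAMPLE_REGISTER):
        print(f"{value:4d}  {name}")
    print("Severity for factors Low/High/Medium:",
          severity_from_factors(["Low", "High", "Medium"]))
```

The ranking makes the point of steps 8 and 9 visible: the access-review failure has the lowest severity of the three, yet its weak detection (an annual recertification only) lifts its RPN above the two modes with stronger controls, so it is the first candidate for a treatment measure in step 10.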