
2012 International Conference on System Engineering and Technology
September 11-12, 2012, Bandung, Indonesia

IT Risk Management Framework Based on ISO 31000:2009

Tati Ernawati #1, Suhardi *2, Doddi R. Nugroho #3

# Informatics, Politeknik TEDC Bandung, Jalan Pasantren Km 2 Cibabat Cimahi Utara 40513
1 tatiernawati@yahoo.com

* School of Electrical Engineering and Informatics, Bandung Institute of Technology, Jalan Ganesha No. 10, Bandung 40132
2 suhardi@stei.itb.ac.id

# PT. Telekomunikasi Indonesia, Tbk, Jalan Japati No. 1 Bandung 40133
3 doddi@telkom.co.id

Abstract—Utilization of Information Technology (IT) in an enterprise, in addition to the benefits obtained from implementing IT, comes along with risks (Information Technology risk) that may affect the achievement of corporate goals. IT risk management will always involve the company's overall risk management, because IT risk will impact the enterprise itself; thus a framework is required as a tool to integrate IT risk with ERM. This paper presents a case study research on an IT risk management framework based on ISO 31000. The research methodology used in this study is Design Science Research Methodology (DSRM). The designed architecture includes three components: the principles of IT risk management, IT risk identification, and IT risk analysis. The method used to examine the framework was a Focus Group methodology, while the sampling technique used was purposive sampling. The Focus Group Discussion (FGD) was conducted based on expert judgment at PT. Telekomunikasi Indonesia, Tbk. The examination of the resulting IT risk management framework shows that it is in accordance with the needs of companies engaged in the telecommunications industry and that it integrates IT risk with ERM. In this case the company's need is security related to the financial statements, to support compliance with the Sarbanes-Oxley Act (SOA). The main thing in the development of the IT risk management framework is the presence of internal control, which plays a key role in Enterprise Risk Management.

Keywords— IT Risk, ERM, FMEA, ISO 31000:2009, SOA Section 404

I. INTRODUCTION

Utilization of Information Technology (IT) in an enterprise, in addition to the benefits obtained from implementing IT, comes along with risks (Information Technology risk) that may affect the achievement of corporate goals. Given that IT is an important asset, it must be managed effectively, both to maximize the effectiveness of its use and so that the risks associated with the implemented technology can be mitigated.

Risk management provides considerations regarding the measures to be taken to address these risks [1]. Enterprise Risk Management (ERM) can provide structured consideration by taking into account all forms of uncertainty in decision making. The International Organization for Standardization (ISO) has issued a standard framework for managing risk (ISO 31000:2009). This standard is issued to assist companies in managing risk [2]. Currently there are several risk management standards that have been published previously. However, enterprise risk management (ERM) and IT risk frameworks are presented separately, not yet integrated in a single framework. On the other hand, IT risk management will always involve the company's overall risk management, because IT risk will impact the enterprise itself. Although one of the IT risk frameworks, that of the Information Systems Audit and Control Association (ISACA), has elaborated on ERM, it is only more specific in terms of IT usage in the enterprise and not very focused on control (control activities), which is one of the important components of ERM [3]. Similarly, the Control Objectives for Information and related Technology (COBIT) framework is focused on meeting the standards of the Committee of Sponsoring Organizations of the Treadway Commission (COSO) in terms of IT control [4]; this indicates that the two frameworks are complementary to each other but not yet integrated in a single framework.

This paper examines an IT risk management framework based on ISO 31000. The methodology used is Design Science Research Methodology (DSRM). The study focused on IT security related to the financial statements, to support compliance with the Sarbanes-Oxley Act (SOA). The research resulted in an IT risk management framework based on ISO 31000:2009 which has been tested on a case study at PT. Telekomunikasi Indonesia, Tbk.

978-1-4673-2376-5/12/$31.00 ©2012 IEEE


II. ENTERPRISE RISK MANAGEMENT

ERM is a comprehensive approach to the management of risk, especially to minimize the uncertainty affecting the achievement of corporate goals. The ERM process involves activities such as identification, measurement and monitoring of risk in a structured manner, supported by a risk management framework as a tool for managing risk so that it can be more integrated, sustainable and controllable.

ISO 31000 "Risk Management - Principles and Guidelines on Implementation" is part of the international standards of risk management guidelines [5]. The structure of ISO 31000 consists of three interrelated elements: the principles of risk management, the risk management framework and the risk management process.

A. Principle of Risk Management

The principles for managing risk in ISO 31000 [1]: adding value; an integral part of the organization and part of the decision making process; addressing the issue of uncertainty; systematic, structured and timely; based on the best information available; tailored for use; considering human and cultural factors; transparent and inclusive; dynamic, iterative and responsive to change; and facilitating the continual improvement and enhancement of the organization.

B. Risk Management Framework

One thing emphasized in ISO 31000 is that, to be effective, risk management must be integrated in the decision-making process of the organization. This standard does not only explain the important elements required in the framework but also explains how an organization should create, implement and maintain the relevant and up to date elements [6].

[Fig. 1: framework cycle with the boxes Mandate and Commitment; Design of framework for managing risk; Implementing risk management; Monitoring and review of the framework; Continual improvement of the framework]

Fig. 1 Risk management framework of ISO 31000 [1]

C. Risk Management Process

The ISO 31000 risk management process largely adopted the process of AS/NZS 4360:2004. The process of risk management is an integral part of general management. Risk management should be part of the organizational culture, organizational best practices and business processes of the organization. The risk management process includes 5 (five) activities, as described in Fig. 2.

[Fig. 2: Communication and consultation; Establish the context; Risk assessment (Risk identification, Risk analysis, Risk evaluation); Risk treatment; Monitoring and review]

Fig. 2 Risk management process of ISO 31000

D. Methods/techniques of risk assessment

Engineering and risk management methods/techniques described in ISO 31000 [1]:

1) The principles of risk management
The use of management as an agent of change principles, from both the individual and the organizational aspects.

2) Risk management framework
- Mandate and commitment: prepare a document that clearly outlines the responsibilities of the directors and the board of commissioners in association with the implementation of risk management.
- Design of framework for managing risk: understanding the organizational context; development of the risk management policy; risk governance structure; application of the risk management processes.
- Monitoring and review: a process profile worksheet as the basis for monitoring and review.
- Continual improvement of the framework: application of the PDCA (Plan-Do-Check-Act) principle.

3) Risk management process
- Communication and consultation: stakeholder analysis and technical communication.
- Establish the context: understanding the organizational context; taxonomy of the risks of both the internal and the external environment; criteria for risk.
- Risk assessment:
  - Risk identification: deepening of the techniques used before: document review, stakeholder analysis, risk breakdown structure, business process mapping.
  - Risk analysis and risk evaluation: qualitative methods and quantitative methods.

4) Risk treatment
- Risk treatment strategy
- Emergency response and disaster recovery strategy
- Building the risk treatment plan
- Consideration of benefits and costs

5) Monitoring and review
- Determination of who is doing the monitoring and review
- What needs to be monitored and reviewed
- What information needs to be evaluated
- The procedures to be used
- The reporting process

6) Documentation of the risk management process
- Records of each stage of the process
- Storage of documents
- Use of knowledge management techniques

III. THE PROPOSED FRAMEWORK

The research methodology used is Design Science Research Methodology (DSRM). The six stages of the design are shown in Fig. 3, as follows.
Fig. 3 The process model of DSRM [7]

A. Identify problem and motivate

Enterprise risk management (ERM) not being integrated with IT risk in a single framework is the main trigger for developing an IT risk management framework based on ISO 31000 that is adapted to the needs and objectives of the company.

B. Define objectives of a solution

Based on the problem identification and motivation, the objectives of the solution in this study are:
- An IT risk management framework based on ISO 31000, adapted to the needs and goals of the organization.
- Meeting the need for a risk management framework in which IT risk is integrated with ERM.

C. Design and development

The stages of the framework design are as follows.

1) Step 1: Conduct a literature review

The selection of the ISO 31000 framework was conducted by comparison with some of the general enterprise risk management frameworks, such as AS/NZ 4360:2004, COSO-ERM 2004 and ISO 31000:2009. The results of the comparison are presented in TABLE I.

TABLE I
COMPARISON OF RISK MANAGEMENT FRAMEWORKS [8]

Framework | ERM Principle | Framework | Process
ISO 31000:2009 | ✓ | ✓ | ✓
AS/NZ 4360:2004 | X | X | ✓
COSO ERM:2004 | X | X | ✓

Compared with COSO ERM, ISO 31000 has the advantages of being more practical and more detailed, with the terms defined explicitly in the framework and written more clearly, so it is easy to understand [8]. Based on those comparisons, ISO 31000 was chosen as the reference framework with the following considerations: ISO 31000 is more structured/systematic, so that it is easy to apply; the architecture supports changes to the risk management process in the application; there is consistency in the terminology [8]; in contrast to other risk management frameworks, ISO 31000 provides risk assessment techniques that can be adapted to the conditions and needs of the company; and the integration through the provision of a more general framework can accommodate all types of risk management in an ISO 31000 framework, which shows that risk management is an integral part of the organization.

2) Step 2: Data collection

The research derived from primary and secondary data. Primary data were obtained by conducting a survey at PT. Telekomunikasi Indonesia, Tbk. Data collection was conducted through interviews with the Senior Officer for IT Governance and Compliance Strategy in the units associated with IT risk management, namely IT Solutions and Strategy Portfolio (ITSP) and Compliance Risk Management (CRM). Secondary data were obtained by content analysis techniques from various references, based on the problems examined. The purpose of this phase was to obtain detailed information on the existing conditions of the risk management process in PT. Telekomunikasi Indonesia, Tbk.

3) Step 3: Data Analysis

The analysis is performed on the ISO 31000 risk management framework and on the data surveyed in the field.

a) IT Risk Management Principles

The design of the IT risk management principles based on ISO 31000 was done in two stages: by mapping business ethics onto the principles of ISO 31000, and by an analysis of the IT objectives and strategy.

The first stage of mapping was done by analyzing every element of the corporate and business ethics and searching for a counterpart among the risk management principles of ISO 31000. The goal is to obtain a comprehensive picture of the business ethics policies related to the ISO 31000 risk management principles. Business ethics consists of [9]: primary values, consisting of integrity, openness, commitment, teamwork, discipline, caring and responsibility; and primary behaviors, consisting of achieving a higher target, simplifying (working
effectively and efficiently), cooperating and synergizing, prioritizing quality in every task, and respecting and appreciating. Based on the mapping, it can be analyzed that the company's business ethics are applied in accordance with some of the principles of ISO 31000 risk management, such as an IT risk aware culture; IT risk management integrated with corporate risk management; systematic, structured and timely; transparent and inclusive; and creating IT value.

The second stage of the analysis was conducted by reviewing the events that may occur and would disrupt the IT objectives in the case of PT. Telekomunikasi Indonesia, Tbk. The analysis results can be seen in TABLE II. The proposed IT risk management principles are drawn from the management and need to be done in anticipation of the events that may occur and would disrupt the IT objectives.

TABLE II
ANALYSIS RESULTS OF IT OBJECTIVES AND STRATEGY

No | Aspects analyzed | Event*
1 | IT goals [9]: IT helps corporate governance in an integrated way | IT does not effectively support the implementation of the company's business
2 | Strategic IT: |
  | a. Efficiency of IT investments | Lack of an adequate IT architecture
  | b. Efficiency of IT investments in cloud computing services | The absence of an IT strategic plan for the implementation of the cloud computing initiative
  | c. Accurate financial statements | Changes to the financial reporting system by unauthorized parties and/or without adequate testing
  | d. IT governance in an effective corporation | Use of the system by unauthorized persons, or modification of data integrity by violation of information systems security
*) Events that may occur and would disrupt the IT goals

Based on the mapping of business ethics to the ISO 31000 risk management principles, together with the analysis of the IT goals and strategy, the proposed IT risk management principles can be seen in Appendix A, Fig. 6.

b) IT Risk identification and analysis process

In designing the IT risk identification, the stage is carried out by analyzing the business processes and IT assets involved in the achievement of the IT objectives and strategy. The IT and business processes examined were those associated with the assurance that the financial statements support SOA compliance, taken from the case study at PT. Telekomunikasi Indonesia, Tbk.

Business processes for the achievement of the business IT objectives and strategy:

- Program development
  - Acquire and maintain application software: the process of application acquisition related to the effectiveness of financial reports, and the security and integrity of the process. Unit of manager is IT Policy UPTI (Unit Pengelola TI).
  - Acquire and maintain technology infrastructure: technology infrastructure (hardware and software) designed and acquired in accordance with the requirements of the financial applications. Unit of manager is UPTI.
  - Perform the operations: updating of policies, procedures and documentation related to application and infrastructure systems. Unit of manager is UPTI (IT Development Division).
  - Install and accredit the solutions and changes: performance and system reliability related to the financial reporting requirements. Unit of manager is UPTI.
- Program changes
  - Manage the change: the accuracy and security of the financial statements related to the process of switching the system during development/changes. Unit of manager is UPTI.
  - Define and manage service levels: the service level over the financial reporting system in accordance. Unit of manager is UPTI.
  - Manage third party services: the process of control over third-party contracts, handled by a unit that has accountability for the procurement process. Unit of manager is Unit Supply Center.
- Access to programs and data
  Ensure the security of the system:
  - The legitimacy of the financial statements.
  - Integration of data.
  - Policies and procedures related to the security infrastructure.
  - Control of authentication and access rights on a periodic basis.
  Unit of manager is BPO (Business Process Owner) and UPTI.
- Computer operation
  - Manage the configuration: the company's commitment to comply with the use of legal software. Unit of manager is Unit Supply Center.
  - Manage problems and incidents: problem and incident management operations related to the financial reporting system. Unit of manager is Unit Supply Center.
  - Manage the data: integrity, completeness, security and accuracy of financial reports related to data management and financial information processes, performed in accordance with IT governance. Unit of manager is Unit Supply Center.
  - Manage the physical environment and operations: management of the information assets that affect the integrity of financial statements, performed in accordance with corporate IT governance compliance, to accommodate the technology and international IT governance best practice. Unit of manager is Unit Supply Center.
- End User Computing
  Policies and/or procedures that govern End User Computing related to the integrity of the financial statements. Unit of manager is BPO.

The IT assets related to the guarantee that the financial statements support compliance with the Sarbanes-Oxley Act (SOA) are as follows:
- Hardware: telecommunications infrastructure such as exchanges, transmission, satellite and the nationwide backbone network to the last mile at the customer's point.
- Software: the billing system; Customer Relationship Management (CRM) applications for customer service; the network management system; the provisioning system; server services (content and value added services); and ERP (for internal operations management, including the financial system from revenue, treasury, taxation and the capex/opex burden through to financial reporting).
- Human Resources (HR): telecommunications experts in customer access, transmission, optical backbone and satellite; marketing and business experts; and the company's internal management system.

Each IT business process and asset involved in the achievement of the IT objectives will certainly pose an IT risk whose effects can influence the achievement of corporate goals. Therefore, it is necessary to anticipate IT risks by identifying failures in every business process. The identification technique to be used is based on Failure Mode and Effect Analysis (FMEA). FMEA techniques are used in the identification of IT risks with the following considerations:
- FMEA can be used widely in all areas: software, hardware, processes, et cetera.
- An important prerequisite for the use of FMEA is the clarity of the business process [1]. The availability of information and surveyed data in PT. Telekomunikasi Indonesia, Tbk. on the business processes related to the IT goals and strategy is fairly complete and clear.
- The result of FMEA is a list of failures, their possibilities and their impact on the achievement of corporate goals [8]. This is in accordance with the conditions where the identification of risk is carried out for the significant business processes that affect the sustainability/corporate goals.

4) Step 4: Proposed IT risk management framework based on ISO 31000

The proposed IT risk management framework can be seen in Appendix A, Fig. 6.

5) Step 5: Testing of the IT risk management framework

Tests are conducted through Focus Group Discussion (FGD), which is based on the expert opinion (expert judgment) of PT. Telekomunikasi Indonesia, Tbk. FGDs were conducted with three groups, namely IT Solutions and Strategy Portfolio (ITSP) as the holder of the business processes, Compliance Risk Management (CRM), which establishes the risk methodology in the corporation, and the Information Technology Center (ITC).

D. Demonstration

The test is performed through a Focus Group Discussion (FGD). This is done with the following considerations: the researcher and the examiners are allowed intensive discussions on a very specific topic, so the researcher could find arguments, perceptions, attitudes and experience toward the examiners' expert opinion/judgment; and the examination process can be done in a relatively shorter time period.

The assessment plan was done by 12 (twelve) experts, in accordance with the recommendations of ITGI and the determination of the FGD. The FGD was attended by 10 examiners who came from three divisions (IT Strategy Portfolio, Compliance Risk Management and IT Center); FGDs were performed in a total of 4 meetings between February 13th and 17th, 2012, held at PT. Telekomunikasi Indonesia, Tbk. The sampling technique used in the research was purposive sampling; this technique is used with the consideration that it is suitable for case studies based on judgment and expert opinion (expert judgment) [10].

TABLE III
RATING OF THE PROPOSED PRINCIPLES

No | The proposed principle | Assessment Score | Assessment Average
1 | IT Risk Awareness | 43 | 4.3
2 | IT risk management is integrated with corporate risk management | 47 | 4.7
3 | Transparent and inclusive | 50 | 5.0
4 | Create IT Value | 47 | 4.7
5 | Oversight of IT projects | 47 | 4.7
6 | IT controls to support the financial reporting | 47 | 4.7
7 | Ensure the security of the system | 47 | 4.7

To be clearer, the average values in TABLE III are plotted on a graph, as shown in Fig. 4.

Fig. 4 Assessment of IT Risk Management Principles (Average Value)

The other IT risk management principle examined, in the form of open questions, was "systematic, structured and timely". The examiners consider that "systematic, structured and timely" can be used as a risk management principle, with the argument that IT risk management should be implemented according to the planned time and the budgeted costs, and be supported by adequate human resources (experts).

The results of the assessment and discussion with the examiners that are important to mention about the IT risk management principles are as follows:
- The proposed principles can be used as the principles of risk management, but are not limited to the 8 proposed principles. Other principles can also be developed, such as: part of the process of decision making, and avoiding surprise.
- Business ethics can be used as the principles of risk management, with the reasoning that good values such as honesty, transparency and integrity will mitigate the risk of fraud. Risk management is essentially an implementation of the corporate culture that can oversee the achievement of corporate goals, and information dissemination efforts will be more effective. The examiners stated that it was appropriate that the proposed principles derived from the company's business ethics were analyzed using the principles of ISO 31000.
TABLE IV
RESULTS OF ASSESSMENT OF THE PROPOSED IT RISK IDENTIFICATION AND ANALYSIS PROCESS

No | The proposed process | Assessment Score | Assessment Average
1 | Reviewing business processes | 47 | 4.7
2 | Identification of all failures | 47 | 4.7
3 | Compile a list of risks | 47 | 4.7
4 | Assessment of the possibilities | 48 | 4.8
5 | Impact assessment | 48 | 4.8
6 | Mitigation/treatment | 50 | 5.0
7 | Early detection/control | 47 | 4.7

To be clearer, the average values in TABLE IV are plotted on a graph, as shown in Fig. 5. The result of the assessment and discussion with the examiners that is important to mention about the process of identification and analysis of IT risk is that the proposed framework is too general, so it is still not able to detect possible fraud; therefore a deeper preparation of the framework is necessary for fraud detection.

Fig. 5 Graph of the Assessment of the IT Risk Identification and Analysis Process (Average Value)

E. Evaluation

Based on the examination results, the evaluation of the design of the IT risk management framework is developed. The initial stage is the identification and mapping of the risk analysis using FMEA techniques and SOA Section 404, as shown in TABLE V.

TABLE V
COMPARISON OF THE FMEA RISK ASSESSMENT PROCESS WITH SOA SECTION 404 (source [11,12,13])

Steps | FMEA | SOA Section 404
1 | Identify the components and related functions | Identify significant accounts and disclosures
2 | Identify the failure mode | Identify the process/business cycle and the sub-processes/cycles, and map them to the significant accounts and disclosures
3 | Identify the effects of the failure | Identify the relevant financial statement assertions for each significant account and disclosure
4 | Determine the severity/gravity of the failure | Perform risk assessment on the sub-processes/sub-cycles
5 | Identify the cause of the failure | Complete the list of locations or business units
6 | Determine the probability/possibility of the failure | Identify the locations based on the examination and assessment coverage
7 | Identify the control | Map the locations to the process/business cycles and sub-processes/sub-cycles previously identified
8 | Determine the effectiveness of the control | -
9 | Calculate the risk priority number (RPN) | -
10 | Determine measures to reduce the risk of failure | -

Based on the mapping, the proposed IT risk management framework is shown in Appendix A, Fig. 7. Explanation of the IT risk analysis process:

a) Determining the significant risk factors of each business sub-process. Examples of risk factors [12] are: the impact of the business on the financial statements; the complexity of the system; the frequency of transactions; the risks inherent in the business process; and the centralization of the process.

b) Determining the risk level of each risk factor. The categories are defined as follows [12]:
- High: there is a high possibility of misstatements, or the balance sheet has a material impact on the financial statements.
- Medium: the possibility of misstatements in the financial statements for a certain section is moderate, or the error rate is average.
- Low: the process is easy, and misstatements have minimal impact on the financial statements.

c) Determining the risk level of the sub-processes based on the risk factors. Establish the overall risk rating (high, medium, or low) for each sub-process.

d) Assessment of the likelihood of IT risk. Criteria of the possibility (likelihood):
- Low: the possibility of future risks is small.
- Moderate: the possibility of future risks may still occur.
- High: the possibility of future risks is still very possible.
e) Assessment of the impacts of IT risk. An assessment of the impact level is the approximate magnitude of the negative impact on business processes resulting from the financial statements when an error occurs.
- Insignificant
  - The process does not directly relate to the recording of significant accounts in the ledger.
  - There is potential for fraud occurring in the process of financial report misstatements that can cause an insignificant amount.
- Significant
  - The process of recording is directly related to one or more significant accounts in the ledger.
  - There is potential for fraud occurring in the reporting process that leads to a number of significant misstatements.
- Material
  - The process of recording is directly related to one or more significant accounts in the ledger.
  - There is potential for fraud occurring in the financial reporting process that causes a material amount of misstatement.
(source: Telkom data)

f) Calculating the priority level of each IT risk. The priority is based on the impact and the possibilities. The criteria for the risk rating can be seen in TABLE VI.

TABLE VI
CRITERIA FOR PRIORITY/LEVEL OF RISK

Possibilities \ Impact | Insignificant (1) | Significant (2) | Material (3)
High (3) | High (3.1) | High (3.2) | High (3.3)
Moderate (2) | Low (2.1) | Moderate (2.2) | High (2.3)
Low (1) | Low (1.1) | Low (1.2) | Moderate (1.3)

g) Documenting the analysis. Documenting the results of the risk analysis, which include the IT implementation process, the risk ratings that need to receive treatment, and the risk profile.

F. Communication

The results of the study are documented in the form of scientific writing and research reports published as a paper. The contribution of this research is the development of an IT risk management framework integrated with ERM, focused on ensuring that the financial statements support compliance with the Sarbanes-Oxley Act.

IV. CONCLUSIONS

After doing research on the development of an IT risk management framework based on ISO 31000, it can be concluded as follows. The IT risk management framework that is designed covers the principles, the process identification and the risk analysis of IT processes. The principles of the proposed IT risk management are obtained by mapping the company's business ethics, IT objectives and strategy onto the risk management principles of ISO 31000. The process of identification and analysis of IT risk is obtained by mapping the results of the FMEA risk assessment technique in ISO 31000:2009 and SOA Section 404. Based on the results of the examination, the IT risk management framework has been designed in accordance with the requirements related to the company's financial statements supporting compliance with the Sarbanes-Oxley Act (SOA); the examination was conducted through FGDs at PT. Telekomunikasi Indonesia, Tbk. The results for the proposed principles of IT risk management obtained a minimum assessment score of 43 with an average of 4.3 and a maximum of 50 with an average of 5.0. For the IT risk identification and analysis process, the assessment scores obtained were 47 with an average of 4.7 up to a maximum of 50 with an average of 5.0. The main issue in the IT risk management framework is the presence of IT internal controls, which play an important role in Enterprise Risk Management.

The IT risk management framework based on ISO 31000:2009 remains to be studied further. Some suggestions can be underlined for further improvement and development: the proposed framework is not designed as a whole architecture (principles, framework and process), so it is possible to develop it in further research; this framework has not been implemented, so an assessment cannot yet be related to its level of efficiency and effectiveness; this framework is also limited to the fulfillment of the SOA requirements related to financial reporting, so it is possible to develop it in a broader study; and the framework examination was conducted in only one case study, so it is possible to examine it elsewhere in companies engaged in the same field.
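The following is an added worked example, not code from the paper or from PT. Telekomunikasi Indonesia: a small Python IT risk register that carries the FMEA column of TABLE V through its steps (component, failure mode, effect, severity, cause, probability, control, control effectiveness, RPN) and rates each failure with the likelihood and impact matrix of TABLE VI from the evaluation steps d) to f). The paper gives no numeric scales, so the example assumes the conventional FMEA scores of 1 to 10 for severity, occurrence and detection and the usual product formula for the RPN, and it expresses the paper's "effectiveness of control" step as the detection score; the sample failure modes are constructed from the events in TABLE II and the business-process list, with hypothetical scores.

```python
"""Added worked example (not from the paper): an FMEA-style IT risk register
following TABLE V, rated with the likelihood x impact matrix of TABLE VI.
Assumed (not stated in the paper): 1-10 scales for severity, occurrence and
detection, RPN = severity x occurrence x detection, and 'effectiveness of
control' (TABLE V step 8) expressed as the detection score."""
from dataclasses import dataclass

# TABLE VI transcribed: outer key = possibility (3 High, 2 Moderate, 1 Low),
# inner key = impact (1 Insignificant, 2 Significant, 3 Material).
PRIORITY_MATRIX = {
    3: {1: "High", 2: "High", 3: "High"},
    2: {1: "Low", 2: "Moderate", 3: "High"},
    1: {1: "Low", 2: "Low", 3: "Moderate"},
}
LIKELIHOOD = {"Low": 1, "Moderate": 2, "High": 3}                # step d) labels
IMPACT = {"Insignificant": 1, "Significant": 2, "Material": 3}    # step e) labels


def priority_level(likelihood: str, impact: str) -> str:
    """Step f): look up the priority/level of risk in TABLE VI."""
    try:
        return PRIORITY_MATRIX[LIKELIHOOD[likelihood]][IMPACT[impact]]
    except KeyError as exc:
        raise ValueError(f"unknown likelihood or impact label: {exc}") from None


def priority_cell(likelihood: str, impact: str) -> str:
    """The paper's cell label 'possibility.impact', e.g. '2.3' for Moderate x Material."""
    priority_level(likelihood, impact)  # validates both labels first
    return f"{LIKELIHOOD[likelihood]}.{IMPACT[impact]}"


@dataclass
class FailureMode:
    process: str     # TABLE V step 1: component / business process and function
    failure: str     # step 2: failure mode
    effect: str      # step 3: effect of the failure
    severity: int    # step 4: severity/gravity, 1-10 (assumed scale)
    cause: str       # step 5: cause of the failure
    occurrence: int  # step 6: probability of the failure, 1-10 (assumed scale)
    control: str     # step 7: existing control
    detection: int   # step 8: control effectiveness as a detection score, 1-10 (10 = control unlikely to catch it)
    likelihood: str  # step d) label: Low / Moderate / High
    impact: str      # step e) label: Insignificant / Significant / Material

    def __post_init__(self):
        for name in ("severity", "occurrence", "detection"):
            value = getattr(self, name)
            if not 1 <= value <= 10:
                raise ValueError(f"{name} must be between 1 and 10, got {value}")
        priority_level(self.likelihood, self.impact)  # rejects labels outside TABLE VI

    def rpn(self) -> int:
        """Step 9: risk priority number."""
        return self.severity * self.occurrence * self.detection


def build_register(modes):
    """Register sorted by RPN, highest first, as the input to step 10 (treatment measures)."""
    rows = [{"process": m.process, "failure": m.failure, "rpn": m.rpn(),
             "cell": priority_cell(m.likelihood, m.impact),
             "level": priority_level(m.likelihood, m.impact)} for m in modes]
    return sorted(rows, key=lambda r: (-r["rpn"], r["process"]))


# Constructed sample: the processes and events echo TABLE II and the business-process
# list of Section III; every score and label below is a hypothetical illustration.
SAMPLE_MODES = [
    FailureMode("Program changes: manage the change",
                "Change to the financial reporting system deployed without adequate testing",
                "Misstatement in the financial reports", 8,
                "Emergency change bypasses the test environment", 3,
                "Change approval and user acceptance sign-off", 4, "Moderate", "Material"),
    FailureMode("Access to programs and data",
                "Use of the financial system by unauthorized persons",
                "Data integrity of ledger accounts violated", 9,
                "Accounts not revoked after staff transfers", 4,
                "Periodic review of authentication and access rights", 3, "Moderate", "Significant"),
    FailureMode("Computer operation: manage the configuration",
                "Unlicensed software installed on a reporting server",
                "Compliance finding without direct ledger impact", 3,
                "Local administrator rights on servers", 2,
                "Software inventory scan", 2, "Low", "Insignificant"),
]

if __name__ == "__main__":
    for row in build_register(SAMPLE_MODES):
        print(f"RPN {row['rpn']:>3}  cell {row['cell']}  {row['level']:<8}  "
              f"{row['process']}: {row['failure']}")
```

Two readings come out of the register that the tables alone do not make obvious: the RPN ordering (a process-level FMEA ranking) and the TABLE VI level (the financial-statement view used for SOA Section 404) need not agree, which is why the paper keeps both the FMEA steps and the likelihood/impact criteria; and the validation in the dataclass is what stops a register from silently carrying labels such as "Medium", which TABLE VI does not define.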

ACKNOWLEDGMENT

The authors wish to thank PT. Telekomunikasi Indonesia, Tbk. for their thoughtful support and encouragement during the research.
REFERENCES

[1] Susilo, L., and Kaho, V., Manajemen Risiko Berbasis ISO 31000 Untuk Industri Non Perbankan, Penerbit PPM, Jakarta, 2010.
[2] Shortreed, J., "Enterprise Risk Management and ISO 31000", The Journal of Policy Engagement, vol. 2, no. 3, 2010.
[3] (2011) The ISACA website. [Online]. Available: http://www.isaca.org/
[4] (2011) The ITGI website. [Online]. Available: http://www.itgi.org/
[5] (2011) The ISO website. [Online]. Available: http://www.iso.org/
[6] Nocco, B., and Stulz, R., "Enterprise Risk Management: Theory and Practice", Journal of Applied Corporate Finance, vol. 18, no. 4, 2006.
[7] Peffers, K., Tuunanen, T., Rothenberger, M., and Chatterjee, S., "A Design Science Research Methodology for Information Systems Research", Journal of Management Information Systems, vol. 24, pp. 45-78, 2007.
[8] Susilo, L., Tantangan Penerapan ISO 31000:2009: Risk Management - Principles and Guidline, General lecture in Manajemen Risiko TI, 2011.
[9] (2011) The TELKOM website. [Online]. Available: http://www.telkom.co.id/
[10] Riduwan, Metode dan Teknik Menyusun Tesis, Penerbit Alfabeta, Bandung, 2008.
[11] (2011) Failure Modes & Effects Analysis. [Online]. Available: http://www.fmeainfocentre.com/
[12] (2012) The Institute of Internal Auditors website. [Online]. Available: http://www.theiia.org/
[13] (2012) The Sarbanes-Oxley Act website. [Online]. Available: http://www.sox-expert.com/
Appendix A

Fig. 6. Proposed IT risk management framework based on ISO 31000:2009

Fig. 7. IT risk management framework based on ISO 31000 (test results)
