* School of Electrical Engineering and Informatics, Bandung Institute of Technology
Jalan Ganesha No. 10, Bandung 40132
2 suhardi@stei.itb.ac.id
# PT. Telekomunikasi Indonesia, Tbk,
Jalan Japati No. 1 Bandung 40133
3 doddi@telkom.co.id
Abstract—Utilization of Information Technology (IT) in an enterprise, in addition to the benefits gained from implementing IT, comes along with risks (Information Technology Risk) that may affect the achievement of corporate goals. IT risk management will always involve the company's overall risk management, since IT risk will impact the enterprise itself; thus a framework is required as a tool to integrate IT risks with ERM.
This paper presents a case study research on an IT risk management framework based on ISO 31000. The research methodology used in this study is Design Science Research Methodology (DSRM). The designed architecture includes three components: the principles of IT risk management, IT risk identification, and IT risk analysis. The method used to examine the framework was a Focus Group Methodology, and the sampling technique used was purposive sampling. The Focus Group Discussion (FGD) was conducted based on expert judgment in PT. Telekomunikasi Indonesia, Tbk.
The examination of the IT risk management framework resulted in a framework in accordance with the needs of companies engaged in the telecommunications industry and that integrates IT risk with ERM. In this case the company's need is security related to financial statements, to support compliance with the Sarbanes-Oxley Act agreement (SOA). The main point in the development of the IT risk management framework is the presence of internal control as a key role in Enterprise Risk Management.

Keywords— IT Risk, ERM, FMEA, ISO 31000:2009, SOA Section 404

I. INTRODUCTION

Utilization of Information Technology (IT) in an enterprise, in addition to the benefits from implementing IT, comes along with risks (Information Technology Risk) that may affect the achievement of corporate goals. Given that IT is an important asset, it must be managed effectively to maximize the effectiveness of its use and so that the associated risks of the implemented technology can be mitigated. Risk management provides considerations regarding the measures to be taken to address these risks [1]. Enterprise Risk Management (ERM) can provide a structured consideration by taking into account all forms of uncertainty in decision making.

The International Organization for Standardization (ISO) has issued a standard framework for managing risk (ISO 31000:2009). This standard was issued to assist companies in managing risk [2]. Currently there are several risk management standards that have been published previously. However, enterprise risk management (ERM) and IT risk frameworks are presented separately and are not yet integrated in a single framework. On the other hand, IT risk management will always involve the company's overall risk management, since IT risk will impact the enterprise itself. Although one of the IT risk frameworks, the IT Risk framework of the Information Systems Audit and Control Association (ISACA), has elaborated on ERM, it is more specific in terms of IT usage in the enterprise and not focused on control (control activities), which is one of the important components in ERM [3]. Similarly, the framework Control Objectives for Information and related Technology (COBIT) is focused on meeting the standards of The Committee of Sponsoring Organizations of the Treadway Commission (COSO) in terms of IT control [4]; this indicates that the two frameworks are complementary to each other but not yet integrated in a single framework.

This paper examines an IT risk management framework based on ISO 31000. The methodology used is Design Science Research Methodology (DSRM). The study focuses on IT security related to the financial statements to support compliance with the Sarbanes-Oxley Act agreement (SOA). The research resulted in an IT risk management framework based on ISO 31000:2009 which has been tested on a case study in PT. Telekomunikasi Indonesia, Tbk.
Risk Assessment Process (mapping of FMEA steps to SOA Section 404 steps)

Steps | FMEA | SOA Section 404
1 | Identify the components and related functions | Identifying significant accounts and disclosures
2 | Identify the failure mode | Identify the process/business cycle and sub-processes/sub-cycles and do the mapping for significant accounts and disclosures
3 | Identifying the effects of failure | Identification of the relevant financial statement assertions for each significant account and disclosure
4 | Determine the severity/gravity of the failure | Perform risk assessment on the sub-processes/sub-cycles
5 | Identifying the cause of failure | Complete the list of locations or business units
6 | Determine the probability/possibilities of failure | Identifying the location based on examination and assessment coverage
7 | Identify the control | Map the location for the process/business cycle and sub-processes/sub-cycles previously identified
8 | Determine the effectiveness of control | -
9 | Calculate the risk priority (RPN) | -
10 | Determine measures to reduce the risk of failure | -

Based on the mapping, the proposed IT risk management framework is shown in Appendix A, Fig. 7. Explanation of the IT Risk Analysis process:

a) Determine the significant risk factor of each business sub-process. Examples of risk factors [12] are: the impact on the financial statements; the complexity of the system; the frequency of transactions; risks inherent in the business process; centralization of the process.

b) Determine the risk level of each risk factor. The categories are defined as follows [12]:
High: high possibility of misstatements, or the balance sheet has a material impact on the financial statements.
Medium: the possibility of misstatements in the financial statements for a certain section is moderate, or the error rate is average.
Low: the process is easy, and misstatements have minimal impact on the financial statements.

TABLE IV
RESULT OF ASSESSMENT OF THE PROPOSED IT RISK IDENTIFICATION AND ANALYSIS PROCESS

No | The proposed process | Assessment Score | Assessment Average
1 | Reviewing business processes | 47 | 4.7
2 | Identification of all failures | 47 | 4.7
3 | Compile a list of risk | 47 | 4.7
4 | Assessment of the possibilities | 48 | 4.8
5 | Impact assessment | 48 | 4.8
6 | Mitigation/treatment of risk | 50 | 5.0
7 | Early detection/control | 47 | 4.7

To make this clearer, the average values in TABLE IV are plotted on a graph as shown in Fig. 5. The result of the assessment and of the discussion with the examiners that is important to mention about the process of IT risk identification and analysis is that the proposed framework is too general, so it is still not able to detect possible fraud; a deeper framework preparation is therefore necessary for fraud detection.
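As an added worked example (not code from the paper or from the case-study company), the following Python carries FMEA steps 4, 6, 8 and 9 of the mapping table above through to a ranked list and applies the High/Medium/Low categorization of step b) to a constructed failure-mode register for a revenue cycle. The 1-10 rating scale and the numeric category thresholds are assumptions; the paper gives only the qualitative definitions.

```python
from dataclasses import dataclass


@dataclass
class FailureMode:
    sub_process: str   # business sub-process/sub-cycle (SOA 404 step 2)
    failure: str       # failure mode (FMEA step 2)
    severity: int      # FMEA step 4: impact on the financial statements, 1-10 (assumed scale)
    occurrence: int    # FMEA step 6: probability of failure, 1-10 (assumed scale)
    detection: int     # FMEA step 8: 1 = control reliably detects, 10 = no effective control


def rpn(fm: FailureMode) -> int:
    """FMEA step 9: Risk Priority Number = severity x occurrence x detection (standard FMEA)."""
    for rating in (fm.severity, fm.occurrence, fm.detection):
        if not 1 <= rating <= 10:
            raise ValueError("FMEA ratings must be on the 1-10 scale")
    return fm.severity * fm.occurrence * fm.detection


def risk_level(fm: FailureMode) -> str:
    """Step b): map a failure mode to the High/Medium/Low categories of [12].

    Thresholds (>= 7 is 'high', >= 4 is 'moderate') are an assumption made for this example.
    """
    if fm.severity >= 7 or fm.occurrence >= 7:    # material impact OR high possibility of misstatement
        return "High"
    if fm.severity >= 4 or fm.occurrence >= 4:    # moderate possibility / average error rate
        return "Medium"
    return "Low"                                  # easy process, minimal impact


def prioritize(modes):
    """Rank failure modes by RPN, highest first: the order in which FMEA step 10 treats them."""
    return sorted(modes, key=rpn, reverse=True)


# Constructed sample register for a telecom revenue cycle (illustrative, not data from the paper)
SAMPLE = [
    FailureMode("Billing", "Tariff table changed without approval", 8, 3, 6),
    FailureMode("Collection", "Payment file posted twice", 5, 4, 2),
    FailureMode("Revenue recognition", "Manual journal bypasses review", 9, 6, 8),
    FailureMode("Customer master", "Address field truncated", 2, 2, 3),
]

if __name__ == "__main__":
    for fm in prioritize(SAMPLE):
        print(f"RPN {rpn(fm):4d}  {risk_level(fm):6s}  {fm.sub_process}: {fm.failure}")
```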
ACKNOWLEDGMENT
The authors wish to thank PT. Telekomunikasi Indonesia, Tbk. for their thoughtful support and encouragement during the research.
REFERENCES
[1] Susilo, L., and Kaho, V., Manajemen Risiko Berbasis ISO 31000 Untuk Industri Non Perbankan, Penerbit PPM, Jakarta, 2010.
[2] Shortreed, J., "Enterprise Risk Management and ISO 31000", The Journal of Policy Engagement, vol. 2, no. 3, 2010.
[3] (2011) The ISACA website. [Online]. Available: http://www.isaca.org/
[4] (2011) The ITGI website. [Online]. Available: http://www.itgi.org/
[5] (2011) The ISO website. [Online]. Available: http://www.iso.org/
[6] Nocco, B., and Stulz, R., "Enterprise Risk Management: Theory and Practice", Journal of Applied Corporate Finance, vol. 18, no. 4, 2006.
[7] Peffers, K., Tuunanen, T., Rothenberger, M., and Chatterjee, S., "A Design Science Research Methodology for Information Systems Research", Journal of Management Information Systems, vol. 24, pp. 45-78, 2007.
[8] Susilo, L., Tantangan Penerapan ISO 31000:2009: Risk Management - Principles and Guidelines, General lecture in Manajemen Risiko TI, 2011.
[9] (2011) The TELKOM website. [Online]. Available: http://www.telkom.co.id/
[10] Riduwan, Metode dan Teknik Menyusun Tesis, Penerbit Alfabeta, Bandung, 2008.
[11] (2011) Failure Modes & Effects Analysis. [Online]. Available: http://www.fmeainfocentre.com/
[12] (2012) The Institute of Internal Auditors website. [Online]. Available: http://www.theiia.org/
[13] (2012) The Sarbanes-Oxley Act website. [Online]. Available: http://www.sox-expert.com/
Appendix A
Fig. 7. IT risk management framework based on ISO 31000 (test results)