Assessment Framework for Defining the Maturity of Information Technology within Enterprise Risk Management (ERM)

The process of reviewing, assessing and improving an organization's IT risk management requires some basic information, summarized in a process maturity profile. In general, IT risk management standards and frameworks do not include a mechanism for assessing the maturity level of their process implementation. This study was conducted to develop a framework that can be applied to assess the maturity level of IT risk management under ISO/IEC 27005. A standards-based management system implementation can be represented as a cycle of planning, implementation, validation and action. The proposed evaluation framework consists of templates, methods, and working papers. The template covers the evaluation areas (planning, execution, validation, and action), the evaluation area details (8 domains, 35 subdomains, 82 items), and the evaluation metrics and criteria. A working paper was created to assist in conducting the evaluation. Using this evaluation framework provides a representation of the maturity level of the entire IT risk management process, based on the provisions of ISO/IEC 27005. This framework complements the existing model by providing (1) a single cycle of planning, establishment, validation, and execution, (2) evaluation tools, (3) more comprehensive data collection methods, and (4) a priority list of elements to be reformed and/or


I. INTRODUCTION
In the process of forecasting, minimizing, monitoring, and controlling the likelihood or impact of unfortunate events, and of maximizing the realization of opportunities, organizations use enterprise risk management (ERM) frameworks to manage every potential loss, problem or damage to the company. Such a framework needs to provide a structured process that integrates risk management activities into the systems development life cycle (SDLC) or an agile project management approach, so that risk managers can make informed decisions. In general, this process should involve determining the accuracy of risk decisions and which risks may be accepted. Good prescriptions for making risk decisions combine objective data, pass or fail test results, mitigation measures, qualitative analysis, subjective data, and a healthy bit of intuition [1]. A description of the enterprise's risk management maturity level should provide the benefit of identifying the actual strengths and weaknesses of risk management in the enterprise, and the resulting measurements help the organization climb to a higher maturity level. It also integrates the organization's risk management documents, so that they contribute to more effective organizational governance and improve the quality of the risk management and risk mitigation processes. Thus, the company's leadership must define expectations for the company's risk management programs and how to measure them, especially at the security assessment stage of the risk management framework. Asking the right questions is important for auditors to discover how the risk management program works and the true state of program integration. Moreover, audit teams need to focus on a more in-depth review of a broader set of systems and on integrity testing.
Each year, the public sector provides indicators and metrics to support government compliance and reporting requirements. Some of these metrics include the number of systems that a company operates, their viability to execute, and the acceptability of their risk. The accuracy of measuring the effectiveness of risk management programs therefore depends on whether controls are regularly tested and retested, and whether there is a record of test results related to the five primary sources of risk, namely production, marketing, financial, legal and human [2]. Risk is a necessary part of doing business, and in a world where massive amounts of data are processed at an ever-increasing rate, identifying and mitigating risks is a challenge for any company. It is little wonder that many contracts and insurance policies require strong evidence of good risk management practices [3]. In addition, it is imperative that the framework provides guidance for companies to integrate risk-based decision-making into organizational governance, planning, management, reporting, policies, values and culture. It is an open, principles-based system that allows organizations to apply standard principles in their own context. Every International Organization for Standardization (ISO) standard is reviewed every five years and revised as needed, which allows it to remain a useful and relevant tool in the market. This study nevertheless focuses on the older version of the standard, because many organizations face direct obstacles and barriers to further modernizing technology and infrastructure, while at the same time needing guidance that is as simple as possible; the older version thus provides more contextual benefit than the latest version. In particular, this framework helps provide the basis for a comprehensive risk management methodology for assessing and improving program risk management practices.
The risk management framework can be applied to all stages of the system development life cycle, including acquisition, development and operations. In addition, the framework can be used to guide the management of various types of risk, including acquisition program risks, software development risks, operational risks, and information security risks [4]. In short, identifying, assessing, managing and reporting the many types of risk a company faces is of paramount importance for improving external and internal decision-making. Risks can be viewed as threats, that is, negative events for the organization; managing risk in this sense means using management techniques to reduce the likelihood and impact of adverse events without incurring excessive cost. Risk can also be defined as uncertainty, the danger related to the distribution of all possible outcomes, positive and negative; managing risk then means minimizing the difference between expected and actual results. Finally, risk can be described contextually as an opportunity, a source of business opportunities [5], [6]. It is therefore recommended to use the popular, older version of ISO/IEC 27005 in a modified form, which simplifies matters for an organization that has used it for some time, avoids the burden of transitioning to a new method every five years, and at the same time allows flexibility and improvement of the business process as a whole; this is the ERM template that this study offers.

II. LITERATURE REVIEW
Risk management processes, besides reducing negative impacts, can also be used to identify and optimize the positive and potential aspects of the organization. ISO/IEC Guide 73 defines risk as a combination of the probability of an event and its consequence. Information Technology (IT) risk is a business risk related to the use, ownership, operation, involvement, influence, and application of IT in a company [7], [8]. It is also defined as something that goes wrong with IT and has a negative impact on the business [9], [10]. The types of risk that affect, or result directly from, IT activities have a broad scope. In short, risks can be grouped into several categories that help provide an overview of the organization's risk profile. The IT risk portfolio is one approach to identifying and grouping IT risks, which can be grouped into 7 (seven) categories: projects, continuity of IT services, information assets, service providers, applications, infrastructure, and strategic matters [11], [12]. The IT risk portfolio gives an overview of what should be the organization's main concern in managing IT-related risk; Symantec [13] classifies IT risk into 4 categories: security risk, availability risk, performance risk, and compliance risk. In addition, the common threads that serve as the basis for the various IT risk rating models are confidentiality, integrity, and availability [14].
In general, PDCA (Plan, Do, Check, Act) forms an endless cycle of risk management in which every executed and implemented solution can be seen as an indicator for further improvement activities. This knowledge is used as a fundamental organizational resource that provides an ongoing competitive advantage in a relevant and dynamic environment and market, by identifying the gap between strategic planning and potential knowledge [12]. The National Institute of Standards and Technology [15] defines IT risk management as a process that allows IT managers to balance the operational and economic costs of protecting IT against the benefit of such protection. This definition is a compromise between the classical definitions in business and definitions in the context of the organization's IT operations. Risk management must also be carried out continuously and developed sustainably in order to address the organization's present and future risks. Thus, every manager and staff member must understand their roles and responsibilities in risk management. In addition, risk management must be integrated into the organizational culture through policies and programs led directly by senior management [16]. In fact, IT risk management is the foundation of the implementation of an Information Security Management System [17]. ISO/IEC 27001 stipulates that the controls implemented within the scope, boundaries, and context of the Information Security Management System (ISMS) must be risk-based. PDCA has proven an impressive and essential tool for quality and continuous improvement, simple yet powerful for implementing strategy and policy in the organization. Applying the PDCA cycle has been found more effective than adopting a "right first time" approach, because using the cycle means continuously looking for better methods of improvement and enhancement [18].
Implementing a risk management process is not always easy, and some organizations give up without achieving the desired results. This may be due to an inability to implement the risk management process in a consistent and predictable manner in the long term. A maturity model is a tool that represents the pathway to an increasingly structured and systematic way of doing business, usually involving people, organizations, and processes. Over the past few years these tools have become very popular, and maturity models are used in many areas, such as data management, information security, and project management. In a maturity model, the evolutionary path is described through separate stages; to reach the next level, the organization must achieve the objectives of the required level and of all previous levels [19], [20]. To enable the measurement of maturity levels, identify gaps between the current level and the next, and plan follow-up efforts, priorities and objectives should be formulated to achieve the proposed goals. This allows the assessment process to run smoothly and builds achievement of compliance. Ultimately, this approach gives organizations an understanding of strengths, weaknesses, and opportunities that can support audits, benchmarks, and progress assessments against goals, strategic decisions, and project portfolio management [21], [22].
The difference between organizations whose systems are more or less mature lies not only in the results of the indicators used, but also in the fact that mature organizations measure differently, using a variety of indicators, compared with immature organizations. The concept of maturity is related to one or more of the elements identified as being related, but the concept of function is only appropriate for each of these elements individually [23], [24]. It appears very important for non-financial companies to promote and discuss how to implement and manage risk management efforts. One of the key issues is how to effectively evaluate the quality of a company's risk management performance. The most important factors are the growth of a consistent risk culture and the independence of the board of directors in deciding on the integration process within the organization [25], [26], [27]. It is therefore also important to understand the individual, institutional and environmental roles within the organization as the primary prerequisites for raising awareness of the strategies used in each business process within the framework of a particular project or service [28].

III. FRAMEWORK DESIGN
This study was conducted in several phases: literature review, framework design, and case study (see Fig. 1). The evaluation framework consists of evaluation forms, methods, and a worksheet with a descriptive structure. Interestingly, the presence of a Chief Risk Officer (CRO) does not by itself clarify the level of support and leadership from the CEO and the Board of Directors for the creation and distribution of risk information throughout the organization, which is dedicated to mitigating and managing major risks [29], [30]. Most importantly, a portfolio of company risk and opportunity events should be created: finance, strategy, compliance, operations, and reputation events can all influence the achievement of strategic goals.

IV. ASSESSMENT AREA
This study divided the process into five groups related to the plan for implementing ERM: full implementation, partial execution, implementation planning in process, feasibility study or evaluation, and level of ERM implementation. Traditional risk management approaches use segmented methods to face different risks across different parts of the organization. In contrast, ERM is a relatively new paradigm that enhances a company's ability to predict the set of risks it faces [31], [32], [33]. ERM is a top-down approach that includes identifying, assessing and addressing strategic, operational and financial risks to achieve four objectives: (1) high-level strategic objectives aligned with the corporate mission, (2) effective and efficient use of resources, (3) reliability of reporting, and (4) compliance with legal and regulatory requirements [34]. As can be seen in Fig. 2, the process starts and ends with context establishment: the context leads to risk identification, estimation and evaluation, and is then once again the consideration for determining risk treatment and risk acceptance. The main purpose of the evaluation form is to provide a structured description of the improvement stages of the PDCA cycle. The following table defines levels using the Business Risk Management Maturity Model and the Business Process Maturity Model. Providing metrics is essential, because a lack of process measurement prevents the determination of performance levels and disrupts the organization's business and process improvement. Measurement is an approach to evaluating process and organizational performance; in this model the standard is defined as a metric of the element score level together with a list of conditions that indicate whether the requirements are met. In addition, following the paragraphs of the standard, each domain is divided into several subdomains and elements.
The result was 35 subdomains and 82 items (Table I). In addition, PDCA codes are assigned to the elements to classify needs according to several specifications and increase the sustainability of the process (Table II). The life cycle of an innovation project is a series of interrelated processes and stages of novelty. Innovation projects generally follow a life cycle with well-defined stages: innovation development, production readiness, market entry, growth, maturity, and recovery or decline. To maintain the competitiveness of innovation projects at all stages, it is necessary to develop and implement specific types of innovation (incremental, responsive, disruptive or radical) that are included in the portfolio of innovation projects and implemented in a specific order with different levels of innovation content and research intensity [35]. The whole set was then mapped into the Assessment Areas, with each element mapped to its respective area (Fig. 3-7). Levels and criteria are defined to set indicators that can be observed and matched for the purpose of process improvement (Table III). The metrics are also essential to simplify the recognition of process maturity in every type of risk domain (Table IV). In implementing innovation projects, risks are localized in the process of analyzing and modeling a set of innovations. Choosing the best combination of risk management techniques for a particular innovation project requires assessing a range of factors, such as the complexity and specificity of the innovation activities and the profitability of the innovation at a given time. Time periods, insurance costs, likelihood of risk, size and quality, predictability of risk, legal limits and provisions, and project implementation phases are among the primary considerations [36].

Level     Criteria
Level 5   Organizational focus is continuous process improvement. The whole process conforms to the reference standard.
Level 4   Organizational focus is the evaluation and optimization of existing resources. Most of the process follows the reference standard.
Level 3   Organizational focus is building standard managerial processes to achieve organizational goals. A small part of the process follows the reference standard.
Level 2   Organizational focus is building a managerial foundation in every program or project. Some processes are standardized, without a reference standard.
Level 1   No specific targets. The organization's achievements depend on the competence and hard work of a handful of personnel. There is no standard process.

The ERM template in Table V is designed for use as a self-assessment. For the tool to be effective, the assessment must be conducted in such a way that the process is as objective as possible, avoiding bias and groupthink. From experience using the model, the self-evaluation discussion involves important considerations such as project duration and role responsibility. According to government comments, it could take from a few hours to a day or more, depending on the amount of preparation before the group discussion and the level of detail of the discussion itself. Ideally, a diverse group of employees responsible for managing ERM, across the ranks, should be involved in the self-assessment. Care must be taken to ensure that the conversation is open and transparent, and people should be encouraged to express their opinions. It may be helpful to ask someone outside the management chain responsible for ERM to facilitate the discussion. That person should read the specific notes and understand how to handle the self-evaluation form [37]. In addition to facilitating the discussion, the facilitator should be able to challenge the opinions of the self-assessment group, including asking for supporting evidence as needed. In general, the framework evaluation process consists of four steps: defining the organizational profile, collecting data, analyzing data, and finally presenting the maturity profile. Defining the organization's profile at the early stage helps determine the most suitable data collection method for the targeted application. The next step is data collection, for which the methods are: (1) document analysis, (2) interview, (3) questionnaire, or (4) material review [19], [20].
Methods (1) and (2) are the two main data collection methods for obtaining evidence. Methods (3) and (4) are necessary when the organization is highly complex and high risks are expected in the IT arena. The resulting data are processed into a worksheet that contains the results of data evaluation, manipulation and processing in the basic form shown graphically. The organization in the case study provides services, with offices in multiple cities and more than 1000 employees; IT supports the basic business, and the IT department has around 30 to 60 staff. The data were collected through interviews and document analysis, obtained and stored using the analytical methods described in the previous section. The interview was conducted with an IT risk manager, using the material described in the worksheet and clarified against the reference document for evaluation. The analysis of the referenced documents was directly related to IT risk management, as the two methods are complementary. The documents included the MRTI/20xx policy, the MRTI/20xx appendix policy, the software asset register, the hardware asset register, the movable property register, and the asset data or information records. The evaluation results consist of (1) PDCA cycle maturity, (2) the maturity evaluation of each component, and (3) conclusions and recommendations. Organizational policies are forward-looking, based on strong evidence of what the organization can achieve, and promote a consistent approach to health and safety at all levels of the organization. Organizational leaders therefore promote a consistent approach to health and safety and transmit the clear directives that shape daily activities.
Such leadership also works continuously at all levels of the organization, promotes the values, ethics and culture needed to achieve the organization's goals, and transforms the leadership style of the entire organization rather than remaining transactional [38]. The results of the case study maturity assessment can be seen in Table VII. ERM should be viewed as an evolutionary process within an organization. It is often treated as a compliance-driven exercise that is achieved, documented and presented, while it is doubtful in certain situations whether much value can be extracted from this type of effort [39]. Solving the cost and skill problems in the evaluation process also motivates the organization to provide correct answers and to show robust results in all real-world respects [40]. Aligning IT investments with ever-changing business goals and priorities remains a major challenge for IT managers. Despite management's efforts to improve project success, an unacceptable number of IT initiatives fail to reach their specific goals and targets, or do not reach their objectives in full. There is no end to the factors that can contribute to project failure. As a result, IT organizations have invested significantly in improving output predictability, productivity, and quality. Techniques such as estimation, risk assessment, process management, delivery management, and project management improve project implementation, but they cannot address the more important issues of investment selection and improving IT performance [41].
As can be seen in Fig. 4 to 7, each element code and the heat map are distributed across the plan, do, check and act realms. The resulting heat map can also be used to inform senior management, audit committees and boards about the risk assessment. Iterative design and management methods used in the business support continuous control and improvement of processes and products. The two frameworks in this study cannot be compared directly, because their reference maturity models differ. However, the framework proposed in this study includes several aspects that may complement the missing aspects of the current model, namely the representation, measurement, method, and presentation of evaluation results. It is important to keep the results anonymous for a certain timeframe, so that communities or governments are not deterred from using the maturity model by concerns about outside perceptions, and so that its primary purpose remains a self-assessment tool that informs future strategies and promotes the effort to assess process quality within the organization [37]. Historically, organizations have sought to improve project visibility by compiling schedule, budget, progress, and spending information from detail-oriented project management tools or enterprise risk management systems. To be successful, all projects must be planned in detail and updated in a consistent and reliable manner. This is rarely the case, and the collected data are often inaccurate, outdated and misleading [41]. It should be noted that the PDCA cycle in IT risk management (ISO/IEC 27005) cannot be separated from the company's overall risk management [42]. In addition, clients and organizations often misunderstand responsibilities and rights across business functions, processes, and levels.
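The aggregation behind such a profile can be made concrete. The following Python script is an added example, not code from the original paper or from any tool it describes: it takes constructed item scores (the item codes, phase assignments and scores below are assumptions for illustration, not the paper's 82 items), maps them into the PDCA realms, computes a staged level per phase (a level counts as reached only when every item in that phase meets it, following the cumulative rule of maturity models cited in Section II), builds the phase-by-domain heat map, and produces the priority list of elements to be reformed.

```python
"""Maturity profile aggregation for a PDCA-mapped checklist (added example).

Each item carries a code "D<domain>.S<subdomain>.I<item>", the PDCA phase it
is mapped to, and a level score 1..5 assigned against the level criteria.
  * phase level: highest L such that every item in the phase scores >= L
    (a stage counts as reached only when all lower stages are met);
  * heat map: mean score per (phase, domain) cell;
  * priority list: items ordered by gap to the target level, largest first.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean

PHASES = ("Plan", "Do", "Check", "Act")
MIN_LEVEL, MAX_LEVEL = 1, 5


@dataclass(frozen=True)
class Item:
    code: str    # e.g. "D2.S1.I1"; the domain is the first dotted field
    phase: str   # one of PHASES
    score: int   # MIN_LEVEL..MAX_LEVEL

    @property
    def domain(self) -> str:
        return self.code.split(".")[0]


def validate(items):
    """Reject scores outside the level scale or phases outside PDCA."""
    for it in items:
        if it.phase not in PHASES:
            raise ValueError(f"{it.code}: unknown phase {it.phase!r}")
        if not MIN_LEVEL <= it.score <= MAX_LEVEL:
            raise ValueError(f"{it.code}: score {it.score} outside scale")


def staged_level(scores):
    """Highest L with every score >= L; no evidence at all counts as level 1."""
    return min(scores) if scores else MIN_LEVEL


def phase_levels(items):
    validate(items)
    by_phase = defaultdict(list)
    for it in items:
        by_phase[it.phase].append(it.score)
    return {p: staged_level(by_phase[p]) for p in PHASES}


def overall_level(items):
    validate(items)
    return staged_level([it.score for it in items])


def heat_map(items):
    """Mean score per (phase, domain) cell: the data behind a PDCA heat map."""
    validate(items)
    cells = defaultdict(list)
    for it in items:
        cells[(it.phase, it.domain)].append(it.score)
    return {cell: round(mean(v), 2) for cell, v in cells.items()}


def priority_list(items, target=MAX_LEVEL, limit=None):
    """Codes of items below target, largest gap first; ties broken by code."""
    validate(items)
    gaps = [(target - it.score, it.code) for it in items if it.score < target]
    gaps.sort(key=lambda g: (-g[0], g[1]))
    ranked = [code for _, code in gaps]
    return ranked[:limit] if limit else ranked


def build_profile(items):
    return {
        "overall": overall_level(items),
        "phases": phase_levels(items),
        "heat_map": heat_map(items),
        "priority": priority_list(items),
    }


# Constructed sample scores (assumed, not the paper's items): one cut of a
# self-assessment worksheet already mapped to PDCA phases.
SAMPLE = [
    Item("D1.S1.I1", "Plan", 4),
    Item("D1.S1.I2", "Plan", 3),
    Item("D2.S1.I1", "Do", 2),
    Item("D2.S2.I1", "Do", 3),
    Item("D3.S1.I1", "Check", 3),
    Item("D3.S1.I2", "Check", 1),
    Item("D4.S1.I1", "Act", 2),
]

if __name__ == "__main__":
    profile = build_profile(SAMPLE)
    print("Overall staged level:", profile["overall"])
    for phase in PHASES:
        print(f"  {phase:<5} level {profile['phases'][phase]}")
    for (phase, domain), score in sorted(profile["heat_map"].items()):
        print(f"  heat {phase:<5} {domain}: {score}")
    print("Reform first:", ", ".join(profile["priority"][:3]))
```

The staged rule is deliberately strict: a single level-1 item in the Check phase pulls that phase, and the overall profile, down to level 1, which is exactly why the priority list surfaces that item first. A mean-based score would hide such gaps behind otherwise good results.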
Thus, professionals need to consider how to formulate the rules governing the collection and distribution of information, as well as the information system specifications and requirements for developers and administrators. To improve the effectiveness of stakeholder interaction and communication, many related factors, such as people, environment, culture, language, literacy, and organization, have to be taken into account [43], [44], [45]. Leveraging the creativity and entrepreneurial spirit of employees and managers depends on the organization's ability to create favorable conditions for potential entrepreneurs to emerge in a way that aligns with the context and trends of the environment [46], [47], [48]. In the end, the most effective risk functions have gained strategic influence within the organization and are empowered to invest in the overall development of task and role responsibilities [49], [50].

VI. CONCLUSION
The proposed framework recommends establishing an appropriate alignment between the ERM design parameters, called the ERM Mix or Modified ERM, and contingent variables in order to achieve organizational effectiveness. The design parameters include specific roles for the risk identification process, the frequency of risk meetings, risk tools, and risk functions; the contingent variables are the types of risk, which refer to preventable organizational and industry variables, parameters, strategy, or the external domain. It must also be understood that it is impractical to expect an ERM process to develop into this mature state in a relatively short period of time. It can, however, be implemented quickly if the organization concentrates on assessing certain aspects only, such as risk treatment and risk acceptance, by utilizing context establishment. Several of the sample companies have integrated ERM software for some time, and the process is still ongoing, especially to improve its quality. The ERM process should continually update existing risk inventories and review probability and impact assessments to ensure that significant and potentially catastrophic risks are not overlooked. For this ERM approach to become dominant within the company, both the Board of Directors and the CEO must explicitly endorse the ERM effort, the elements of the mature ERM process described by the framework must be reported with the ERM staff, and sufficient resources must be available to fully achieve the implementation. As this modified framework has been used in one case study, it is expected to be evaluated further in different contexts and from the perspectives of diverse case studies, to strengthen and advance the proposed framework.