Simplified IT Risk Management Maturity Audit System based on “COBIT 5 for Risk”

In recent years, the role of risk management has emerged as a key success factor in ensuring both the growth and the survival of any organization. Moreover, dependence on IT has become systematic within any organization. This dependence therefore makes the implementation of an IT risk management system important in order to manage IT risks well. There are several standards that deal with enterprise risk management in general or information security in particular. However, few standards deal with IT risk management. COBIT 5 (Control Objectives for Information and related Technology), for example, deals with IT risk management but is complicated to deploy. The purpose of this article is to describe a simplified IT risk management maturity audit system for an organization based on "COBIT 5 for Risk". This system aims to evaluate the maturity of IT risk management before proceeding to the implementation or update of an IT risk management system within an organisation.

Keywords—IT risk management; COBIT 5 for risk; maturity audit system; COBIT 5 enablers; analysis axes; maturity scale and score; maturity audit report


I. INTRODUCTION
Taking risks is a prerequisite for the survival and growth of any business. Consequently, it is essential to properly manage and control the risks inherent in the activity; otherwise, if these risks materialize, the company will not be able to achieve its objectives [1] [2].
On the other hand, with the emergence of Information Technology, which has become an integral part of any business ecosystem, IT risk management is becoming vital for the business [3].
"Risk management is a process that aims to reduce the harmful effects of an activity through conscious action to anticipate unwanted events and plan to avoid them. Risk management can be thought of as a process of measuring or evaluating risk and then designing strategies for risk management" [4] [5] [6] [7]. Therefore, standards have been developed to deal with risk management in general, and with IT risk management and information security in particular. Many risk management standards and information security standards exist, but few deal with the question of IT risk management.
COSO, for example, is an internal control reference framework developed by the Committee of Sponsoring Organizations of the Treadway Commission; it aims to improve the performance and governance of companies as well as to reduce fraud within organizations [8].
On the other hand, there is COBIT, a reference framework for IT audit and IT governance, which is intended for management (which must decide on the investments to be made, ensure the security and control of IT, and adjust them according to the risks of the environment) and for users (security and control of the IT services provided) [9] [10].
The COBIT 5 framework includes specific documentation for IT risk management called "COBIT 5 for Risk" [11], but this framework is complicated to deploy, with a large library of publications requiring operationalization and consolidation of the concepts related to IT risk management.
To respond to these limitations, we have focused our research on the development of a simplified IT risk management system that can be used easily within an organization. The first step in this development is the setting up of an IT risk management maturity audit system. The main purpose of this system is to evaluate the maturity of IT risk management, identify the gaps and define action plans that will allow the setting up or update of IT risk management within an organization. In this article we describe a proposed system for the IT risk management maturity audit of an organization based on "COBIT 5 for Risk".
After an introduction, we will present a review of the literature on IT risk management. The next part will describe the methodological approach to be adopted when setting up the maturity audit system for the IT risk management of an organization. Afterwards, we will describe the proposed system for the maturity audit of the IT risk management of an organization. We will end with a conclusion and perspectives.

II. REVIEW OF THE LITERATURE ON IT RISK MANAGEMENT
A risk can be defined as the "effect of uncertainty on objectives. An effect is a deviation from the expected - positive or negative. Uncertainty is the state, even partial, of deficiency of information related to, understanding or knowledge of, an event, its consequence, or likelihood." [12] [13].
"COBIT 5 for Risk defines IT risk as business risk, specifically, the business risk associated with the use, ownership, operation, involvement, influence and adoption of IT within an enterprise. IT risk consists of IT-related events that could potentially impact the business. IT risk can occur with both uncertain frequency and impact and creates challenges in meeting strategic goals and objectives." [11].
Risk management is the "coordinated activities to direct and control an organization with regard to risk". As a consequence, a risk management framework is a "set of components that provide the foundations and organizational arrangements for designing, implementing, monitoring, reviewing and continually improving risk management throughout the organization." [13].
Within the framework of risk management, several standards exist. COSO, for example, is a reference framework for internal control developed by the Committee of Sponsoring Organizations of the Treadway Commission, aimed at improving the performance and governance of companies as well as reducing fraud within organizations [8].
On the other hand, COBIT constitutes a reference framework for IT audit and IS governance and is intended for both management and users. This framework includes dedicated documentation for IT risk management: "COBIT 5 for Risk" [11].
ISO 31000 is a standard that provides principles and guidelines for risk management as well as implementation processes at the strategic and operational levels [14].
ISO/IEC 27005 is a standard that describes the main lines of risk management with a view to setting up an information security management system [15].
Below is a comparative table of a selection of existing standards related to risk management (Table I).

TABLE I. COMPARATIVE

Except for COBIT 5, all of the frameworks / standards are either generic risk management frameworks or specific frameworks for information security risk management, and do not deal with all components of IT risk management. The COBIT 5 framework includes specific documentation for IT risk management called "COBIT 5 for Risk", but this framework is complicated to deploy, with a large library of publications requiring operationalization and consolidation of the concepts relating to IT risk management.
In addition, COBIT 5 is a framework that aligns and incorporates the key components of other risk management frameworks [11] [10]:
• ISO 31000 (principles, risk management framework, process for managing risk).
In the literature, there are research articles that discuss the deployment of COBIT 5 for IT risk management. Walid Al-Ahmad and Basil Mohammed, in their article [16], present the business processes used in information security risk management, as well as the corresponding activities and guidelines for implementing them. This article does not take into account IT risk governance processes (EDM03 Ensuring risk optimization) and focuses on information security risk management. Hanim Maria Astuti et al., in their article [17], present a case study of the deployment of COBIT 5 for the identification, assessment and management of the IT risks of an organizational unit (Service Desk). This article is limited to the deployment of two COBIT 5 processes: DSS02 Manage service and APO12 Manage Risks.
The main limitation of the two research articles cited above is that they only partially cover the implementation of an IT risk management system and do not detail the IT risk governance process.
Based on the elements mentioned above, a research work has been launched for the development of an IT risk management system based on COBIT 5. This article presents the first phase of the development of this system, which consists of the description of a maturity audit system for the IT risk management of an organization.
III. DESCRIPTION OF THE METHODOLOGICAL APPROACH TO BE ADOPTED
In order to set up a maturity audit system for IT risk management within an organization, we suggest adopting an approach based on the analysis of the Risk Function perspective described by COBIT 5 for Risk (Fig. 1). The Risk Function Perspective "describes what is necessary in a company to effectively and efficiently build and maintain governance and risk management activities". [11].

Risk Function Perspective
The risk function perspective describes how to build and sustain a risk function in the enterprise by using the COBIT 5 enablers.

Risk Management Perspective
The risk management perspective looks at core risk governance and risk management processes and risk scenarios. This perspective describes how risk can be mitigated by using COBIT 5 enablers.
Indeed, the risk function perspective is based on the seven COBIT 5 enablers (Fig. 2) [9] in order to detail the different functions / dimensions of an organization that enable IT risk governance and management. An enabler can be considered as a dimension or a pillar for the establishment of IT governance.
The proposed methodological approach is broken down into seven macro-phases in alignment with the seven enablers defined by COBIT 5 (Table II). For each macro-phase, all of the steps described in Fig. 3 must be taken to audit the maturity level of each enabler in terms of IT risk management (except for the "Process" enabler, whose maturity audit steps are partially described by COBIT 5 [9]):

Sub-step 1.1: Identification of the different values of the enabler audited in relation to IT risk management
For each enabler, the objective is to define its different values in relation to IT risk management in order to audit each value according to the defined axes of analysis.

Delivery:
List of values of the enabler audited.

Sub-step 1.2: Definition of analysis axes
For each enabler, COBIT 5 specifies a set of good practices to be observed; the different axes of analysis are defined on the basis of these good practices.

Sub-step 1.3: Definition of an overall maturity scale
The maturity scale varies between 1 and 5. The value ranges included in each level are defined according to the minimum score and the maximum score of the enabler being audited.

Sub-step 1.4: Identification of stakeholders
We determine the various stakeholders necessary for the conduct of the enabler maturity audit in terms of IT risk management. For each value of the enabler audited, we define the business manager who will collaborate with the IT auditor in order to carry out the audit.

Sub-step 1.5: Collection and saving of documents to be analysed
We collect and save the various documents to be analysed in order to audit the maturity of the IT risk management of the enabler being audited.

Sub-step 2.1: Analysis and attribution of scores to each value of the enabler audited
We analyze each value of the enabler audited and assign a score per axis of analysis. We calculate the number and the percentage of the different scores assigned by axis of analysis and by value of the enabler audited (the number and the percentage of 0, 1 and 2). The overall score is calculated by summing all the scores. Depending on the overall score obtained, a maturity level is obtained in accordance with the previously defined maturity scale.
Delivery: Breakdown in percentage of scores 0, 1 and 2, Overall maturity level of the enabler audited.

Sub-step 3.1: Description of the weaknesses / strengths identified as well as the action plan to be implemented
Based on the analysis of each value of the enabler according to the predefined axes of analysis, the strengths and weaknesses are identified as well as the action plan to be implemented to remedy the weaknesses observed.
Delivery: Summary of strengths and weaknesses and corresponding action plan.

Sub-step 3.2: Preparation of the final audit report on the enabler maturity in terms of the IT risk management
Prepare the maturity audit report for the enabler in terms of IT risk management, including a description of the various stages carried out and the audit results obtained.
Delivery: Enabler maturity audit report in terms of IT risk management.

IV. DESCRIPTION OF THE PROPOSED SIMPLIFIED IT RISK MANAGEMENT MATURITY AUDIT SYSTEM
In this part, we describe the simplified IT risk management maturity audit system for an organization by reviewing the different macro-phases. The first two macro-phases (Table II) are described in detail; the others are similar to the first macro-phase, except for certain steps which are described below.

A. Maturity Audit of the Principles, Policies and Frameworks Related to IT Risk Management
1) Planning of the maturity audit of the "Principles, policies and frameworks" enabler in terms of IT risk management
a) Identification of the different values of the enabler audited related to IT risk management
This step consists in identifying the principles and policies making it possible to build and implement IT risk management in an organization.
Regarding policies, COBIT 5 lists 18 policies with the description of each policy. Below are the 18 policies mentioned by COBIT 5 (Fig. 5) [11].
b) Definition of analysis axes
This step consists in determining the analysis axes based on the good practices of COBIT 5 [11]. The different axes of analysis and the corresponding rating system are described in Table III.

c) Definition of a global maturity scale
In this step, we define a maturity scale that varies between 0 and 5 and is divided between the minimum score and the maximum score (Fig. 6):

d) Identification of stakeholders
In this step, we determine the various stakeholders necessary for the conduct of the maturity audit process of the macro-phase "maturity audit of principles, policies and frameworks related to IT risk management". For each policy, we define the business manager who will coordinate with the IT auditor in order to carry out the audit.

e) Collection and saving of documents to be analysed
In this step, we collect and save the various existing policies in order to analyze them and audit the maturity of the IT risk management of the "Principles, Policies and Frameworks" enabler.
2) Execution of the maturity audit of the "Principles, policies and frameworks" enabler in terms of IT risk management.

a) Analysis and attribution of scores to each value of the enabler audited
In this step, we analyze each policy according to the predefined analysis axes and attribute a score per axis according to the predefined rating system (Table IV):

Global maturity scale (Fig. 6):
Maturity level 1: rating between 1 and 72
Maturity level 2: rating between 73 and 144
Maturity level 3: rating between 145 and 216
Maturity level 4: rating between 217 and 288
Maturity level 5: rating between 289 and 360

b) Calculation of the overall score and assessment of the maturity level
This step consists in calculating the number and the percentage of the different possible scores (0, 1 and 2), then calculating the overall score by summing all the scores awarded, by value of the enabler and by analysis axis. The overall score makes it possible to assess the maturity level of principles, policies and frameworks according to its position on the global maturity scale.
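The scoring described in Sub-step 2.1 and in step b) above, as an added example that is not the paper's own code: per-axis ratings of 0, 1 or 2 are counted, summed into an overall score and positioned on a five-band scale. It assumes the bands are equal fifths of the range from 1 to the maximum score, with level 5 absorbing any remainder (this reproduces the 1-72 to 289-360 bands of Fig. 6 and the 1-70 to 281-352 bands of Fig. 10); the policy names and axis names are constructed, not taken from COBIT 5.

```python
"""Added example (not the paper's code): Sub-step 2.1 / step IV.A.2 scoring
for one COBIT 5 enabler audit. Assumptions: each analysis axis is rated 0, 1
or 2; the maturity scale is the range 1..max score split into five equal bands,
level 5 absorbing any remainder (1-72..289-360 for a maximum of 360)."""
from collections import Counter
from typing import Dict, List, Tuple

AXIS_SCORES = (0, 1, 2)                  # rating per analysis axis
LEVELS = 5                               # maturity levels 1..5; a sum of 0 maps to 0
Band = Tuple[int, int, int]              # (level, lowest score, highest score)
ScoreMatrix = Dict[str, Dict[str, int]]  # scores[enabler value][analysis axis]


def maturity_scale(max_score: int) -> List[Band]:
    """Sub-step 1.3: split 1..max_score into five bands of width max_score // 5."""
    width = max_score // LEVELS
    bands: List[Band] = []
    low = 1
    for level in range(1, LEVELS + 1):
        high = max_score if level == LEVELS else low + width - 1
        bands.append((level, low, high))
        low = high + 1
    return bands


def maturity_level(overall: int, scale: List[Band]) -> int:
    """Position an overall score on the scale; 0 when no band contains it."""
    for level, low, high in scale:
        if low <= overall <= high:
            return level
    return 0


def score_distribution(scores: ScoreMatrix) -> Dict[int, Tuple[int, float]]:
    """Number and percentage of 0, 1 and 2 ratings over the whole matrix."""
    counts = Counter(s for axes in scores.values() for s in axes.values())
    total = sum(counts.values())
    return {s: (counts[s], round(100.0 * counts[s] / total, 1)) for s in AXIS_SCORES}


def audit_enabler(scores: ScoreMatrix) -> Dict[str, object]:
    """Validate the ratings, sum them and position the sum on the scale."""
    axis_counts = {len(axes) for axes in scores.values()}
    if len(axis_counts) != 1 or axis_counts == {0}:
        raise ValueError("every value must be rated on the same, non-empty set of axes")
    for value, axes in scores.items():
        for axis, s in axes.items():
            if s not in AXIS_SCORES:
                raise ValueError(f"{value}/{axis}: rating {s} not in {AXIS_SCORES}")
    max_score = len(scores) * axis_counts.pop() * max(AXIS_SCORES)
    scale = maturity_scale(max_score)
    overall = sum(s for axes in scores.values() for s in axes.values())
    return {
        "max_score": max_score,
        "scale": scale,
        "distribution": score_distribution(scores),
        "overall": overall,
        "level": maturity_level(overall, scale),
        # input for Sub-step 3.1: axes rated 0 are weaknesses, axes rated 2 strengths
        "weaknesses": {v: [a for a, s in axes.items() if s == 0] for v, axes in scores.items()},
        "strengths": {v: [a for a, s in axes.items() if s == 2] for v, axes in scores.items()},
    }


# Constructed sample: three policies rated on four hypothetical analysis axes
SAMPLE: ScoreMatrix = {
    "Policy A": {"documented": 2, "approved": 2, "communicated": 1, "reviewed": 0},
    "Policy B": {"documented": 1, "approved": 0, "communicated": 0, "reviewed": 0},
    "Policy C": {"documented": 2, "approved": 1, "communicated": 1, "reviewed": 1},
}

if __name__ == "__main__":
    result = audit_enabler(SAMPLE)
    for level, low, high in result["scale"]:
        print(f"Maturity level {level}: rating between {low} and {high}")
    print("overall score", result["overall"], "-> maturity level", result["level"])
    print("distribution (count, %):", result["distribution"])
```

The `weaknesses` and `strengths` lists are the raw material for the radar chart and action plan of step 3; an axis rated 0 on a policy is a gap the plan has to close.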
3) Summary of the maturity audit of the "Principles, policies and frameworks" enabler in terms of IT risk management.
a) Description of the weaknesses / strengths identified as well as the action plan to be implemented.
This step consists in positioning, for each policy audited, the scores assigned by analysis axis on a radar chart to better identify the strengths and weaknesses (Fig. 7). Then, we describe the strengths / weaknesses identified for each policy and propose the action plans to be implemented to improve the maturity level of the "Principles, Policies and Frameworks" enabler.

b) Preparation of the final report on the enabler maturity audit in terms of IT risk management.
In this step, the maturity audit report of the enabler "Principles, policies and frameworks" in terms of IT risk management is drawn up, with a description of the various stages carried out and the audit results obtained.

B. Maturity Audit of IT Risk Management Processes
The first step is to identify the processes needed for building and implementing IT risk management in an organization.
COBIT 5 defines 2 core processes dedicated solely to IT risk governance and management [11] [19]:
• EDM03 Ensure Risk Optimization
• APO12 Manage Risk
COBIT 5 also defines 12 supporting processes for IT risk governance and management (Fig. 8). The remaining 23 processes defined by COBIT 5 [19] also contribute to IT risk governance and management, but their contribution is low. These processes will therefore not be subject to a maturity audit.
The second step consists in determining the analysis axes; we retain the maturity level of the process according to the maturity scale defined by COBIT 5. The maturity level makes it possible to audit the maturity of a process; 6 maturity levels are defined in COBIT 5 (Fig. 9) [9].
In the third step, we determine the different stakeholders necessary for the conduct of the process maturity audit. For each process, we define the business manager who will coordinate with the IT auditor to carry out the audit.
In the fourth step, we collect and save the documentation relating to existing processes in order to analyze and audit the maturity of the IT risk management of the "Process" enabler.
In the fifth step, we assess the maturity level of each process defined in the first step.
Process maturity levels defined by COBIT 5 (Fig. 9):
Incomplete process 0: The process is not implemented or fails to achieve its process purpose. At this level, there is little or no evidence of any systematic achievement of the process purpose.
Performed process 1: The implemented process achieves its process purpose.
Managed process 2: The previously described performed process is now implemented in a managed fashion (planned, monitored and adjusted) and its work products are appropriately established, controlled and maintained.
Established process 3: The previously described managed process is now implemented using a defined process that is capable of achieving its process outcomes.
Predictable process 4: The previously described established process now operates within defined limits to achieve its process outcomes.
Optimizing process 5: The previously described predictable process is continuously improved to meet relevant current and projected business goals.

In the sixth step, the overall score is calculated by applying the following formula (1):
• N_g: represents the overall score; the overall score makes it possible to assess the maturity level of the processes according to the scale, which varies between 0 and 5.
• N_cp1: represents the maturity of the first core process for IT risk governance and management (EDM03).
• N_cp2: represents the maturity of the second core process for IT risk governance and management (APO12).
• N_spx: represents the maturity of the 12 supporting processes for IT risk governance and management (list mentioned above).
In the seventh step, we describe the strengths / weaknesses identified for each process and propose the action plans to be implemented to improve the maturity level of the "Process" enabler.
In the last step, we prepare the process maturity audit report in terms of IT risk management, summarizing the various stages carried out and the audit results obtained.
In the remaining macro-phases, 3 to 7, we only describe the two sub-steps "Definition of the analysis axes" and "Definition of a global maturity scale" of the planning step of the maturity audit. The rest remains similar to macro-phase 1.

C. Maturity Audit of Organizational Structures related to IT Risk Management
1) Definition of analysis axes: This step consists in determining the analysis axes based on the good practices of COBIT 5 [11]. The different axes of analysis and the corresponding rating system are described below (Table V).
2) Definition of a global maturity scale: In this step, we define a maturity scale that varies between 0 and 5 and is divided between the minimum score and the maximum score (Fig. 10).

Global maturity scale (Fig. 10):
Maturity level 1: rating between 1 and 70
Maturity level 2: rating between 71 and 140
Maturity level 3: rating between 141 and 210
Maturity level 4: rating between 211 and 280
Maturity level 5: rating between 281 and 352

D. Maturity Audit of Culture, Ethics and Behaviour related to IT Risk Management
1) Definition of analysis axes: This step consists in determining the analysis axes based on the good practices of COBIT 5 [11]. The different axes of analysis and the corresponding rating system are described in Table VI.
2) Definition of a global maturity scale: In this step, we define a maturity scale that varies between 0 and 5 and is divided between the minimum score and the maximum score (Fig. 11).

E. Maturity Audit of the Information related to IT Risk Management
1) Definition of analysis axes: This step consists in determining the analysis axes based on the good practices of COBIT 5 [11]. The different axes of analysis and the corresponding rating system are described in Table VII.
2) Definition of a global maturity scale: In this step, we define a maturity scale that varies between 0 and 5 and is divided between the minimum score and the maximum score (Fig. 12):

Global maturity scales (Fig. 11 and Fig. 12):
Maturity level 1: rating between 1 and 46
Maturity level 2: rating between 47 and 92
Maturity level 3: rating between 93 and 138
Maturity level 4: rating between 139 and 184

Maturity level 1: rating between 1 and 72
Maturity level 2: rating between 73 and 144
Maturity level 3: rating between 145 and 216
Maturity level 4: rating between 217 and 288
Maturity level 5: rating between 289 and 360

Information attributes analysed (Table VII):
The audit focuses on the quality of this attribute. Rating: Bad / Medium / Good
Contingency: "The attribute that identifies the information that is required to precede this information (for it to be considered as information)." The audit focuses on the quality and availability of the prerequisites of the information subject to the audit. Rating: Bad / Medium / Good
Context: "The attribute that identifies the context in which the information makes sense, is used, has value, etc., e.g., cultural context." The audit focuses on the quality of this attribute. Rating: Bad / Medium / Good

F. Maturity Audit of Services, Infrastructures and Applications related to IT Risk Management
1) Definition of analysis axes: This step consists in determining the analysis axes based on the good practices of COBIT 5 [11]. The different axes of analysis and the corresponding rating system are described below (Table VIII).
2) Definition of a global maturity scale: In this step, we define a maturity scale that varies between 0 and 5 and is divided between the minimum score and the maximum score (Fig. 13).

G. Maturity Audit of People, Skills and Competencies related to IT Risk Management
1) Definition of analysis axes: This step consists in determining the analysis axes based on the good practices of COBIT 5 [11]. The different axes of analysis and the corresponding rating system are described below (Table IX).
2) Definition of a global maturity scale: In this step, we define a maturity scale that varies between 0 and 5 and is divided between the minimum score and the maximum score (Fig. 14):

Global maturity scales (Fig. 13 and Fig. 14):
Maturity level 1: rating between 1 and 34
Maturity level 2: rating between 35 and 68
Maturity level 3: rating between 69 and 102
Maturity level 4: rating between 103 and 136

Maturity level 1: rating between 1 and 66
Maturity level 2: rating between 67 and 132
Maturity level 3: rating between 133 and 198
Maturity level 4: rating between 199 and 264