The Development and Initial Results of a Component Model for Risk Mitigation in IT Governance
DOI:
https://doi.org/10.11113/jostip.v2n2.6
Keywords:
Risk; Risk Mitigation; Components; Metrics; IT Governance
Abstract
Risk mitigation is an important process for risk management in information technology (IT) governance. Practitioners adopt risk mitigation to allay risks within IT systems and to provide a sufficient means to resolve and control the operational, strategic and technical risks that depend on IT infrastructures. Risk mitigation is necessary to ensure the successful implementation of IT governance. Currently, risk mitigation in IT governance is not fully and successfully adopted because the mitigation process is inadequately supported. The majority of the existing models and frameworks lack the capability to support IT governance practitioners in adequately mitigating risks. Thus, there is a need for a model that can help the risk mitigation team to identify and treat arising risks. Hence, this paper aims to present the risk mitigation components and related metrics needed for risk mitigation in IT governance. These components and metrics are essential in mitigating both the operational and technical risks that practitioners face in the IT governance process. A quantitative methodology was adopted to collect data on the risk mitigation practices, processes and procedures implemented by practitioners in selected governmental institutions in Malaysia. The developed model component and related metrics were initially verified through an online survey (using SurveyMonkey) carried out among 23 IT practitioners in 12 selected Malaysian institutions. Results from the survey show that the components and associated metrics are important and should be considered by practitioners and experts when mitigating risks in IT governance.