A Study of Success Factors of Principle and Practice in Information Technology Risk Management

The purpose of studying the success factors of principle and practice in Information Technology Risk Management (ITRM) is initiated from the proposition that appropriate ITRM principle and practice can mitigate IT risks and losses which is a result of security threats. The literature showed that various general principles and frameworks are widely published but the established principle cannot be put into the practice. Additionally, there is a research study regarding the difficulty to maintain independent in identifying, reviewing and reporting tasks of IT risk and internal audit functions. The methodology consisted of the review of general principles and frameworks? documents and the interview from case studies. The general principles and frameworks in this research collected from the question ?Which principles and frameworks are applied to ITRM in your organization??. The question was asked to people in IT risk and IT internal audit functions from banking organizations and other industries which advanced information technologies are critical to the organizations. The content from first five applied principles and frameworks from the survey are Basel, COBIT 5 framework, COSO Enterprise Risk Management, ISO 31000 and ISO/IEC 27005 were reviewed. In addition, the interviews were conducted to the people in both functions from banking organizations regarding the success factors of principle and practice in ITRM in their opinions without guiding from the interviewer. The findings from the review of documents are eleven success factors that are general principle and framework selection, principle establishment, process design, structure of risk team, team?s expertise, complex level of task, interdependent level, risk culture, communication in organization, training and risk management?s tools and techniques. Meanwhile, the in-depth interviews? results showed that nine success factors that are adoption of ITRM principle, appropriate Process from ITRM Principle, task, interaction, adaptability, outsourcing, management support, conflict management and culture transformation. In conclusion, the success factors from both resources were compared and discussed as triangulation.The practical contribution of the research is that the success factors can be used as a primary check for the appropriation of current principle and practice, the exploration an intrinsic problem in both principle and practice on ITRM or the development stage. For the theoretical contribution, the researcher recommends studying various success case studies applying the principle and practices from various industries and classified the patterns by organization types which the information technologies are significant to their operation.