
JOSTIP

Vol. 2 No. 2 (Dec. 2016)

The Development and Initial Results of a Component Model for Risk Mitigation in IT Governance

Bokolo Anthony Jnr*, Noraini Che Pa, Rozi Nor Haizan Nor and Yusmadi Yah Josoh

Department of Software Engineering and Information Systems, Faculty of Computer Science and Information Technology, Universiti Putra Malaysia

*Corresponding author: bkanjr@gmail.com

Abstract
Risk mitigation is an important process for risk management in information technology (IT) governance. Practitioners adopt risk mitigation to allay risks
within IT systems and provide for a sufficient medium to resolve and control operational, strategic and technical risks which depend on IT infrastructures.
Risk mitigation is necessary to ensure the successful implementation of IT governance. Currently, mitigating risks in IT governance is not fully and
successfully adopted due to inadequate support in the mitigation process. The majority of the existing models and frameworks lack the capability to support
IT governance practitioners to adequately mitigate risks. Thus, there is a need for a model that can provide support to help the risk mitigation team to
identify and treat arising risks. Hence, this paper aims to present risk mitigation components and the related metrics needed for risk mitigation in IT
governance. These components and metrics are essential in mitigating both operational and technical risks that practitioners face in the IT governance
process. A quantitative methodology was adopted to collect data on risk mitigation practice, process and procedures implemented by practitioners in selected
governmental institutions in Malaysia. The developed model component and related metrics were initially verified through an online survey (using Survey
Monkey) carried out among 23 IT practitioners in 12 selected Malaysian institutions. Results from the survey show that the components and associated
metrics are important and should be considered by practitioners and experts when mitigating risks in IT governance.
Keywords: Risk; Risk Mitigation; Components; Metrics; IT Governance

2016 Perdana School UTM. All rights reserved

1.0 INTRODUCTION
IT governance aims to direct IT endeavours that guarantee the organisation's performance on objectives as set out by the management. With effective governance, investment in IT infrastructure can be optimized to extend an organization's business strategies and goals. IT governance focuses mainly on the areas of IT strategic alignment, IT resource management, risk management, performance measurement and IT value delivery (ITGI, 2008). Thus, IT governance encompasses the policies and procedures implemented by the management in organisations to ensure the proper usage of IT infrastructures among practitioners and an organisation's staff (Weill and Ross, 2005). Risks exist when IT infrastructures are used for business continuity (Daya and Mohd, 2008). Risks are events that negatively impact the organization's ability to achieve its goals, as far as the probability of their occurrence and the related consequences are concerned (Bharat, Kapil and Subhash, 2012). Risk is described as the possibility of suffering a loss due to a possible negative impact on the process or system, which could be in the form of a poor IT infrastructure solution, increased costs, failure, or delayed completion (Lee, Lim and Chung, 2006).
Furthermore, all systems share risks to some extent, and the majority of IT infrastructures face operational, technical and strategic risks (Lientz and Larssen, 2006). Risk mitigation includes tasks such as identifying potential risks, finding risk-reducing measures, making decisions related to the risks and monitoring them. Risk mitigation also includes determining risk-reducing measures (Sandip and Jigish, 2010). According to Sneh and Ujjawal (2009), risk mitigation assists practitioners in preparing plans for handling and minimizing the potential adverse effects of a risk, which is implemented by controlling and reducing the risk. Ahdieh and Ow (2012a) also state that risk mitigation is an action that helps practitioners to understand and solve risks. Since risks are essentially potential problems, they might or might not happen. Regardless of the outcome, Ahdieh and Ow (2012a) suggested that practitioners are encouraged to identify risks, measure the probability of their occurrence, and estimate their impact.
Generally, IT governance requires a distinctive mitigation process for operational, technical and strategic risks that may cause failure or loss of important IT processes when they occur (Pricewaterhouse, 2007). Presently, only a little research has been directed to risk mitigation in the domain of IT governance (Eugene and Johan, 2006; Dirk, 2009; Mirela, 2011). This results in a gap in mitigating operational, technical and strategic risks. However, Moeinzadeh and Hajfathaliha (2009) suggested that the essence of a risk mitigation model is to assist in making decisions that optimally align organisational processes and decisions to exploit opportunities while simultaneously minimizing and mitigating risks. They see risk mitigation as a concept which contains all strategies and measures, all knowledge, all institutions, all processes and all technologies, which can be used on the technical, personal and organizational levels, to mitigate risks in IT governance.
As stated previously, three dimensions of risk are considered: operational, technical and strategic risks. If operational risks become a reality, it is likely that the IT output schedule will be affected. As a result, costs will also increase. Technical risks threaten the quality and timeliness of IT processes. Strategic risks threaten the normal growth and development of the whole IT system and its associated resources (Gary, Goguen and Feringa, 2002; Ronke, 2012). Despite many scholars and IT practitioners recognizing risk mitigation processes in IT governance research, insufficient attention has been paid by researchers to selecting suitable risk mitigation components and metrics. This paper attempts to address this limitation and the gap in the current literature by providing risk mitigation components and related metrics. For that reason, the main target of the paper is to give researchers and practitioners an insight into the current level of risk mitigation in IT governance by presenting the essential components and the respective metrics for mitigating operational, technical and strategic risks in IT governance.
This paper is organized as follows. In the next section, we present related work on risk mitigation and various risk mitigation research. Section 3 presents the research methodology adopted. Section 4 presents the risk mitigation component model showing the risk components and related metrics. Section 5 explains the component model verification; then the verification results are presented. Section 6 discusses these results. Section 7 presents the research's implications and limitations. Finally, the last section presents a conclusion and possible future work.
2.0 RELATED WORK ON RISK MITIGATION
Risk mitigation may be implemented through the use of a wide variety of risk mitigation models, processes or applications that provide quantitative or qualitative measurements of the risks involved (Abdullahi-Mohamud and Basri, 2011). Thus, this section discusses existing risk mitigation models and existing risk mitigation components and metrics.
2.1 Existing Risk Mitigation Models
Risk mitigation in IT governance is an organized way of identifying risks by measuring their probability and possible impact, as well as ways to mitigate or solve them when they arise. Systematic risk mitigation may be facilitated through the use of a wide variety of risk mitigation models, processes or applications that provide a quantitative or qualitative measurement of the risks involved. There are a few published risk mitigation models/frameworks that resolve risks associated with IT governance. Taking decisions on a risk is based on qualitative, quantitative or hybrid measurement results. Qualitative measurement means that the risk information is registered in verbal form rather than in numeric form, as in the case of quantitative measurement. Hybrid measurement is a combination of both quantitative and qualitative measurement (Abdullahi-Mohamud and Basri, 2011).
Bharat et al. (2012) mentioned that an effective risk mitigation process focuses on taking care of the most frequently occurring risks. It is possible to predict the possible result of risks in IT governance with good accuracy, not only in identifying them, but also in estimating and providing solutions on how to treat them. Daya and Mohd (2008) proposed the Software Risk Assessment and Estimation Model (SRAEM). In their model, the risk is estimated using risk exposure and software metrics of risk mitigation, and this metric is based on mission critical requirements stability risk metrics (MCRSRM). This model not only evaluates the risk but also estimates it. Initially, the model estimates the sources of uncertainty using different paradigms such as measurement error, model error and assumption error.
Say-Wei and Armugam (2000) proposed a Software Risk Assessment Model (SRAM). This model makes use of a comprehensive
questionnaire to provide results based on risk metrics obtained from the proposed model. This model considers the following nine critical
risk elements: complexity, staff involved in the project, targeted reliability, product requirements, method of estimation, method of
monitoring, development process adopted, usability of software and tools used for development. This model considers the method of
prioritization as a single step of risk mitigation but does not specify how prioritization would be done.
Moeinzadeh and Hajfathaliha (2009) proposed an SCRM model that assists in making decisions that optimally align organizational processes and decisions to exploit opportunities while simultaneously mitigating risk, using a questionnaire for dealing with data regarding qualitative and quantitative risk mitigation. They used a brainstorming method, which was conducive to a group decision-making process. The researchers based their research on two processes: risk identification and risk measurement. Risk identification is the basis of the process, the purpose of which is to recognize risks in IT. Risk measurement estimates the risk magnitude by using qualitative or quantitative approaches and technologies.
Basit, Abdullah and Al (2010) presented a Risk Identification, Mitigation and Avoidance Model for Handling Software Risk (RIMAM). This model briefly presents the strategies expected for the identification and mitigation of risks such as over-optimistic technology perceptions, staff experience, staff turnover, excessive error detection and the preservation of intellectuals. This model can be customized with respect to the environment in which it is being used (Basit, Abdullah and Al, 2010).

Mohd and Mohd (2010) suggested a Software Risk Assessment and Evaluation Process using Model Based Approach (SRAEP).
This method is a better technique of risk estimation, risk prioritization and mitigation. After the identification of risks, several mitigation
countermeasures are put into place.
2.2 Existing Risk Mitigation Components and Metrics
Ahdieh and Ow (2012b) proposed a model for a software risk mitigation plan which involves creating a risk mitigation plan and modeling the actual risks. Their model reduces the risk consequences and their occurrence probabilities. It identifies effective factors in fault tolerance and risk consequences, and presents solutions to reduce the risks. The model components include people, environment, and organization, while the metrics are commitment, availability, cooperation, effectiveness, stability, flexibility, cost, dependability, capability, suitability and integration.
Mohd and Mohd (2010) presented a model to mitigate IT risk which enables managers and decision makers to integrate components comprising people, technology, procedure, policy, and decision makers. The metrics involved are capacities, collaboration, modularity, transferability, clarity, effectiveness, extensibility, susceptibility, consistency, agility, interoperability, dependability and predictability.
Sailesh et al. (2008) proposed a risk mitigation model for a robust design process that helps to mitigate the risks associated with
development in an IT environment. Model components comprise process, staff, technology, and process while the metrics are commitment,
collaboration, coordination, reliability, effectiveness, liability, vulnerability, compatibility, consistency, viability and acceptability.
Vu and Liu (2007) developed a risk mitigating model for integrated software systems to effectively identify and address potential technical risks. The components involved include people, guidelines, infrastructure and process. The metrics involved are trust, capacities, resource availability, reliability, time, capability, efficiency, performance, security, data integrity, consequences, consistency, agility, modularity and operability.
Ahdieh and Ow (2012a) designed a software risk mitigation process model that facilitates the development of a comprehensive risk
mitigation plan by focusing on the unseen risks and opportunities accompanying risk mitigation decisions. Its components comprise team
members, process, and technique and the metrics are transferability, acceptability, extensibility, correctness, clarity, predictability,
dependability, time and trust.
Junchao et al. (2013) proposed a search-based risk mitigation planning model for solving the problem of mitigating risks in software projects, thus providing useful decision-making support for managers. The identified components include people, procedure, methods, technology and guidelines. The model metrics include expenses, security, data integrity, capabilities, complexity, simplicity, performance, reliability, capacities, resource availability, resource usage, mentality, team behavior and efficiency.
3.0 RESEARCH METHODOLOGY
This section presents the research methodology carried out to develop and verify the risk mitigation component model. In order to develop the risk mitigation component model, data was collected from the existing risk mitigation literature. A systematic literature review (SLR) on risk assessment and mitigation practice, process and procedures in IT governance was conducted, as seen in Section 2. Then, a preliminary study was conducted, starting with a pilot study comprising three Malaysian institutions that presently adopt risk mitigation in their Information and Communications Technology (ICT) divisions. The pilot study aimed to check whether the respondents understood the questions in the questionnaire. The next phase was to develop the risk mitigation component model based on the secondary data collected from the literature. The model was then verified by IT practitioners from selected Malaysia-based institutions using an online survey. The research methodology is shown in Figure 1.


Figure 1 Research Methodology


Figure 1 illustrates the research methodology adopted in this research paper to develop and verify the model's components and related metrics. Each phase shown in Figure 1 was carried out in this research paper.
4.0 COMPONENT MODEL FOR RISK MITIGATION
The aim of this research paper is to develop the component model for risk mitigation in IT governance and provide initial results
on the verification of the model components and associated metrics. A component, as mentioned by Bill and George (2001), is an object or
element. It is an independent and replaceable part of a system that fulfills a clear function in the context of a well-defined architecture by
providing the physical realization of a set of interfaces (Bill and George, 2001). On the other hand, a metric is a measurable physical or
abstract property of a component (Alexandre, Eduardo and Silvio, 2006). A measure is assigned to the metrics of a component. Therefore
this research developed a model to mitigate risk in IT governance.
The model consists of the components which are to be considered by practitioners in mitigating risk in IT governance, and also each component's metrics, which influence the model components. The risk mitigation component model provides support to help the risk mitigating team, practitioners and IT experts to identify and treat new, unobserved risks. These components are essential in mitigating both the operational and technical risks that practitioners face in IT governance. The model comprises risk components and the components' metrics. Figure 2 shows the developed component model.


Figure 2 A Component Model for Risk Mitigation in IT Governance


Figure 2 shows the components for mitigating risk in IT governance. P1-P7 are the metrics for the People component, Ma1-Ma4 are the metrics for the Management component, M1-M4 are the metrics for the Method component, T1-T7 are the metrics for the Technique component, Te1-Te8 are the metrics for the Technology component and RM1-RM4 are the metrics for the Risk Mitigation component. People, Technology, Technique, Management, and Method are independent variables, whereas Risk Mitigation is a dependent variable that relies on the other components.
The figure also shows the risk mitigation component model, which comprises the 6 risk components and their related metrics. Effective risk mitigation implementation can assist in determining the appropriate risk treatment procedures to meet the needs of practitioners in IT governance. Presently, there exist several research studies that propose a component model for mitigating risk in IT governance, thus highlighting the risk metrics, as stated by researchers such as Lientz and Larssen (2006), Dirk (2009) and Mirela (2011). Mitigating risks in IT governance is crucial. Therefore, this research proposes a risk mitigation component model as in Figure 2 and Table 1.
As seen in the figure, the model consists of six components, namely, people, management, technology, method, techniques and
risk mitigation, and the associated 35 metrics. The independent variables (IV) include people, method, technique, technology, and
management influences, whereas the dependent variable (DV) is risk mitigation. The IVs are independent components implemented in IT
governance to carry out the DV, which is the existing risk mitigation process or system being implemented by practitioners. Based on the
figure, the actions of the IV influence the DV.
4.1 Risk Mitigation Components
Below are the risk mitigation components from Figure 2:
Table 1 Risk Mitigation Components

People: This component comprises the practitioners, IT experts, staff or team members who carry out risk mitigation in the institution (Ahdieh and Ow, 2012a; Ahdieh and Ow, 2012b; Mohd, Banwet and Shankar, 2007). People are the strength of any risk mitigation success in IT governance. People are also key determiners of risk in any risk mitigation process.

Technology: This component involves the technologies (applications, hardware, software, network communication and servers) that are deployed to cater for risk mitigation (Mohd, Banwet and Shankar, 2007; Sailesh et al., 2008).

Technique: This component states the procedures employed to mitigate risk in IT governance. The processes are carried out by the team members or staff at the institution. This component involves techniques that assist in risk mitigation such as spreadsheets, focus group discussions, scenario analysis, brainstorming, lessons learnt, checklists, risk breakdown, inductive reasoning, SWOT analyses, team meetings, and worksheet lists (Mohd, Banwet and Shankar, 2007; Vu and Liu, 2007; Sailesh et al., 2008; Ahdieh and Ow, 2012a; Ahdieh and Ow, 2012b).

Management: This component comprises the stakeholders and decision makers that produce guidelines and make decisions involving the mitigation of risk in the institution (Pankaj, Whiteman and Malzahn, 2004; Mohd et al., 2007).

Method: This component highlights the approaches (measurements) used to mitigate risks in IT governance (Sailesh et al., 2008). This component involves either qualitative or quantitative methods such as interviews, questionnaires, workshops, and surveys used for risk mitigation.

Risk Mitigation: This is the dependent variable that relies on the other variables. It is the current risk mitigation process or software that is presently adopted or implemented in the institution in mitigating risk (Sailesh et al., 2008; Shan, Chen, Liu, and Zhang, 2009).

4.2 Components and Related Metrics


Below are the risk mitigation components and their related metrics, based on the developed component model shown in Figure 2.
Table 2 People Metrics

P1 = Trust: Trust between team members, helping them reach their ability to mitigate risk.
P2 = Supportability: Team members are available to support each other to mitigate risks in the organization.
P3 = Commitment: Interest and concern of team members to mitigate risks in the organization.
P4 = Collaboration: Team members' willingness to be involved in the mitigation process.
P5 = Cooperation: Team members' cooperation in mitigating risks.
P6 = Capabilities: The talent, ability and potential of team members to achieve performance goals in risk mitigation.
P7 = Communication: Interaction among team members in mitigating risks.

Table 2 outlines the metrics that are used to measure the people component, where the people are the practitioners in the ICT divisions of the institutions that implement risk mitigation in IT governance.
Table 3 Technology Metrics

Te1 = Interoperability: Ability to work with other systems using different platforms.
Te2 = Efficiency: Ability to offer proper support when mitigating risks.
Te3 = Performance: The usefulness of the risk mitigation results provided by the technology.
Te4 = Security: The technology protects the data and resources related to risk mitigation.
Te5 = Data Integrity: The technology protects against altering data related to risk mitigation.
Te6 = Reliability: Ability to maintain a specific level of performance when used under specific conditions.
Te7 = Responsiveness: Ability to react quickly when performing activities and complete assigned tasks within a given time.
Te8 = Functionality: Ability of the technology to provide the required services to aid risk mitigation.

Table 3 outlines the metrics that are used to measure the technology component, where the technology is the computer related
hardware, software, servers and network facilities utilized in mitigating risks in IT governance.
Table 4 Technique Metrics

T1 = Time: Duration for a specific activity to be carried out in supporting risk mitigation.
T2 = Cost: The monetary value spent when applying a technique for mitigating risks.
T3 = Dependability: Whether the technique depends on another technique to provide specified services when mitigating risk.
T4 = Predictability: The ability to predict results of risk mitigation.
T5 = Flexibility: Ability of the technique to adapt to possible or future changes in its approach for mitigating risks.
T6 = Complexity: Ability of the technique to be complex or simple in supporting risk mitigation.
T7 = Effectiveness: The technique's response time and availability in mitigating risks.

Table 4 shows the metrics that are used to measure the technique component, where the techniques are the existing activities and
strategies implemented in the institutions in mitigating risk.
Table 5 Management Metrics

Ma1 = Policy: Guidelines, rules, regulations, laws, principles, or directions for team members in mitigating risks.
Ma2 = Awareness: Decision makers' knowledge about risks from past events, or based on information or experience.
Ma3 = Resources: Available people, materials, equipment, finance, knowledge and time for risk mitigation.
Ma4 = Incentives: How much pay the management allocates to team members to boost their performance.

Table 5 shows the metrics that are used to measure the management component. The management is defined as the decision
makers and stakeholders in the institutions that make IT governance rules and regulations on how practitioners and other employees can
utilize IT infrastructures and IT facilities effectively in accomplishing the aims and objectives of the institution.
Table 6 Method Metrics

M1 = Suitability: The method is suitable for mitigating risks.
M2 = Opportunities: The benefits the risk mitigation method provides.
M3 = Consequence: The method produces disadvantages or negative effects.
M4 = Consistency: The method's results are always at the same level or standard.

Table 6 shows the metrics that are used to measure the method component, where the method is mostly the procedures
implemented by practitioners in mitigating risks in IT governance.
Table 7 Risk Mitigation Metrics

RM1 = Redundancy: The duplication of critical processes with the intention of increasing reliability in risk mitigation.
RM2 = Competency: The ability of the risk mitigation software or process to mitigate risk successfully, efficiently or properly.
RM3 = Maintainability: How easy it is to add new functions to the existing risk mitigation process without causing any issues.
RM4 = Adaptability: Ability of the risk mitigation process to change or be changed to work better in some cases.
RM5 = Integrity: Ability of the risk mitigation process to work alongside other systems in mitigating risk.

Table 7 shows the metrics that are used to measure the risk mitigation component, which is the dependent variable as stated previously. It is influenced by the other variables in the model, as shown in Figure 2. The risk mitigation component is the existing approach utilized by practitioners in mitigating risks in their institution. The risk mitigation component is enhanced in the model, which is the main aim of this research paper. This is accomplished by adopting the components in the model.
Tables 2 to 7 show and describe the components and their respective metrics. The metrics are utilized to create questions for the questionnaire, which are used to verify each of the model's components, as seen in the next section.
5.0 COMPONENT MODEL VERIFICATION
The risk mitigation components are verified to ensure the quality of the identified components. Figure 3 outlines the process
implemented to verify the developed model.

Figure 3 Model Verification Steps


Each of these steps is briefly discussed hereafter.

Design Survey Questions: In this phase of the research, the authors carried out the initial creation of risk mitigation questions to be used to verify the model components. Each of the components is based on questions derived from the related metrics. After developing the questionnaire for the survey, the questionnaire items were sent to three different experts in the authors' research group to check each component's items (metric questions) to ensure that the questions are easily understood by respondents in the actual survey session.
Choose Sampling Method: After expert checking of the questionnaire, the research proceeded to choose a suitable sampling
method. The researchers decided to choose non-probability sampling, also known as purposive sampling, where the respondents for the
survey were selected based on their experience and skills in mitigating risk in the organization they belong to, either presently or
previously.
Specify Respondents for Verification: Then the research study proceeded to choose the respondents, mainly from the ICT division in each selected institution across Malaysia. Not all institutions were contacted for the survey, since not all institutions possess an ICT division whose sole aim is to carry out IT governance, management and maintenance processes. Thus only institutions that have their own ICT division were contacted.
Collect Data: The researchers proceeded to locate and visit each institution's website to get the official information on the respondents that is made available to the public. This comprises their name, email address, office telephone number, current position, designation and responsibility in their institution. The invitation to partake in the survey was sent to their official email address several times within the period of February 2015 to May 2015.
Data Analysis and Presentation: The collected data was analyzed and the results of each component and its related metrics were retrieved from Survey Monkey. The risk mitigation components were verified using the expert/accreditation approach suggested by Hallie and Darlene (2005), whereby the authors suggested that a minimum of three experts, with no upper limit, is suitable to verify a research model. In this research the experts for verification were IT practitioners from the ICT divisions of selected Malaysian institutions. The risk mitigation components rely on expert opinion to determine the quality of the components in relation to risk mitigation in IT governance. Thus the purpose is to provide professional judgments of quality. The question addressed in this kind of evaluation is: how would professionals rate the components based on their associated metrics? The risk mitigation component model was verified based on the data collected from an online survey tool that was applied to measure the metrics of each component. The online survey tool was developed to collect data and measure the metrics within Malaysian institutions only.
The online survey is derived from the paper-based questionnaire in this research. The respondents in the survey were chosen based on purposive sampling, as stated previously, where the respondents are selected based on their experience and skill in risk mitigation practices in their institution. Therefore IT practitioners in ICT divisions in selected Malaysia-based institutions, mainly the staff of the ICT division, were selected for data collection. By using this instrument, data collection is instantaneous, as the results are automatically sorted. The results of the survey can be viewed directly and quickly from the analyzed data. The online survey instrument for measuring the risk mitigation components and related metrics can be located by accessing the following permanent link: https://www.surveymonkey.com/s/8RFMDTM.
5.1 Component Model Verification Results
The survey comprises the risk mitigation components. The metrics being measured are based on their degree of importance and level of implementation on a five-point Likert scale, where one (1) is not very important and not implemented and five (5) represents very important and fully implemented. Each of the five components in the survey, namely people, technology, technique, method, and organization, and one dependent variable, which is risk mitigation metrics, are measured on the five-point Likert scale ranging from 1 to 5. Respondents were required to give feedback on 35 questions in relation to risk mitigation practices in their institution. Table 8 shows the total number of respondents (IT practitioners) from 12 Malaysian institutions who were involved in the survey.
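To make the tally behind the percentages reported in the following figures concrete, here is an added Python example (not code from the paper or its authors) that aggregates five-point Likert responses per metric in the way just described: the share of respondents who rate a metric important (4 or 5), the share who rate it fully implemented (5), and the share who rate it both very important and fully implemented (5 and 5). The metric codes are the People metrics of Table 2; the responses are constructed sample values, not the paper's survey data, and the two-rating-per-question layout is an assumption about how the questionnaire was scored.

```python
"""Tally five-point Likert responses per metric (importance and implementation)."""
from statistics import mean

# People-component metric codes from Table 2 of the paper.
PEOPLE_METRICS = {
    "P1": "Trust",
    "P2": "Supportability",
    "P3": "Commitment",
    "P4": "Collaboration",
    "P5": "Cooperation",
    "P6": "Capabilities",
    "P7": "Communication",
}

LIKERT_MIN, LIKERT_MAX = 1, 5

# Constructed sample data (not the paper's survey data): for each metric, one
# (importance, implementation) pair per respondent, each on the 1-5 scale.
SAMPLE_RESPONSES = {
    "P1": [(5, 4), (4, 3), (5, 5), (3, 2), (4, 4)],
    "P2": [(5, 5), (5, 5), (4, 5), (5, 4), (5, 5)],
    "P3": [(2, 1), (3, 2), (4, 3), (2, 2), (3, 1)],
}


def validate_rating(value):
    """Reject anything that is not an integer on the five-point scale."""
    if isinstance(value, bool) or not isinstance(value, int):
        raise ValueError(f"rating must be an integer, got {value!r}")
    if not LIKERT_MIN <= value <= LIKERT_MAX:
        raise ValueError(f"rating {value} outside {LIKERT_MIN}-{LIKERT_MAX}")
    return value


def summarize_metric(pairs):
    """Summarize one metric's (importance, implementation) responses.

    pct_important: share of respondents rating importance 4 or 5.
    pct_fully_implemented: share rating implementation 5.
    pct_agree: share rating both importance and implementation 5, i.e. the
    'very important and fully implemented' category used in the paper.
    """
    if not pairs:
        raise ValueError("no responses for metric")
    for imp, impl in pairs:
        validate_rating(imp)
        validate_rating(impl)
    n = len(pairs)

    def pct(count):
        return round(100.0 * count / n, 1)

    return {
        "n": n,
        "mean_importance": round(mean(imp for imp, _ in pairs), 2),
        "mean_implementation": round(mean(impl for _, impl in pairs), 2),
        "pct_important": pct(sum(1 for imp, _ in pairs if imp >= 4)),
        "pct_fully_implemented": pct(sum(1 for _, impl in pairs if impl == LIKERT_MAX)),
        "pct_agree": pct(sum(1 for imp, impl in pairs if imp == impl == LIKERT_MAX)),
    }


def summarize_component(responses, metric_names=PEOPLE_METRICS):
    """Summarize every metric in `responses`, rejecting unknown metric codes."""
    unknown = set(responses) - set(metric_names)
    if unknown:
        raise ValueError(f"unknown metric codes: {sorted(unknown)}")
    return {code: summarize_metric(pairs) for code, pairs in responses.items()}


def rank_metrics(summary):
    """Order metric codes by share rated important, then by mean importance."""
    return sorted(
        summary,
        key=lambda c: (summary[c]["pct_important"], summary[c]["mean_importance"]),
        reverse=True,
    )


if __name__ == "__main__":
    result = summarize_component(SAMPLE_RESPONSES)
    for code in rank_metrics(result):
        s = result[code]
        print(f"{code} {PEOPLE_METRICS[code]:<15} important={s['pct_important']:5.1f}% "
              f"fully implemented={s['pct_fully_implemented']:5.1f}% "
              f"agree={s['pct_agree']:5.1f}%")
```

Keeping "important" (4 or 5) and "very important and fully implemented" (5 and 5) as separate counts matters when reading figures like those that follow: a metric can score high on importance while its implementation share stays low, and that gap is the actionable finding for the institution.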
Table 8 Distribution of Respondents for Online Survey

Institution 1: 1 respondent, IT Systems Analyst
Institution 2: 2 respondents, ICT Officer
Institution 3: 2 respondents, Network Administrator
Institution 4: 2 respondents, Head of IT Projects
Institution 5: 2 respondents, ICT Director
Institution 6: 2 respondents, Head of ICT unit
Institution 7: 3 respondents, ICT Manager
Institution 8: 1 respondent, Head of ICT unit
Institution 9: 4 respondents, IT Security Auditor
Institution 10: 2 respondents, Head of ICT unit
Institution 11: 1 respondent, Head of IT department
Institution 12: 1 respondent, Head of IT Unit
Total Respondents = 23

As seen in Table 8, a total of 23 respondents agreed to participate in the online survey to verify the model. About 80 requests were sent to the e-mail addresses of practitioners and experts in the selected Malaysian institutions, inviting them to take part in the survey, which ran from February 2015 to May 2015 as stated previously; only 23 practitioners responded.
To ensure that each selected respondent was an expert in risk mitigation, each respondent stated their post, qualifications and working experience. An official e-mail containing a letter from the project leader, an overview of the research, the reasons for the survey and the link to the survey was then sent to each respondent's official e-mail address.
The survey measures the metrics of each risk mitigation component by degree of importance and level of implementation. There are five independent components, namely people, technology, technique, method and organization, and one dependent component, risk mitigation. Respondents answered 35 questions on risk mitigation practices. The results for each component are shown in Figures 4 to 9.

Figure 4 Measurement of People Component in Mitigating Risk

As seen in Figure 4, 70% of respondents agreed that the people component metrics trust and cooperation are important in mitigating risk, and 80% believe that the other metrics, supportability, commitment, collaboration, capabilities and communication, are very important and fully implemented in risk mitigation in IT governance.

Figure 5 Measurement of Technology Component in Mitigating Risk

Figure 5 shows that 85% of respondents agreed that the technology component metrics interoperability, efficiency, performance, security and data integrity are very important and fully implemented in mitigating risk. 75% believe that reliability, responsiveness and functionality are very important and implemented in risk mitigation in IT governance, but not fully.

Figure 6 Measurement of Technique Component in Mitigating Risk

Figure 6 shows that 85% of respondents agree that the technique component metrics time, cost, dependability, predictability, flexibility, complexity and effectiveness are very important and implemented in mitigating risk in IT governance.

Figure 7 Measurement of Methods Component in Mitigating Risk

Figure 7 shows that 80% of respondents agree that the method component metrics suitability, opportunity and consequences are very important and implemented in mitigating risk in IT governance, whereas 70% believe that consistency is very important but not fully implemented.

Figure 8 Measurement of Management Component in Mitigating Risk

Figure 8 shows that 90% agree that the management component metrics policy and resources are very important and fully implemented in mitigating risk in IT governance, whereas 85% believe that the other two metrics, awareness and incentives, are very important but not fully implemented.

Figure 9 Measurement of Risk Mitigation Component

Figure 9 shows that 95% of the 23 respondents agreed that, for the approach currently implemented in their institution, the risk mitigation component metrics redundancy, competency, maintainability, adaptability and integration are very important but not fully implemented in mitigating risks in IT governance. There is therefore a need for a model for mitigating risks in IT governance that is competent, easy to maintain, adaptable and integrated.
6.0 DISCUSSION
Risks are a combination of the likelihood of an incident and its effects (Mirela, 2011). In IT governance, the lack of open communication, a forward-looking attitude, team involvement, proper management and knowledge of typical problems exposes IT infrastructure (hardware, software, network devices and other peripherals) to operational and technical risks (Lee, Lim and Chung, 2006). Risk mitigation in IT governance begins with the identification of existing operational and technical risks. Once the risks are identified, they are evaluated and measured. Then appropriate mitigation actions are planned and executed. Risk mitigation supports the development of a comprehensive IT governance plan by focusing on the unseen risks and opportunities that accompany risk mitigation decisions, which are commonly ignored in the IT governance process. Risk mitigation is therefore important for effective institutional decision making about the identified risks (Lainhart, 2010; ISACA, 2013).
Risk mitigation emphasizes taking action early in IT governance to prevent undesired events or to reduce the consequences if they occur. Mitigating actions should be planned appropriately, and the plans should include estimates of the schedule, resources and funding for mitigation (Wood, 2013). Most risks can be mitigated in several different ways, each of which may require different resources at different times, so selecting the best mitigation action is not an easy task for practitioners. There is thus a need to provide practitioners with a model for mitigating risks in IT governance.
7.0 RESEARCH IMPLICATION AND LIMITATION
An effective risk mitigation process in IT governance can help practitioners increase their effectiveness and incorporate improvements aimed at better understanding, improved communication and more effective management in IT governance, which in turn leads to better mitigation of operational and technical risks (Solms, 2005). Today's institutional environment is turbulent and requires effective risk mitigation in the IT governance process in order to manage opportunities and threats (Robinson, 2005). Jabiri et al. (2008) note that effective risk mitigation prevents the poorly defined requirements that cause IT governance to fall behind schedule, go over budget and result in poor output specification.
This research therefore developed a component model to mitigate risks in IT governance. However, the research has some implications and limitations. One is that the verification is based on the recommendations of Hallie and Darlene (2005), leading authors on the evaluation of research models, approaches and designs; this study adopted one of their suggested approaches, the Expert/Accreditation Approach, to verify the components. Only 23 respondents were involved in verifying the component model, so the verification results are not conclusive and should be regarded as initial rather than final results. The developed component model still needs to be validated with a larger number of respondents.
Another limitation is that the research considers respondents only from Malaysia-based institutions that mitigate risk in their institutional processes to ensure proper IT governance. Other institutions across the Asia-Pacific region that adopt IT governance policies and strategies in their daily processes should also be involved. Lastly, the study is based on a quantitative approach, using surveys to collect data. A qualitative study is needed, carrying out in-depth case studies of selected institutions that implement risk mitigation in their IT governance process, so that each risk mitigation component and its related metrics can be investigated further.

8.0 CONCLUSION AND FUTURE WORK


The goal of the risk mitigation component model is to support practitioners in identifying, measuring, controlling and treating the operational and technical risks associated with IT governance. Risk mitigation includes risk identification, risk decision, risk treatment, risk monitoring and risk tasks such as measuring the risk with qualitative or quantitative approaches, finding risk-treatment measures and making decisions about the risk. The components and related metrics for mitigating risk in IT governance have been presented. Practitioners could use the components and metrics for a cost-benefit analysis of the risk mitigation hardware, software and network infrastructure they plan to procure and implement. Secondary data was collected through a review of the existing literature on risk mitigation practices.
The components for risk mitigation were verified through an online survey that collected data on the risk mitigation metrics from 23 practitioners in 12 selected Malaysian institutions. Using the metrics, IT practitioners could justify resource allocation, and the components and related metrics could also be used for risk control. This work may be valuable for businesses and academic circles to follow and refer to. It is hoped that the research offers a guideline on risk mitigation suitable for enterprises that can serve as a reference for internal auditors and IT practitioners.
Future work will involve collecting data from more respondents to verify the component model, since data was collected from only 23 respondents, and including institutions from other countries across the Asia-Pacific region. Lastly, the authors plan to carry out in-depth case studies of selected institutions to provide more data with which to investigate and verify the developed model's components and associated metrics, as presented in Figure 2, since this paper reports only initial results.
REFERENCES
Abdullahi-Mohamud, S. and S. Basri, 2011. A Study on Risk Assessment for Small and Medium Software Development Projects. International Journal on
New Computer Architectures and Their Applications. 1(2): 325-335.
Ahdieh, S. K. and S. H. Ow, 2012a. An innovative Model for optimizing Software Risk Mitigation Plan: A case Study. Sixth Asia Modelling Symposium
IEEE. 220-224.
Ahdieh, S. K. and S. H. Ow, 2012b. A Novel Model for Software Risk Mitigation Plan to Improve the Fault Tolerance Process. Int. J. Inform. Technol.
Comput. Sci. 5(1): 38-42.
Alexandre, A., S. D. A. Eduardo, R. D. L. M. Silvio, 2006. Quality Attributes for a Component Quality Model. Centre for Advance Studies and System.
Brazil. 1-8.
Basit, S., S. Abdullah and M. Al, 2010. Risk Identification, Mitigation and Avoidance Model for Handling software Risk. International Conference on
Computational Intelligence, Communication Systems and Networks, IEEE Computer Society. 191-196.
Bharat, S., D. S. Kapil and C. Subhash, 2012. A New Model for Software Risk Management. Int.J.Computer Technology & Applications. 3(3): 953-956.
Bill, C. and T. H. George, 2001. Component-based software engineering. Addison-Wesley.
Bodnar, G. H., 2008. IT Governance. Internal Auditing. 18(3). 27-32.
Chi-Chun, L. and C. Wan-Jia, 2012. A hybrid information security risk assessment procedure considering interdependences between controls. Expert
Systems with Applications. 247-257.
Daya, G. and S. Mohd, 2008. Software Risk Assessment and Estimation Model. International Conference on Computer Science and International
Technology. 963-967.
Dirk, S., 2009. The Risk IT Framework Excerpt. ISACA Journal USA. 234-343.
Emmanuele, Z., D. Bolzoni, S. Etalle and M. Salvato, 2009. Model-Based Mitigation of Availability Risks. BDIM'07. 2nd IEEE/IFIP International
Workshop, 75-83.
Eugene, W. and V. L. Johan, 2006. IT Governance: Theory and Practice. Proceedings of the conference on information technology in tertiary education,
Pretoria, South Africa. pp. 1-14.
Gary, S., A. Goguen and A. Feringa, 2002. Risk Management Guide for Information Technology Systems. Recommendations of the National Institute of
Standards and Technology. 434-470.
Hallie, P. and R. E. Darlene, 2005. Building Evaluation Capacity Evaluation Models, Approaches, and Designs. SAGE Publications, Inc. City: Thousand
Oaks.
ISACA, 2013. Issues COBIT 5 Governance Framework. ISACA.org. retrieved online. 1-10.
ITGI, 2008. Board Briefing on IT Governance. IT Governance Institute, Retrieved from http://www.itgi.org.
Jabiri, K. B., C. Magnussen, C. N. Tarimo and L. Yngström, 2008. The Mitigation of ICT Risks Using Emitl Tool: An Empirical Study. IFIP TC-11 WG11.1
& WG 11.5 Joint Working Conference. 157-173.
Junchao, X., L. J. Osterweil, J. Chen, Q. Wang and Li. Mingshu, 2013. Search Based Risk Mitigation Planning in Project Portfolio Management.
Proceedings of the 2013 International Conference on Software and System Process. 146-155.
, H. E., S. H. Lee, H. J. Lim and T. M. Chung, 2006. Qualitative Method-Based the Effective Risk Mitigation Method in the Risk Management. International
Conference on Computational Science and Its Applications. Springer Berlin Heidelberg. 239-248.
Lainhart, IV. J. W., 2010. Why IT governance is a top management issue. The Journal of Corporate Accounting & Finance. 11 (5): 33-40.
Lientz, B. P and L. Larssen, 2006. Risk Management for IT projects: how to deal with over 150 issues and risks. Risk management practices. 1(1): 1-15.
Mirela, G., 2011. Risk Management in IT Governance Framework. The Bucharest Academy of Economic Studies, Romania. 14(3): 545-552.
Moeinzadeh, P. and A. Hajfathaliha, 2009. A Combined Fuzzy Decision Making Approach to Supply Chain Risk Assessment. World Academy of Science,
Engineering and Technology. 519-535.
Mohd, N. F., D. K. Banwet and R. Shankar, 2007. Information risks management in supply chains: an assessment and mitigation framework. Journal of
Enterprise Information Management. 20(6): 1741-0398.
Mohd, S. and W. A. Mohd, 2010. Software Risk Assessment and Evaluation Process (SRAEP) using Model Based Approach. International Conference on
Networking and Information Technology. 171-177.
Pankaj, R. S., L. E. Whiteman and D. Malzahn, 2004. Methodology to mitigate supplier risk in an aerospace supply chain. Supply chain management an
international journal. 9(2):154-168.
Pricewaterhouse, C. 2007. IT Governance in Practice Insight from leading CIOs. Pricewaterhouse Coopers International Limited. 1-13.
Robinson, N., 2005. IT excellence starts with governance. The Journal of Investment Compliance. 6(3): 45-49.
Ronke, O., 2012. Effective IT Governance through the Three Lines of Defence, Risk IT and COBIT. ISACA Journal. 5(4):10-21.
Sailesh, N., T. Eshahawil, N. Gindyl, Y. K. Tang, S. Stoyanov, S. Ridout, and C. Bailey, 2008. Risk Mitigation Framework for a Robust Design Process. 2nd
Electronics System integration technology conference.1075-1080.
Sandip, P. and Z. Jigish, 2010. A Risk-Assessment Model for Cyber Attacks on Information Systems. Journal of Computers. 5(3): 352-359.
Say-Wei, F. and M. Armugam, 2000. Software Risk assessment Model. Proceedings of the 2000 IEEE International Conference. 536-544.
Shan, L., T. Chen, Y. Liu and J. Zhang, 2009. Evaluating and Mitigating Information Systems Development Risk through Balanced Score Card.
International Symposium on Information Engineering and Electronic Commerce. 1-10.
Sneh, P. and R. Ujjawal, 2009. Software Risk Evaluation and Assessment using Hybrid Approach. National Workshop-Cum-Conference on Recent Trends in
Mathematics and Computing (RTMC) Proceedings. 6-8.
Solms, B. V., 2005. Information Security governance: COBIT or ISO 17799 or both?. Journal of Computers & Security Elsevier Advanced Technology
Publishers. 1-10.
Vu, T. and D. B. Liu, 2007. A Risk-Mitigating Model for the Development of Reliable and Maintainable Large-Scale Commercial-Off-The-Shelf Integrated
Software Systems. Proceedings Annual Reliability and Maintainability Symposium. 361-367.
Weill, P., and J. W. Ross, 2005. IT Governance on One Page. CISR Working Paper.1-349.
Wei-Ming, M., 2010. Study on Architecture Oriented Information Security Risk Assessment Model. In International Conference on Computational Collective
Intelligence. 218-226.
Wood, D. J., 2013. Assessing IT Governance Maturity: The Case of San Marcos, Texas. Applied Research Projects, Texas State University-San Marcos
Luis. 626-632.
Xu, R., N. Pei-Yao, S. Ying, Q. Le-Hong and L. Yun-Ting, 2005. Optimizing Software Process Based on Risk Assessment and Control. Fifth International
Conference on Computer and Information Technology. 1-6.
