Analysis Of Risk Assessment On Integrated Information System Using .


International Journal of Computer Applications (0975 – 8887)
Volume 183 – No. 23, September 2021

Analysis of Risk Assessment on Integrated Information System using COBIT 5 Framework

Citra Dika Saputra
Department of Information System, Universitas Ahmad Dahlan, Yogyakarta of Indonesia

Imam Riadi
Department of Information System, Universitas Ahmad Dahlan, Yogyakarta of Indonesia

ABSTRACT
The Integrated Service Management Information System is dedicated to providing the best service in terms of population administration and licensing services to the community. The Integrated Service SIM can be accessed through the Jogja Smart Service (JSS) application or http://jss.jogjakota.go.id. Integrated Services allow for risks that can interfere with information assets and organizational goals. This study uses the COBIT 5 framework, which aims to analyze risk assessment so that organizations can choose a mitigation approach to risks that may occur and provide recommendations. The risk management assessment in this study uses the COBIT 5 process domain framework EDM03 (Ensure Risk Optimization) and APO12 (Risk Management). This study aims to determine the level of IT risk management capability using the COBIT 5 Process Assessment Model (PAM) methodology, which consists of the Initiation, Planning the Assessment, Briefing, Data Collection, Data Validation, Process Attribute Level and Reporting the Result stages. The questionnaire is calculated using the Likert Scale method. The result of the research is that the capability level value in the EDM03 domain is at level 2 with a capability value of 1.63; at this level the Integrated Service SIM has implemented the Managed Process. EDM03 has a gap value of 1 level, which is the basis for making recommendations. In the APO12 domain it is at level 1 with a capability value of 1.42; at this level the Integrated Service SIM has implemented the Performed Process. APO12 has a gap value of 1 level, which is the basis for making recommendations. This research was carried out well in accordance with the expected research objectives.

Keywords
Risk Management, Capability Level, Gap, RACI Chart, Likert Scale

1. INTRODUCTION
IT is currently developing rapidly, which leads many companies and agencies to apply IT in their business processes in order to keep business operations running smoothly. With the development of IT, a company or agency can guarantee the quality of the information presented and can make decisions based on information systems.

The development of Information Technology (IT) is also implemented by the Kotagede District Office, which is located on NYI WIJIADISONO Street No. 39, Prenggan, Kotagede, Yogyakarta City, Special Region of Yogyakarta 55172. One of the services implemented by Kotagede District Yogyakarta is the application of Village and District Services. Orations for Kelurahan and Kecamatan Services can be accessed online through the Jogja Smart Service (JSS) application. The Village and District Service Information System can help the community and make things easier for the community. The scope of service delivery in the electronic-based village and sub-district includes population administration and licensing services.

Risk assessment analysis has several frameworks or methods that can be used to measure risk assessment services in an agency, including COBIT, OCTAVE, ITIL, NIST and several other frameworks or methods. In this study the author will use the COBIT 5 framework or method.

2. LITERATURE STUDIES

2.1 Understanding Analysis
According to (Komaruddin, 2001), analysis is a thinking activity that describes a whole as its components so that the signs of the components, their relationship to each other and their respective functions in an integrated whole can be recognized. [12]

2.2 Understanding Risk
Risk is the possibility of deviations from expectations that can cause losses. Risk can come at any time, so for risk not to hinder activities it must be managed properly (Ali, Masyhud, 2006). [2]

2.3 Information Technology Risk Management
According to (Stewart, Chapple, & Gibson, 2015), risk management is a detailed process to identify factors that can damage or disclose data, evaluate these factors in terms of data value and the cost of countermeasures, and implement motivated solutions for risk mitigation or reduction. So risk management is a process to identify and analyze the risks that exist in an organization or company. [19]

2.4 COBIT 5
COBIT 5 (Control Objective for Information and Related Technology) is a set of guidelines and documentation that serves to assist stakeholders or users in connecting the business control model and the IT control model. COBIT 5 is an amalgamation of the latest thinking in corporate governance and management techniques. COBIT 5 is able to assist companies in creating optimal value from IT, namely balancing the realization of benefits against the optimization of risk levels and resource use. COBIT was developed to implement IT Governance of Enterprise. The latest version released by the
IT Governance Institute is known as COBIT 5. COBIT 5 was formed by integrating the Risk IT framework, VAL IT 2.0 and COBIT 4.1. In addition, COBIT 5 also adjusts to existing best practices such as ITIL V3, TOGAF and relevant standards from ISO.

According to ISACA (2012) there are seven stages in the COBIT 5 implementation cycle, namely: [11]
1. Initiate Program is the stage to identify company drivers.
2. Define Problems and Opportunities is the stage to assess the capability level to find out the current condition of the organization and find its shortcomings.
3. Define Road Map is the stage for setting targets and analyzing gaps to increase improvement efforts and identify potential solutions.
4. Plan Programme is the stage to plan solutions that are considered appropriate to be implemented.
5. Execute Plan is the stage to implement the planned solution and monitor business alignment.
6. Realise Benefits is a transitional stage on an ongoing basis, implementing improved governance or management practices into business processes and monitoring progress by mapping them on a matrix based on performance and the benefits to be obtained.
7. Review Effectiveness is the stage to evaluate the success that has been achieved, then identify all improvement needs on a regular basis.

In the 2012 ISACA journal, COBIT 5 (Control Objectives for Information and Related Technology) is explained as having, in general, 5 basic principles. The following are the 5 basic principles in COBIT 5: [10]
1. The first principle (Meeting Stakeholder Needs) is to meet stakeholder needs to maintain balance and optimize risk, because each company has a different vision and mission.
2. The second principle (Covering the Enterprise End-to-End) is covering the enterprise end to end, considering all IT governance and management enablers for the company, or optimizing IT governance for each company.
3. The third principle (Applying a Single, Integrated Framework) concerns related standards that usually provide guidance for some IT activities.
4. The fourth principle (Enabling a Holistic Approach) is that effective and efficient corporate IT governance and management requires a comprehensive approach, which considers interacting components. COBIT 5 defines a set of enablers to support the comprehensive implementation of corporate IT system governance and management.
5. The fifth principle (Separating Governance from Management) is to provide a clear separation between management and governance. They cover different activities, require different organizational structures and serve different purposes.

In addition to the 5 principles described above, there are 7 enablers contained in COBIT 5; here are the explanations for these 7 supporters. The description of the 7 enablers in COBIT 5 can be seen in Figure 1. [10]

Figure 1. 7 enablers in COBIT 5

1. Policy principles and frameworks are the first enablers of COBIT 5. These enablers function to formulate stakeholder needs and behaviors into practical guidelines that will be used in company operations in the IT sector.
2. The process as an enabler has a role to provide details about a series of activities and practical activities carried out to achieve the goals of the company.
3. Organizational structure is the key in decision making in the organization. The decisions made must also meet the needs and objectives of all stakeholders, so that the entity is responsible for the decisions and policies made by the company.
4. Every company has its own culture, ethics and habits. These habits can occur due to many factors and can be personal or organizational. Some values and company goals can only be achieved with good corporate habits, therefore a standard is needed to provide an assessment of culture, custom and ethics.
5. Information is a very important factor for business activities within a company, because information is a requirement for making movements within the company such as making decisions and solving problems.
6. Infrastructure and applications, including the infrastructure, technology and applications that provide services, are objects that act as drivers in COBIT 5. These objects provide services to technology and information processes for companies.
7. Skills and competencies relate to people and are needed to carry out all activities successfully, make appropriate decisions and take corrective actions.

According to ISACA (2012), COBIT 5 has two processes that discuss Information Technology (IT) risk management, namely EDM03 and APO12. [11]
1. EDM03 (Ensure Risk Optimization) aims to ensure that the level of risk and the acceptable tolerance levels for the company are well understood, articulated and communicated, as well as ensuring that IT-related risks have been identified and managed properly. The EDM03 process consists of EDM03.01 (Evaluate Risk Management), EDM03.02 (Direct Risk Management) and EDM03.03 (Monitor Risk Management).
2. APO12 (Manage Risk) aims to identify, assess and reduce risks related to IT so as not to exceed the tolerance limits that have been determined by the organization, and to integrate IT risk management with
enterprise risk management (ERM). This process consists of APO12.01 (Collect Data), APO12.02 (Analyse Risk), APO12.03 (Maintain A Risk Profile), APO12.04 (Articulate Risk), APO12.05 (Define a Risk Management Action Portfolio) and APO12.06 (Respond to Risk).

2.5 Capability Level
The measurement criteria are based on the measurement points that exist in the COBIT 5 self-assessment template. The rating scale that will be used in the measurement at each level, and later to meet the value at each point, is shown in Table 1: [10]

Table 1. Recapitulation of Capability Level Results
Code | Description | Range
N | Not achieved | 0-15%
P | Partially achieved | 15-50%
L | Largely achieved | 50-85%
F | Fully achieved | 85-100%

1. N (Not achieved)
In this category there is no or little evidence of the achievement of the process attributes. The range of values achieved in this category is 0-15%.
2. P (Partially achieved)
In this category, there is some evidence regarding the approach, and several attribute achievements for the process. The range of scores achieved in this category is 15-50%.
3. L (Largely achieved)
In this category there is evidence of a systematic approach, and significant achievements in the process, although there may still be insignificant weaknesses. The range of scores achieved in this category is 50-85%.
4. F (Fully achieved)
In this category there is evidence of a systematic and complete approach, and full achievement of the attributes of the process. There are no weaknesses related to the attributes of the process. The range of scores achieved in this category is 85-100%.

2.6 Likert Scale Calculation Method
This study uses a measurement scale with a Likert scale. According to Azwar (2011), the Likert Scale is an attitude statement scaling method that uses the response distribution as the basis for determining the scale value. The scale is named after its creator Rensis Likert, who published a report describing its use.

In determining the value and capability level of the EDM03 and APO12 processes, the researcher uses the Likert scale calculation method used by Krisdanto Suhendro in his book entitled Implementation of IT Governance.

Calculating the Recapitulation of Answers to the Questionnaire

$$C = \frac{H}{JR} \times 100\%$$

Description:
C: Recapitulation of answers to the Capability Level questionnaire (in the form of percentages for each answer choice a, b, c, d, e or f in each activity).
H: The number of answers to the Capability Level questionnaire for each answer choice a, b, c, d, e or f in each activity.
JR: Number of Respondents/Resources.

Calculating Capability Scores and Levels

$$NK = \frac{(Nk \times LP)_a + (Nk \times LP)_b + (Nk \times LP)_c + (Nk \times LP)_d + (Nk \times LP)_e + (Nk \times LP)_f}{1}$$

Description:
NK: Capability value in the IT process.
LP: Level percentage (the percentage level in each distribution of questionnaire answers for the capability level).
Nk: The capability value listed in the answer mapping table, value and capability level.

3. METHODOLOGY
In this study, the author will use quantitative research methods. Quantitative methods are used because the data processing in this research produces values in the form of numbers, and the analysis is calculated using statistics. The author divides the process of data collection into several steps. The following are the steps in the data collection process: [17]
1. Observation is a complex data collection method because it involves various factors in its implementation. In this study, observations were made by studying or understanding the Kelurahan and Kecamatan Service Information System at the Kotagede Subdistrict Office, Yogyakarta.
2. Literature study is a method of collecting data that is not addressed directly to the research subject. It collects data and information from sources related to the research topic.
3. Interview is a data collection technique that is carried out through face-to-face, direct questions and answers between researchers and resource persons. This interview was conducted with the aim of obtaining accurate information from trusted sources.
4. Questionnaire is a method of collecting data by giving a set of questions or written statements to respondents to answer.

3.1 Data Analysis Method
This research will use primary data and secondary data. Primary data were obtained through interviews, observations and questionnaires distributed to the Kotagede District Office, Yogyakarta. Secondary data is obtained from the internet, from institutions or agencies, and from trusted articles to assist in the process of collecting data. The collection of primary and secondary data is very important to
be carried out and collected to make research materials, and these stages must be carried out correctly so that there are no errors in data collection that will be used as material for further research. Then the data will be analyzed in relation to the risk assessment of the SIM Jogja Smart Service.

3.2 Data Analysis Stages
To identify the capability level, find gaps and determine appropriate recommendations, the researchers used the Assessment Process Activities based on the COBIT 5 framework, which consist of seven process stages. All seven stages must be carried out correctly and thoroughly. Here are the seven stages: [10]
1. Initiation. This stage describes the drivers in the organization. Identify current change drivers and change needs at the executive management level. The goal is to gain an understanding of the current organization.
2. Planning the Assessment. The second stage is to carry out an assessment plan that aims to obtain the results of the evaluation of the capability level assessment. This stage carries out an assessment plan that aims to obtain the data needed for EDM03 (Ensure Risk Optimization) and APO12 (Manage Risk).
3. Briefing. In this third stage, the researcher provides direction to the respondents in the RACI diagram so that they understand the inputs, processes and outputs in the organizational unit, and explains the schedule.
4. Data Collection. The fourth stage is collecting data from the findings contained in the agency/organization, which aims to obtain evidence for the evaluation assessment of process activities that have been carried out.
5. Data Validation. The fifth stage is data validation, which aims to determine the results of the questionnaire calculations in order to obtain an evaluation of the capability level assessment.
6. Process Attribute Level. The sixth stage is the process of assigning a level to the attributes that exist in each indicator, which aims to show the capability level results from the questionnaire calculations in the previous stages and to perform a gap analysis at the next stage.
7. Reporting the Result. In the seventh stage the researcher reports the results of the evaluation that has been carried out by providing a report on the results of risk identification and gap analysis, which the company can use to achieve the expected level.

3.3 Research stage
1. The first stage of research begins with a literature study. The literature study was conducted in order to get an overview of the relevant agencies that became the object of the research and to find the COBIT 5 theory that supports this research. Literature studies are obtained through theses, journals and books that support this research.
2. The second stage is identifying the problem. After the first task has been completed, it is followed by the stage of identifying the problem to be solved by the author. The author then identifies problems using the COBIT 5 process by determining the process subdomains, namely APO12 and EDM03, to determine the RACI Chart.
3. The third stage is making the RACI Chart obtained from the respondents in the study. The RACI Chart will be used for decision making and assists in identifying the roles and responsibilities of each respondent.
4. The fourth stage is data collection. After the writer defines the problem, the next step is to collect data in order to solve the problem by conducting observations, interviews and questionnaires.
5. The fifth stage is analyzing the data. After collecting the required data from observations, interviews and questionnaires, the next step is to analyze the data by analyzing the expected maturity value and the current maturity value.
6. The sixth stage is the analysis of the GAP value. The GAP value is the difference obtained after the author compares the expected maturity value analysis with the current maturity value analysis.
7. The last stage is making conclusions from all activities carried out in the research and suggestions for further research.

Below are the research stages shown in Figure 2.

Figure 2. Research stage

3.4 Risk Assessment Method
The Risk Assessment Method used in this study uses the COBIT 5 framework. COBIT 5 is used because it is in accordance with
the risk assessment process to be carried out. This risk assessment focuses on the Jogja Smart Service Integrated Service SIM, with the Kotagede sub-district of Yogyakarta as the place of research. This research was conducted by focusing on 2 domains, namely EDM03 (Ensure Risk Optimization) and APO12 (Manage Risk). The assessment process in EDM03 (Ensure Risk Optimization) ensures risk optimization, namely to ensure that agency risks can be understood, articulated and communicated against agency values related to the use of IT, and that they are identified and managed properly.

Meanwhile, APO12 (Manage Risk) focuses more on identifying, assessing and reducing IT-related risks within the tolerance level determined by agency management. The results of this study are expected to provide recommendations and mitigation measures to improve quality control to reduce the risks that may occur. The following are the stages of the assessment carried out during the research process.

4. RESULTS AND DISCUSSION

4.1 Analysis Results

Determination of Capability Levels
The following is the determination of the EDM03 capability level based on the results of the calculation of the capability value contained in each sub-process. The results of each process in EDM03 can be seen in the table by identifying the capability value and capability level, then looking at the current condition (as is) and the expected condition (to be). The following explanation can be seen in Table 2.

Table 2. Determination of the capability level of EDM03
Sub-Domain | Capability Value (As is) | Capability Value (To be) | Capability Level (As is) | Capability Level (To be)
Average | 1.63 | 2.60 | 2 | 3

Based on Table 2 above, it is known that the EDM03.01 process capability level is currently at level 2 with a capability value of 1.54, the EDM03.02 process capability level is currently at level 2 with a capability value of 1.79, and the EDM03.03 process capability level is currently at level 2 with a capability value of 1.56. From the three sub-processes contained in COBIT 5, from the results of research on the Integrated Service SIM Jogja Smart Service, it is known that the capability value for the EDM03 process is 1.63.

Figure 3. Graph of the EDM03 process

Based on the graph in Figure 3 above, it is known that the current condition of the EDM03 (Ensure Risk Optimization) process is at level 2 with a capability value of 1.63; at this level the Integrated Service SIM has implemented a Managed Process. The expected condition (to be) is at level 3 with a capability value of 2.60, at which stage an Established Process has been implemented.

The following is the determination of the APO12 capability level based on the results of the calculation of the capability value contained in each sub-process. The determination of the APO12 capability level can be seen in Table 3.

Table 3. Determination of APO12 capability level
Sub-Domain | Capability Value (As is) | Capability Value (To be) | Capability Level (As is) | Capability Level (To be)
APO12.04 | 1.55 | 2.55 | 2 | 3
Average | 1.42 | 2.44 | |

Based on Table 3 above, it is known that in sub-process APO12.01 the capability level is currently at level 2 with a capability value of 1.64, in sub-process APO12.02 the capability level is currently at level 1 with a capability value of 1.21, in sub-process APO12.03 the capability level is currently at level 1 with a capability value of 1.24, in sub-process APO12.04 the capability level is currently at level 2 with a capability value of 1.55, in sub-process APO12.05 the capability level is currently at level 1 with a capability value of 1.33, and in sub-process APO12.06 the capability level is currently at level 2 with a capability value of 2.56. From the six sub-processes contained in COBIT 5, from the results of research on the Integrated Service SIM Jogja Smart Service, it is known that the capability value for the APO12 process is 1.42.
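
The calculations from sections 2.5 and 2.6, applied to the figures quoted in this section, as an added Python example that is not code from the paper: it implements the recapitulation and capability-value formulas, the Table 1 rating bands and the level decision, and recomputes each process average from the sub-process values in the text. The a-f to 0-5 answer mapping, treating LP as a fraction, and placing band boundaries in the lower band are assumptions; the questionnaire answers are constructed.

```python
from statistics import mean

# Table 1 rating bands as (code, upper bound in percent).
# ASSUMPTION: a boundary value (15, 50, 85) falls in the lower band.
RATING_BANDS = [("N", 15), ("P", 50), ("L", 85), ("F", 100)]

# ASSUMPTION: answer choices a..f carry capability values 0..5; the paper's
# answer mapping table is not reproduced on the page.
NK_BY_CHOICE = {"a": 0, "b": 1, "c": 2, "d": 3, "e": 4, "f": 5}


def recapitulate(answers):
    """C = H / JR * 100% for every answer choice of one activity."""
    if not answers:
        raise ValueError("no respondents")
    unknown = set(answers) - set(NK_BY_CHOICE)
    if unknown:
        raise ValueError(f"unknown answer choices: {sorted(unknown)}")
    jr = len(answers)
    return {c: answers.count(c) / jr * 100 for c in NK_BY_CHOICE}


def capability_value(answers):
    """NK = sum of Nk x LP over choices a..f.

    ASSUMPTION: LP is applied as a fraction of respondents, so NK lands on
    the same 0..5 scale as the capability levels.
    """
    lp = recapitulate(answers)
    return round(sum(NK_BY_CHOICE[c] * lp[c] / 100 for c in lp), 2)


def rating(percent):
    """Map an achievement percentage to N, P, L or F (Table 1)."""
    if not 0 <= percent <= 100:
        raise ValueError("percentage out of range")
    for code, upper in RATING_BANDS:
        if percent <= upper:
            return code


def achieved_level(scores_by_level):
    """Highest level reached, given attribute percentages per level.

    As in the text, a level's attributes are averaged, and the next level is
    assessed only when the current one is Fully achieved.
    """
    level = 0
    for lvl in sorted(scores_by_level):
        code = rating(mean(scores_by_level[lvl]))
        if code not in ("L", "F"):
            break
        level = lvl
        if code != "F":
            break
    return level


def check_average(sub_values, reported):
    """Recompute a process average and compare it with the reported one."""
    computed = round(mean(sub_values), 2)
    return computed, computed == round(reported, 2)


def gap(as_is, to_be):
    return to_be - as_is


# Sub-process capability values as quoted in the text of section 4.1.
EDM03 = [1.54, 1.79, 1.56]
APO12 = [1.64, 1.21, 1.24, 1.55, 1.33, 2.56]

if __name__ == "__main__":
    constructed = ["b", "b", "c", "c", "c", "d"]  # constructed sample answers
    print("NK for constructed answers:", capability_value(constructed))
    print("EDM03 level:", achieved_level({1: [100.0], 2: [66.67, 100.0]}))
    print("APO12 level:", achieved_level({1: [76.67]}))
    print("EDM03 average check:", check_average(EDM03, 1.63))
    # The six APO12 values as quoted average to 1.59, not the reported 1.42.
    print("APO12 average check:", check_average(APO12, 1.42))
    print("EDM03 gap:", gap(2, 3), "APO12 gap:", gap(1, 2))
```

A mismatch reported by `check_average` is the kind of finding the Data Validation stage is meant to surface before levels and gaps are reported.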

Figure 4. Graph of the APO12 process

Based on the graph in Figure 4 above, it is known that the current condition of the APO12 (Manage Risk) process is at level 1 with a capability value of 1.42; at this level the Integrated Services SIM division has implemented the Performed Process. The expected condition (to be) is at level 2 with a capability value of 2.44, at which stage a Managed Process has been implemented.

Capability Level and Gap
The data from the questionnaire have been validated with interview data and observations of supporting evidence or documents. The result is the capability level of the Integrated Service SIM in Kotagede District, Yogyakarta. The current capability level (as is) in the EDM03 Ensure Risk Optimization process is at level 2 (Managed Process) with a capability value of 1.63, while the expected capability level (to be) is at level 3 (Established Process) with a capability value of 2.60. Meanwhile, the current capability level (as is) in the APO12 Manage Risk process is at level 1 (Performed Process) with a capability value of 1.42, while the expected capability level (to be) is at level 2 (Managed Process) with a capability value of 2.44. The Capability Level Results Recapitulation can be seen in Table 4.

Table 4. Capability Level Results Recapitulation
Process Name | As is | To be | Gap
EDM03 (Ensure Risk Optimisation) | 2 | 3 | 1
APO12 (Manage Risk) | 1 | 2 | 1

4.1 Capability Level Analysis Results
The following are the results of the overall capability level assessment of the processes that have been assessed:
1. The current capability level (as is) in the EDM03 Ensure Risk Optimization process is at level 2 (Managed Process) with a capability value of 1.63, while the expected capability level (to be) is at level 3 (Established Process) with a capability value of 2.60.
2. The current capability level (as is) in the APO12 Manage Risk process is at level 1 (Performed Process) with a capability value of 1.42, while the expected capability level (to be) is at level 2 (Managed Process) with a capability value of 2.44.

Based on the data from the assessment results in each process, the authors then provide recommendations as suggestions for improvement in order to achieve the expected conditions for each process in accordance with COBIT 5 standards.

4.2 EDM03 Process Gaps and Recommendations
The value obtained in the capability level assessment is at level 2, with the expected condition at level 3. To achieve that capability level, these gaps and recommendations are obtained from the results of fulfilling the process described at the Process Attribute Level stage, so that the recommendations given are in accordance with the needs of the current organization. The results of the recapitulation are as follows. The capability level in the EDM03 process can be seen in Table 5.

Table 5. Capability level in the EDM03 process

Based on Table 5 above, it is known that the capability indicator at level 1 has reached 100% in the category Fully Achieved, so further assessment is carried out at the following level. The capability indicator at level 2 has 2 points that must be met, namely Performance Management and Work Product Management, which have reached 66.67% and 100%. So the capability level value at level 2 is still included in the category Largely Achieved with a percentage of 83.33%. Before focusing on achieving the expected level, the SIM for Integrated Services in Kotagede District is recommended to fulfill the gaps in the previous levels. The following are the recommendations given by the researchers in accordance with the findings obtained at the stage of fulfilling the capability indicators. Gaps and Recommendations EDM03 can be seen in Table 6.

Table 6. Gaps and Recommendations EDM03
EDM03 Ensure Risk Optimisation
Gap: There is no action to adjust the performance of the risk optimization process.
Recommendation: The SIM for the Integrated Services of Kotagede District is recommended to make a report to assess the performance related to the optimization of risks that exist in the services used.
Gap: The absence of identification related to the responsibility for the risk optimization process.
Recommendation: The Integrated Service SIM in Kotagede District is recommended to make a risk profile document in accordance with the RACI Chart in order to handle the existing risks, including who is responsible and has the authority in this process.

Based on Table 6 above, it is known that there are 2 gaps that must be met by the Integrated Service SIM in Kotagede
District in order to meet the requirements for level 3 in the EDM03 process.

4.3 APO12 Process Gaps and Recommendations
The value obtained in the capability level assessment is at level 1, with the expected condition at level 2. To achieve this capability level, these gaps and recommendations are obtained from the results of fulfilling the process described at the Process Attribute Level stage, so that the recommendations given are in accordance with the needs of the current organization. The results of the recapitulation are as follows. The capability level in the APO12 process can be seen in Table 7.

Table 7. Capability level in the APO12 process

Based on Table 7 above, it is known that the capability indicator at level 1 has only reached 76.67%, so that it is in the category Largely Achieved, but there are still several Work Products that must be met so that the assessment at level 1 reaches 100%. Before focusing on achieving the expected level, the SIM for Integrated Services in Kotagede District is recommended to fulfill the gaps in the previous levels. The following are recommendations given by researchers in accordance with the findings obtained at the stage of fulfilling capability indicators. Gaps and Recommendations APO12 can be seen in Table 8.

Table 8. Gaps and Recommendations APO12
APO12 Manage Risk
Gap: There is no document that explains the scope of analysis, especially for the IT scope.
Gap: There is no assessment result by a third party.
Recommendation: The SIM for Integrated Services in Kotagede District is recommended to determi
Gap: The absence of reports to stakeholders related to risk analysis and risk profile.
Recommendation: The Integrated Service SIM in Kotagede District is recommended to make a report to assess performance related to the optimization of existing risks, to be given to stakeholders related to risk analysis and profiles.

Based on Table 8 above, it is known that there are 3 gaps that must be met by the Integrated Service SIM in Kotagede District in order to fulfill the requirements for level 2 in the APO12 process.

5. CONCLUSION
