
Abstract— Extant literature has shown that sectoral characteristics play a critical role in business value creation through information technology (IT). Therefore, managing IT and its associated risks needs to consider specific industrial traits to understand the distinct business nature and regulations that shape IT-enabled business value creation. This study presents an in-depth analysis of business goals, IT processes, and IT risks in the case of a pharmaceutical company, through which appropriate controls are designed to ensure business value creation through IT. Drawing on a case study of a pharmaceutical company in Indonesia, we found that managing IT risks in the pharmaceutical industry entails two main objectives: 1) ensuring compliance with external laws and regulations as well as internal policies, and 2) supporting the optimization of business functions, processes, and costs. Throughout one year of engagement during the project, this study identified ten risks associated with the operation of business processes. Risks are dominated by moderate levels given the current state of controls and appetite, most of which emerge from the company’s existing internal processes. Internal actors are involved in all risks, with most events occurring due to laws and regulations. Further, the study designs and elaborates IT risk controls by drawing from the COBIT 5 Seven Enablers. Overall, IT risk management through cascading processes of analysis ensures the alignment of IT risk controls with achieving business goals in the pharmaceutical industry.


I. INTRODUCTION
Contemporary organizations worldwide are using information technology (IT) to transform their business, with most of them considering IT indispensable in day-to-day activities [1], [2]. However, the increasing reliance on information technology carries risks that stem from various sources or factors (Fig. 1) [3]. The failure to manage these IT risks could cost a company tangible and intangible losses. For instance, if product manufacturing data in a quality control division is unavailable or insufficient, the marketed product will be denied permission to be distributed to the public. Consequently, businesses need to perform IT risk management to ensure that their business goals are achievable [4], [5].
Performing IT risk management requires an in-depth understanding of the nature and dynamics of business sectors [6], [7]. Each business sector might have unique characteristics, ranging from the dynamics of competition, regulations, and internal and external contextual factors [8], [9]. In this regard, implementing the available IT risk management framework, like any IT governance framework, needs to be context-sensitive and cannot be taken for granted [10]-[12]. As such, literature has called for empirical studies to provide rich insights from diverse business sectors [6], [13] and enhance the overall understanding of the underlying business value creation process through IT [14]-[16].
This study responds to this call through an in-depth case study of IT risk management in the pharmaceutical industry. This study explores a State-Owned Enterprise pharmaceutical company in Indonesia, specializing in manufacturing a variety of medicines distributed across the nation. The study identifies business goals across the four balanced scorecard dimensions [17], the IT capabilities that support those business goals, and the subsequent IT risks [18]. The study then assesses each risk to develop appropriate controls to be implemented by the company. Overall, this study provides rich empirical insights into the literature on IT risk management from the pharmaceutical industry [6] and the nation's contextual settings [19], [20]. Section two describes the method used in this study. Section three provides the study's results, which consist of the case study profile, the company's business goals, identification of IT capabilities, identification of IT risks, risk analysis, and risk control. Finally, the last section provides the conclusion.

JOIV : Int. J. Inform. Visualization, 7(2) - June 2023, 345-355

Fig. 1 The major concern of IT risks [3]

II. THE MATERIALS AND METHOD

A. Theoretical Foundations
Risk is generally defined as the product of an event's probability and its consequence, covering unforeseeable events that could positively or negatively impact the project's or enterprise's objectives [21], [22]. Risk management is a planned and structured process that aims to assist the project team in making the best decision possible at the right time by identifying, classifying, quantifying, and then managing and controlling risks. The objective is to maximize the project's value in terms of cost, time, and quality by balancing the input required to manage risks against the benefits of such action [4], [23].
COBIT 5 for Risk, a worldwide IT governance framework specifically intended for IT risk management, defines IT risk as business risk, more precisely, the risk to the enterprise associated with the use, ownership, operation, involvement, influence, and adoption of IT [24]. IT risk refers to IT-related events that may disrupt the business. IT risk occurs with an unknown frequency and magnitude and obstructs achieving strategic goals and objectives. IT risk is always present, regardless of whether an enterprise detects or recognizes it [22], [25].
Information technology risk management consists of five processes: 1) risk identification, 2) risk analysis, 3) risk prioritization, 4) risk response, and 5) risk monitoring. As shown in Fig. 2 [18], COBIT 5 for Risk includes seven enablers that assist businesses in achieving their business objectives. The seven enablers of COBIT 5 for Risk are: 1) Principles, Policies, and Frameworks; 2) Processes; 3) Organizational Structures; 4) Culture, Ethics, and Behavior; 5) Information; 6) Services, Infrastructure, and Applications; and 7) People, Skills, and Competencies [22].

While previous studies have examined IT risks in the manufacturing sector, few attempts have been made to investigate the pharmaceutical industry specifically. For example, Firdaus et al. [26] and Setyaningrum et al. [27] examined the risks associated with information technology in the manufacturing industry. Both studies used COBIT 5 for Risk to assess information technology risk management. For instance, Firdaus et al. [26] identified the risks associated with using ERP-based SAP applications. They found that the company has corporate governance and risk management services. However, no management or team had been formed specifically for information technology risks, and not all information technology risks had been adequately documented and managed.
Similarly, Setyaningrum et al. [27] suggest that the use of information systems entails numerous risks, and that these risks can make work processes inefficient and lower the company's quality. Another study by Thenu et al. [28] found that because information technology is used to support the business in the organization, IT-related risks can occur at any time. Risk management is the best strategy for mitigating losses should this problem occur.

B. Research Design and Data Collection
This study is designed as a qualitative case study [29]. We conducted the study in PharmaCo (pseudonym), one of the largest pharmaceutical companies in Indonesia. We focused on PharmaCo's core business in production and quality assurance. This study consists of four stages: 1) research planning and identification, 2) data collection, 3) risk identification and analysis, and 4) IT risk controls design.
Data collection methods include observation, interviews, and document analysis. The primary sources are interviews and observation. The research participants are managers, assistant managers, and staff from the Quality Assurance and Regulatory Compliance Department of PharmaCo. Following COBIT 5, we identified Enterprise Goals (EG) and their subsequent IT-related goals and IT-related processes. The whole IT risk management activity consists of five stages:
1) Risk identification: Risks are identified and listed to understand and determine the risk factors involved in a decision or project.
2) Risk analysis: Each risk is analyzed based on its likelihood and impact according to the company's ongoing risk management.
3) Risk prioritization: Risks are prioritized based on the company's risk appetite and categorized as low, medium, or high risk.
4) Risk response: The risk response is categorized as one of:
• Stop all potentially hazardous activities (Risk Avoidance).
• Take action to reduce the likelihood or impact (Risk Reduction).
• Take steps to transfer some or all of the risk to a third party, such as through insurance or outsourcing (Risk Sharing or Risk Transfer).
• Accept the risk, or take no risk-mitigation action (Risk Acceptance).
5) Risk monitoring: Once risk responses are established, the risks must be monitored and reviewed to detect changes that could cause other risks to arise.

C. IT Risk Management Recommendation
We developed IT risk controls for PharmaCo using COBIT's seven enablers. The existing condition is evaluated using the current process documents collected during the risk analysis. After determining the current situation, risk controls and recommendations are generated for each of the existing risks, tailored to the requirements of each associated enabler.

III. RESULTS

A. Case Profile
PharmaCo (pseudonym) is a State-Owned Enterprise pharmaceutical company based in Indonesia that manufactures and distributes medicine and its derivative products across the nation. The company operates and manages its business processes using an ERP-based SAP application. Several risks associated with applications are frequently encountered, including less-than-optimal ERP operational technicalities, communication problems between users and servers, etc. PharmaCo has implemented guidelines based on the ISO 9001 framework to manage all types of risks that could disrupt business processes and result in losses.
PharmaCo has implemented its risk management procedures to ensure the security of its data and processes as a manufacturer of health products. The information technology risk management condition at PharmaCo's Quality Assurance Division requires research. The Quality Assurance Division utilizes the COBIT 5 risk framework, which is a risk management framework for information technology risk management. This study aimed to ascertain the state of information technology risk, conduct risk analysis, and make design recommendations for information technology risk management using COBIT 5 For Risk in the Quality Assurance Division of PharmaCo's Regulatory Compliance Division.

B. Aligning COBIT 5 Enterprise Goals with the Enterprise Objectives of PharmaCo
Using a balanced scorecard, this section maps the enterprise goals (EG) of the quality assurance and regulatory compliance divisions to the COBIT 5 enterprise goals. The mapping revealed which COBIT 5 enterprise goals align with the regulatory compliance section of the quality assurance division, based on its workflow and risks. The selected enterprise goals are adapted to the current state of the QA Division of the Regulatory Compliance Division using balanced scorecard references. The four Enterprise Objectives (EO) are presented in Table 1. The company's strategic goals are mapped to the Balanced Scorecard (BSC) dimensions, which consist of the Finance, Customer, Internal, and Learning and Growth dimensions. The detail is provided in Table 2.

TABLE I
ENTERPRISE OBJECTIVES (EO) OF PHARMACO
EO1 Becoming the first-choice healthcare company that integrates and creates sustainable value
EO2 Conducting business activities in the chemical and pharmaceutical industries, trade and distribution network, pharmaceutical retail and health services, and asset optimization
EO3 Managing the company with Good Corporate Governance and operational excellence supported by professional Human Resources (HR)
EO4 Providing added value and benefits for all stakeholders

The Balanced Scorecard dimensions are divided into seventeen enterprise goals. Tables 3, 4, 5 and 6 map each enterprise objective to the enterprise goals of each BSC dimension. We only selected BSC enterprise goals that are related to the enterprise objectives.

TABLE III
MAPPING OF ENTERPRISE OBJECTIVES TO ENTERPRISE GOALS: FINANCIAL DIMENSION
EO1 The company applies the FMEA method to identify and address risks that may occur in products and processes, as well as RPN, a system for assessing risk levels
EO1 EG5 The company implements a Whistleblowing System (WBS) to prevent acts of fraud by reporting violations and encouraging a culture of honesty and openness
EO2 EG2 The estimated period between the occurrence of an event and the identification of a loss is determined by management for each identified portfolio
EO2 EG4 The company refers to BPOM RI regulation No. 24 of 2017 concerning criteria and procedures for drug registration
EO3 EG1 PharmaCo's commitment to continuously improving the quality and competence of human resources
EO4 EG1 PharmaCo is always committed to increasing stakeholder involvement to increase the value for shareholders and other stakeholders

TABLE IV
MAPPING OF ENTERPRISE OBJECTIVES TO ENTERPRISE GOALS: CUSTOMER DIMENSION
EO1 EG6 The company establishes a specific work culture (core value)
EO1 EG7 Conduct weekly or monthly meetings to discuss orders, timeliness of production, ability to carry out production, and approval of drug manufacture
EO1 EG8 The company launched the PharmaCo mobile application, which allows customers to obtain health services using only their gadgets
EO1 EG9 Using the website-based NDE (Nota Dinas Elektronik) application in decision making
EO2 --
EO3 EG6 Improving the risk culture through training and professional certification
EO4 EG10 Conducting a customer satisfaction survey

TABLE V
MAPPING OF ENTERPRISE OBJECTIVES TO ENTERPRISE GOALS: INTERNAL DIMENSION
EO1 PharmaCo applies end-to-end digitalization by developing Information Technology (IT) as one of the key enablers in realizing its business strategy, including IoT, QR Code, and Track and Trace
EO1 EG13 The transformation from a pharmaceutical company to a healthcare company
EO1 EG15 The company will rely on four pillars: research and development, automation and technology, human resources, and good corporate governance
EO2 EG11 The company encourages the realization of sustainable growth with maximum achievement and makes efforts to optimize working capital
EO2 EG13 Focusing on product development and upgrading production machines to make production more effective and efficient. PharmaCo focuses on producing traditional medicines, while the changes/additions are in the manufacture of cosmetics and drinking water
EO3 EG11 Ensuring that all operational activities of the company are carried out by implementing aspects of Good Corporate Governance
EO3 EG12 The company has an appropriate improvement program for each division
EO3 EG15 The company implements a GCG (Guidelines of Corporate Governance) system with the principles of leadership and good corporate governance built on responsibility, accountability, fairness, and transparency

TABLE VI
MAPPING OF ENTERPRISE OBJECTIVES TO ENTERPRISE GOALS: LEARNING AND GROWTH DIMENSION
EO1 EG17 The company encourages the realization of sustainable growth with maximum achievement and makes efforts to optimize working capital
EO2 EG16 PharmaCo already has an employee appraisal system that refers to performance as a step to motivate employees to give their best output
EO2 EG17 The plant produces products related to COVID-19, such as favipiravir and remdesivir, to increase people's immunity
EO3 EG16 The company already has a Talent Management program, namely an education and training program (Diklat), to improve and develop employees' competencies, skills, and attitudes to achieve PharmaCo's strategic goals. Improving the competency of human resources through professional training and certification programs builds a risk culture for all PharmaCo personnel and improves the implementation of an effective and efficient Risk Management System
EO3 EG17 The company encourages the realization of sustainable growth with maximum achievement and makes efforts to optimize working capital
EO4 --

C. Selection of Enterprise Goals
After mapping the enterprise objectives to the BSC enterprise goals, we select the BSC enterprise goals that suit this case study. Four BSC enterprise goals are selected, as shown in Table 7.

TABLE VII
THE SELECTED ENTERPRISE GOALS
EG4 Compliance with external laws and regulations
EG11 Optimization of business process functions
EG12 Optimization of business process costs
EG15 Compliance with internal policies

D. Mapping of IT-Related Goals at PharmaCo
The mapping of the selected enterprise goals to IT-related goals resulted in eleven goals, as shown in Table 8.

TABLE VIII
THE SELECTED IT-RELATED GOALS
ITG 1 Alignment of IT and business strategies
ITG 2 IT compliance and support for business compliance with external laws and regulations
ITG 4 Manage business risks associated with information technology
ITG 6 Transparency regarding the costs, benefits, and risks associated with information technology
ITG 7 Delivering information technology services following business requirements
ITG 8 Adequate use of application, information, and technology solutions
ITG 9 IT can adapt to changes quickly
ITG 10 Security of information, infrastructure, and applications
ITG 11 Optimization of IT assets, resources, and capabilities
ITG 12 Utilization and support of business processes through the integration of applications and technology
ITG 15 IT compliance with internal policies

E. Mapping of IT-Related Process
The next step is to identify the organizational processes associated with the IT-related goals. We identified six IT processes related to Quality Assurance at PharmaCo, which are presented in Table 9. The total score of each process is calculated from its 'primary' relationships in the mapping between IT-related goals and IT processes. This step identifies the IT-related processes that are most strongly related to internal and external compliance and to internal processes at PharmaCo.
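To make the goals cascade of this and the two preceding subsections concrete, here is an added Python example (not code from the study): it selects the IT-related goals that have a primary link from the four enterprise goals of Table 7 and then scores IT processes by their primary links, the 'primary value' total described above. The EG-to-ITG and ITG-to-process entries are a constructed illustrative subset, not ISACA's COBIT 5 mapping tables, and the function names are my own.

```python
"""COBIT 5 goals cascade scoring for PharmaCo.

Added example, not code from the study. The EG->ITG and ITG->process entries
are a constructed illustrative subset, NOT ISACA's COBIT 5 mapping tables;
only the scoring rule (count of primary links per process) follows the study.
"""
from collections import defaultdict

SELECTED_EG = {4, 11, 12, 15}   # the four enterprise goals of Table 7

# Constructed subset: enterprise goal -> {IT-related goal: 'P' primary | 'S' secondary}
EG_TO_ITG = {
    4:  {2: "P", 4: "P", 10: "P", 15: "S"},
    11: {1: "P", 7: "P", 8: "P", 9: "P", 12: "P", 11: "S"},
    12: {6: "P", 11: "P", 4: "S", 12: "S"},
    15: {2: "P", 15: "P", 10: "S"},
}

# Constructed subset: IT-related goal -> {COBIT 5 process: 'P' | 'S'}
ITG_TO_PROC = {
    1:  {"EDM01": "P", "APO02": "P", "APO12": "S", "BAI06": "S"},
    2:  {"APO12": "P", "MEA03": "P", "DSS05": "S"},
    4:  {"EDM03": "P", "APO12": "P", "BAI06": "P", "DSS06": "S"},
    6:  {"EDM03": "P", "APO06": "P", "APO12": "S"},
    7:  {"APO02": "P", "BAI06": "P", "DSS06": "S"},
    8:  {"APO07": "P", "DSS06": "P", "BAI09": "S"},
    9:  {"BAI06": "P", "EDM03": "P", "APO02": "S"},
    10: {"APO13": "P", "DSS05": "P", "APO12": "P"},
    11: {"BAI09": "P", "APO07": "P", "EDM03": "P"},
    12: {"BAI06": "P", "APO02": "P", "DSS06": "P"},
    15: {"APO12": "P", "MEA03": "P", "DSS06": "S"},
}


def select_itg(selected_eg, eg_to_itg):
    """Step 1 (Table 8): IT-related goals with a primary link from any selected enterprise goal."""
    return {itg for eg in selected_eg
            for itg, rel in eg_to_itg.get(eg, {}).items() if rel == "P"}


def score_processes(itgs, itg_to_proc, weights=None):
    """Step 2 (Table 9): total score per process. By default only primary links
    count, matching the study's 'primary value'; pass weights={"P": 1, "S": 0.5}
    to give secondary links half credit as well."""
    weights = weights or {"P": 1.0, "S": 0.0}
    totals = defaultdict(float)
    for itg in sorted(itgs):
        for proc, rel in itg_to_proc.get(itg, {}).items():
            totals[proc] += weights.get(rel, 0.0)
    # highest score first; ties broken by process id so the ranking is stable
    return sorted(((p, s) for p, s in totals.items() if s > 0),
                  key=lambda ps: (-ps[1], ps[0]))


def priority_processes(selected_eg=SELECTED_EG, top=3, weights=None):
    """Full cascade: the process domains to prioritize for IT risk management."""
    itgs = select_itg(selected_eg, EG_TO_ITG)
    return [p for p, _ in score_processes(itgs, ITG_TO_PROC, weights)[:top]]


if __name__ == "__main__":
    goals = select_itg(SELECTED_EG, EG_TO_ITG)
    print("selected IT-related goals:", sorted(goals))
    for proc, total in score_processes(goals, ITG_TO_PROC):
        print(f"{proc}: {total:.0f}")
    print("priority processes:", priority_processes())
```

With the constructed subset the cascade yields EDM03, APO12 and BAI06 as the top processes, the same three domains the study reports in Fig. 3; changing the weights shows how much that ranking depends on counting only primary links.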

F. Risk Identification
Risk identification is the process of finding, recognizing, and recording risks. It aims to identify events or situations that may affect the achievement of organizational goals, including the causes and sources of risk, descriptions of risk events, and their impact on organizational goals. Identification is conducted by developing risk scenarios based on the positive and negative sides of each risk. We identified a total of ten risks, which are presented in Table 10. Detailed risk identification, including actor, threat type, event, asset, and timing, is presented in Table 11.

TABLE X
IDENTIFIED RISKS AND RELATED IT PROCESSES
QA 08 Loss of data/documents due to an error in the application (BAI09, APO13)
QA 09 The work process does not follow the established procedures (APO02, DSS06)
QA 10 Too much workload (APO07)

G. Risk Scenario
An IT risk scenario is a description of an IT-related event that can cause a business impact, framed according to the possible time of the risk occurrence. Risk scenarios are of two types, positive and negative, depending on the direction of the impact. The positive scenario represents the outcome should the risk not occur, leading to smooth and optimal business processes; the negative scenario represents the impact should the risk occur, resulting in disruption to business processes. A scenario pair is created for each risk. Table 12 presents the risk scenarios at PharmaCo.

TABLE XII
RISK SCENARIOS AT PHARMACO

QA 01
Positive: Risk handling can be done quickly and precisely so that documents are immediately verified.
Negative: Document preparation did not follow the applicable directives and regulations, so many errors were found, which could result in the distribution permit not being issued.

QA 02
Positive: The regulatory compliance department revises documents in a timely manner.
Negative: The shared document is not the latest revised document but is urgently needed.

QA 03
Positive: The use of the document has been approved by the regulatory compliance department so that the document can be distributed immediately.
Negative: The use of documents that regulatory compliance has not verified makes the legality of the documents questionable.

QA 04
Positive: Every time there is a change in processes, tools, materials, or other things, each division notifies the regulatory compliance department.
Negative: Changes made without confirmation will cause business processes to go out of control and may impact other divisions.

QA 05
Positive: Changes are handled appropriately and verified immediately so that they can be implemented without delay.
Negative: Changes that occur are not monitored. This can impede the work of related divisions and have an impact on those changes.

QA 06
Positive: Handling of violations runs smoothly in accordance with procedures so as not to impede the workflow.
Negative: There are repeated violations of the rules.

QA 07
Positive: Customers can submit complaints, which are then resolved by regulatory compliance in a timely manner.
Negative: Customer complaints accumulate because they are not handled immediately, so the service business process becomes impeded.

QA 08
Positive: Application systems and databases are very effective, and maintenance is carried out often.
Negative: Stored data is lost due to an application system error, so data backups must always be made.

QA 09
Positive: The workflow follows fixed procedures so that the entire process is properly recorded.
Negative: Procedures are still not followed properly, which causes not all procedures to be carried out on time.

QA 10
Positive: IT can be used to do various jobs.
Negative: Many job descriptions do not match the work being done, which can cause a process to take more time.

C. Risk Assessment Criteria
The risk criteria are a standard measure of the probability, frequency, or likelihood of the occurrence of a certain risk as well as the consequences that may result should the risk occur. Table 13 presents a matrix of risk impact and probability, while the criteria for probability and impact are presented in Tables 14 and 15. The level of impact is assessed through the FMEA (Failure Mode and Effects Analysis) method, in which we assess the current controls implemented in the company and the stakeholders' risk appetite.

D. Risk Analysis
Further analysis is conducted to relate the identified risks with organizational processes. Table 16 presents the risk analysis at PharmaCo.

E. Risk Prioritization and Response
Risk prioritization is conducted to classify the risk level and identify the risk responses for each risk according to organizational processes. Risk responses are determined based on four risk management options: accept, mitigate, transfer, or avoid. Table 17 presents the results of risk prioritization and response. After risk prioritization, a mapping between the alignment of strategies and the risk approach is performed to determine the process domain that best fits the overall risk. This step aims to determine the processes that need to be managed related to IT risk management. The risk priority ranking is summarized in Table 18. Fig. 3 shows that the priority process domains for IT risk management at PharmaCo are EDM03 Ensure Risk Optimization, APO12 Manage Risk, and BAI06 Manage Changes. Each of these processes is briefly discussed next.
EDM03: Ensure Risk Optimization is one of the five domain processes of Evaluate, Direct, and Monitor. EDM03 focuses on stakeholder-related objectives to ensure that enterprise risk categories and tolerances are understood, articulated, and communicated, and that risks to enterprise value associated with the use of IT are identified and managed. In addition, EDM03 ensures that the company's IT-related risks do not exceed its risk appetite and risk tolerance, that the impact of IT risks on company value is identified and managed, and that the potential for failure is minimized [30].
APO12: Manage Risk is one of 13 process domains associated with the Align, Plan, and Organize (APO) management areas. APO12 identifies, assesses, and mitigates IT-related risks within tolerance levels established by the company's executive management. In addition, APO12 integrates IT-related enterprise risk management with overall ERM, balancing the costs and benefits of IT-related enterprise risk management. In addition, all company activities have risk exposures, which means that the company's stakeholder approach to risk needs to be written down to show how the company will deal with the risks it faces.
BAI06: Manage Changes is a process that manages all changes in a controlled manner, including standard changes and emergency maintenance related to business processes, covering standard change procedures, impact assessment, authorization, emergency changes, tracking, and documentation. The goal of the BAI06 process is to implement business changes quickly while ensuring that no risks are introduced that could harm the environment.
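The analysis, prioritization and response stages described in Section II.B and applied in this subsection can be expressed as a small, checkable model; the following Python is an added example, not code from the study. It scores the ten QA risks on a likelihood x impact matrix and an FMEA RPN, classifies them against appetite and tolerance thresholds, and assigns one of the four response options. The scores, scales, thresholds and the 'shareable' flags are constructed sample values; the risk events and the COBIT 5 processes for QA08 to QA10 are the study's.

```python
"""Risk analysis, prioritization and response over the PharmaCo QA register.

Added example, not code from the study. Likelihood, impact and detection
scores, the appetite/tolerance thresholds and the 'shareable' flags are
constructed sample values; the risk events follow the study's Tables 10-12.
"""
from collections import Counter
from dataclasses import dataclass

# Constructed 5-point scales standing in for the study's Tables 14 and 15.
LIKELIHOOD = {1: "rare", 2: "unlikely", 3: "possible", 4: "likely", 5: "almost certain"}
IMPACT = {1: "insignificant", 2: "minor", 3: "moderate", 4: "major", 5: "severe"}


@dataclass(frozen=True)
class Risk:
    rid: str
    event: str
    processes: tuple         # COBIT 5 processes from Table 10; () where the page gives none
    likelihood: int          # FMEA occurrence, 1-5
    impact: int              # FMEA severity, 1-5
    detection: int           # FMEA detection, 1 = current controls catch it, 5 = they do not
    shareable: bool = False  # could a third party (insurer, vendor) carry part of the risk?

    def score(self) -> int:
        """Cell value of the likelihood x impact matrix (the study's Table 13)."""
        return self.likelihood * self.impact

    def rpn(self) -> int:
        """FMEA Risk Priority Number = severity x occurrence x detection."""
        return self.impact * self.likelihood * self.detection


def level(score: int, appetite: int = 6, tolerance: int = 12) -> str:
    """Stage 3, prioritization: scores at or below the appetite are low, scores
    within the tolerance are medium, anything above it is high."""
    if score <= appetite:
        return "low"
    if score <= tolerance:
        return "medium"
    return "high"


def response(risk: Risk, lvl: str) -> str:
    """Stage 4, response: the four options listed in Section II.B."""
    if lvl == "low":
        return "accept"        # within appetite, no extra control
    if lvl == "high" and risk.impact == 5:
        return "avoid"         # stop the activity rather than run a severe, intolerable risk
    if lvl == "high" and risk.shareable:
        return "transfer"      # insurance or outsourcing
    return "reduce"            # controls that lower likelihood or impact


# Stage 1, identification: the study's ten QA risks with constructed scores.
REGISTER = [
    Risk("QA01", "Documents prepared contrary to applicable directives and regulations", (), 3, 4, 3),
    Risk("QA02", "Shared document is not the latest revision", (), 3, 3, 2),
    Risk("QA03", "Use of documents not verified by regulatory compliance", (), 2, 4, 3),
    Risk("QA04", "Uncontrolled change", (), 3, 4, 4),
    Risk("QA05", "Changes not monitored", (), 3, 3, 3),
    Risk("QA06", "Repeated exceptions to applicable regulations", (), 4, 3, 2),
    Risk("QA07", "Customer complaints not handled within the SLA", (), 3, 2, 2),
    Risk("QA08", "Loss of data/documents due to an application error", ("BAI09", "APO13"), 2, 5, 4, True),
    Risk("QA09", "Work process not following established procedures", ("APO02", "DSS06"), 4, 4, 3),
    Risk("QA10", "Too much workload", ("APO07",), 4, 2, 1),
]


def analyze(register, appetite: int = 6, tolerance: int = 12):
    """Stages 2-4 over the whole register, ranked by RPN, then matrix score."""
    rows = []
    for r in register:
        lvl = level(r.score(), appetite, tolerance)
        rows.append({"rid": r.rid, "score": r.score(), "rpn": r.rpn(),
                     "level": lvl, "response": response(r, lvl)})
    return sorted(rows, key=lambda row: (-row["rpn"], -row["score"], row["rid"]))


def level_counts(rows):
    """Distribution of levels; the study reports its register as dominated by moderate risk."""
    return dict(Counter(row["level"] for row in rows))


if __name__ == "__main__":
    ranked = analyze(REGISTER)
    for row in ranked:
        print(f'{row["rid"]}  score={row["score"]:2d}  RPN={row["rpn"]:2d}  '
              f'{row["level"]:6s}  -> {row["response"]}')
    print(level_counts(ranked))
```

Raising the detection score of a risk (weaker current controls) moves it up the RPN ranking without changing its matrix level, which is why the study assesses existing controls separately from the probability and impact criteria.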

F. Designing IT Risk Management at PharmaCo
Assessment of the existing conditions is carried out based on documents related to the current risk mitigation strategy. The design of IT risk controls for PharmaCo is based on COBIT's seven enablers, grouped under three perspectives:
• People: organizational structure; people, skills, and competencies; culture, ethics, and behavior
• Process: principles, policies, and frameworks; processes
• Technology: information; services, infrastructure, and applications

3) Organizational Structure:
• Reviewing and approving procedures related to the SOPs for Risk Assessment, Regulatory Management, and Quality Manuals.
• Plant Manager (A). The Plant Manager is responsible for checking, approving, and ensuring that the SOP is executed properly and that the management system complies with applicable standards.
• Supervisor Compliance (I/R). The Compliance Supervisor is responsible for compiling, periodically reviewing, and ensuring that the Risk Assessment SOP is carried out consistently, properly, and correctly. The supervisor of each sub-section is also responsible for carrying out risk management following the established Risk Assessment SOP.

4) Culture, Ethics, and Behavior:
Existing behavior and related risk management are carried out based on the risk appetite that has been set in the Risk Assessment SOP

5) Information
SOP for Risk Assessment. The risk assessment procedure covers risk assessment and risk control, using Ishikawa diagram tools. The results of the risk assessment are prepared according to the FMEA form. After the risk assessment is completed, it is submitted to the Assistant Manager of Quality Assurance for approval and documentation of the risk assessment list form and the FMEA form.
SOP for Regulatory Management. In the regulatory procedure, there is a process of preparing and sending registration documents. This process produces an output, namely a Memo of product batch number and a Drug Registration Document, which will be submitted to the Head Office Regulatory Section, which consists of:

G. Design of IT Risk Management
At this stage, recommendations are developed based on the data analysis results and the business's current state, categorized by the seven enablers. Recommendations focus on risks that have been mitigated and on the portion of the system that has not yet reached its optimal state or has gaps that require improvement. Table 19 presents the recommendations for IT risk management at PharmaCo.

TABLE XIX
RECOMMENDATIONS FOR IT RISK MANAGEMENT AT PHARMACO

Services, Infrastructure, and Applications: The regulation module is added to the existing application to categorize related documents according to division and to make attachments in the sub-modules.

QA04 Uncontrolled change
Processes: SOP control: add details of what changes must be reported and what the references are. BAI06: manage all changes in a controlled manner, including standard changes and emergency maintenance related to business processes, such as standard change procedures, impact assessment, emergency changes, tracking, and documentation.
Services, Infrastructure, and Applications: Add change updates to the application dashboard so that all employees can see the changes made in real time.

QA06 Exceptions to applicable regulations occur frequently
Culture, Ethics, and Behavior: Conduct routine socialization through offline and online seminars to discuss regulations and the proper handling of irregularities.

QA07 Customer complaints that do not follow the established SLA
Information:
• Update the customer satisfaction survey documents, tailored to the conditions and relationships between PharmaCo and its customers.
• Process information related to customer complaints through the information system.
Services, Infrastructure, and Applications: Add a Customer Complaints module to the Deviation Control & Customer Complaints sub-section, accessible in the application, with checklists and updates on the handling of customer complaints.

QA08 Loss of data/documents due to an error in the application
Processes: Recommendations based on the process domains related to the risk:
• BAI09: manage assets throughout their life cycle to ensure they provide value at an optimal budget, are physically recorded and protected, and are critical to supporting existing service capabilities. Manage software licenses to ensure optimal numbers and that the software installed follows the agreement.
• DSS05: comply with security policies regarding the company's own IT assets.
Services, Infrastructure, and Applications:
• Regularly perform application maintenance.
• Change passwords periodically to prevent other parties from seeing internal data.
• Each division backs up its data or documents to Drive, flash disk, and hard disk.

IV. CONCLUSION
This research identifies ten IT risks, mainly related to the company's goals of regulatory compliance and internal process optimization. All risks involve internal actors, with most events occurring due to laws and regulations. Most of the identified risks are at a moderate level. IT risk controls are designed from the various aspects of the seven enablers and customized for each risk. In terms of processes, the IT risk controls include detailed work process flows and the enabling principles, policies, and frameworks. In terms of Services, Infrastructure, and Applications, the IT risk controls include acquiring more efficient document storage and a dashboard for tracking changes; this entails storing data and processes about customer complaints in an application system. Finally, in terms of Culture, Ethics, and Behavior, the IT risk controls include training and skill improvement related to rules and regulations to avoid overlapping or repeated abnormalities and violations.