Extant literature has shown that sectoral characteristics play a critical role in business value creation through information technology (IT). Therefore, managing IT and its associated risks needs to consider specific industrial traits to understand the distinct business nature and regulations that shape IT-enabled business value creation. This study presents an in-depth analysis of business goals, IT processes, and IT risks in the case of a pharmaceutical company through which appropriate controls are designed to ensure business value creation through IT. Drawing on a case study of a pharmaceutical company in Indonesia, we found that managing IT risks in the pharmaceutical industry entails two main objectives: 1) ensuring compliance with external laws and regulations as well as internal policies, 2) supporting the optimization of business functions, processes, and costs. Throughout one year of engagement during the project, this study identified ten risks associated with the operation of business processes. Risks are dominated by moderate levels given the current state of controls and appetite, most of which emerge from the company’s existing internal processes. Internal actors are involved in all risks, with most events occurring due to laws and regulations. Further, the study designs and elaborates IT risk controls by drawing from COBIT 5 Seven Enablers. Overall, IT risk management through cascading processes of analysis ensures the alignment of IT risk controls with achieving business goals in the pharmaceutical industry.

K. K. Ganju, P. A. Pavlou, and R. D. Banker, “Does information and communication technology lead to the well-being of nations? A country-level empirical investigation,†MIS Q., vol. 40, no. 2, pp. 417–430, 2016.

P. C. Verhoef et al., “Digital transformation: A multidisciplinary reflection and research agenda,†J. Bus. Res., vol. 122, no. September 2019, pp. 889–901, 2021, doi: 10.1016/j.jbusres.2019.09.022.

Marsh&McLennan, “A New Definition of Catastrophic Risk: Technology Industry Risk Study 2020,†2020.

W. A. Cram, M. K. Brohman, and R. B. Gallupe, “Information systems control: A review and framework for emerging information systems processes,†J. Assoc. Inf. Syst., vol. 17, no. 4, pp. 216–266, 2016, doi: 10.17705/1jais.00427.

A. Yeow, C. Soh, and R. Hansen, “Aligning with new digital strategy: A dynamic capabilities approach,†J. Strateg. Inf. Syst., vol. 27, no. 1, pp. 43–58, 2018, doi: 10.1016/j.jsis.2017.09.001.

H. C. Chae, C. E. Koh, and K. O. Park, “Information technology capability and firm performance: Role of industry,†Inf. Manag., vol. 55, no. 5, pp. 525–546, 2018, doi: 10.1016/j.im.2017.10.001.

N. Melville, K. L. Kraemer, and V. Gurbaxani, “Review: Information Technology and Organizational Performance: An Integrative Model of IT Business Value,†MIS Q., vol. 28, no. 2, pp. 283–322, 2004.

K. J. Dooley and A. H. Van de Ven, “Explaining Complex Organizational Dynamics,†Organ. Sci., vol. 10, no. 3, pp. 358–372, 1999.

M. D. Stoel and W. A. Muhanna, “IT capabilities and firm performance: A contingency analysis of the role of industry and IT capability type,†Inf. Manag., vol. 46, pp. 181–189, 2009, doi: 10.1016/j.im.2008.10.002.

A. E. Brown and G. G. Grant, “Framing the Frameworks: A Review of IT Governance Research,†Commun. Assoc. Inf. Syst., vol. 15, no. May, 2005, doi: 10.17705/1cais.01538.

A. Tiwana and S. K. Kim, “Discriminating IT Governance,†Inf. Syst. Res., vol. 26, no. 4, pp. 656–674, 2015, doi: 10.4018/978-1-60566-026-4.ch315.

V. Sambamurthy and R. W. Zmud, “Arrangements for information technology governance: A theory of multiple contingencies,†MIS Q., vol. 23, no. 2, pp. 261–290, 1999, doi: 10.2307/249754.

J. E. Gerow, J. B. Thatcher, and V. Grover, “Six types of IT-business strategic alignment: An investigation of the constructs and their measurement,†Eur. J. Inf. Syst., vol. 24, no. 5, pp. 465–491, 2015, doi: 10.1057/ejis.2014.6.

P. Weill, “Don’t just lead, govern: How top-performing firms govern IT,†MIS Q. Exec., vol. 8, no. 1, pp. 1–21, 2004, doi: 10.2139/ssrn.664612.

R. Kohli and V. Grover, “Business Value of IT: An Essay on Expanding Research Directions to Keep up with the Times,†J. Assoc. Inf. Syst., vol. 9, no. 1, pp. 23–39, 2008.

V. Grover and R. Kohli, “Cocreating IT value: New capabilities and metrics for multifirm environments,†MIS Q., vol. 36, no. 1, pp. 225–232, 2012.

R. S. Kaplan and D. P. Norton, “Using the Balanced Scorecard as a Strategic Management System,†Harv. Bus. Rev., vol. Jan-Feb, pp. 75–85, 1996.

ISACA, COBIT 5: A business framework for the governance and management of enterprise IT COBIT 5. ISACA, 2012.

L. Ramadani and A. Almaarif, “Considering context in information systems research: Understanding the conditions of developing country scholarship,†Electron. J. Inf. Syst. Dev. Ctries., vol. 88, no. 1, pp. 1–17, 2022, doi: 10.1002/isd2.12200.

C. Avgerou, “Contextual explanation: Alternative approaches and persistent challenges,†MIS Q., vol. 43, no. 3, pp. 977–1006, 2019, doi: 10.25300/MISQ/2019/13990.

K. Srinivas, “Process of Risk Management,†Perspect. Risk, Assess. Manag. Paradig., pp. 0–16, 2019, doi: 10.5772/intechopen.80804.

ISACA, COBIT 5 for Risk. ISACA, 2013.

T. Kude, M. Lazic, A. Heinzl, and A. Neff, “Achieving IT-based synergies through regulation-oriented and consensus-oriented IT governance capabilities,†Inf. Syst. J., vol. 28, no. 5, pp. 765–795, 2018, doi: 10.1111/isj.12159.

S. De Haes, W. Van Grembergen, and R. S. Debreceny, “COBIT 5 and enterprise governance of information technology: Building blocks and research opportunities,†J. Inf. Syst., vol. 27, no. 1, pp. 307–324, 2013, doi: 10.2308/isys-50422.

Z. Alreemy, V. Chang, R. Walters, and G. Wills, “Critical success factors (CSFs) for information technology governance (ITG),†Int. J. Inf. Manage., vol. 36, no. 6, pp. 907–916, 2016, doi: 10.1016/j.ijinfomgt.2016.05.017.

N. Z. Firdaus and Suprapto, “Evaluasi Manajemen Risiko Teknologi Informasi Menggunakan COBIT 5 IT Risk (Studi Kasus : PT . Petrokimia Gresik),†J. Pengemb. Teknol. Inf. dan Ilmu Komput., vol. 2, no. 1, pp. 1–10, 2018.

N. D. Setyaningrum, Suprapto, and A. Kusyanti, “Tampilan Evaluasi Manajemen Risiko Teknologi Informasi Menggunakan Framework COBIT 5 (Studi Kasus : PT. Kimia Farma (Persero) Tbk – Plant Watudakon),†J. Pengemb. Teknol. Inf. dan Ilmu Komput., vol. 2, no. 1, pp. 143–152, 2018.

P. P. Thenu, A. F. Wijaya, C. Rudianto, U. Kristen, and S. Wacana, “Analisis Manajemen Risiko Teknologi Informasi Menggunakan COBIT 5 (Studi Kasus: PT Global Infotech),†J. Bina Komput., vol. 2, no. 1, pp. 1–13, Feb. 2020, doi: 10.33557/BINAKOMPUTER.V2I1.799.

R. K. Yin, “Case Study Research and Applications Design and Methods Sixth Edition,†2018.

M. Majdalawieh and J. Gammack, “‘An Integrated Approach to Enterprise Risk: Building a Multidimensional Risk Management Strategy for the Enterprise,’†Int. J. Sci. Res. Innov. Technol., vol. 4, no. 2, pp. 2313–3759, 2017.