Implementing Information Technology Risk Management: A Case Study in the African Airline Industry

In the contemporary, ever-evolving global landscape, risk is a fundamental aspect of organizational operations (I​B​M​,​ ​2​0​0​8). Various factors such as mergers and acquisitions, partnerships, globalization, and continual technological advancements are identified as key contributors to risk (I​B​M​,​ ​2​0​0​8). These elements present challenges that organizations must navigate (A​m​a​n​s​o​u​,​ ​2​0​1​9). Consequently, there is an increasing emphasis on risk management within organizations, encompassing a spectrum of risks including human, commercial, economic, and political (A​m​a​n​s​o​u​,​ ​2​0​1​9).

The incorporation of information technology within businesses, while beneficial, necessitates the efficient management of IT-related risks to ensure the achievement of corporate objectives (S​a​e​i​d​i​ ​e​t​ ​a​l​.​,​ ​2​0​1​9). ITRM is inherently linked to overall enterprise risk management, as IT-related risks can have significant impacts on the enterprise. This underscores the importance of a framework that integrates IT risks into enterprise risk management (E​r​n​a​w​a​t​i​ ​e​t​ ​a​l​.​,​ ​2​0​1​2; S​u​r​o​s​o​ ​&​ ​R​a​h​a​d​i​,​ ​2​0​1​7).

The consequences of unmanaged IT risks on organizations can be severe. For instance, in 2017, an outage at Amazon Web Services disrupted numerous online services and websites, illustrating the risks associated with dependency on a single cloud service provider (W​e​i​s​e​,​ ​2​0​1​7). Similarly, British Airways experienced an IT outage in 2017 due to a power surge, which impacted their aging IT infrastructure, leading to widespread flight cancellations and delays (H​e​r​n​,​ ​2​0​1​7). Additionally, in 2016, Delta Air Lines faced significant operational disruptions and financial losses due to a power outage, highlighting the absence of a robust disaster recovery plan (C​B​S​ ​N​e​w​s​,​ ​2​0​1​6).

To address the need for effective ITRM, various standards and guidelines have been established. COSO, renowned for its expertise in internal control, introduced in 2017 a version specifically designed for enterprise risk management (COSO ERM), although it does not directly address ITRM (C​O​S​O​,​ ​2​0​1​3; C​O​S​O​,​ ​2​0​1​7; R​e​n​a​r​d​,​ ​2​0​1​2). ISO 31000, established in 2018, offers principles and guidelines for general risk management but also lacks specificity for ITRM (I​S​O​,​ ​2​0​1​8; S​u​t​r​a​,​ ​2​0​1​8). Conversely, COBIT, primarily focused on IT management and governance, addresses ITRM in its COBIT 5 framework. COBIT 5 provides best practices for ITRM, yet its implementation can be challenging due to its complexity and lack of a simplified, holistic approach (I​S​A​C​A​,​ ​2​0​1​2​a; I​S​A​C​A​,​ ​2​0​1​4; I​S​A​C​A​,​ ​2​0​1​3; W​a​l​i​d​ ​&​ ​B​a​s​i​l​,​ ​2​0​1​5).

Despite the existing literature on the application of COBIT 5, ISO 31000, and COSO ERM for ITRM, a comprehensive, specialized framework remains elusive. For example, K​o​z​i​n​a​ ​(​2​0​2​1​) in IT Risk Management in the enterprise using COBIT 5, proposed a methodology for managing IT risks by integrating COBIT 5 with the Balanced Scorecard. This methodology focuses on identifying potential IT risks, assessing risk acceptance levels, and aligning business and IT objectives, specifically emphasizing risk identification, assessment, and response.

The academic discourse on ITRM has seen notable contributions that apply various frameworks and standards. In Risk Assessment and Recommendation Strategy Based on COBIT 5 for Risk: Case Study SIKN JIKN Helpdesk Service (W​u​l​a​n​d​a​r​i​ ​e​t​ ​a​l​.​,​ ​2​0​1​9), the authors conducted a risk assessment for the SIKN JIKN helpdesk, employing COBIT 5 for risk, COBIT 5 Enabling Process, and COBIT 5 Framework guidelines. Their case study focused on the processes of DSS01 Manage Operations and APO12 Manage Risks. Notably, this method addressed only the risk assessment stage, omitting the EDM03 Ensuring Risk Optimization process, which is crucial for risk governance.

Furthermore, in Implementation of ISO 31000 for Information Technology Risk Management in the Government Environment (N​u​g​r​a​h​a​ ​&​ ​I​s​t​a​m​b​u​l​,​ ​2​0​1​9), the authors explored the application of ISO 31000 to manage IT risks in a governmental setting. Their methodology encompassed stages such as Risk Identification, Risk Analysis, Risk Evaluation, and Risk Treatment, focusing on identifying and addressing potential IT threats and risks.

The exploration of ITRM in various sectors continues to be a prominent theme in recent academic research. In Information Technology Risk Management in Educational Institutions Using ISO 31000 Framework (P​u​t​r​i​ ​&​ ​W​i​j​a​y​a​,​ ​2​0​2​3), the focus is on the application of the ISO 31000 framework in Indonesian educational institutions. The methodology outlined in this study encompasses the phases of Risk Identification, Risk Assessment, and Risk Treatment, providing a tailored approach to managing IT risks in an educational context.

Similarly, in A Study of Information Technology Risk Management of Government and Business Organizations in Thailand using COSO-ERM based on the COBIT 5 Framework (T​a​n​g​p​r​a​s​e​r​t​,​ ​2​0​2​0), the research evaluates IT security control within Thai government and business organizations. This study integrates COSO ERM with COBIT 5, specifically focusing on the principles of Risk Identification, Risk Assessment, and Risk Response. This approach offers insights into the performance and efficacy of IT security controls in a cross-sectoral context.

The cited research articles, while contributing significantly to the field of ITRM, exhibit common limitations as summarized in Table 1:

- Partial Coverage in Establishing ITRM: Each of the studies primarily concentrates on the initial stages of ITRM, such as Risk Identification, Risk Analysis, and Risk Treatment. This focus results in an incomplete portrayal of the ITRM process, as they do not fully develop or address the entire spectrum of ITRM and governance processes. This gap highlights the need for a more comprehensive approach that encompasses all stages of ITRM, from initial identification through to ongoing governance and monitoring.

- Absence of a Holistic End-to-End Approach: The studies lack a holistic, end-to-end approach to ITRM. This limitation is significant as it suggests that the research does not fully integrate or consider the interconnectedness of various risk management processes and their cumulative impact on the organization. A holistic approach would provide a more comprehensive understanding of IT risks, their interdependencies, and their overall impact on organizational objectives.

To address the identified limitations in existing ITRM research, ongoing work by B​e​r​r​a​d​a​ ​e​t​ ​a​l​.​ ​(​2​0​2​1​) aims to develop a holistic and simplified framework for ITRM. This work, encompassing publications such as Simplified IT Risk Management Maturity Audit System Based on COBIT 5 for Risk, RITM 23: A System to an IT Risk Management Implementation (B​e​r​r​a​d​a​ ​e​t​ ​a​l​.​,​ ​2​0​2​3), and Roadmap and System to Implement Information Technology Risk Management: RITM 23 (process of publication in progress, focuses on a novel approach called RITM 23.

RITM 23 is characterized as an integrated, holistic, and simplified methodological approach, combining standards like ISO 31000, COSO ERM, and COBIT 5. The primary objective of this article is to validate the efficacy of the RITM 23 approach, particularly in high-risk contexts such as the airline industry. The article presents a case study of RITM 23's implementation in an African airline, providing a practical demonstration of its application.

The structure of this article is as follows: The first section offers a concise overview of the RITM 23 methodological approach for establishing ITRM. This is followed by a detailed case study of its deployment in an African airline, with an analysis and comparison of the results against existing frameworks. Subsequent sections discuss the findings and highlight the contributions of the study. The final section concludes the paper and outlines future perspectives.

The methodology section outlines the process of implementing Information Technology Risk Management (ITRM) in an African airline using the RITM 23 approach. RITM 23 was selected due to its holistic and simplified nature, specifically tailored for ITRM implementation. While other known standards such as COSO ERM, ISO 31000, and COBIT 5 exist for ITRM, they are either too generic or complex for specialized ITRM deployment.

RITM 23 is an integrated approach, constructed by amalgamating three key standards for Enterprise Risk Management (ERM) and ITRM: ISO 31000 (I​S​O​,​ ​2​0​1​8), COSO ERM (C​O​S​O​,​ ​2​0​1​7), and COBIT 5 (I​S​A​C​A​,​ ​2​0​1​2​b; I​S​A​C​A​,​ ​2​0​1​3). Its holistic nature ensures comprehensive coverage of both management and governance processes essential for establishing ITRM in organizations.

The RITM 23 methodology encompasses five phases (see Figure 1):

(1) Project Scoping: This initial phase involves framing and organizing the project. Key activities include defining stakeholders, scheduling, and selecting methodological tools.

(2) Data Collection and Analysis: The second phase focuses on gathering IT risk data and organizing it by risk category, laying the groundwork for subsequent phases.

(3) Development of the ITRM System: In this phase, the identified IT risks are mapped in relation to the organization, forming the core of the ITRM system.

(4) Change Management, Communication, and Awareness: This phase aims to cultivate a risk-aware culture within the organization. It involves disseminating information about IT risks to enhance their effective management.

(5) Tracking and Monitoring: The final phase entails continuous tracking and monitoring of IT risks, enabling timely and effective responses to limit losses from IT-related events.

To assist in the implementation of Information Technology Risk Management, a simplified guide is provided in the appendix.

For comprehensive details on the proposed methodology, readers are encouraged to consult the article RITM 23: A System to an IT Risk Management Implementation (B​e​r​r​a​d​a​ ​e​t​ ​a​l​.​,​ ​2​0​2​3). This publication offers an in-depth exploration of the RITM 23 approach, contributing valuable insights into the field of ITRM.

The case study was undertaken at a prominent African airline, referred to as "Fly Africa" for confidentiality purposes. Fly Africa operates across Africa, Europe, Asia, and America, boasting a medium-sized fleet and employing approximately 2,000 personnel. The airline adopts an enterprise risk management strategy aligned with the COSO framework, which is also instrumental in managing IT-related risks.

The methodology of the study encompassed a blend of internal interviews and analysis of both internal and external documentation. Specifically, data and information were gathered through the following means:

- Qualitative Interviews: A series of 20 interviews were carried out with internal stakeholders at Fly Africa. These interviews included discussions with business line managers, business process owners, the Chief Risk Officer, IT risk leader, and IT process owners. The aim was to obtain qualitative descriptions and insights into the internal risk management processes and perceptions.

- Internal Documentation Analysis: An extensive review of Fly Africa's internal documentation was performed. This included an examination of budget guidance documents, ITRM maturity audit reports, risk management methodological kits, activity reports, IT incident databases, IT risk mappings, process mappings, and dashboards of Key Risk Indicators (KRIs).

- Analysis of Industry Peers' Published Documents: To gain a broader industry perspective, published documents of industry peers were also analyzed. This included reviewing annual reports from E​a​s​y​j​e​t​ ​(​2​0​2​1​), R​y​a​n​a​i​r​ ​(​2​0​2​0​), International Airlines Group (I​A​G​,​ ​2​0​2​1), and the L​u​f​t​h​a​n​s​a​ ​G​r​o​u​p​ ​(​2​0​2​1​), as well as universal registration documents from the A​i​r​ ​F​r​a​n​c​e​ ​K​L​M​ ​G​r​o​u​p​ ​(​2​0​2​0​), A​i​r​ ​F​r​a​n​c​e​ ​K​L​M​ ​G​r​o​u​p​ ​(​2​0​2​1​) and S​a​f​r​a​n​ ​(​2​0​2​1​).

This section details the application of RITM 23 within the context of “Fly Africa.” Extracts from the results and outputs achieved during the deployment are presented below.

Objectives and Expectations: An interview was conducted with Fly Africa's Director of Internal Control & Risk Management. The director emphasized that the primary objective was to deploy the RITM 23 approach for implementing an IT management system within the airline. Although COSO ERM was already in use for enterprise risk management, it did not fully address the specificities of IT-related risks. Hence, RITM 23 was chosen to evaluate its effectiveness compared to the existing framework. The project needed to align with the company's strategic directions, adhering to defined deadlines, quality standards, and budget constraints.

General Directions: According to the Strategic Director of Fly Africa, the airline's development strategy includes key strategic orientations:

- Optimization of the operating model.

- Growth in passenger revenue, particularly in the most profitable segments.

- Expansion of non-passenger and cargo revenues.

- Contribution to sustainable development.

Major Risks: The major risks facing Fly Africa were identified through an interview with the Director of Internal Control & Risk Management and an analysis of the annual risk management report. The airline operates in an environment characterized by:

- Macroeconomic and geopolitical risks.

- Risks specific to the air transport industry.

- Risks related to group processes.

- Legal risks.

- Market risks.

The Director of Internal Control & Risk Management established the primary objectives and expectations for the project. Operational details were further defined in an interview with the Chief Risk Officer, who identified the project team members, key stakeholders, and the project timeline.

Project Team: The project team is composed of various organizational functions integral to the deployment of the RITM 23 approach, participating in all stages of the project. The team includes:

- Chief Risk Officer: As the head of the risk management entity, the CRO is responsible for steering and coordinating the project and ensuring adherence to the methodological approach.

- IT Risk Leader: Tasked with deploying the proposed methodological approach.

- IT Process Owners: Providing necessary business expertise in IT for the project's deployment.

Stakeholders: Successful deployment of the roadmap requires the involvement of stakeholders beyond the project team, who will offer support and expertise in their respective areas. These include:

- Business Line Managers: Responsible for steering the project, making decisions, and assisting in disseminating the risk culture throughout the organization.

- Business Process Owners: Offering business expertise in their specific fields.

Project Schedule: The RITM 23 deployment involves five consecutive phases, with an exception for phase 4, which starts alongside phase 2 and continues through phase 5. The planning is benchmarked against similar projects, with phase 3 typically requiring more time than phases 1 and 2 to adequately develop the ITRM system. A three-month execution schedule is anticipated for the project (as depicted in Figure 2). However, phases 4 and 5 are expected to continue beyond the project's formal conclusion.

The ITRM methodological framework within the RITM 23 approach is designed to determine the appropriate scales for evaluating risk parameters, such as likelihood, impact, control effectiveness, and criticality. The framework proposes three options for rating scales to cater to the specific needs of each organization: 4-level, 5-level, or 6-level scales.

For Fly Africa, the decision was made to adopt a 5-level scale to align with the existing scales used in the airline's global risk management system, as suggested by the Director of Internal Control & Risk Management and the Chief Risk Officer. This alignment ensures consistency across different risk management domains within the organization.

Likelihood Rating Scale: The adopted likelihood rating scale (illustrated in Figure 3) consists of 5 levels of qualitative assessment. These levels range from level 1, indicating the lowest likelihood, to level 5, signifying the highest likelihood of risk occurrence.

Impact Rating Scale: Similarly, the impact rating scale (shown in Figure 4) also features 5 levels of qualitative assessment. This scale ranges from level 1, representing the lowest level of impact, to level 5, indicating the most significant impact.

Scale of Control Effectiveness: The scale for rating the effectiveness of controls (depicted in Figure 5) includes 5 levels of qualitative assessment. These levels vary from level 1, which denotes the least effective controls, to level 5, which represents the most effective controls in mitigating risks.

Criticality Level: In the context of the RITM 23 approach, criticality is a measure directly linked to risk exposure, which is determined by the product of the risk's probability of occurrence and its impact. The criticality scale used at Fly Africa (illustrated in Figure 6) includes four distinct levels, regardless of the rating scales utilized for assessing probability of occurrence, impact, or control effectiveness. These levels are:

- Minor Risk: Represents the lowest level of criticality.

- Moderate Risk: Indicates a moderate level of criticality.

- Major Risk: Denotes a high level of risk but not the utmost severity.

- Critical Risk: Signifies the highest level of risk criticality.

These criticality levels are represented in the risk matrix as different colored zones, often referred to as temperature zones. They play a crucial role in defining the levels of risk acceptance and the corresponding risk treatment strategies. In Fly Africa's case, risks categorized as minor and moderate are deemed acceptable, whereas major and critical risks are considered unacceptable and necessitate mitigation.

Risk Matrix: The risk matrix (shown in Figure 7) serves as a graphical representation of the organization's mapped risks. Each risk is plotted within the matrix based on its probability of occurrence and impact. The matrix is divided into several color-coded zones corresponding to the selected criticality levels:

- Red Zone: Indicates critical risks requiring immediate attention and action.

- Orange Zone: Represents major risks that are of significant concern but less urgent than critical risks.

- Yellow Zone: Encompasses moderate risks that are manageable within normal risk management processes.

- Green Zone: Includes minor risks, which are generally acceptable and require minimal intervention.

Data for this study were meticulously gathered from a variety of sources, as illustrated in Figure 8. These sources included universal registration documents and annual reports of industry competitors, a range of internal documents from Fly Africa, and interviews with key stakeholders within the airline.

The comprehensive analysis of the collected data led to the development of a summary table (Table 2). This table methodically categorizes the risks and includes critical details such as the description of each identified risk, its specific category, the underlying risk factors, and assessments of both the likelihood and impact of each risk according to the predefined scales.

The process of risk mapping for Fly Africa encapsulated a comprehensive identification and specification of various IT risk attributes. These included factors such as risk sources, potential consequences, existing control activities, associated macro and specific processes, risk categories, KRIs, control effectiveness, likelihood and impact of each risk, and potential risk response options.

To construct the IT risk map for Fly Africa, a multifaceted approach was adopted. This approach involved utilizing standard IT risk scenarios as defined in COBIT 5, conducting detailed interviews with the project team members, analyzing pre-existing IT risk mappings at Fly Africa, and integrating potential IT risks identified in phase 2. Additionally, the steps outlined in the RITM 23 approach were meticulously followed (as illustrated in Figure 9), ensuring a systematic and thorough development of the ITRM system.

Some examples of IT risks identified by Fly Africa are described in Table 3.

The following illustrates a detailed example of a risk, encompassing all the attributes that have been integrated into the IT risk mapping for Fly Africa. This example is comprehensively documented in Table 4, Table 5, Table 6, and Table 7.

Part 1 of the risk mapping extract illustrates the relationship of the identified risk to specific processes and macro-processes within Fly Africa. It also details how the risk is categorized, including a precise risk indicator for a comprehensive understanding of its context and relevance.

Part 2 of the risk mapping extract delineates the risk factors and the potential consequences of the identified risk, along with a description of the existing control activities in place.

Part 3 of the risk mapping extract focuses on evaluating the likelihood and impact of the risk, as well as the effectiveness of existing controls. This assessment is crucial for calculating the overall risk exposure, thereby determining the risk's criticality. In the provided example, the risk is assessed as critical, indicating the necessity for implementing a comprehensive risk mitigation plan.

Part 4 of the risk mapping extract is dedicated to evaluating potential risk response options. This evaluation includes scoring various response strategies, taking into account factors such as cost and benefit. In the example given, the favored risk response is one that represents a balance of medium cost and high benefit in its implementation.

Mapping of Applications, Processes and It Infrastructures Related to Critical Sub-Processes: This section involves mapping applications, processes, and IT infrastructures that are related to critical sub-processes. It is essential to identify business processes, assess their criticality, and understand their interrelations with IT applications, processes, and infrastructures. In the case of Fly Africa, an existing business process mapping serves as a foundation. For each identified process, corresponding IT applications, processes, and infrastructures were defined. Critical processes were then pinpointed to facilitate the implementation of necessary action plans (as detailed in Table 8).

An illustrative case is the identification of the "Personnel Payroll Management" process within the "HR Operations" macro-process as critical. This necessitates the formulation of an action plan to ensure continuous availability and functionality of the system. Potential measures might include installing a backup server, implementing multi-level validation for the authorizations matrix, and appointing dedicated personnel for the functional and technical administration of the system.

IT Incident Database: The IT incident database is a key tool in this process. It chronicles various IT incidents that have occurred, accompanied by detailed descriptions of each incident's characteristics. While Fly Africa already maintains such a database, it requires further enrichment with additional attributes like corresponding risks, both qualitative and quantitative estimated impacts, detailed action plans, and the progress of these plans.

Subsequently, an extract from the IT incident database is provided, showcasing these incidents along with their attributes (Table 9 and Table 10).

The essential attributes to be defined for each incident in the IT incident database are as follows:

- Linking to Risk: This attribute establishes a connection between the incident and its associated risk. This linkage is vital for updating the probability of the risk, its impact, and the effectiveness of existing controls as the situation surrounding the incident evolves.

- Incident Causes: Identifying the root causes of the incident is crucial for developing an effective action plan. This involves understanding the underlying factors that led to the incident, thereby enabling targeted response strategies.

- Incident Impact: Assessing the impact of the incident is key to determining its criticality and overall significance. This evaluation helps in gauging the extent of the incident's effect on the organization's operations and objectives.

- Action Plan: Formulating an action plan is necessary not only to mitigate the impact of the current incident but also to reduce the likelihood of similar incidents occurring in the future. This plan should include specific steps and measures tailored to address the identified causes and impacts of the incident.

Communication Plan: The communication plan outlines a series of actions designed to highlight the significance of ITRM within the organization. It specifies the objectives of these actions, identifies the target audience, assigns responsibility for implementation to specific individuals, sets deadlines for completion, and tracks the rate of progress for each action.

The following is an example of a communication campaign (Table 11).

Risk Reporting Procedure: This procedure is a crucial component of ITRM, detailing the process and information to be reported and communicated regarding IT risks to relevant stakeholders. The risk reporting procedure developed for Fly Africa encompasses several key elements:

- Objective

- Scope

- Management rules

- Key stakeholders

- Flowchart

- Detailed process description

KRI Dashboard: An essential tool in ITRM, the KRI dashboard facilitates the monitoring of KRIss, enabling the ongoing updating of risk mapping to reflect changes in risk probability and impact. The dashboard, detailed in Table 12, includes:

- A listing of all KRIs defined in the IT risk mapping (output of phase 3).

- Specific calculation formulas for each KRI.

- Identification of the entity responsible for producing each KRI.

- A description of the process for obtaining, transmitting, and updating these indicators.

- The frequency with which these indicators are measured and reviewed.

IT Risk Analysis Report: A key element in communicating and providing information on IT risks to stakeholders is the IT risk analysis report. This report is meticulously crafted and filled with accurate data to effectively convey the state of IT risks within the organization.

The report aggregates various IT risk analyses that have been conducted. It is generated based on the IT risk mapping, which is an output of phase 3 of the RITM 23 process. To ensure that stakeholders are kept informed and can make timely decisions, the report is disseminated quarterly, or more frequently if requested, to business line managers and IT process owners.

Examples of some graphics can be seen in Figure 10, Figure 11, and Figure 12, which present various aspects of the IT risk landscape in an accessible and informative manner.

Figure 10 offers a detailed breakdown of risks by category, main categories containing a significant number of risks are: IT expertise and skills, information, software, personnel operations.

Figure 11 presents the risks categorized within the Farmer matrix. In this matrix, risks are divided into four distinct categories: 5 are identified as critical, 31 as major, 83 as moderate, and 8 as minor. The matrix provides a closer look at the critical and major risks, detailing the specific mitigation action plans that need to be implemented for these higher-priority risks.

Figure 12 displays the distribution of risks based on the effectiveness of existing controls. It reveals that the majority of risks are managed with satisfactory controls. However, there are 32 risks identified with ineffective controls, highlighting the need for actions to enhance control effectiveness.

Business Continuity Plan (BCP): The BCP is a critical document devised by the organization to ensure the sustained operation of essential activities. Its primary function is to outline the strategy and necessary actions to be taken in the event of an IT incident that disrupts regular operations. The goal is to initiate a downgraded mode of operation, maintaining a minimum level of service, and to efficiently manage the recovery process and return to normal operations. For Fly Africa, the IT BCP was collaboratively developed by IT process owners, business process owners, and the risk management function. Following its development, the plan was subsequently validated by the business line managers. The IT BCP for Fly Africa includes several key sections:

- Define the organizational context

- Define the scope

- Management involvement and commitment

- BCP policy and objectives

- Provision of resources and skills

- Control and document management

- Organizational impact analysis

- Crisis and continuity management strategy

- Risk treatment strategies

- Exercises and tests

Incident Analysis Report: The report encompasses a range of analyses of IT incidents that have occurred within the organization. Compiled from the IT incident database, which is a deliverable of phase 3, this report is routinely communicated to business line managers and IT process owners on a quarterly basis or upon request. An extract from the incident analysis report is provided in Table 13 and Table 14.

Notably, the initial analysis in this report classifies incidents based on the estimated impact of the damage, as detailed in Table 13.

The second analysis in the IT Incident Analysis Report delves into the causes that triggered each incident, as well as the action plans implemented to mitigate their impacts. This detailed analysis is presented in Table 14.

This stage encompasses a series of actions undertaken for risk monitoring and surveillance. A risk monitoring report, compiled based on the outputs of the previous phases, is regularly communicated to business line managers and IT process owners, either quarterly or as requested. An extract from this report, including various graphs and tables, is represented in Table 15, Table 16, Table 17, Table 18, and Table 19.

Table 15 in the risk monitoring report enumerates the control activities associated with each identified risk and tracks the progression of the corresponding mitigation plans. For critical and major risks, designated risk relays within the respective areas are tasked with initiating second-level controls to ascertain the effectiveness of the existing control activities.

The KRI dashboard is designed to facilitate the monitoring of risk indicators in accordance with the specified frequency for each KRI. This tool enables the implementation of necessary corrective actions whenever deviations from the established targets are observed.

Within the scope of tracking and monitoring activities, the ongoing monitoring of recorded incidents plays a crucial role. This process allows for the assessment of the progress of the incident response plan, ensuring that the incident is effectively managed and under control. Additionally, incident tracking includes the task of updating the quantified impact of each incident, maintaining an accurate and current understanding of its ramifications.

Monitoring and controlling risk also involves tracking the progress of objectives that are linked to identified risks. This is a key aspect of our risk management activities.

The implementation of the RITM 23 approach at Fly Africa has culminated in the establishment of a comprehensive system for ITRM. This system encompasses both the management and governance processes of IT risks, transcending the conventional phases of identification, assessment, and treatment typically observed in existing research. Notably, RITM 23, an amalgamation of COSO ERM, ISO 31000, and COBIT 5 standards, facilitated a streamlined deployment, dovetailing with Fly Africa's existing COSO ERM-based methodological approach. The alignment of RITM 23 with these three standards has been instrumental in creating an environment tailored for ITRM, yielding pertinent and direct analyses.

Advantages of utilizing RITM 23 in comparison to existing frameworks are observed in various phases:

Project Framing: The extant framework permits only a 5-level rating scale. In contrast, RITM 23 introduces a flexible approach with three types of scales (4-level, 5-level, or 6-level) within its methodological framework, adaptable to organizational needs.

Data Collection and Synthesis: Absent in the existing framework, this phase in RITM 23 involves a thorough analysis of the organization's internal and external environment, identifying potential IT risks.

Development of ITRM System: In the existing framework, IT risk identification primarily relies on brainstorming by IT process owners. However, RITM 23 adopts a more comprehensive and structured approach for this purpose. This approach leverages generic COBIT 5 scenarios and incorporates an in-depth analysis of organizational specifics, external and internal factors, IT incidents, and competitor IT risk assessments. Unlike the existing framework, which utilizes generic risk categories, RITM 23 employs categories more tailored to IT concerns, such as Infrastructure/Software, Information (encompassing data breach, data leakage, and access issues), and Malware. Furthermore, RITM 23 enhances the risk profile by identifying critical business processes and correlating them with relevant IT applications, processes, and infrastructures. This alignment facilitates the development of action plans aimed at ensuring the continuous availability of these critical processes.

Change Management, Communication, and Awareness Raising: While an enterprise communication plan already exists, RITM 23 introduces a risk culture awareness tool specifically tailored to IT risks. This tool complements the existing framework, offering more frequent and detailed insights. In contrast to the annual production of the existing risk analysis report, the IT risk analysis report under RITM 23 is communicated quarterly. It features comprehensive analyses, including the categorization of IT risks, an evaluation of their net criticality, a focus on the top 10 IT risks, and an assessment of the ITRM process's effectiveness. The report also highlights IT risks with inadequate control effectiveness, particularly those with major or critical net criticality, and summarizes the findings of objective assessments, internal audits, and quality assurance reports, with special attention to IT risks escalating to major or critical status. Furthermore, unlike the annual update of IT risk mapping in the existing framework, RITM 23 mandates updates to the IT risk mapping with every new report or incident, ensuring a more dynamic and responsive ITRM process.

Monitoring and Surveillance: RITM 23 introduces the development of a BCP based on IT incidents, a feature absent in the existing framework. Unlike the current approach, which primarily maintains an IT incident database, RITM 23 utilizes an IT incident analysis report. This report categorizes IT incidents, aiding in the prioritization of necessary action plans. Additionally, RITM 23 fosters a more integrated approach to ITRM. Each component is interconnected, meaning changes in one area automatically trigger updates in related components. For instance, recording a new IT incident in the database directly leads to modifications in the IT risk mapping, ensuring a cohesive and responsive risk management system.

This article has delineated the successful implementation of Information Technology Risk Management (ITRM) at Fly Africa, utilizing the RITM 23 approach. This approach, integrating standards such as COSO ERM, ISO 31000, and COBIT 5, provided a holistic and streamlined method tailored for ITRM. The deployment process encompassed not only the ITRM processes but also extended to IT risk governance procedures.

The initial phase involved the project's conceptual framing, followed by the meticulous collection and structuring of internal and external IT risk-related data. Subsequently, the development of the ITRM framework was undertaken. Concurrently, from the data collection phase through to the project's conclusion, efforts were concentrated on communication and awareness-raising activities in relation to ITRM. Finally, tools were prepared and continually updated for the effective monitoring of IT risk evolution.

A significant outcome of this implementation was the creation of a comprehensive IT risk mapping. This mapping proved more advantageous than the previous version, which was primarily derived from IT process owners' brainstorming without reference to an established IT risk database. The new IT risk analysis report, offering detailed and pertinent analyses, surpasses the existing framework in terms of frequency and content, enabling better ITRM. This report is designed for dynamic updating in response to changes impacting IT risks, as opposed to the annual updates of the previous report. Another noteworthy advancement is the integration of all ITRM data within the RITM 23 system, ensuring that any modification in one component automatically updates corresponding elements, thus providing a constantly current view of IT risk trends.

RITM 23 demonstrates its potential as a standalone framework suitable not only for aviation but also for other industries. Looking ahead, this methodological approach could be applied across various sectors to validate its efficacy further. Additionally, the implementation at Fly Africa highlighted the necessity for business process owners' expertise in executing the stages of the RITM 23 approach. Future iterations could explore the integration of Artificial Intelligence to further automate the approach and reduce reliance on IT experts. This potential advancement could significantly enhance the efficiency and effectiveness of ITRM implementation in diverse organizational contexts.