1 Introduction

Nowadays, risk management is a key topic for most organizations. Qualitative and quantitative approaches to risk management can be deployed. Capability & Maturity Models (C&MM) contribute to the community of practice by providing instruments for measuring process capability through process assessment and for enabling improvement. Many models tackle risk management and propose various mechanisms for process improvement. Organizations wishing to improve risk management face the problem of selecting the approach best aligned with their business challenges and market positioning. In the area of C&MM, the International Organization for Standardization (ISO) published, many years ago, the international standard series on process assessment (ISO/IEC 15504 [1]), now revised and published as the ISO/IEC 330xx series [2]. The main normative documents of the series provide requirements for a structured and systematic approach to process assessment and to the description of process reference and process assessment models, together with guidance on process assessment and improvement. This consensus was the basis for various initiatives proposing Process Reference Models (PRM) and Process Assessment Models (PAM), at ISO level [3,4,5] on the one hand and at market level [6,7,8] on the other. Among these ISO/IEC 15504-330xx process models, none is dedicated to risk management. Moreover, in many IT organizations, management systems are needed and/or required by the market through certifications such as ISO/IEC 27001 [9] for information security management, ISO/IEC 20000-1 [10] for IT service management and ISO 9001 [11] for quality management. Project management remains a key concern in IT settings; even though it does not lead to an ISO certification, the project management standard ISO 21500 [12] relies on a management system for mastering projects, including managing project risks.
According to company feedback and the authors' experience, these topics are the most commonly addressed by IT organizations, whatever their size and domain; we have therefore selected them as the scope of our research.

In this context, previous work [13] investigated how to integrate risk management in IT settings within a management system context. By IT settings, we mean any IT department or IT organization needing to integrate risk management activities. We assumed that an integrated risk management approach for IT settings will benefit organizations if it is based on ISO standards, which represent an international consensus; these standards are the ground material of our research. With this background, our current research investigates the following research question: how can risk management processes be improved in IT settings, in a multiple-ISO-standard context targeting quality management, project management, IT service management and information security management, from a management system perspective? To this end, further previous work [14] has already cleared the field by identifying the processes of a new Integrated Risk Management process model for IT Settings (IRMIS), based on the ISO 31000 standard for risk management [15], which is the international reference in the domain. With ISO 31000 as our guideline, integration is considered with respect to ISO 9001, ISO 21500, ISO/IEC 20000-1 and ISO/IEC 27001.

In line with our research question, we aim at supporting the improvement of risk management processes in IT settings in a structured, integrated, interoperable, assessable, effective and efficient way, via a PRM and a PAM as artefacts enabling process assessment and improvement. These two artefacts extend the ISO 31000 standard, which is already process-oriented but neither structured nor organized for rigorous process assessment. This paper therefore presents the first results achieved in developing a PRM and a PAM for IRMIS by implementing a Transformation process [16] that supports the design of process models according to ISO/IEC 15504/330xx. In order to develop these innovative artefacts, a Design Science Research Method [17] is followed.

After this introduction, Sect. 2 presents related work and the ISO standards used as inputs, and Sect. 3 the Design Science Research Method. Section 4 details the Transformation process applied to ISO 31000 together with the other ISO standards targeted in the IT settings scope of our research. Finally, Sect. 5 concludes the paper and presents research perspectives.

2 Related Work and ISO Standards Inputs

Many works have targeted risk management in various domains, and Capability & Maturity Models (C&MM) are among them. A recent paper presenting the LEGO approach to building a meta-model of risk management from various sources includes a survey that compares the respective approaches of existing risk management C&MM [18]. They were not all similar in structure or in levels. To avoid this heterogeneity, to ensure integration and consistency, and to align with market demands and the pressure of certifications, we made the deliberate choice to focus on PRMs and PAMs that fulfil the ISO/IEC 15504/330xx requirements on process assessment and encompass management system principles. The economic benefits of standards no longer need to be demonstrated in industry [19], in particular for ISO certifications such as the most popular one, ISO 9001 [20].

We have studied the existing, publicly available PRMs and PAMs related to risk management in a C&MM context and based on ISO/IEC 15504/330xx. Table 1 lists them.

Table 1. List of Risk management processes in existing Process models fulfilling ISO/IEC 15504-330xx requirements for PRM & PAM

Judging by these processes, the risk management process as tackled by ISO 31000 is very general. There is little difference among them: risk identification is performed, then analysis and evaluation (the risk assessment perspective), and then risk treatment. None of these PAMs provides much detail for each process.

In addition to Table 1, closely related work has been performed in the medical IT networks domain, with a PRM and PAM for improving risk management that allow Healthcare Delivery Organisations to assess the capability of their risk management processes against the requirements of IEC 80001-1 (application of risk management for IT networks incorporating medical devices) [21]. That model contains 14 processes covering different aspects of life cycle risk management, 4 of which are dedicated to risk management itself: Medical IT Network Risk Management, Risk Analysis & Evaluation, Risk Control, and Residual Risk. This approach targets the medical sector, with the particular objective of contributing to IEC 80001-1, but shares with our work the overall goal of improving risk management processes. We nevertheless address management systems from the perspective of several selected ISO standards, with an IT settings mind-set, as described in the next paragraph.

In previous works, the authors explored risk management in IT settings from the angle of relevant ISO standards selected on the basis of market demand and the authors' expertise (targeting quality management, project management, IT service management and information security management), with ISO 31000 as the main theme. Table 2 provides the full list, with the identification number and title of each considered standard, plus one additional standard that brings valuable insight into information security risk management: ISO/IEC 27005 [22].

Table 2. List of relevant ISO standards supporting IRMIS PRM and PAM

In previous works, the authors showed that management system standard mechanisms are present in all the standards quoted in Table 2. These mechanisms help integrate processes and propose, in a single model, common core processes as well as risk-management-dedicated processes addressing several types of risk (project, process, information security, IT service).

3 Research Method

This research is based on Design Science principles. According to Denning, design science is a “problem-solving paradigm and seeks to create innovations that define the ideas, practices, technical capabilities and products through which the analysis, design, implementation, management and use of Information Systems can be effectively and efficiently accomplished” [23]. Design Science aims to “create things that serve human purposes, and then to create new and innovative artifacts” [24] such as constructs, models, methods and instantiations. Each designed artefact aims at improving its environment, and the way to measure this improvement is investigated. By applying design science principles, we aim to guarantee the value chain linking research and technological activities.

Peffers et al. propose a model describing the Design Science Research Method (DSRM) as a set of six activities in a nominal sequence [17]. Table 3 details these activities for the creation of the PRM and PAM artefacts.

Table 3. Design activities of the IRMIS PRM & PAM

Having described the six activities of the DSRM applied in our research, the next section focuses on the design and development of the artefacts.

4 Design and Development of a PRM and a PAM for an Integrated Risk Management Process Model Dedicated to IT Settings: A First Proposition

The PRM and PAM were developed by following the Transformation process mentioned in Sect. 3. The first three steps have already been presented in [14] and are recalled here in order to give a full view of the approach. Figure 1 provides an overview of the Transformation process and the positioning of its steps.

Fig. 1. Transformation process activities

In order to illustrate the Transformation process, this section applies its steps to one exemplar process of ISO 31000: the Risk identification process, which belongs to the overall risk management process as stated in ISO 31000. The ISO 31000 standard is the main thread of the Transformation process; the other standards are considered in a second stage, once the structure of each identified process has been determined. Our assumption is that the PAM will be contextualised to each targeted domain in an IT setting, for instance project management or information security management: the nature of the managed risks varies, but the mechanisms of the practices for managing risks in a management system environment do not.

Step 1: Identify elementary statements in a collection of statements

The first step consists in extracting all of the statements as a collection of elementary statements. For each clause, ISO 31000 provides a set of statements formulated mainly with “should”, sometimes with “may” or “can”, and sometimes as plain information without any particular semantic form. Statements with a verb in the passive voice (revealing statements) were easily identified and split into elementary statements. Other sentences with a verb in the present tense, clearly indicating an action to perform or a condition to be satisfied, were also considered elementary statements. When a sentence was composed of two parts joined by the coordinating conjunction “and”, it was divided into two elementary statements. When a sentence contained an enumeration, each element of the list was identified as an elementary statement. For the particular case of the Risk identification process, ten elementary statements were identified (Table 4).

Table 4. Elementary statements of the ISO 31000 for the Risk identification clause

Step 2: Organize, and structure the statements

During the second step, the elementary statements were organized and gathered around the objects they are about, in order to build a “statement tree” using mind-mapping techniques. The elementary “should” statements were structured as a mind map forming the statement trees. A statement tree offers a graphical view of the connections between the components of each elementary statement, and thus of the elementary items that share the same object (or component). The set of statements was distributed over several statement trees, guided by the clauses the statements belong to: the trees consider the clause and sub-clause titles as well as the subject of each elementary item. This structuring was inspired by previous works in which some groupings were similar. Risk identification was an “object” taken from the sub-clause of that name (Fig. 2).

Fig. 2. Statement tree obtained for the Risk identification “object”

Step 3: Identify common purposes upon those statements and organize them towards domain goals

From the statement trees, common purposes were identified and the elementary statements were organized accordingly, taking the original meaning of the ISO 31000 statements into account. A goal tree was then built for each common purpose, in which the inter-related activities were grouped. At this stage we were able to identify processes, at least as a first proposal of a process list that may be refined over the iterations possible throughout the Transformation process. Common processes were identified from the management system mechanisms. For risk assessment, the domain goals that appeared were Risk identification, Risk analysis and Risk evaluation, followed by Risk treatment; the sub-clauses of ISO 31000 guided these risk-management-dedicated processes.

At this stage of our research, we identified four processes for the Risk management process group. From a process assessment practitioner's point of view, this may be reviewed at the validation phase, with aggregation into two or even a single process for usability, efficiency and assessability reasons (Fig. 3).

Fig. 3. IRMIS PRM proposed list of processes

Step 4: Identify and factorize outcomes from the common purposes and attach them to the related goals

An outcome is an observable result of (1) the production of an artefact, (2) a significant change of state, or (3) the meeting of specified constraints. The outcomes of each process had to be factorized or merged, according to convenience and expert judgement, so as to define 3 to 7 outcomes per process and thus follow the recommendations of ISO/IEC TR 24774 [25].

In some cases, the common purposes identified during step 3 were taken directly as process outcomes and attached to the related domain goals. In other cases, where a finer granularity was wanted, the common purpose supported the definition of a process purpose, and grouping the elementary statements then enabled the identification of outcomes.

The goal tree for the Risk identification process (Fig. 4) shows the resulting process outcomes before the final proposal of 3 outcomes (Table 5).

Fig. 4. Goal tree obtained for Risk identification

Table 5. The Risk identification process description in the IRMIS PRM

Step 5: Group activities together under a practice and attach it to the related outcomes

The original input of the Transformation process (the statements of ISO 31000) contains information describing the activities that should be conducted to implement the processes. Depending on their number and level of detail, these activities were grouped into practices. Each practice represents a functional activity of the process and, when implemented, contributes to the achievement of at least one outcome of the process. During this step, we linked these activities or practices to the related outcomes and kept traceability between each practice and the initial set of elementary statements, since several elementary statements may be related to (or hidden behind) a single practice of a process. The goal trees preserve this traceability for later activities, in particular when questionnaires are developed to support process assessment.

Step 6: Allocate each practice to a specific capability level

During this step, for each process, we reviewed the practices and their linked outcomes to make sure that they contribute to the process performance attribute (capability level 1) of their associated process.

We ensured that our process descriptions are such that no aspects of the measurement framework beyond level 1 are contained or implied and thus, that the created process reference and process assessment models comply with ISO/IEC 33004.

Step 7: Phrase outcomes and process purpose

In order to create a process reference model that follows the guidelines of ISO/IEC TR 24774, each outcome has to be phrased as a declarative sentence with verbs in the present tense. The purpose is then phrased, or refined if it was already phrased when the process was identified, to state a high-level objective for performing the process and to provide measurable and tangible benefits to the stakeholders through the expected outcomes (a process assessment concern). We also check that the set of outcomes is necessary and sufficient to achieve the purpose of the process. For the Risk identification process, the resulting process description is the one given in Table 5.

The resulting IRMIS PRM is suitable for use in process assessment performed in accordance with the requirements for a PRM described in Clause 6.2 of ISO/IEC 33004:

(a) The declaration of the domain is: Integrated Risk Management for IT settings.

(b) The description of the processes is provided in the IRMIS PRM.

(c) The IRMIS PRM describes at an abstract level the processes implied by ISO 31000. The purpose of the IRMIS PRM is to facilitate the development of a process assessment model for integrated risk management.

(d) The relationships between the processes defined within the IRMIS PRM are described by a figure collecting all the processes by process group.

The process descriptions are unique: each process of the IRMIS PRM is identified by a unique name and a unique identifier. Each process is described in terms of its purpose and outcomes. For all processes, the set of process outcomes is necessary and sufficient to achieve the purpose of the process. No aspects of the ISO/IEC 33020 Measurement Framework beyond level 1 are contained in the process descriptions.

Once the PRM was determined, the critical aspects of integration with the other selected ISO standards were tackled. The relevant standards here are ISO 21500 and ISO/IEC 27001, supported by ISO/IEC 27005: ISO 21500 has a dedicated Risk identification process, and while ISO/IEC 27001 does not provide much detail, ISO/IEC 27005 does. We therefore used these standards to build a PAM providing multiple application views.

Step 8: Phrase the Base Practices attached to Outcomes

Once the purpose and outcomes of a process are phrased, the process reference model is considered stable enough to phrase the base practices. Base practices are phrased as actions, starting with a verb in the infinitive, according to ISO/IEC TR 24774. During steps 8 and 9, we pay particular attention to choosing wording that is commonly used for risk management in organizations, in order to ensure good adoption of the models. The risk management context targets project management for ISO 21500 and information security for ISO/IEC 27001.

Step 9: Determine Work Products among the inputs and outputs of the practices

A work product is an artefact associated with the execution of a process. Work products can be identified progressively during steps 1 to 5. The main output work product of Risk identification is clearly a “comprehensive list of risks”, referred to as the “Risk register” in ISO 21500.

Table 6 presents a proposal of the PAM with multiple views, illustrated for ISO 21500 and ISO/IEC 27001.

Table 6. The Risk identification process description in the IRMIS PAM

The idea of providing views is to extend ISO 31000 to the context of the other selected ISO standards while keeping the ISO 31000 structure as the main line. The management system mechanisms help the integration, but the domain specifics need to remain visible as such, so that the assessor can collect data in the appropriate context.
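The Transformation steps above are largely manual, but two parts of them are mechanical and worth tooling: the step 1 splitting rules (one elementary statement per “and”-joined clause and per enumeration item) and the consistency checks that steps 4 to 7 rely on (3 to 7 outcomes per process, every outcome supported by at least one base practice, every practice traceable to elementary statements, no wording that imports capability levels above level 1). The following Python script is an added example written for this page, not tooling from the paper or from any ISO document; the clause, outcome and practice texts in it are constructed placeholders, and the heuristic word list for “above level 1” wording is an assumption of the example.

```python
"""Added example: mechanical support for steps 1 and 4-7 of the Transformation process.
All statement, outcome and practice texts are constructed placeholders, not ISO 31000 wording."""
from __future__ import annotations

import re
from dataclasses import dataclass, field


def split_elementary(clause: str, min_words: int = 3) -> list[str]:
    """Step 1 heuristic: break one clause into elementary statements.

    Enumeration items separated by ';' each become a statement.  A sentence
    joined by 'and' is split only when both halves are long enough to stand
    alone, so noun pairs such as 'roles and responsibilities' stay intact.
    """
    parts: list[str] = []
    for item in re.split(r"\s*;\s*", clause.strip().rstrip(".")):
        halves = re.split(r",?\s+and\s+", item, maxsplit=1)
        if len(halves) == 2 and all(len(h.split()) >= min_words for h in halves):
            parts.extend(h.strip() for h in halves)
        elif item.strip():
            parts.append(item.strip())
    return parts


@dataclass(frozen=True)
class BasePractice:
    id: str
    text: str                    # starts with an infinitive verb (ISO/IEC TR 24774)
    outcomes: tuple[str, ...]    # ids of the outcomes this practice contributes to
    statements: tuple[str, ...]  # ids of the elementary statements it traces back to


@dataclass
class Process:
    id: str
    name: str
    purpose: str
    statements: dict[str, str]  # elementary statement id -> text (step 1)
    outcomes: dict[str, str]    # outcome id -> declarative present-tense sentence (step 7)
    practices: list[BasePractice] = field(default_factory=list)


# Heuristic (assumption of this example): wording that would import ISO/IEC 33020
# process attributes above level 1 into a level 1 process description.
ABOVE_LEVEL_1 = ("standard process", "defined process", "quantitative", "statistical", "innovat")


def check_process(p: Process) -> list[str]:
    """Return sorted findings; an empty list means the description is consistent."""
    findings: list[str] = []
    n = len(p.outcomes)
    if not 3 <= n <= 7:
        findings.append(f"{p.id}: {n} outcome(s); ISO/IEC TR 24774 recommends 3 to 7")
    supported = {o for bp in p.practices for o in bp.outcomes}
    for oid in p.outcomes:
        if oid not in supported:
            findings.append(f"{p.id}: outcome {oid} is not supported by any base practice")
    traced: set[str] = set()
    for bp in p.practices:
        for oid in set(bp.outcomes) - set(p.outcomes):
            findings.append(f"{bp.id}: refers to unknown outcome {oid}")
        if not bp.statements:
            findings.append(f"{bp.id}: no traceability to elementary statements")
        for sid in set(bp.statements) - set(p.statements):
            findings.append(f"{bp.id}: refers to unknown elementary statement {sid}")
        traced.update(bp.statements)
    for sid in set(p.statements) - traced:
        findings.append(f"{p.id}: elementary statement {sid} is covered by no practice")
    for label, text in list(p.outcomes.items()) + [(bp.id, bp.text) for bp in p.practices]:
        for word in ABOVE_LEVEL_1:
            if word in text.lower():
                findings.append(f"{label}: '{word}' implies a capability level above 1")
    return sorted(findings)


def build_risk_identification() -> Process:
    """Constructed illustration of a Risk identification process (placeholder texts).
    The only element taken from the paper is the work product 'comprehensive list of
    risks' / 'risk register'."""
    clause = ("The organization should identify sources of risk and record each identified "
              "risk in the risk register; the list of risks should be reviewed whenever the "
              "context changes")
    statements = {f"S{i}": s for i, s in enumerate(split_elementary(clause), 1)}
    return Process(
        id="RM.1", name="Risk identification",
        purpose="Produce a comprehensive list of the risks that may affect the objectives.",
        statements=statements,
        outcomes={
            "O1": "Sources of risk, events and their causes are identified.",
            "O2": "Identified risks are recorded in a comprehensive list of risks (risk register).",
            "O3": "The list of risks is kept up to date as the context changes.",
        },
        practices=[
            BasePractice("BP1", "Identify sources of risk, events and their causes", ("O1",), ("S1",)),
            BasePractice("BP2", "Record each identified risk in the risk register", ("O2",), ("S2",)),
            BasePractice("BP3", "Review the list of risks when the context changes", ("O3",), ("S3",)),
        ],
    )


if __name__ == "__main__":
    process = build_risk_identification()
    for sid, text in process.statements.items():
        print(sid, text)
    print(check_process(process) or "no findings")
```

Running the script prints the three elementary statements extracted from the constructed clause and reports no findings for the constructed process; removing a practice or adding a fourth statement without a practice pointing at it immediately produces a traceability finding, which is the kind of check an assessor wants before questionnaires are derived from the goal trees.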

5 Conclusion

This paper has presented the work performed to develop an ISO/IEC 33004 compliant PRM and PAM for Integrated Risk Management in IT Settings (IRMIS) by applying a Transformation process. The resulting IRMIS PRM and PAM cover the risk management guidance of the ISO 31000 International Standard: the high-level objectives in the PRM, and detailed, context-based indicators in the PAM for process assessment purposes. The next stage of our research will consist in following the remaining steps of the DSRM in order to evaluate the results and communicate them. This will allow companies to assess the capability of their risk management processes from a multi-ISO-standard perspective and then to use the results as a basis for process improvement. To this end, the IRMIS PRM and PAM will be validated through risk management expert opinion by collecting feedback. Other R&D experts working on process models for other domains will also be consulted. Demonstration and evaluation will be carried out in industry: risk management officers in IT settings (including information systems security officers, IT project managers and IT service managers) will be consulted about the suitability of the structure and contents of the IRMIS PRM and PAM, and asked to use the models in order to evaluate their effectiveness. Statement and goal trees could be used as a tool supporting validation of the models. All changes requested and comments obtained from the validation process will be incorporated into the final version of the IRMIS framework.