Development of the ISR3M model for IS risk management evaluation using the Focus Area structure according to the MMDPIS generic process

Abstract: Risk management (RM) is one of the main IS governance pillars. However, to remain a center of profit and cost optimization for the company, this activity must be evaluated, monitored and improved continuously. Hence the interest to develop an IS risk management maturity model. This paper aims to address this need by providing the ISR3M (Information System Risk Management Maturity Model) model. After a summary of literature review, it presents the design approach, then describes the model and evaluates it.

“…Managing the risks of an information system involves managing the risks of its nine axes in relation to their evaluation elements. According to Elmaallam and Kriouile (2015), the evaluation elements of each axis are identified through (1) the missions and requirements of the work system framework as defined in the literature (Alter and Sherer, 2004), ( 2) the application of the theory Resource Based-View (RBV) (Wade and Hulland, 2004) on IS defined as WS considering both dynamic resources such as skills, as static as the technical infrastructure, (3) the IS risk factors (Alter and Sherer, 2004) and ( 4) interviews with IS experts. Table 1 lists the evaluation elements for each component.…”

“…Indeed: (1) Communication is considered as an activity inherent to every phase of the process (Sienou, 2009), (2) the cycle of management preserves its iterative character, but no longer requires synchronization of all stages with a monitoring phase (Sienou, 2009) and (3) Treatment may be the cause of a new iteration process (Sienou, 2009). The development of ISR3M model should provide answers to the problem of assessing IS risk management from two perspectives (Elmaallam and Kriouile, 2015). The first perspective is academic.…”

“…The proposed model should be easy to implement and comply with the best practices of risk management. This model is developed using MMDPIS process (Elmaallam and Kriouile, 2014) and aims to satisfy seven principal requirements: (1) Genericity, (2) Independence of application context, (3) adaptability, (4) transparency, (5): plan improvement, (6) Theoretical basis and (7) Need adequacy (IS RM topic) (Elmaallam and Kriouile, 2015). It's structured along two dimensions.…”

An Algorithm To Determine The Maturity Improvement Plan For Information System Risk Management. Application On A Case Study

“…Managing the risks of an information system involves managing the risks of its nine axes in relation to their evaluation elements. According to Elmaallam and Kriouile (2015), the evaluation elements of each axis are identified through (1) the missions and requirements of the work system framework as defined in the literature (Alter and Sherer, 2004), ( 2) the application of the theory Resource Based-View (RBV) (Wade and Hulland, 2004) on IS defined as WS considering both dynamic resources such as skills, as static as the technical infrastructure, (3) the IS risk factors (Alter and Sherer, 2004) and ( 4) interviews with IS experts. Table 1 lists the evaluation elements for each component.…”

“…Indeed: (1) Communication is considered as an activity inherent to every phase of the process (Sienou, 2009), (2) the cycle of management preserves its iterative character, but no longer requires synchronization of all stages with a monitoring phase (Sienou, 2009) and (3) Treatment may be the cause of a new iteration process (Sienou, 2009). The development of ISR3M model should provide answers to the problem of assessing IS risk management from two perspectives (Elmaallam and Kriouile, 2015). The first perspective is academic.…”

“…The proposed model should be easy to implement and comply with the best practices of risk management. This model is developed using MMDPIS process (Elmaallam and Kriouile, 2014) and aims to satisfy seven principal requirements: (1) Genericity, (2) Independence of application context, (3) adaptability, (4) transparency, (5): plan improvement, (6) Theoretical basis and (7) Need adequacy (IS RM topic) (Elmaallam and Kriouile, 2015). It's structured along two dimensions.…”

An Algorithm To Determine The Maturity Improvement Plan For Information System Risk Management. Application On A Case Study