Managing Information Technology Risks to Achieve Business Goals: A Case of Pharmaceutical Company

Abstract

Extant literature has shown that sectoral characteristics play a critical role in business value creation through information technology (IT). Therefore, managing IT and its associated risks needs to consider specific industrial traits to understand the distinct business nature and regulations that shape IT-enabled business value creation. This study presents an in-depth analysis of business goals, IT processes, and IT risks in the case of a pharmaceutical company through which appropriate controls are designed to ensure business value creation through IT. Drawing on a case study of a pharmaceutical company in Indonesia, we found that managing IT risks in the pharmaceutical industry entails two main objectives: 1) ensuring compliance with external laws and regulations as well as internal policies, 2) supporting the optimization of business functions, processes, and costs. Throughout one year of engagement during the project, this study identified ten risks associated with the operation of business processes. Risks are dominated by moderate levels given the current state of controls and appetite, most of which emerge from the company’s existing internal processes. Internal actors are involved in all risks, with most events occurring due to laws and regulations. Further, the study designs and elaborates IT risk controls by drawing from COBIT 5 Seven Enablers. Overall, IT risk management through cascading processes of analysis ensures the alignment of IT risk controls with achieving business goals in the pharmaceutical industry.