Design of Risk Management in SPBE Infrastructure Based on PAN-RB Ministerial Regulation Number 5 of 2020 (Case Study: XYZ Institution)

ABSTRACT


INTRODUCTION
The Internet, which began to enter Indonesia in the early 1990s, has made major changes in various areas of life in society [1] [2] [3]. The rapid development of the Internet has begun to change the paradigm of society in communicating and exchanging information towards the digital era. Now, the advent of the Industrial Revolution 4.0 has not only accelerated the digitalization of industry and manufacturing, but also had a broader impact on various sectors, including government. "Revolution" is a term to describe major and radical change where economic systems and societal structures undergo significant changes because of new inventions and emerging technologies [4]. The phrase "Industry 4.0" was initially used during the Hannover Fair in April 2011 [5]. The German government uses this phrase to refer to the use of technology to move the industrial field (smart factories) to the next level [6]. Schwab (2016), however, pointed out that the fourth industrial revolution is not only about "smart factories", but has a far broader reach [4]. Technological megatrends will reshape the industrial and social sectors, as well as governments and agencies, education, transportation, logistics, and other fields [4].
As a government administrator, the Government of the Republic of Indonesia must be able to adapt and follow the flow of change by utilizing advances in communication and information technology to organize good governance. To answer these challenges, the Government of the Republic of Indonesia began to pioneer digital transformation by issuing Presidential Instruction Number 3 of 2003 concerning National Policy and Strategy for the development of e-government [7]. Through the implementation of e-government, the Government wants to take advantage of advances in communication and information technology to eliminate bureaucratic barriers and form a network of work systems and processes that enable government agencies to work in an integrated manner to simplify access to all information and public services [7]. Presidential Instruction Number 3 of 2003 mandates Ministers, Heads of Institutions, and Heads of Regions to carry out e-government development in accordance with their duties, functions, authorities, and resource capacities [8].
However, the results of a study on the implementation of e-government or Electronic-Based Government Systems (SPBE) conducted in 2018 showed that the development of SPBE in Central Agencies and Local Governments is still at a relatively low level of maturity [8]. The problem arises due to several factors, such as the absence of a SPBE governance system, the application of SPBE in government administration and public services that is not yet optimal, the uneven coverage of ICT infrastructure, and the lack of civil servants with ICT skills [8]. Therefore in 2018, the Government of the Republic of [8]. SPBE was created to realize clean, effective, transparent and accountable governance as well as quality and reliable public services [8]. Implementation of Electronic-Based Government Systems in Central Agencies and Regional Governments is not without obstacles [9] [10]. The complexity of the bureaucracy and government structure as well as the rapid development of digital technology in the current Industrial Revolution 4.0 era can create a number of risks that will hinder the optimal and comprehensive implementation of SPBE in the government sector. Meiyanti et al. (2018) categorized the obstacles to implementing SPBE into six categories: IT infrastructure, managerial issues, digital culture, budgeting, laws & regulations, and human resources [11]. Arief and Abbas (2021) found three other obstacles in their literature review, namely political, geographical, and cultural aspects [9]. These various obstacles and risks that arise must be managed properly so that they do not become threats that can endanger the Central Agency and Regional Government as SPBE organizers [10] [12].
In order to address these issues, the Ministry of State Apparatus Empowerment and Bureaucratic Reform (PAN-RB) issued Ministerial Regulation Number 5 of 2020 about SPBE Risk Management Guidelines, which adopts standards and provisions from ISO 31000:2018 [13] and COBIT 5 for Risk [14] that are then adapted to the prevailing governance arrangements in Indonesia [12]. COBIT (Control Objectives for Information and Related Technologies) is a standard and framework for IT governance developed by ISACA and ITGI, a nonprofit that specializes in IT governance [15]. It also serves as a set of widely recognized measurements for IT management procedures [15]. This guideline was created to serve as a guide for Central Agencies and Regional Governments in preparing SPBE risk management in their environment [12]. PAN-RB Ministerial Regulation No. 5 of 2020 regulates the SPBE Risk Management Framework, which contains basic components to assist the integration of SPBE Risk Management in the organization; the SPBE Risk Management Process, which contains the stages of preparing SPBE Risk Management; the SPBE Risk Management Structure, which contains the parties authorized and responsible for SPBE Risk Management; and the implementation of a Risk Awareness Culture in the organization [12].
XYZ Institute, as one of the government organizations of the Republic of Indonesia, has the duty and function to carry out digital transformation through the implementation of SPBE in accordance with Presidential Regulation No. 95 of 2018 on Electronic-Based Government Systems. To support the implementation of SPBE in these institutions, it is necessary to design a SPBE Governance and Management system that adopts the characteristics of the institution. XY Work Unit, one of the work units in XYZ Institute, is responsible for carrying out tasks and functions in the IT field within the organization. However, based on the results of the Focus Group Discussion (FGD), the XY Work Unit does not yet have SPBE Risk Management guidelines, so the work unit has difficulty identifying, preventing, and managing the risks that occur. In addition, with the SPBE Risk Management guidelines, work units can map the current conditions, identify sources of risk as well as the weaknesses and strengths they have, close security gaps, and carry out handling according to the priority of risks that may and will occur. Based on the results of the FGD with the XY Work Unit, the SPBE Risk Assessment will be carried out on 3 (three) elements, namely SPBE Infrastructure, SPBE Applications, and SPBE Security. However, of these three elements, this research only focuses on designing Risk Management for the SPBE Infrastructure in the XY Work Unit based on PAN-RB Ministerial Regulation Number 5 of 2020.

P.ISSN: 2086-4981 E.ISSN: 2620-6390 tip.ppj.unp.ac.id

RESEARCH METHOD
This study uses a qualitative method approach that focuses on quality and in-depth observations so as to produce a more comprehensive study [3] [16]. Through qualitative research, in-depth information can be explored and open to various responses [17]. In practice, this research was divided into several stages as depicted in Figure 1.

Problem Identification
Problem identification is carried out to define problems that will become the focus of research obtained from the results of analysis of the needs of work units related to the SPBE Infrastructure based on existing documents, applicable regulations, Focus Group Discussions (FGD), as well as the duties and functions of the XY Work Unit.

Literature Study
At this stage a literature study is carried out to determine the steps by which the problem will be solved, by studying references from various sources such as books, journals, international standards, regulations, and work unit documents to produce a theoretical framework that will become a guide in conducting research.

Data Collection
At this stage data collection was carried out through interviews, Focus Group Discussion (FGD), direct observation, discussion, and review of existing documents.

SPBE Risk Context
The results of the Focus Group Discussion are used to identify the fundamental parameters and scope of SPBE risk, which will later serve as a reference when compiling a risk assessment, to determine the SPBE risk context [12].

SPBE Risk Assessment
SPBE risk assessment stages are divided into three, namely SPBE risk identification, SPBE risk analysis, and SPBE risk evaluation [12] [18]. The SPBE risk identification process is carried out to obtain information regarding the types of SPBE risks, the forms of events and their causes, the categories of SPBE risks that occur, as well as the impacts and areas affected by SPBE risks in the XY work unit [19]. SPBE risk analysis is carried out to assess the control system that exists in XY work unit, the level of possibility, the level of impact, as well as the magnitude of the SPBE risk and its level [19]. SPBE risk evaluation is made to determine if further SPBE risk management is needed [19]. The SPBE risk assessment stages are obtained from the results of direct observation, document review, and repeated discussions with the Head of the XY Work Unit, the Head of the Sector, and the IT staff who are responsible for the SPBE Infrastructure of the XYZ Institute.

SPBE Risk Handling
At this stage, SPBE risk management options are selected, action plans and implementation schedules are made, and the responsible unit is determined for each action plan [20].

RESULTS AND DISCUSSION
This chapter contains the Risk Management Design for the SPBE Infrastructure in the XY Work Unit based on the Minister of Administrative and Bureaucratic Reform Regulation Number 5 of 2020 as mandated by the Indonesian Government.

SPBE Risk Context Determination
The SPBE Risk Context Determination process for Work Unit XY is divided into the following steps [12]:

General Information Inventory
An inventory of general information is carried out to identify information regarding the XY Work Unit as the SPBE Risk Owner Unit (UPR) such as the name of the SPBE UPR, the duties and functions of the SPBE UPR on the implementation of SPBE in the XYZ Institute, as well as the period of implementation of SPBE Risk Management in the XY Work Unit.

SPBE Target Identification
SPBE Target Identification is designed to provide information about the goals to be achieved and the indicators to be used in implementing SPBE at XYZ Institute. This information contains the following elements:
a. SPBE UPR targets, filled with XY Work Unit targets related to SPBE. The SPBE UPR target is derived from the strategic objectives of the XYZ Institute and is made in accordance with the duties and functions of the XY Work Unit, namely as a work unit that carries out tasks and functions in the field of data and information.
b. The SPBE target, in this case, is filled in with the target of the XY Work Unit related to the SPBE and is obtained from the XY Work Unit's Key Performance Indicator (KPI) document.
c. The SPBE Performance Indicator is filled in with the Main Performance Indicator of the XY Work Unit listed in the KPI document.
d. The SPBE Performance Target is filled with the value/measurement of the SPBE Performance Indicator obtained from the XY Work Unit KPI document draft.

SPBE Risk Management Implementation Structure
Based on the FGD results, it was determined that the XY Work Unit is the SPBE Risk Owner Unit, which will develop and implement SPBE Risk Management. The SPBE Risk Management Implementing Structure includes the SPBE Risk Owner Unit, SPBE Risk Owner, SPBE Risk Coordinator, and SPBE Risk Manager.

Identification of Stakeholders
Stakeholder identification is needed to find out which parties interact with the XY Work Unit and influence the achievement of the SPBE targets, where these parties can come from internal work units, external work units, government, or non-government agencies. Based on the FGD results, 8 stakeholders have been identified, namely the Head of XYZ Institution, the Chief Secretary, Echelon I & II Leaders, XYZ Institution employees, XY Work Unit, third parties, institution partners, and the National SPBE Coordination Team.

Identification of Regulations
Identification of regulations must be carried out so that the XY Work Unit understands the authorities, duties and functions, responsibilities, as well as legal regulations that need to be implemented and obeyed. The regulations upon which the SPBE Risk Management Guideline is based are: a) Law of the Republic of Indonesia No. 19

SPBE Risk Categories
According to PAN-RB Ministerial Regulation Number 5 of 2020, there are 16 SPBE risk categories that have been determined so that the process of identifying, analyzing, and evaluating SPBE risks can be carried out comprehensively.

SPBE Risk Impact Areas
It is necessary to determine the SPBE Impact Areas to see which areas or parts of the XY Work Unit or XYZ Institute are affected by the SPBE risk. Referring to the SPBE Risk Management Guidelines belonging to the Ministry of PAN-RB and based on the results of the FGD, the XY Work Unit determined that there were 7 impact areas consisting of: a) financial, b) reputation, c) performance, d) organizational services, e) operational and ICT assets, f) laws and regulations, and g) human resources.

SPBE Risk Criteria
The determination of SPBE risk criteria is carried out to measure how likely a risk is to occur and its impact on achieving the XY Work Unit's targets. In determining the SPBE Possible Risk Criteria, the XY Work Unit uses 5 types of probability levels as well as the probability percentage approach and the probability of events occurring in one year as shown in Table 1.

[Table 1: only the last row was recovered] Level 5, Very Likely: probability percentage X > 50%; frequency of occurrence in one year X > 24.

The SPBE Risk Impact Criteria is a combination of the SPBE Risk Impact Area and Impact Level. The XY Work Unit uses 5 levels of impact, namely Not Significant, Less Significant, Moderately Significant, Significant, and Very Significant.

SPBE Risk Analysis Matrix and Risk Level
The SPBE risk analysis matrix is obtained from the results of an assessment of the likelihood level and impact level that have been predetermined and represented in numerical form (SPBE Risk Amount) as in Table 2. The SPBE Risk Amount is then grouped in the form of SPBE Risk Levels and each level contains a range of SPBE Risk Amount values. Based on the results of the FGD, the range of values for each label was determined as follows:

Risk Appetite
The SPBE risk appetite serves as the minimum threshold for risks that must be addressed. If the SPBE Risk Amount equals or exceeds the predetermined risk appetite value, the risk must be handled; this applies to both negative risks and positive risks. Based on the results of the FGD meeting, the risk appetite for SPBE belonging to the XY Work Unit is as follows:

SPBE Risk Analysis
SPBE Risk Analysis is conducted to determine the control system, the likelihood, and the impact of SPBE Risk.The determination of the control system is based on the results of observations and discussions with the SPBE risk owner, as well as the determination of the level of likelihood and level of impact, as shown in Table 5.

SPBE Risk Evaluation
After the SPBE risk analysis is completed and the Magnitude value of each SPBE Risk is obtained, the next stage of the risk assessment process is the SPBE Risk Evaluation. At this stage the researcher, together with the person in charge of SPBE Risk, discusses and decides whether it is necessary to carry out further handling of the SPBE Risk that has been analyzed and determines the priority of the risks. SPBE Risk Prioritization in this study is determined by prioritizing the risks that have the largest SPBE Risk Magnitude value first. From the research results, there are 6 SPBE risks with a very high level and 20 SPBE risks with a medium level that are above the threshold/risk appetite, so that SPBE risk handling needs to be done; 1 SPBE risk with a medium level that is below the SPBE risk appetite, 7 SPBE risks with a low level, and 13 SPBE risks with a very low level, so that the risk is accepted and no risk handling is made.
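
The evaluation rule described in the SPBE Risk Analysis Matrix, Risk Appetite and SPBE Risk Evaluation sections can be written as a short routine. This is an added example, not part of the original paper or the regulation; the matrix (likelihood times impact), the level bands, the appetite thresholds, the category names and the sample risks are all constructed assumptions, since the paper's own tables are not reproduced on this page.

```python
from dataclasses import dataclass

# Constructed stand-ins: the paper's Tables 2-4 are not on this page.
# Inclusive upper bound of each risk-level band (assumption).
LEVEL_BANDS = [(5, "Very Low"), (10, "Low"), (15, "Medium"),
               (20, "High"), (25, "Very High")]
# Minimum magnitude at which a negative risk must be handled, per risk
# category. Category names are hypothetical placeholders.
APPETITE = {"category-A": 11, "category-B": 14}


@dataclass(frozen=True)
class Risk:
    risk_id: str
    category: str
    likelihood: int  # level 1..5
    impact: int      # level 1..5


def magnitude(likelihood: int, impact: int) -> int:
    """Risk amount from an assumed product matrix (not the regulation's)."""
    if not (1 <= likelihood <= 5 and 1 <= impact <= 5):
        raise ValueError("likelihood and impact must be levels 1..5")
    return likelihood * impact


def level(mag: int) -> str:
    """Map a risk amount to its level label using the constructed bands."""
    for upper, label in LEVEL_BANDS:
        if mag <= upper:
            return label
    raise ValueError(f"magnitude {mag} is outside the matrix")


def evaluate(risks):
    """Return risks sorted by descending magnitude with a handling decision."""
    rows = []
    for r in risks:
        mag = magnitude(r.likelihood, r.impact)
        rows.append({
            "id": r.risk_id,
            "magnitude": mag,
            "level": level(mag),
            # Handle when the amount meets or exceeds the category's appetite.
            "handle": mag >= APPETITE[r.category],
        })
    return sorted(rows, key=lambda row: (-row["magnitude"], row["id"]))


# Constructed sample risks; X.2 and X.3 share a level but not a decision.
SAMPLE = [
    Risk("X.1", "category-A", 5, 5),
    Risk("X.2", "category-A", 3, 4),
    Risk("X.3", "category-B", 4, 3),
    Risk("X.4", "category-B", 2, 2),
]

if __name__ == "__main__":
    for row in evaluate(SAMPLE):
        print(row)
```

Two risks at the same level can land on opposite sides of the threshold, which matches the paper's split of medium-level risks above and below the risk appetite.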

Figure 1. Research Stages

of 2016 on Amending Law No. 11 of 2008 concerning Electronic Information and Transactions, b) Presidential Regulation No. 95 of 2018 concerning Electronic-Based Government Systems, c) PAN-RB Ministerial Regulation No. 5 of 2020 about SPBE Risk Management Guideline, d) Presidential Regulation about XYZ Institution, e) XYZ Institution Regulations concerning the Organization and Work Procedures, f) Vision, Mission, Strategic Goals and Key Performance Indicators of XYZ Institution for 2022-2024, and g) Implementation of SPBE in XYZ Institution.
Indonesia issued Presidential Regulation Number 95 of 2018 concerning Electronic-Based Government Systems which regulates SPBE Governance, SPBE Management, ICT Audit, SPBE organizers, SPBE acceleration and SPBE monitoring and evaluation [8]. According to Presidential Decree Number 95 of 2018, an Electronic-Based Government System is one of the state's efforts in administering government by utilizing information and communication technology to provide services to SPBE users

[Table column headings; rows not recovered] No | SPBE Risk Categories | Minimum Threshold for Risk to Be Handled (Negative SPBE Risk)
SPBE Risk Identification is carried out to gather information regarding events/predictions of events that will occur (hereinafter referred to as SPBE Risk), causes, types of SPBE risks, SPBE risk categories, impacts, and areas of impact in accordance with the SPBE Risk Context which has been defined in Section 3.1. The SPBE Risk Assessment results are obtained through an iterative discussion process, either through meetings or direct discussions with the Head of Division and/or IT staff in the XY Work Unit. Table 5 shows the results of the SPBE risk assessment at the XYZ Institute Data Center and Intra Network which are arranged based on handling priority. There are 47 Negative SPBE Risks which are divided into 15 SPBE Risks in the XYZ Institute Data Center (N.1-N.15) and 32 SPBE Risks in the XYZ Institute Intra Network (N.16-N.47). 26 Some of the SPBE risks are above the SPBE Risk Appetite value so that they must be handled further and recommendations for SPBE Risk Management are made.

https://doi.org/10.24036/tip.v16i2.72450

Table 5. SPBE Risk Assessment on XYZ Institute Data Centers and Intra Networks