COBIT Matrix Examples: Goals Cascade, RACI, and IT Control Assessment Matrix

RWI Consulting – A COBIT matrix is usually used for three things: (1) mapping business goals to IT goals and processes (goals cascade), (2) dividing roles and accountability (RACI), and (3) assessing process capability together with control evidence (assessment matrix). Below are ready-to-use examples that you can adapt directly.
COBIT Matrix Examples

COBIT Goals Cascade Matrix Example (Enterprise Goal → Alignment Goal → Objective)
Format: rows = business goals (Enterprise Goal/EG); columns = IT goals (Alignment Goal/AG) and the COBIT governance/management objectives (EDM/APO/BAI/DSS/MEA) that usually act as the "execution engine".
1A. EG to AG matrix (condensed example)
| Enterprise Goal (EG) | Focus description | Related Alignment Goals (AG) (example) |
|---|---|---|
| EG01 | Business value from investments | AG01 Realized benefits; AG08 Optimized internal business process support |
| EG03 | Business risk under control | AG02 Managed I&T-related risk; AG06 Transparency of I&T costs/benefits/risk |
| EG06 | Business service continuity | AG07 Security of information; AG10 Availability, reliability of I&T services |
| EG07 | Regulatory compliance | AG07 Security of information; AG11 Compliance with external requirements |
| EG10 | Cost optimization | AG06 Transparency of I&T costs; AG12 Managed digital transformation programs |
Usage note: pick 5–8 priority EGs, then cascade them into 6–10 AGs that are actually used as IT KPIs/OKRs.
1B. AG to COBIT Governance/Management Objectives matrix (practical example)
| Alignment Goal (AG) | COBIT objectives that are usually dominant (example) | Output sought |
|---|---|---|
| AG01 Realized benefits | EDM02 Ensure Benefits Delivery; APO05 Managed Portfolio; BAI01 Managed Programs | initiative portfolio, business case, benefits tracking |
| AG02 Managed I&T-related risk | EDM03 Ensure Risk Optimization; APO12 Managed Risk; APO13 Managed Security | IT risk register, risk treatment plan, KRIs |
| AG10 Availability & reliability | DSS01 Managed Operations; DSS02 Managed Service Requests/Incidents; DSS04 Managed Continuity | SLAs, incident trends, DR/BCP tests |
| AG07 Security of information | APO13 Managed Security; DSS05 Managed Security Services; MEA02 Managed System of Internal Control | security policy, operational controls, audit trail |
| AG11 Compliance | MEA03 Managed Compliance; APO12 Managed Risk; DSS06 Managed Business Process Controls | list of obligations, compliance evidence, process controls |
Quick usage: take the AGs most relevant to this year's problems or targets, then treat the objectives in the right-hand column as the "COBIT scope" of the implementation.
COBIT RACI Matrix Example (per Objective/Process)
RACI = Responsible (R), Accountable (A), Consulted (C), Informed (I). This is an example template that is often used to divide IT governance accountability.
2A. Role definitions (common example roles)
- BoD: Board/Board of Commissioners
- CEO
- CIO/Head of IT
- CISO/Head of Security
- IT Ops: Head of IT Operations/Infrastructure
- Risk: Risk Management
- IA: Internal Audit
- BU Owner: Business process owner (primary user)
2B. Example RACI matrix for core objectives (EDM/APO/DSS/MEA)
| COBIT Objective | BoD | CEO | CIO | CISO | IT Ops | Risk | IA | BU Owner |
|---|---|---|---|---|---|---|---|---|
| EDM03 Ensure Risk Optimization | A | C | R | C | I | R | C | I |
| APO12 Managed Risk | I | A | R | C | I | R | C | C |
| APO13 Managed Security | I | A | C | R | C | C | I | I |
| DSS02 Managed Service Requests & Incidents | I | I | A | C | R | I | I | C |
| DSS04 Managed Continuity | I | A | R | C | R | C | I | C |
| MEA02 Managed System of Internal Control | C | I | R | C | C | C | A | I |
| MEA03 Managed Compliance | C | A | R | C | I | C | C | C |
Quick interpretation:
- "A" appears only once per row (if there are two, governance is usually a mess).
- "R" can appear more than once, but limit it so that execution does not become blurred.
- Risk and IA are usually not "R" for daily operations; they are "C/A" for controls, assurance, and monitoring.
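The three interpretation rules above are easy to state and easy to break once the matrix grows. The following is an added example (not code from the article or from RWI Consulting) that parses a markdown RACI table like 2B and checks it mechanically: exactly one "A" per row, at least one "R", a cap on how many roles share "R" (the threshold of two is an assumption; the article only says to limit it), and a flag when Risk or IA holds "R" on an operational DSS objective. The second table is a constructed bad example to show what the checker reports.

```python
"""Added example: validate a markdown RACI matrix against the rules
stated in the article (single A, at least one R, limited R spread,
Risk/IA not R on operational objectives)."""
import re

VALID_CODES = {"R", "A", "C", "I"}
ASSURANCE_ROLES = {"Risk", "IA"}
MAX_RESPONSIBLE = 2  # assumed threshold; the article only says "limit it"

# The 2B table from the article, embedded here as constructed input.
RACI_MD = """\
| COBIT Objective | BoD | CEO | CIO | CISO | IT Ops | Risk | IA | BU Owner |
|---|---|---|---|---|---|---|---|---|
| EDM03 Ensure Risk Optimization | A | C | R | C | I | R | C | I |
| APO12 Managed Risk | I | A | R | C | I | R | C | C |
| APO13 Managed Security | I | A | C | R | C | C | I | I |
| DSS02 Managed Service Requests & Incidents | I | I | A | C | R | I | I | C |
| DSS04 Managed Continuity | I | A | R | C | R | C | I | C |
| MEA02 Managed System of Internal Control | C | I | R | C | C | C | A | I |
| MEA03 Managed Compliance | C | A | R | C | I | C | C | C |
"""

# Constructed bad example: two "A"s, Risk as "R" on a DSS objective,
# and a row with no "A" and no "R" at all.
BAD_MD = """\
| COBIT Objective | CIO | CISO | IT Ops | Risk |
|---|---|---|---|---|
| DSS05 Managed Security Services | A | A | R | R |
| APO14 Managed Data | C | C | I | I |
"""


def parse_raci(markdown: str) -> dict[str, dict[str, str]]:
    """Return {objective: {role: code}} from a pipe-delimited markdown table."""
    rows = [ln.strip() for ln in markdown.splitlines() if ln.strip().startswith("|")]
    header = [c.strip() for c in rows[0].strip("|").split("|")]
    roles = header[1:]
    matrix: dict[str, dict[str, str]] = {}
    for line in rows[1:]:
        cells = [c.strip() for c in line.strip("|").split("|")]
        if all(re.fullmatch(r"-+", c) for c in cells):
            continue  # markdown separator row
        if len(cells) != len(header):
            raise ValueError(f"column count mismatch: {line}")
        objective, codes = cells[0], [c.upper() for c in cells[1:]]
        for code in codes:
            if code not in VALID_CODES:
                raise ValueError(f"invalid RACI code {code!r} in {objective}")
        matrix[objective] = dict(zip(roles, codes))
    return matrix


def check_raci(matrix: dict[str, dict[str, str]]) -> list[tuple[str, str]]:
    """Return (objective, finding) pairs; an empty list means the matrix is clean."""
    findings: list[tuple[str, str]] = []
    for objective, assignment in matrix.items():
        accountable = [r for r, c in assignment.items() if c == "A"]
        responsible = [r for r, c in assignment.items() if c == "R"]
        if len(accountable) != 1:
            findings.append((objective, f"expected exactly one A, found {len(accountable)}: {accountable}"))
        if not responsible:
            findings.append((objective, "no R assigned"))
        elif len(responsible) > MAX_RESPONSIBLE:
            findings.append((objective, f"R spread across {len(responsible)} roles: {responsible}"))
        # Operational (DSS) objectives: Risk and IA should stay in C/I, not R.
        if objective.startswith("DSS"):
            for role in sorted(ASSURANCE_ROLES & set(responsible)):
                findings.append((objective, f"{role} is R on an operational objective"))
    return findings


if __name__ == "__main__":
    for name, md in (("article 2B", RACI_MD), ("constructed bad", BAD_MD)):
        for objective, finding in check_raci(parse_raci(md)) or [("-", "clean")]:
            print(f"[{name}] {objective}: {finding}")
```

Run it against the 2B table and it reports nothing; against the constructed table it reports the duplicate "A", the missing "A" and "R", and Risk holding "R" on DSS05. The DSS prefix test is a simplification: the article's rule is about daily operations, which in COBIT terms mostly lands in DSS, so adjust the prefix set to your own scoping.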
2C. Example RACI for a specific "major incident" scenario
| Activity | CIO | CISO | IT Ops | Risk | IA | BU Owner | CEO |
|---|---|---|---|---|---|---|---|
| Declare major incident | A | C | R | I | I | C | I |
| Isolate & restore the service | C | C | R | I | I | I | I |
| Security forensics & containment | C | A | C | I | I | I | I |
| Customer/regulator communication | C | C | I | C | I | C | A |
| Post-incident review & control improvements | A | C | R | C | C | C | I |
This forces a decision on who "declares the crisis" and who "owns the communication stage".
COBIT Assessment Matrix Example (Process Capability × Control Evidence)
Purpose of this matrix: to make the assessment non-subjective. Rows = capability level, columns = type of evidence.
3A. Capability level matrix (0–5) and minimum evidence
| Level | Operational meaning | Minimum evidence usually requested |
|---|---|---|
| 0 Incomplete | not running/ad hoc | no SOP, no consistent logs |
| 1 Performed | performed but not yet stable | incident tickets exist but are inconsistent; ad-hoc evidence |
| 2 Managed | basic planning & monitoring in place | basic SOPs, simple SLAs, monthly metrics, approval evidence |
| 3 Defined | standardized and integrated | documented procedures, training, change control, clear RACI |
| 4 Quantitatively Managed | managed on the basis of data | KPI/KRI dashboards, trend analysis, thresholds/triggers, root cause metrics |
| 5 Optimizing | continuous improvement | improvement program, automation, declining audit findings, continuous control monitoring |
3B. Evidence matrix per objective (example: DSS02 – incident management)
| Control area | Evidence | Example content sought |
|---|---|---|
| Classification & prioritization | SOP + template | severity definitions, escalation rules, major incident criteria |
| Handling execution | Ticketing log | timeline, PIC, response time, recovery time |
| Performance monitoring | KPI dashboard | MTTR, incident volume, repeat incident rate |
| Root cause remediation | RCA report | 5-why/fishbone, permanent actions, due dates |
| Change control | Change record | incident→change link, approval, rollback plan |
This pattern can be replicated for APO13 (security), DSS04 (continuity), MEA02 (internal control), and other objectives.
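Matrices 3A and 3B only make the assessment objective if the level is derived from the evidence rather than asserted. The following is an added example (not code from the article or from RWI Consulting) that encodes one reading of the 3A evidence per level for DSS02 as named checklist items and applies the cumulative rule that a level counts only when every lower level is also fully evidenced, so a team with a KPI dashboard but no training records still lands at level 2. The evidence item names and the sample evidence register are constructed, not an official COBIT checklist.

```python
"""Added example: derive a process capability level from collected
evidence using a no-skipping cumulative rule (constructed reading of
matrices 3A/3B for DSS02)."""

# Level -> evidence items assumed required (constructed from 3A for DSS02).
LEVEL_EVIDENCE: dict[int, set[str]] = {
    1: {"incident_tickets_exist"},
    2: {"basic_sop", "simple_sla", "monthly_metrics", "approval_evidence"},
    3: {"documented_procedures", "training_records", "change_control", "raci_defined"},
    4: {"kpi_kri_dashboard", "trend_analysis", "thresholds_triggers", "root_cause_metrics"},
    5: {"improvement_program", "automation", "declining_audit_findings",
        "continuous_control_monitoring"},
}

# Constructed evidence register for one DSS02 assessment: control area,
# evidence type (as in 3B) and the artifact reference found, or None if missing.
EVIDENCE_REGISTER = [
    ("Classification & prioritization", "basic_sop", "SOP-INC-01 v2"),
    ("Classification & prioritization", "documented_procedures", "SOP-INC-01 v2 annex B"),
    ("Classification & prioritization", "raci_defined", "RACI-DSS02.xlsx"),
    ("Handling execution", "incident_tickets_exist", "ticketing export 2024-Q1"),
    ("Handling execution", "simple_sla", "SLA-IT-03"),
    ("Handling execution", "approval_evidence", "ticket approval audit trail"),
    ("Handling execution", "training_records", None),  # gap: no training evidence
    ("Performance monitoring", "monthly_metrics", "ops report 2024-03"),
    ("Performance monitoring", "kpi_kri_dashboard", "Grafana board incident-kpi"),
    ("Performance monitoring", "trend_analysis", "ops report 2024-03 section 4"),
    ("Change control", "change_control", "CAB minutes 2024-03"),
]


def collected_items(register) -> set[str]:
    """Evidence items that have an actual artifact behind them."""
    return {item for _, item, ref in register if ref}


def capability_level(collected: set[str]) -> tuple[int, dict[int, set[str]]]:
    """Return (attained level, missing items per level).

    A level is attained only if its items and every lower level's items
    are all present; the first level with a gap stops the climb."""
    gaps = {lvl: req - collected for lvl, req in LEVEL_EVIDENCE.items()}
    level = 0
    for lvl in sorted(LEVEL_EVIDENCE):
        if gaps[lvl]:
            break
        level = lvl
    return level, gaps


def next_level_gaps(collected: set[str]) -> tuple[int, set[str]]:
    """The level to work towards next and the evidence still missing for it."""
    level, gaps = capability_level(collected)
    target = min(level + 1, max(LEVEL_EVIDENCE))
    return target, gaps[target]


if __name__ == "__main__":
    have = collected_items(EVIDENCE_REGISTER)
    level, gaps = capability_level(have)
    print(f"DSS02 attained level: {level}")
    target, missing = next_level_gaps(have)
    print(f"to reach level {target}, still missing: {sorted(missing)}")
    for lvl, miss in gaps.items():
        print(f"  level {lvl}: {'complete' if not miss else 'missing ' + str(sorted(miss))}")
```

The register shape mirrors 3B (control area, evidence type, artifact reference), so the same structure can be reused for APO13 or DSS04 by swapping in that objective's evidence map. Whether levels may be partially credited is an assessment policy choice; this example deliberately refuses to skip a level because that is what makes the result defensible in front of an auditor.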
One-page "COBIT Matrix" template (ready to apply to a document)
If you need a single table for the steering committee, use this format.
| Priority focus | Business goal (EG) | IT goal (AG) | COBIT objective | Main KPI/KRI | Owner (A) | Operator (R) | Main evidence |
|---|---|---|---|---|---|---|---|
| Service continuity | EG06 | AG10 | DSS04, DSS01 | uptime, DR test pass rate | CIO | IT Ops | DR test report, SLAs |
| Risk & security | EG03/EG07 | AG02/AG07 | APO12, APO13, DSS05 | risk exposure, security incident rate | CEO | CISO | risk register, SOC report |
| Investment benefits | EG01 | AG01 | EDM02, APO05, BAI01 | benefits realized, schedule variance | CEO | CIO/PMO | business case, benefits report |
This is the "COBIT matrix" most often used to make governance quickly readable for non-IT people.