E-GOVERNMENT RISK MANAGEMENT ANALYSIS USING PERMENPAN RB NUMBER 5 OF 2020 AT COMMUNICATION AND INFORMATION OFFICE OF XYZ REGENCY

Information Technology (IT) is often used by government agencies to support the achievement of gov-ernment goals, the higher the utilization of IT in government agencies, the higher the threats and risks that occur. The XYZ Regency Government is one of the government agencies that implement the Electronic-Based Government System (e-Government). The implementation of e-Government through the use of IT to provide services to users requires risk management. The use of IT based on risk management makes it eas-ier to achieve goals, reduce risks, and protect IT resources of government agencies. This study aims to identify potential risks that occur using the Regulation of the Minister of Administrative and Bureaucratic Reform Number 5 of 2020 concerning Guidelines for Risk Management of Electronic-Based Government Systems. The results show that there are 23 possible risks that occur, divided into two categories, includ-ing positive risks and negative risks. Positive risks include the suitability of e-Government services with the national e-Government master plan, flexibility of e-Government architecture, conformity of e-Government implementation with the vision and mission as well as re-lated regulations, employee work flexibility, suita-bility of e-Government


408
E-Government Risk Management Analysis Using Permenpan RB Number 5 Of 2020 At Communication And Information Office Of XYZ Regency infrastructure needs and agency priorities, timeliness of e-Government project completion, implementation of information security (data backup), and updating of e-Government business processes and services. A high impact negative risk analysis is the lack of IT training for staff organized by local governments. Based on the evaluation, it is necessary to have a risk mitigation plan for e-Government related to the lack of expertise of staff in accessing applications, phishing, breaking into local government websites, damage to hardware components, and mismatch of IT skills and e-Government needs.

I. INTRODUCTION
Information technology (IT) has become a very important requirement for organizations to increase their productivity [13]. The development of technology today offers many benefits. Individuals, institutions, and government agencies often use IT to support the achievement of organizational goals. This shows that in Indonesia, the use of IT has become an important part of the sustainability of an organization's business processes. In addition to the rapid development of IT, there are still many vulnerabilities and risks in IT implementation, the higher the application of IT in an organization, the higher the threats and risks that occur [14]. Some organizations are still unable to identify and manage threats and risks that will arise after the company implements IT. Therefore, there is a need for risk management that aims to facilitate the achievement of business goals, reduce risk and protect IT in the company [4].
In response to the development of information technology in Indonesia, the President of Indonesia issued Presidential Regulation (PERPRES) Number 95 of 2018 concerning Electronic-Based Government Systems with the aim of increasing the integration and efficiency of electronic-based government systems. In the implementation of e-government, local governments are required to carry out risk management according to Indonesian National Standards as stated in the Regulation of the Minister of Administrative Reform and Bureaucratic Reform (PERMENPAN RB) Number 5 of 2020 [5].
XYZ Regency is one of the local government agencies that has implemented an Electronic-Based Government System in its government system. E-government is the administration of government that uses information and communication technology to provide services to e-government users. E-government is aimed at realizing effective, efficient, and sustainable governance, as well as quality e-government services [2]. With the development of technology, it will certainly affect the XYZ government which relies on technology as its government system. Therefore, the XYZ Regency government needs to implement risk management to reduce and overcome IT risks that hinder the achievement of organizational goals related to the use of IT itself. Risk management can help develop SPBE so that the services used can work optimally [7]. Therefore, the authors conducted research on e-government risk management in the XYZ Regency Government using the PERMENPAN RB guidelines No. 5 of 2020. The purpose of this study was to take risks that occurred in the XYZ Regency Government by identifying sources of risk, estimating the impact and recommendations for management risk.
As also used in the journal entitled "E-government Operational Risk Management Design in the Risk Category of Infrastructure, Applications, Services, data and information (Case Study of Bandung City Government)", the approach method used both uses qualitative methods and uses both PERMENPAN RB guidelines no. 5 of 2020, but the journal is limited to the focus of the risk categories taken, namely infrastructure, applications, services, data and information only [5]. So in this study the researchers wanted to identify risks based on 16 e-government risk categories. So the results obtained will be different from previous studies.

A. Research Methodology
The research methodology is a discussion of the theoretical concepts of various methods, advantages and disadvantages, which in scientific work is followed by the selection of the method used [9]. The research method used in this research is qualitative. Qualitative research is a research procedure that produces descriptive data, in the form of writing or speech, and observed behavior. Qualitative research aims to obtain a comprehensive understanding of social reality from the participant's perspective [3].

Initiation Stage
At this stage the research begins by identifying the problem first. Problem Identification is a step in finding and identifying problems that must be investigated more deeply in the phenomenon. These problems will later be measured and linked to theories in accordance with existing research procedures [6]. Then the researcher conducted a literature study to strengthen the research basis. Literature study is a technique used to find ideas or references in research or problem solving by tracing information that has been previously written. In this study, researchers must have broad insight into the object to be studied. Otherwise, in a large-scale demonstration, the research is doomed to fail [8]. The field study used in this research is to conduct interviews and make direct observations of a particular object.

Analysis Stage
At this stage, the researcher analyzed the data that had been collected previously. Next, the researcher determined the context of the e-government, then continued with a risk assessment, where the risk assessment consisted of identifying risks, analyzing risks and evaluating risks [11]. This research was conducted at communication and Information office of XYZ Regency. With the data that has been collected, the analysis process is carried out using the PERMENPAN RB guidelines Number 5 of 2020. The following is the e-government risk management process. Based on Figure 2, the e-government risk management process can be explained as follows a. Communication and Consulting Communication and consultation is an ongoing iterative process to provide, share or obtain information, and engage in dialogue with stakeholders about e-government risks [1].

b. E-Government Risk Context Determination
The determination of the e-government risk context aims to determine the basic parameters and scope of the e-government risk application that must be managed in the e-government risk management process [1]. The following are the steps for determining the e-government Risk context. . E-Government Risk Assessment c. E-government risk assessment on the implementation of e-government is carried out through a process of identification, analysis and evaluation of e-government risk. The e-government risk assessment aims to understand the causes, possibilities and impacts of e-government risks that may occur in central and local government agencies [1]. The following are the stages of e-government risk assessment.
1. E-government Risk Identification E-government Risk Identification is a process of digging up information about the events, causes, and impacts of e-government Risks [1].

E-government Risk Analysis
E-government risk analysis is the process of assessing the e-government risks that have been identified previously. E-government risk analysis is carried out by determining the control system, the level of possibility and the level of impact of the occurrence of egovernment risk [1].

E-government Risk Evaluation
E-government risk evaluation is carried out to determine whether further efforts are needed to address e-government risks, and prioritize the handling of these risks. If there are several e-government risks with the same size, then the way of determining priority is based on expert judgment [1].

Monitoring and Review
Monitoring aims to monitor factors or causes that affect e-government risk and environmental conditions in central and local government agencies. The monitoring results can be used as a basis for readjusting the E-government risk management process. The review aims to control the suitability and accuracy of the implementation of the entire E-government risk management process in accordance with applicable regulations. The review is carried out according to the agreement of each central agency and local government [1].

E-Government Risk Management Stage
At this stage, it is carried out to compile or make recommendations for handling e-government risks.
Recommendations can be given to the Bandung city government after verification of conformity. Egovernment risk management is the process of modifying the causes of e-government risks. E-government risk management is carried out by identifying various options that can be applied and selecting one or more e-government risk treatment options [1]. Next, the recording and reporting process is carried out. Recording and Reporting is designed to communicate e-government risk management activities and outputs, inform decision making, improve the quality of e-government risk management activities, and monitor interactions with stakeholders, including e-government risk management responsibilities and accountability [1].

B. Data Collection Techniques
Data collection techniques in this study were carried out by conducting data analysis to collect information related to research needs. Furthermore, conducting interviews with informants in order to obtain the information needed to analyze data and make direct observations of a particular object. Then the data obtained from the Communication and Information Office of XYZ Regency was used in the analysis using PERMENPAN RB Number 5 of 2020. Document analysis is a method or activity to collect information about documents within the XYZ Regency Government related to research needs. The activity carried out is the analysis of documents needed to obtain relevant data and information as design materials in research [1].

Interview
An interview is a face-to-face conversation, in which one party gathers information from the other [15]. The purpose of this interview is to obtain correct information from sources, namely the Head of the Main IT Division and Staff related to e-government in the XYZ Regency Government regarding the Electronic-Based Government System to obtain the required data. Interviews were conducted by the interviewer asking several questions to the informants regarding the e-government risk conditions, questions asked about the description of the incident, causes, impacts, impact areas, level of possibility and level of impact of the risk conditions.

Observation
Observation as a data collection technique has specific characteristics compared to other techniques.
Observations made through direct observation to the location, such as the condition of the workspace and work environment, can be used to determine factors that are suitable for interviews and support questionnaires for job analysis [10].

Data Needs
The data used in this study are primary data and secondary data. Primary data is data taken from a study by conducting interviews and direct observations of a particular object. Secondary data is obtained through journals, books and archives both published and unpublished in general [12].

A. Determination of E-Government Risk Context
The determination of the e-government risk context aims to determine the basic parameters and scope of the egovernment risk application that must be managed in the e-government risk management process [1]. The stages of establishing the e-government Risk context consist of general information, objectives, risk management implementation structure, list of stakeholders, list of laws and regulations, risk categories, impact areas, probability criteria, impact criteria, risk matrix, risk level, and risk appetite. The following are the steps for determining the egovernment Risk context.
1. General Information Inventory General Information Inventory aims to provide an overview of work units that implement e-government risk management [1]. The Department of Communication and Information as the Risk Ownership Unit (UPR) of the e-government has the task of implementing the implementation of e-government risk management and has the function of compiling and determining the e-government risk assessment, implementing coordination and operations.

Identification of E-government Targets
Identification of e-government Targets aims to identify the objectives of the e-government as well as indicators and objectives that support the objectives of the work unit that is the e-government UPR [1]. The targets of the e-government UPR include the effectiveness of local government administration, public information disclosure, and the availability of data and information.

Determination of E-Government Risk Management Implementation Structure
Determination of the e-government Implementing Structure aims to identify the work unit responsible for implementing e-government risk management [1]. Communication and information office of XYZ Regency officials are involved as implementers, coordinators and managers of e-government risk management, including heads of offices, secretaries and heads of fields.

Identification of Stakeholders
Identification of Stakeholders aims to obtain information and understand the parties interacting with the egovernment UPR in order to achieve the e-government targets [1]. Stakeholders include relevant ministries, regional apparatus for managing ICT, regional apparatus for business process owners, and academics and practitioners.

Identification of Legislation
The identification of laws and regulations aims to understand the powers, duties, duties, functions and legal obligations that must be carried out by UPR e-government [

. Determination of E-Government Risk Category
The identification of e-government risk categories aims to make the process of identification, analysis, and evaluation of e-government risks comprehensively [1]. The e-government risk category consists of 16 categories including the national e-government master plan, e-government architecture, e-government plan map, business processes, plans and budgets, novation, compliance with regulations, procurement of goods and services, development/development projects, data and information, e-government infrastructure, egovernment applications, e-government security, e-government services and e-government human resources.

Determination of E-Government Risk Impact Area
Determination of Impact Areas aims to find out which areas in central and local government agencies are affected by e-government risk [1]. The impact area consists of 7 categories covering finance, reputation, performance, organizational services, ICT operations and assets, law and regulation, and human resources.

Determination of E-Government Risk Criteria
In determining the risk criteria, there are 2 criteria that are determined, namely the probability criteria and the impact criteria. The possible criteria are presented in the following table. Based on Table I, the criteria for the likelihood of an e-government risk are the magnitude of the probability of an e-government risk occurring within a certain period. The determination of the criteria may be carried out through a statistical probability percentage approach, the number of times the occurrence of an egovernment risk in units of time, or based on expert judgment [1]. After that, it is necessary to inventory the following impact criteria.  Table II, the criteria for the impact of e-government risk are the magnitude of the occurrence of an e-government risk that affects the e-government target [1].

E-Government Risk Analysis Matrix and E-Government Risk Level
The Risk Analysis Matrix contains a combination of the likelihood level and the impact level to determine the e-government risk [1]. Determination of the magnitude of e-government risk which is represented in the form of numbers such as the following risk matrix. Based on Table III, for blue is a risk with a very low level of risk, green is a risk with a low level of risk, yellow is a risk with a moderate level of risk, orange is a risk with a high level of risk, and red is a risk with a very high level of risk. B. E-Government Risk Assessment E-Government risk assessment on the implementation of e-government is carried out through a process of identification, analysis and evaluation of e-government risk. The e-government risk assessment aims to understand the causes, possibilities and impacts of e-government risks that may occur in central and local government agencies [1]. The following are the stages of e-government Risk assessment.

E-Government Risk Management Analysis Using Permenpan RB Number 5 Of 2020 At Communication And Information Office Of XYZ Regency
Risk Identification is the process of digging up information about the events, causes, and impacts of egovernment risks. In this process, risk is divided into two types, namely positive risk and negative risk. In this risk identification process, 9 positive risks and 13 negative risks were identified, with the details as set out in Table V below. Based on Table V, identified positive risks and negative risks along with risk categories and areas of impact from these risks. The results obtained from the risk identification process are the results of interviews and direct observations conducted previously, identified risks with an average risk of impacting on performance as well as ICT operations and assets. Next, the following risk analysis process is carried out.
C. Risk Analysis At this stage, the risks that have been identified are analyzed for their level of risk. An assessment is made of the frequency of risk occurrences, the magnitude of the impact of the occurrence of the risk, the determination of the risk magnitude and the Risk Level, obtained from a combination of the likelihood level and the impact level using the formula in the e-government Risk Analysis Matrix as described in Tables III and IV. The results of the analysis are described in Table VI below. Based on Table VI, identified 5 (five) positive risks with a very high level of risk, 3 (three) risks with a high level of risk, and 1 (one) risk with a moderate level of risk. Furthermore, identified 1 (one) negative risk with a high risk level, 1 (one) risk with a moderate risk level, 6 (six) risks with a low risk level and 1 (one) risk with a very low risk level. The identified risks are analyzed for their level of risk. The results of the analysis are as follows.

D. Risk Evaluation
At this stage, an analysis is carried out to make a decision whether or not further risk management efforts are needed and determine the priority for handling them. Risk management priorities are sorted by the magnitude of the risk. If there is more than one risk that has the same magnitude, the way of determining priority is based on expert judgment. The risk evaluation process is outlined in the following Table VII.  Based on Table VIII, there are five risks with risk id RN2, RN3, RN11, RN12 and RN13 with Escalation treatment option, five risks with risk id RN6, RN7, RN8, RN9, and RN10 with Mitigation treatment option and one risk with risk id RN4 with the option of handling Transfer.

F. Discussion
This study has similarities with the research conducted by Balya Haris Alfajri namely both using the same qualitative method and both using PERMENPAN RB guidelines no. 5 of 2020. The results of research conducted by Balya Haris Alfajri there are 6 positive risks and 10 negative risks, especially in the Application and service risk category, namely there are 4 negative risks, and 80% of negative risks are handled with options for management Escalation, Mitigation, Transfer, Avoidance and risk acceptance [5]. However, this journal is limited to focusing on the risk categories taken, namely infrastructure, applications, services, data, so the researcher wants to identify risks based on 16 e-government risk categories with 9 positive risks and 13 negative risks, the risk category that has the most risk is the source of the risk human resources with a total risk of 4 negative risks. A total of 11 negative risks with handling decisions were handled with the Escalation, Transfer and Mitigation management options.
IV. CONCLUSION XYZ Regency E-Government risk management analysis is based on PERMENPAN RB Number 5 of 2020. The risk assessment process is carried out through 3 processes, namely risk identification, risk analysis, risk evaluation, the results of which are useful as suggestions for risk management for possible risks that occur in the XYZ Department. From the results of risk identification, the XYZ Regency Government has 9 positive risks and 14 negative risks. Positive risk of 1 (one) moderate risk, 3 (three) high level risk and 5 (five) very high level risks Meanwhile, there are 6 (six) low-level risks, 5 (five) moderate-level risks, 1 (one) high-level risk, and 1 (one) very high-level risk.
The prioritized risks at Communication and Information office of XYZ Regency are RN3, RN13, RN11, and RN12. Where this risk must be handled as quickly as possible so that no adverse event occurs because this risk has a very large risk for the XYZ Regency. The results obtained in this study need improvement, because other risks can also occur in the same time frame or in a different time span. Therefore, further research is needed with a different point of view to get better results than before.