INFORMATION TECHNOLOGY GOVERNANCE IN A SHARIA MICROFINANCE INSTITUTION: AN EVALUATION BASED ON COBIT 5 FRAMEWORK

This research aimed to analyze the implementation of Information Technology (IT) management and to measure the level of IT management in Bina Ummat Sejahtera KSPPS BMT (SavingLoan Cooperation and Sharia Financial Baitul Maal Wat Tamwil) using the COBIT framework 5. Bina Ummat Sejahtera KSPPS BMT is one of the Sharia Micro Finance Institutions in Central Java. The process capability model in COBIT 5 was used to measure the level of IT management in Bina Ummat Sejahtera KSPPS BMT. This research applied a qualitative approach using interviews and documentation to collect data. The results show that Bina Ummat Sejahtera KSPPS BMT has implemented the management process and met all the process domains in the COBIT 5 framework. Also, the level of IT governance at Bina Ummat Sejahtera KSPPS BMT is currently at level 3 (established process), the defined process level. Overall, the management process can only reach the level of "largely achieved" (L) so that it makes assessment unable to proceed to the next level, which is the deployment process. The results are expected to provide information and input to Bina Ummat Sejahtera KSPPS BMT in optimizing the implementation of its IT management.


INTRODUCTION
Information technology (IT) plays a vital role in organizations. Both profitoriented and non-profit organizations use information technology in assisting their business operations; because information technology can improve the efficiency and effectiveness of business processes. Also, enterprises can improve their growth and performance by exploiting information technology (Turban, Wood, & Volonino, 2015). In financial institutions, information technology plays a vital role in operations and providing services to customers. Currently, all transactions required by customers can be done using information technology, for example, through ATM (automated teller machines), EDC (electronic data capture), internet banking, and mobile banking. Therefore, IT investment is vital for the development of the organization. However, not all organizations are successful in making IT investments. One of the reasons for the failure is due to inadequate information technology governance within the organization (IT Governance Institute, 2008;Islam, 2016).
Organizations need to have effective IT governance so that their IT investments provide expected benefits. IT governance is the leadership, organizational structure, and processes that ensure that information technology supports corporate strategy and objectives (IT Governance Institute, 2003;Hawariyuni & Kassim, 2016). Organizations can ensure that information technology supports business goals, maximizes IT investment, and appropriately manages IT-related risks and opportunities through effective IT governance (ISACA, 2012a).
In Indonesia, one of the Sharia microfinance institutions that first developed is known as Baitul Maal wa Tamwil (BMT). BMT is one of the Islamic financial institutions that have a social (Baitul Maal) and commercial mission (Baitul Tamwil) and operated by using the principle of profit sharing (Ibrahim, Ashal, & Nanda, 2016). The Chairperson of the Board of Management of the Indonesian BMT Association revealed to Kompas that the growth of the BMT branch in the first quarter of 2017 was relatively not high (Nadril, 2017). The low growth may be due to many large financial institutions have entered the micro-market, thus increasing the competition within the market. The increased competition forced microfinance institutions and BMT to innovate to compete with the macro-financial institutions.
This study analyzes the application of IT governance and measures the level of IT governance in a micro Islamic financial institution in Indonesia. The financial institution used in this study was a BMT in Central Java named Bina Ummat Sejahtera KSPPS BMT (KSPPS BMT BUS). Currently, KSPSS BMT BUS is focusing on improving its IT governance. The organization makes use of information technology for operations and providing services to customers and also integrating data from its various branches (116 branches in Java and Kalimantan). KSPPS BMT BUS has offered technology-based services using an ATM, EDC, and virtual account. Based on the initial interview with the executive secretary, the IT implementation was supported by third parties. However, some problems occurred in the process of IT implementation. In addressing the problems, evaluation needs to be done to assess the level of IT governance at KSPPS BMT BUS. Therefore, this study aims to analyze the implementation and level of IT governance at KSPPS BMT BUS.
This study used the COBIT (Control Objective for Information and Related Technology) 5 framework. According to De Haes, Van Grembergen, & Debreceny (2013), COBIT covers the governance, strategic, and tactical lifecycles in the IT domain, while the governance framework like COSO only covers governance and organizational issues. Other IT governance frameworks like Tick IT (the standard used to assess the quality of software development), ITIL (Information Technology Infrastructure Library), and CMMI (Capability Maturity Model Integration) relate to management issues that tend to tactical management rather than strategic management as shown in Figure 1. COBIT 5 is a framework that assists organizations to create optimal value from IT by maintaining a balance between realizing benefits and optimizing risk level and resource use (ISACA, 2012a). In COBIT 5, there are process reference models that divided into two main process domains, that is evaluated, direct, and monitor (EDM) at governance process and 1) align, plan, and organize (APO); 2) build, acquire, and implement (BAI); 3) deliver, service, and support (DSS); and 4) monitor, evaluate, and assess (MEA) at the management process.
Several studies on IT governance in financial institutions using the COBIT framework have been conducted, such as (Vugec, Spremic, & Bach, 2017;Hanief, 2013;Winardi, 2012), but the three did not study Sharia Micro Finance Institutions using the COBIT 5 framework. Vugec, Spremic, & Bach (2017) researched two banks and two insurance companies using the COBIT framework, while Hanief (2013) researched Islamic banks in Bali and Winardi (2012) in Sharia Micro Finance Institutions in Yogyakarta utilizing the COBIT 4.1 framework. Also, this study conducted in Sharia Micro Finance Institution using the latest COBIT framework, i.e., COBIT 5.
This study aims to answer two primary questions which are 1) how is the implementation of IT governance in KSPPS BMT BUS assessed using COBIT 5 framework, and 2) how is IT management level according to COBIT 5 on KSPPS BMT BUS. This paper consists of five sections. The first section discusses the importance of IT governance in a financial institution, including the research questions. The second sections contain a literature review on IT governance using the COBIT 5 framework that reinforces and underpins this research. The third section discusses the methodology that is used in this study. The fourth section explains the finding and analyses the problem so that the research questions answered. The last section contains the conclusion and recommendation for KSPPS BMT BUS.

IT Governance
There are several definitions of IT governance. Weill & Woodham (2002) define IT governance as the determination of decision-making authority and accountability framework to encourage desirable behavior in IT usage.
Furthermore, according to Van Grembergen (2002), IT governance is a process carried out by directors, executive management, and IT management to control the implementation of IT strategies and ensure that information technology supports business strategies.
IT governance is an important thing. It can help ensure that information technology support business goals, maximize investment in IT, and manages the risks and opportunities that arise with IT (ISACA, 2011). The organization will succeed when the board of directors (BOD) and executives pay attention to information technology like other significant parts of doing business (ISACA, 2012a). Therefore, BOD and management, together with IT departments within companies, must collaborate and work together, so that information technology is included in corporate governance and management.

COBIT 5
COBIT (Control Objectives for Information and Related Technology) is a set of guidelines for conducting IT management created by the Information Systems Audit and Control Association (ISACA) and the IT Governance Institute (ITGI) (Hartono & Abdillah, 2011). COBIT provides a comprehensive framework in the management and IT governance so that it can help companies achieve their goals (ISACA, 2012a, p. 13). This is because COBIT helps companies create optimal value from IT by maintaining a balance between the profit realization and optimizing the level of risk and the resources used.
The latest edition of COBIT, COBIT 5.0, was released in 2012. COBIT 5 provides end-to-end business descriptions, enabling companies to manage information technology holistically for the whole company (ISACA, 2012a, p. 13). COBIT 5 was designed by ISACA and ITGI based on the COBIT framework version 4.1, which was integrated with Val IT and Risk IT. COBIT 5 consists of 2 main parts, namely governance, and management. The COBIT 5 framework can be used for all types of companies both on a large scale and SMEs, profit-oriented or not, even the public sector.

Process Reference Model in COBIT 5
COBIT 5 has two main areas, namely, governance and management. These areas have their respective domains. Governance area has one domain, namely evaluate direct, and monitor (EDM). The EDM domain encompasses the IT governance process by ensuring that the company receives optimal value with acceptable risk and available resources. Also, this domain ensures that corporate objectives agreed by stakeholders can be achieved (ISACA, 2012b). Furthermore, the management area consists of four domains, namely: 1) Align, Plan, and Organize (APO); 2) Build, Acquire, and Impellent (BAI); 3) Deliver, Service, and Support (DSS); and 4) Monitor, Evaluate, and Assess (MEA).

Align, Plan, and Organize (APO)
The APO domain includes IT adjustment, planning, and procurement processes. It determines the best way to use IT to help achieve goals by considering the capabilities and circumstances of the company (ISACA, 2012b;Novianda, Pranomo, and Nugroho, 2014).

Build, Acquire, and Impellent (BAI)
The BAI domain includes the process of identifying IT-related needs in companies, obtaining technology and IT-related needs and their implementation (ISACA, 2012b;Novianda, Pranomo, and Nugroho, 2014) Deliver, Service, and Support (DSS) The DSS domain includes the process of managing IT operations and overcoming problems that arise related to IT so that the services provided are maximized (ISACA, 2012b) SHARE | Volume 9 | Number 1 | Jan -Jun 2020

Monitor, Evaluate, and Assess (MEA)
The MEA domain includes three processes. First, assessment process IT strategies and services in meeting agreed on needs and goals within the company. Second, monitor and evaluate internal control. Last, evaluate IT processes and IT-supported business processes following applicable regulations and requirements (ISACA, 2012b) This model is a model that represents all the processes that are usually found in companies related to IT activities. This model is also a general model that can be understood by operational IT and business managers. Having an operational model for all parts of the company involved in IT activities is one of the essential things to achieve good governance. It can also be a framework for measuring and monitoring IT performance, communicating with third parties who provide services, and integrating best management practices (ISACA, 2012b).

Process Capability Model in COBIT 5
Six levels can be achieved by a process in the Process Capability Model.

Level 0: Incomplete process
A process at level 0 means that the process was not implemented or failed in achieving its objectives. At this level, there is little or no evidence of achieving the goals of the systematic process (ISACA, 2012a).

Level 1: Performed process
Processes that reach level 1 mean that the process can be implemented and achieve its objectives (ISACA, 2012a).

Level 2: Managed process
Processes at this level mean they can be implemented and managed (planned, monitored, and adjusted). The results of the process can be determined, controlled, and maintained appropriately (ISACA, 2012a).

Level 3: Established process
The process that reaches level 3 is a process that has reached the level previously applied and subsequently knows the process that can achieve the specified process results (ISACA, 2012a).

Level 4: Predictable process
The process at this level is a process that is defined at the previous level and has reached the limits set to achieve the results of the process (ISACA, 2012a).

Level 5: Optimising process
The process that reaches level 5 is a process that has reached the previous level and is enhanced to achieve current and determined business goals for the future (ISACA, 2012a). This model can measure the performance of governance and management processes. Also, this model can help to identify improvements (ISACA, 2012a).

Research Design
This research is qualitative research with the study case method. Qualitative research is an approach that uses to examine people's experiences in detail by using a set of research methods such as in-depth interviews, focus group discussions, observation, content analysis, visual methods, and history life or biographies (Hennink et al., 2011: 8-9). Further, a case study is a method that use to evaluate (Yin, 2014: 2).

Data Types and Sources
The types and sources of this research data are primary and secondary data. Primary data are interview results. Interviews are semi-structured conducted to various parties as to the president director, operational and financial director, head of information technology division, IT division staff of network and hardware parts, and IT division staff software development section, which numbered five people. Each will be interviewed separately using questions that have been arranged based on the processes in each domain in the COBIT 5.
Furthermore, secondary data obtained by the researcher through document analysis. Required documents such as policies and procedures, accountability reports, organizational structures, and other relevant documentation.

Data Analysis Technique
This research uses the data analysis method, according to Miles and Huberman (2014) consist of data condensation, data display, and conclusion drawing. Data condensation has done by thematic analysis. According to Braun and Clarke (2006), there are six phases in the thematic analysis as follows: familiarizing yourself with your data, generating initial codes, searching for themes, reviewing themes, defining and naming themes, producing the report.

Data Analysis Tool
This research uses the COBIT 5 framework as a data analysis tool to evaluate IT governance at KSPPS BMT BUS. COBIT 5 has two main areas of governance and management. The governance area has one domain, is evaluate, direct, and monitor (EDM). Furthermore, the management area consists of 4 domains, namely 1) align, plan, and organize (APO), 2) build, acquire, and implement (BAI), 3) deliver, service, and support (DSS), and 4) monitor, evaluate, and assess (MEA). The five domains have several processes, as shown in Figure 2. The processes in figure 2 are described in Table 1. Table 1. Process Reference Model in COBIT 5.

Domain Process
Description EDM 01 ensure governance framework setting and maintenance Analyze and articulate the requirements for the governance of enterprise IT and put in place and maintain effective enabling structures, principles, processes, and parties with clear responsibilities and authorities to achieve the enterprise's mission, goals, and objectives.

EDM 02 ensure benefit delivery
Optimize value contributions to the business from business processes, IT services and IT assets resulting from IT investments at acceptable costs EDM 03 ensure risk optimization Ensure that the risk chosen by the enterprise is understood, articulated, and communicated and that risk to enterprise value related to the use of IT is identified and managed EDM 04 ensure resource optimization Ensure that IT-related capabilities (people, process and technology) are available to support enterprise objectives effectively at optimal cost EDM 05 ensure stakeholder transparency Ensure that the enterprise's IT performance, measurement, and reporting compliance is done transparently, with stakeholders approving the goals, metrics, and the necessary remedial actions.
APO 01 manages the IT management framework Implement and maintain mechanisms and authorities to manage information and the use of IT in the enterprise in support of governance objectives in line with guiding principles and policies.

APO 02 manage strategy
Provide a holistic view of the current business and IT environment, the future direction, and the initiatives required to migrate to the desired future environment.
APO 03 manage the enterprise architecture Establish a common architecture consisting of business process, information, data, application, and technology architecture layers for effectively and efficiently realizing enterprise and IT strategies by creating key models and practices that describe the baseline and target architectures.

SHARE | Volume 9 | Number 1 | Jan -Jun 2020
Domain Process Description APO 04 manage innovation Analyze what opportunities for business innovation or improvement can be created by emerging technologies, services, or IT-enabled business innovation, as well as through existing established technologies and by business and IT process innovation.
APO 05 manage portfolio Execute the strategic direction set for investments in line with the enterprise architecture vision and the desired characteristics of the investment and related services portfolios, and consider the different categories of investments and the resources and funding constraints APO 06 manage budget and costs Manage the IT-related financial activities in both the business and IT functions, covering budget, cost and benefit management, and prioritization of spending through the use of formal budgeting practices and a fair and equitable system of allocating costs to the enterprise.

APO 07 manage human resources
Provide a structured approach to ensure optimal structuring, placement, decision rights, and skills of human resources. This includes communicating the defined roles and responsibilities, learning and growth plans, and performance expectations, supported with competent and motivated people.

APO 08 manage relationships
Manage the relationship between the business and IT in a formalized and transparent way that ensures a focus on achieving a common and shared goal of successful enterprise outcomes in support of strategic goals and within the constraint of budgets and risk tolerance.

APO 09 manage services agreements
Align IT-enabled services and service levels with enterprise needs and expectations, including identification, specification, design, publishing, agreement, and monitoring of IT services, service levels, and performance indicators.
APO 10 manage suppliers Manage IT-related services provided by all types of suppliers to meet enterprise requirements, including the selection of suppliers, management of relationships, management of contracts, and reviewing and monitoring of supplier performance for effectiveness and compliance.
APO 11 manage quality Define and communicate quality requirements in all processes, procedures, and related enterprise outcomes, including controls, ongoing monitoring, and the use of proven practices and standards in continuous improvement and efficiency efforts.
APO 12 manage risk Continually identify, assess, and reduce IT-related risk within levels of tolerance set by enterprise executive management.
APO 13 manage security Define, operate, and monitor a system for information security management.

SHARE | Volume 9 | Number 1 | Jan -Jun 2020
Domain Process Description BAI 01 manage programs and projects Manage all programs and projects from the investment portfolio in alignment with enterprise strategy and in a coordinated way. Initiate, plan, control, and execute programs and projects, and close with a post-implementation review.
BAI 02 manage requirements definition Identify solutions and analyze requirements before acquisition or creation to ensure that they are in line with enterprise strategic requirements covering business processes, applications, information/data, infrastructure, and services.

BAI 03 manage solutions identification and build
Establish and maintain identified solutions in line with enterprise requirements covering design, development, procurement/sourcing, and partnering with suppliers/vendors.

BAI 04 manage availability and capacity
Balance current and future needs for availability, performance, and capacity with cost-effective service provision.

BAI 05 manage organizational change enablement
Maximize the likelihood of successfully implementing sustainable enterprise-wide organizational change quickly and with reduced risk, covering the complete life cycle of the change and all affected stakeholders in the business and IT.

BAI 06 manage changes
Manage all changes in a controlled manner, including standard changes and emergency maintenance relating to business processes, applications, and infrastructure.
BAI 07 manage change acceptance and transitioning Formally accept and make operational new solutions, including implementation planning, system, and data conversion, acceptance testing, communication, release preparation, promotion to the production of new or changed business processes and IT services, early production support, and a post-implementation review.
BAI 08 manage knowledge Maintain the availability of relevant, current, validated, and reliable knowledge to support all process activities and to facilitate decision making.
BAI 09 manage assets Manage IT assets through their life cycle to make sure that their use delivers value at optimal cost, and they remain operational (fit for purpose), they are accounted for and physically protected. Those assets that are critical to support service capability are reliable and available.

BAI 10 manage configuration
Define and maintain descriptions and relationships between key resources and capabilities required to deliver IT-enabled services, including collecting configuration information, establishing baselines, verifying and auditing configuration information, and updating the configuration repository.
DSS 01 manage operations Coordinate and execute the activities and operational procedures required to deliver internal and outsourced IT services, including the execution of pre-defined standard operating procedures and the required monitoring activities.

SHARE | Volume 9 | Number 1 | Jan -Jun 2020
Domain Process Description DSS 02 manage service request and incidents Provide a timely and effective response to user requests and resolution of all types of incidents. Restore normal service; record and fulfill user requests; and record, investigate, diagnose, escalate, and resolve incidents.

DSS 03 manage problem
Identify and classify problems and their root causes and provide timely resolution to prevent recurring incidents. Provide recommendations for improvements.
DSS 04 manage continuity Establish and maintain a plan to enable the business and IT to respond to incidents and disruptions in order to continue the operation of critical business processes and required IT services and maintain the availability of information at a level acceptable to the enterprise.

DSS 05 manage security services
Protect enterprise information to maintain the level of information security risk acceptable to the enterprise under the security policy.

DSS 06 manage business process controls
Define and maintain appropriate business process controls to ensure that information related to and processed by in-house or outsourced business processes satisfies all relevant information control requirements.
MEA 01 monitor, evaluate and assess performance and conformance Collect, validate, and evaluate the business, IT, and process goals and metrics. Monitor that processes are performing against agreedon performance and conformance goals and metrics and provide reporting that is systematic and timely.
MEA 02 monitor evaluate and assess the system of internal control Continuously monitor and evaluate the control environment, including self-assessments and independent assurance reviews. Enable management to identify control deficiencies and inefficiencies and to initiate improvement actions.
MEA 03 monitor, evaluate and assess compliance with external requirements Evaluate that IT processes and IT-supported business processes are compliant with laws, regulations, and contractual requirements.
Source: (ISACA, 2012b) Assessments of the capability level were done based on interview data and criteria on each level. Measuring the capability level is based on a set of process attributes under the domain process on COBIT 5 by using the Process Capability Model. According to ISACA (2012a), there are six levels of capability that a process can achieve.
1) Level 0: Incomplete process, the process is not implemented or fails to achieve its purpose. 2) Level 1: Performed process, the process is implemented and achieve its process purpose.
3) Level 2: Managed process, the process is implemented and manage. Further, its work products are appropriately established, controlled, and maintained. 4) Level 3: The Established process is the previous process implemented using a defined process that is capable of achieving its process outcome. 5) Level 4: Predictable process is a previously implemented process that operates within defined limits. 6) Level 5: Optimising process is a previously implemented process that continuously improved to meet relevant current and projected business goals.
According to IT Governance Network levels of achievement of the process attributes are scored as follow: 1) Not achieved (N)the achievement of the process attributes is 0 until 15%.
2) Partially achieved (P)the achievement of the process attributes is more than 15% until 50%. 3) Largely achieved (L)the achievement of the process attributes is more than 50% until 85%. 4) Fully achieved (F)the achievement of the process attributes is more than 85% until 100%.
The assessment of the capability level was done gradually from each level. Assessment can be continued at the next level is that the process attributes can be achieved fully (F).

Data Validity Technique
This research used triangulation and member checking to do data validity. Triangulation is a technique of data validity by collecting data from various sources such as interviews, observation, and document analysis (Creswell 2014). Also, Creswell (2014) suggests using member checking to determine the accuracy of qualitative findings. Member checking was performed by taking the final report or specific descriptions or themes back to participants and determining whether these participants feel that they were accurate. Therefore, after the data is collected, the results of interviews are conducted by member checking, and the results are used for the next technique, triangulation by comparing it with the results of observations and document analysis.

IT Governance at KSPPS BMT Bina Ummat Sejahtera
IT governance currently being conducted by KSPPS BMT BUS assessed using the COBIT 5 framework will be described in

IT Management Level at KSPPS BMT Bina Ummat Sejahtera
Level 0: Incomplete Process Based on Tabel 2, we can see that all domains of the IT governance process, according to the COBIT 5 framework, have been performed on KSPPS BMT BUS. However, not all domain processes performed well. There are still some processes that need to be improved. These processes are: ensures governance framework setting and maintenance (EDM 1), manage risk (APO 12), manage security (APO 13), manage solutions identification and build (BAI 03), and manage the problem (DSS 03).
Further, the governance process has been assessed based on each level. The governance process at KSPPS BMT BUS was considered to pass the level 0 capability level, and the assessment continued at the next level. This means that the IT governance process, following the COBIT 5 framework, has been implemented by KSPPS BMT BUS. A process is at level 0 when the process is not implemented at all, or the implementation process is incomplete so that it fails to reach the goal.

Level 1: Performed Process
The first level performed process means the process is implemented and achieved a predetermined objective. At this level, the process has a work product, and there are inputs, processes, and output in producing work products. Based on Table 2, it can be seen that all IT governance practices in KSPPS BMT BUS assessed using COBIT 5 framework have work products. Thus, it can be concluded that the practice of IT governance on KSPPS BMT BUS is at level 1, and the assessment of the level of IT governance process capability can be continued to level 2.

Level 2: Managed Process
At level 2 of the managed process, the implemented process has been planned, monitored, and adjusted to achieve the specified objectives. According to COBIT 5, level 2 requires two criteria; that is, the performance is managed (PM), and work products are managed (WPM). Each level has attributes that must be met. Assessment at level 2 and beyond is done by giving a predicate level of attainment of process attributes, as follows.
1) Not achieved (N)the achievement of the process attributes is 0 until 15%.
2) Partially achieved (P)the achievement of the process attributes is more than 15% until 50%. 3) Largely achieved (L)the achievement of the process attributes is more than 50% until 85%. 4) Fully achieved (F)the achievement of the process attributes is more than 85% until 100%.
IT governance process can rise to a higher level if it has fully achieved. At this level, IT governance assessment on KSPPS BMT BUS is performed by assessing the process of governance based on process attributes at each level. The assessment is presented briefly in Table 3. From the whole domain process, there are 6 (six) domains that get predicate largely achieved, whereas most of the process domain get the predicate fully achieved. Therefore, the overall assessment of IT governance capability level in KSPPS BMT BUS at level 2 was considered fully achieved, so the assessment can be continued at level 3 that is established process.

Level 3: Established Process
At level 3, the IT governance process that has been implemented is built on a predefined standard process to achieve the outcome of the process. At this level, there are two levels to be met, namely the process definition (PDef) and the process deployment (PDEP). Both levels have their respective attributes that must be met. Assessment is performed sequentially from the process definition level and then proceeds to the process deployment if at the process definition level IT governance process can be fully achieved. The assessment is presented briefly in Table 4.  Assessment of the capability level of the IT governance process at level 3 was only performed at the definition process level and was not continued at the process deployment level. This was because, at the process definition level, the overall IT governance process was not achieved fully, but can only be largely achieved. However, some processes can be fully achieved. Based on Table 3, there are 18 (eighteen) processes that are largely achieved, and 2 (two) partially achieved processes. These processes need improvement so that KSPPS BMT BUS can reach the level of capability of the next process.

CONCLUSIONS
KSPPS BMT BUS has implemented most of the governance and management processes following the COBIT 5 framework. All process domains within the COBIT 5 framework have been implemented. Although currently, the development of IT is not self-developed but in collaboration with other parties who have the ability in their fields. The results of the study showed that IT governance and management processes in KSPPS BMT BUS are at level three of the five levels in COBIT 5.0.
Corrective actions that can be carried out by BUS KSPPS BMT to achieve the next process capability level (level 4 and 5) are: first, prepare a roadmap as a guide and guidance in developing more strategic and more accessible IT to be implemented. In the roadmap, it is necessary to add a schedule so that the IT development plan is more apparent when it will be carried out and more comfortable in evaluating the effectiveness and suitability of the process. Second, determine the standard processes that need to be carried out together with the sequence of processes to manage the capacity of IT resources and manage the problem process. Finally, determine the right method to monitor the effectiveness and suitability of each governance process that has been carried out with the company's needs. Further research is expected to involve more BMTs and use a survey approach to improve external validity from the research.