David C. Wyld et al. (Eds): CSTY, SIGI, MaVaS - 2021 pp. 101-111, 2021. CS & IT - CSCP 2021 DOI: 10.5121/csit.2021.112209 RISK ANALYSIS IN THE PREPARATION OF A BUSINESS CONTINUITY PLAN (BCP) IN IT SERVICES: A CASE STUDY OF UNIVERSITAS INDONESIA Akmal Gafar Putra, Betty Purwandari and Farisya Setiadi Magister of Information Technology, Universitas Indonesia, Depok, Indonesia ABSTRACT Based on the Horizons Scan Report 2021 by BSI, the top 6 threats to organizations today are pandemics, health incidents, safety incidents, IT and telecommunications outages, cyber- attacks, and extreme weather. Universitas Indonesia (UI), as a modern, comprehensive, and open campus, strives to become a leading research university globally. As the IT service manager at UI, the Directorate of Information Systems and Technology (DSTI) has the task of strengthening service management by implementing risk management and security management in line with relevant laws and policies. The main problem for DSTI as an IT service at UI is that there are no documents related to risk management and information security management, resulting in IT services’ failure. This year, there have been four data center failures due to power and UPS problems. DSTI wants to improve IT services at UI by implementing risk management and Business Continuity Management System (BCMS). This study aims to conduct a risk analysis to design a Business Continuity Plan (BCP) for IT services at the University of Indonesia. The research was conducted using mix method. The OCTAVE qualitative method was carried out in finding a list of risks on critical assets in IT services at UI. A quantitative approach is needed to rank the risk list using a questionnaire and FMEA calculations to get a risk priority number. This study separates the risk of general assets and information system assets. For critical assets, it is generally found that two are at a very high level, one is high, eight risks are at a low level, and 12 are at a very high level, for information system assets found 12 assets with very high risk, three medium and one low. KEYWORDS Risk Analysis, OCTAVE, FMEA, ISO 22301:2019, Business Continuity Plan. 1. INTRODUCTION Universitas Indonesia, abbreviated as UI, is a modern, comprehensive, open, multi-cultural, and humanist university. UI simultaneously and continuously trying to become the world's leading research university. The vision stated in the statutes [1] is: "To become a center of science, technology, and culture" superior and competitive, through efforts to educate the nation's life to improve the welfare of the community, thereby contributing to Indonesian development people and the world. UI has developed three strategic goals that are expected to realize the goals of UI 2024. The three strategic targets in internal business processes are relevant and high-quality education, research-based Tridharma, and effective governance [2]. The Directorate of Information Technology and Systems, abbreviated as DSTI, is a directorate entrusted with being a trusted institution in the management of information technology infrastructure and data