International Journal of Computer Applications (0975-8887) Volume 174, No. 30, April 2021

IT Risk Management Maturity Model for SOA

Rafael de Almeida Azevedo, Master Program in System and Computing, Salvador University, Salvador/BA, Brazil
Paulo Caetano da Silva, Master Program in System and Computing, Salvador University, Salvador/BA, Brazil
André Magno de Costa Araújo, Department of Information Systems, Federal University of Alagoas, Penedo/AL, Brazil

ABSTRACT

Risk management is an important area of knowledge in corporate environments, allowing risks to be known and adequately mitigated and addressed. A structured information technology risk management environment can influence the improvement of the flexibility and adaptability of an organization's business processes. In this context, the concept of service-oriented architecture (SOA) aims at the union of organizational processes with the resources provided by information technology (IT). Although SOA has been widely debated and applied in organizational environments, it is noted that little attention has been paid to the investigation of a risk management model to assess the maturity of business processes in information technology based on SOA. This work presents a risk management maturity model, formed by the union of good information technology risk management practices and existing maturity models, to be applied in a service-oriented architecture. The proposed model aims to assist in assessing the level of risk management maturity in the SOA scope. To evaluate the proposed model, the scenario of a health organization was used, and the results showed that the level of IT risk management maturity based on SOA was measured, which provided a holistic view of risk management across the dimensions people, processes, and technology.

General Terms
Service Oriented Architecture.

Keywords
Maturity Models, IT Risks Maturity Models, SOA.

1. INTRODUCTION

Risk management is an important area of knowledge in corporate environments, allowing risks to be known and adequately mitigated and addressed. A structured information technology risk management environment can influence the improvement of the flexibility and adaptability of an organization's business processes [1]. Risk management in information technology (IT) has been widely debated and applied in organizational environments, because business processes are increasingly dependent on technological resources and tools as these expand, evolve, and become more present in the daily life of society [2]. In this context, it is necessary for organizations to implement an effective risk management process, subjecting it to continuous assessment through a maturity model appropriate to the organizational culture in question [3].

Due to the operational and strategic support provided by IT to an organization's business processes, much has been discussed about the use of maturity models that put together organizational processes with information and communication technology resources [4-5]. In this sense, service-oriented architecture (SOA) consists of a technological architectural model that aims to align IT resources with strategic organizational objectives. However, in service-oriented architecture there is a range of components and factors that expose this environment to a series of risks, which makes it necessary to carry out risk management and to assess the maturity of IT risks for SOA [6]. As identified in the state of the art, IT and SOA risk management maturity models have been approached and applied in the most diverse areas of knowledge, such as healthcare [4], supply chain management [5] and e-government portals [6], among others.

Although the disclosure of SOA maturity models and risk management has grown considerably in recent years [3], it is noted in the state of the art that little attention has been paid to the specification of an IT risk management maturity model in the SOA framework and its respective dimensions, namely process, people, and technology. It is also noticeable in the state of the art that many organizations have adopted risk management practices; however, there is a lack of studies implementing methods to measure the organizational maturity level of their risk management practices based on SOA [7].

Based on this open issue identified in the state of the art, this work specifies an IT risk management maturity model for SOA called SDRMM (SOA Dimension Risk Maturity Model). The proposed model addresses SOA risk management in its dimensions and implements an assessment tool to measure the level of organizational maturity. To evaluate the proposed model, a real scenario of a health institution in Brazil was used, and the main result is that the level of IT risk management maturity based on SOA was measured, which provided a holistic view of risk management across the dimensions people, processes, and technology.

This paper is organized as follows: Section 2 describes the basic concepts used to develop this work, while Section 3 presents and describes the SDRMM model. Section 4 shows the assessment of the SDRMM model. Finally, concluding remarks and suggestions for future work are found in Section 5.

2. BACKGROUND AND RELATED WORKS

This section contextualizes SOA (Section 2.1), conceptualizes risk maturity models (Section 2.2), and provides an analysis of related works identified both in academia and industry (Section 2.3).

2.1 SOA

Service Oriented Architecture (SOA) resembles a system with an independent set of cooperating subsystems or services. SOA encompasses the consolidation and reuse of software assets, the reduction of infrastructure complexity and,