FR | NL | EN
   About us     Contact     Glossary index     Sitemap   

   Home > Assessment of the information risks in the railway sector

Assessment of the information risks in the railway sector     Print


The assignment consisted of the identification and evaluation of risks associated with the use of information systems in the field of railway transport, as well as developing an action plan to mitigate those risks. The assignment began with an information systems’ audit and the development of the business model covering all business and support functions. The risk assessment formed the basis for the development of a risk map. An action plan has been prioritised and an IT balanced scorecard (BSC) was developed incorporating the key indicators.


Thalys is a railway organisation for managing the rail connections between France, Belgium, Germany and the Netherlands around the axis Paris-Brussels.. Thalys is a service offered jointly by the Belgian, French, Dutch and German railways.


2009: IT Audit and development of the business model

2010: Assessment of IT risks

Methodology – Assessment of IT risks

The methodology of risk assessment is based on the Risk IT repository, developed by ISACA (This framework is now integrated into the CobiT 5):
  1. Understanding of key processes and development of a business model showing the process drivers and the key business processes, i.e. transport, fleet management, booking, sales, marketing, electronic commerce, call centre, help desk, traffic services on board and support processes (human resources, finance, legal services and IT);
  2. The mapping of application systems and data, and the collection of basic information on the software operation;
  3. Risk identification by means of interviews with key people;
  4. Risk estimation for each business and support software based on four criteria listed in the associated diagram:
    • Design effectiveness
    • Operational effectiveness
    • Impact of risk
    • Likelihood of risk
  5. Risk mapping on the business model to indicate visually the risk areas;
  6. The development of an action plan to mitigate unacceptable risks;
  7. Prioritisation of the plan based on the complexity and cost of implementation and the urgency in terms of business risk;
  8. The elaboration of a Balanced Scorecard (BSC) with key indicators in order to monitor the implementation of the action plan.

QAP has an extensive experience in governance, project and program management, as well as in control and risk management.

For more information, contact Patrick Soenen via p.soenen[at]

QAP © 2010 | advice[at] | audit[at]
   Audit     Advisory     Training     Change     Disclaimer     Copyright