{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,4,1]],"date-time":"2026-04-01T18:52:10Z","timestamp":1775069530991,"version":"3.50.1"},"reference-count":45,"publisher":"MDPI AG","issue":"5","license":[{"start":{"date-parts":[[2022,4,30]],"date-time":"2022-04-30T00:00:00Z","timestamp":1651276800000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["Information"],"abstract":"<jats:p>The process of identifying and managing Information and Communication Technology (ICT) risks has become a concern and a challenge for public and private organizations. In this context, risk management methodologies within the Brazilian Federal Public Administration organizations have become indispensable to help the managers of these organizations in decision making, especially in the distribution of public funds, elaboration of public policies focused on transparency, social actions contemplating indemnities, and social benefits, among others. In addition, the various ICT projects controlled by the public administration need a methodology to perform their management of ICT resources. In this article, we present the Governance and Risk Management methodology used to model the Administrative Council for Economic Defense (CADE) macro processes. The proposed methodology used the risk management process aligned to the ISO 31000 standards. This alignment was necessary for mapping CADE\u2019s risk events, regardless of their complexity. The modeled ICT risk processes will support the organization\u2019s managers in decision making and may be used or customized by any other organization of the Brazilian Federal Public Administration.<\/jats:p>","DOI":"10.3390\/info13050231","type":"journal-article","created":{"date-parts":[[2022,5,1]],"date-time":"2022-05-01T06:23:08Z","timestamp":1651386188000},"page":"231","update-policy":"https:\/\/doi.org\/10.3390\/mdpi_crossmark_policy","source":"Crossref","is-referenced-by-count":2,"title":["ICT Governance and Management Macroprocesses of a Brazilian Federal Government Agency"],"prefix":"10.3390","volume":"13","author":[{"ORCID":"https:\/\/orcid.org\/0000-0002-2159-339X","authenticated-orcid":false,"given":"Edna Dias","family":"Canedo","sequence":"first","affiliation":[{"name":"Department of Computer Science, University of Bras\u00edlia (UnB), P.O. Box 4466, Bras\u00edlia 70910-900, Brazil"},{"name":"National Science and Technology Institute on Cyber Security, Electrical Engineering Department, University of Bras\u00edlia (UnB), P.O. Box 4466, Bras\u00edlia 70910-900, Brazil"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-0303-6004","authenticated-orcid":false,"given":"Ana Paula Morais","family":"do Vale","sequence":"additional","affiliation":[{"name":"National Science and Technology Institute on Cyber Security, Electrical Engineering Department, University of Bras\u00edlia (UnB), P.O. Box 4466, Bras\u00edlia 70910-900, Brazil"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-7129-8874","authenticated-orcid":false,"given":"Rog\u00e9rio Machado","family":"Gravina","sequence":"additional","affiliation":[{"name":"National Science and Technology Institute on Cyber Security, Electrical Engineering Department, University of Bras\u00edlia (UnB), P.O. Box 4466, Bras\u00edlia 70910-900, Brazil"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-8300-401X","authenticated-orcid":false,"given":"Alessandra","family":"de Vasconcelos Sales","sequence":"additional","affiliation":[{"name":"National Science and Technology Institute on Cyber Security, Electrical Engineering Department, University of Bras\u00edlia (UnB), P.O. Box 4466, Bras\u00edlia 70910-900, Brazil"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-7423-6695","authenticated-orcid":false,"given":"Bruno J. G.","family":"Praciano","sequence":"additional","affiliation":[{"name":"National Science and Technology Institute on Cyber Security, Electrical Engineering Department, University of Bras\u00edlia (UnB), P.O. Box 4466, Bras\u00edlia 70910-900, Brazil"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-8730-4207","authenticated-orcid":false,"given":"Vinicius Eloy","family":"dos Reis","sequence":"additional","affiliation":[{"name":"General Coordination of Information Technology (CGTI), Administrative Council for Economic Defense (CADE), Bras\u00edlia 70770-504, Brazil"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-7100-7304","authenticated-orcid":false,"given":"F\u00e1bio L\u00facio Lopes","family":"Mendon\u00e7a","sequence":"additional","affiliation":[{"name":"National Science and Technology Institute on Cyber Security, Electrical Engineering Department, University of Bras\u00edlia (UnB), P.O. Box 4466, Bras\u00edlia 70910-900, Brazil"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-1101-3029","authenticated-orcid":false,"given":"Rafael Tim\u00f3teo","family":"de Sousa J\u00fanior","sequence":"additional","affiliation":[{"name":"National Science and Technology Institute on Cyber Security, Electrical Engineering Department, University of Bras\u00edlia (UnB), P.O. Box 4466, Bras\u00edlia 70910-900, Brazil"}],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"1968","published-online":{"date-parts":[[2022,4,30]]},"reference":[{"key":"ref_1","unstructured":"(2018). Risk Management\u2014Guidelines (Standard No. ISO\/IEC 31000:2018). Available online: https:\/\/www.iso.org\/standard\/65694.html."},{"key":"ref_2","doi-asserted-by":"crossref","first-page":"463","DOI":"10.1590\/1413-2311.291.97046","article-title":"Proposal to build a maturity model in ICT governance and management","volume":"26","author":"Santos","year":"2020","journal-title":"REAd. Rev. Eletr\u00f4nica Adm. (Porto Alegre)"},{"key":"ref_3","unstructured":"Netto, S., and Fernandes, A. (2013). Proposta de artefato de identifica\u00e7 ao de riscos nas contrata\u00e7 oes de TI da Administra\u00e7 ao P\u00fablica Federal, sob a \u00f3tica da ABNT NBR ISO 31000: Gest ao de riscos. Univ. Bras\u00edlia, Available online: https:\/\/repositorio.unb.br\/handle\/10482\/13252."},{"key":"ref_4","doi-asserted-by":"crossref","first-page":"5","DOI":"10.1109\/MITP.2013.29","article-title":"Government Risk Management Lags behind Vendor Practices","volume":"15","author":"Anderson","year":"2013","journal-title":"IT Prof."},{"key":"ref_5","unstructured":"Chavas, J.P. (2004). Risk Analysis in Theory and Practice, Elsevier."},{"key":"ref_6","unstructured":"Clausen, B.S. (2020). Gest ao de riscos na Administra\u00e7 ao P\u00fablica como instrumento de combate \u00e0 corrup\u00e7 ao. Univ. Fed. Santa Catarina, Available online: https:\/\/repositorio.ufsc.br\/handle\/123456789\/218918."},{"key":"ref_7","doi-asserted-by":"crossref","unstructured":"Martins, A.D.F., da Silva Barros, P.V., Monteiro, J.M., and de Castro Machado, J. (October, January 28). LGPD: A Formal Concept Analysis and its Evaluation. Proceedings of the Anais do XXXV Simp\u00f3sio Brasileiro de Bancos de Dados, SBBD 2020, Online.","DOI":"10.5753\/sbbd.2020.13651"},{"key":"ref_8","doi-asserted-by":"crossref","unstructured":"Ferr ao, S.\u00c9.R., Carvalho, A.P., Canedo, E.D., Mota, A.P.B., Costa, P.H.T., and Cerqueira, A.J. (2021). Diagnostic of Data Processing by Brazilian Organizations\u2014A Low Compliance Issue. Information, 12.","DOI":"10.3390\/info12040168"},{"key":"ref_9","doi-asserted-by":"crossref","unstructured":"Canedo, E.D., do Vale, A.P.M., Gravina, R.M., Patr ao, R.L., de Souza, L.C., dos Reis, V.E., de Mendon\u00e7a, F.L.L., and de Sousa, R.T. (2021, January 26\u201328). An Applied Risk Identification Approach in the ICT Governance and Management Macroprocesses of a Brazilian Federal Government Agency. Proceedings of the 23rd International Conference on Enterprise Information Systems (ICEIS)-Volume 1, SCITEPRESS, Online. Available online: https:\/\/www.scitepress.org\/Papers\/2021\/104759\/104759.pdf.","DOI":"10.5220\/0010475902720279"},{"key":"ref_10","first-page":"204","article-title":"Implementando a gest ao de riscos no setor p\u00fablico","volume":"1","author":"Miranda","year":"2017","journal-title":"Belo Horiz. F\u00f3rum"},{"key":"ref_11","unstructured":"Tribunal de Contas da Uni\u00e3o (2021, August 15). Manual de Gest\u00e3o de Riscos do TCU, Available online: https:\/\/portal.tcu.gov.br\/planejamento-governanca-e-gestao\/gestao-de-riscos\/manual-de-gestao-de-riscos\/."},{"key":"ref_12","doi-asserted-by":"crossref","first-page":"37","DOI":"10.1080\/09540962.2017.1407128","article-title":"Public sector reform implications for performance measurement and risk management practice: Insights from Australia","volume":"39","author":"Rana","year":"2019","journal-title":"Public Money Manag."},{"key":"ref_13","unstructured":"(2021, July 20). Instru\u00e7\u00e3o Normativa Conjunta Minist\u00e9rio da Economia, Controladoria-Geral da Uni\u00e3o n. 01, de 2016, Available online: https:\/\/repositorio.cgu.gov.br\/handle\/1\/33947."},{"key":"ref_14","doi-asserted-by":"crossref","first-page":"783","DOI":"10.1080\/00207543.2019.1600762","article-title":"Risk management in the automotive supply chain: An exploratory study in Brazil","volume":"58","author":"Vanalle","year":"2020","journal-title":"Int. J. Prod. Res."},{"key":"ref_15","first-page":"11","article-title":"Business Risk Management in Government: Pitfalls and Possibilities","volume":"1","author":"Hood","year":"2000","journal-title":"SSRN Electron. J."},{"key":"ref_16","unstructured":"Biljanovic, P., Butkovic, Z., Skala, K., Mikac, B., Cicin-Sain, M., Sruk, V., Ribaric, S., Gros, S., Vrdoljak, B., and Mauher, M. (2015, January 25\u201329). Security Risk Management in complex organization. Proceedings of the 38th International Convention on Information and Communication Technology, Electronics and Microelectronics, MIPRO 2015, Opatija, Croatia."},{"key":"ref_17","doi-asserted-by":"crossref","first-page":"2089763:1","DOI":"10.1155\/2019\/2089763","article-title":"Emerging Risk Management in Industry 4.0: An Approach to Improve Organizational and Human Performance in the Complex Systems","volume":"2019","author":"Brocal","year":"2019","journal-title":"Complexity"},{"key":"ref_18","unstructured":"El-Kiki, T., Lawrence, E., and Steele, R. (2005, January 13). A management framework for mobile government services. Proceedings of the CollECTeR, Sydney, Australia."},{"key":"ref_19","unstructured":"El-Kiki, T., and Lawrence, E. (2021, August 20). Mobile User Satisfaction & Usage Analysis Model of MGovernment Services. Verified OK. Consortium International. Available online: http:\/\/hdl.handle.net\/10453\/6900."},{"key":"ref_20","doi-asserted-by":"crossref","unstructured":"Kiki, T.E., and Lawrence, E. (2006, January 10\u201312). Government as a mobile enterprise: Real-time, ubiquitous government. Proceedings of the Third International Conference on Information Technology: New Generations (ITNG\u201906), Las Vegas, NV, USA.","DOI":"10.1109\/ITNG.2006.68"},{"key":"ref_21","first-page":"168","article-title":"Avalia\u00e7 ao de Riscos do Processo de Planejamento da Contrata\u00e7 ao de TI: Uma proposta para \u00d3rg aos Governamentais Brasileiros","volume":"9","author":"Silva","year":"2016","journal-title":"Rev. Bras. Sist. Inf. Rio Jan."},{"key":"ref_22","doi-asserted-by":"crossref","first-page":"451","DOI":"10.1080\/03003930.2017.1294071","article-title":"Adoption of comprehensive risk management in local government","volume":"43","author":"Oulasvirta","year":"2017","journal-title":"Local Gov. Stud."},{"key":"ref_23","first-page":"91","article-title":"Risk Management in Private Sector","volume":"22","author":"Nadikattu","year":"2019","journal-title":"SSRN Electron. J."},{"key":"ref_24","doi-asserted-by":"crossref","first-page":"163964","DOI":"10.11606\/issn.1982-6486.rco.2020.163964","article-title":"Gest ao de riscos no setor p\u00fablico brasileiro: Uma nova l\u00f3gica de accountability?","volume":"14","author":"Junior","year":"2020","journal-title":"Rev. Contab. Organ."},{"key":"ref_25","doi-asserted-by":"crossref","first-page":"770","DOI":"10.1108\/BPMJ-03-2019-0102","article-title":"Enterprise risk management and bow ties: Going beyond patient safety","volume":"26","author":"Elamir","year":"2019","journal-title":"Bus. Process. Manag. J."},{"key":"ref_26","unstructured":"Audy, J.L.N. (2007). Desenvolvimento Distribu\u00eddo de Software, Elsevier."},{"key":"ref_27","first-page":"114","article-title":"Um Modelo de Gerenciamento de Riscos para Projetos de Software com Equipes Distribu\u00eddas","volume":"13","author":"Filippetto","year":"2020","journal-title":"iSys-Braz. J. Inf. Syst."},{"key":"ref_28","doi-asserted-by":"crossref","first-page":"345","DOI":"10.1108\/JEIM-07-2018-0159","article-title":"The role of knowledge and organizational support in explaining managers\u2019 active risk management behavior","volume":"32","author":"Kim","year":"2019","journal-title":"J. Enterp. Inf. Manag."},{"key":"ref_29","unstructured":"(2013). Information Technology\u2014Security Techniques\u2014Information Security Management Systems\u2014Requirements (Standard No. ISO\/IEC 27001:2013). Available online: https:\/\/www.iso.org\/standard\/54534.html."},{"key":"ref_30","first-page":"4","article-title":"Implanta\u00e7 ao da Gest ao de Riscos no Governo do Distrito Federal\u2013GDF: Uma Iniciativa de Inova\u00e7 ao da Gest ao P\u00fablica","volume":"10","year":"2019","journal-title":"Rev. Processus Estud. Gest Jur\u00eddicos Financ."},{"key":"ref_31","first-page":"55","article-title":"Opera\u00e7 oes Banc\u00e1rias: Riscos e incertezas Operacionais","volume":"5","author":"Gallis","year":"2018","journal-title":"Rev. Eletr\u00f4nica Dep. Ci\u00eancias Cont\u00e1beis Dep. Atu\u00e1ria M\u00e9todos Quant. (REDECA)"},{"key":"ref_32","unstructured":"de Villiers, C., and Smuts, H. (2019, January 17\u201318). Maximizing the Organization\u2019s Technology Leverage through Effective Conflict Risk Management within Agile Teams. Proceedings of the South African Institute of Computer Scientists and Information Technologists, SAICSIT 2019, Skukuza, South Africa."},{"key":"ref_33","first-page":"179","article-title":"Gest ao de riscos no setor p\u00fablico","volume":"12","year":"2014","journal-title":"Rev.-Controle-Doutrina Artig."},{"key":"ref_34","first-page":"80","article-title":"Uma base para o desenvolvimento de estrat\u00e9gias de aprendizagem para a gest ao de riscos no servi\u00e7o p\u00fablico","volume":"23","author":"Hill","year":"2003","journal-title":"Cad. ENAP"},{"key":"ref_35","doi-asserted-by":"crossref","unstructured":"Okonofua, H., and Rahman, S. (2018, January 1\u20133). Evaluating the Risk Management Plan and Addressing Factors for Successes in Government Agencies. Proceedings of the 17th IEEE International Conference on Trust, Security and Privacy in Computing and Communications\/12th IEEE International Conference on Big Data Science and Engineering, TrustCom\/BigDataSE 2018, New York, NY, USA.","DOI":"10.1109\/TrustCom\/BigDataSE.2018.00230"},{"key":"ref_36","first-page":"464","article-title":"An Empirical Examination of the Effects of IT Leadership on Information Security Risk Management in USA Organizations","volume":"Volume 58","author":"Lee","year":"2019","journal-title":"Proceedings of the 34th International Conference on Computers and Their Applications, CATA 2019, EPiC Series in Computing"},{"key":"ref_37","doi-asserted-by":"crossref","first-page":"261","DOI":"10.1016\/S1048-9843(03)00030-4","article-title":"Context and leadership: An examination of the nine-factor full-range leadership theory using the Multifactor Leadership Questionnaire","volume":"14","author":"Antonakis","year":"2003","journal-title":"Leadersh. Q."},{"key":"ref_38","unstructured":"Presid\u00eancia da Rep\u00fablica (2021, August 01). Decreto N\u00ba 9.203, de 22 de Novembro de 2017, Available online: http:\/\/www.planalto.gov.br\/ccivil_03\/_ato2015-2018\/2017\/decreto\/d9203.htm."},{"key":"ref_39","unstructured":"Presid\u00eancia da Rep\u00fablica (2021, May 01). PORTARIA N\u00ba 283, DE 11 DE MAIO DE 2018, Available online: https:\/\/www.in.gov.br\/web\/guest\/materia\/-\/asset_publisher\/Kujrw0TZC2Mb\/content\/id\/14551033\/do1-2018-05-16-portaria-n-283-de-11-de-maio-de-2018-14551029."},{"key":"ref_40","unstructured":"(2019). Risk Management\u2014Risk Assessment Techniques (Standard No. ISO\/IEC 31010:2019). Number ISO\/IEC 31010:2019 in ISO\/TC 262 Risk Management."},{"key":"ref_41","unstructured":"Conselho Administrativo de Defesa Econ\u00f4mica (2022, March 01). Plano Diretor de Tecnologia da Informa\u00e7\u00e3o e Comunica\u00e7\u00e3o (2021\u20132024), Available online: https:\/\/cdn.cade.gov.br\/Portal\/centrais-de-conteudo\/publicacoes\/tecnologia-da-informacao\/Plano%20Diretor%20de%20TIC%20do%20CADE%202021-2024%20-%20v1.pdf."},{"key":"ref_42","doi-asserted-by":"crossref","unstructured":"Canedo, E.D., do Vale, A.P.M., Patr ao, R.L., de Souza, L.C., Gravina, R.M., dos Reis, V.E., de Mendon\u00e7a, F.L.L., and de Sousa, R.T. (2020). Information and Communication Technology (ICT) Governance Processes: A Case Study. Information, 11.","DOI":"10.3390\/info11100462"},{"key":"ref_43","unstructured":"(2018). Information Technology\u2014Governance of IT for the Organization (Standard No. ISO\/IEC 38500:2018). Available online: https:\/\/www.iso.org\/standard\/62816.html."},{"key":"ref_44","unstructured":"Presid\u00eancia da Rep\u00fablica (2021, May 01). Instru\u00e7\u00e3o Normativa n. 01, 05 de Abril de 2019, Available online: https:\/\/repositorio.cgu.gov.br\/handle\/1\/63755."},{"key":"ref_45","unstructured":"(2018). Information Technology\u2014Security Techniques\u2014Information Security Risk Management (Standard No. ISO\/IEC 27005:2018). Available online: https:\/\/www.iso.org\/standard\/75281.html."}],"container-title":["Information"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/www.mdpi.com\/2078-2489\/13\/5\/231\/pdf","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,10,10]],"date-time":"2025-10-10T23:05:16Z","timestamp":1760137516000},"score":1,"resource":{"primary":{"URL":"https:\/\/www.mdpi.com\/2078-2489\/13\/5\/231"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2022,4,30]]},"references-count":45,"journal-issue":{"issue":"5","published-online":{"date-parts":[[2022,5]]}},"alternative-id":["info13050231"],"URL":"https:\/\/doi.org\/10.3390\/info13050231","relation":{},"ISSN":["2078-2489"],"issn-type":[{"value":"2078-2489","type":"electronic"}],"subject":[],"published":{"date-parts":[[2022,4,30]]}}}