The research examined different types of risk through interviews with experts. The risks studied include business interruption risk, process interdependency risk and system security risk. The decision making trial and evaluation laboratory is used to find the relationship among risks and combined with the analytic network process to select the optimal measures for reducing risks. The results indicate that information technology (IT) consultants prefer the Disaster Recovery Plan (DRP). They usually use the remote replication or High Availability (HA) to protect data. IT personnel believe that all of the IT risk controls are important. Auditors indicate that data access control is very important because users have to execute data access every day. Users of IT express a preference towards data input/output control as the most important control. The results achieved from all experts indicate that the most important controls overall are data input/output control, data access control and so on. Managers need to consider these risks to avoid any potential problems.