The research method is qualitative: data were collected by interviewing informants about risk findings, and root causes were identified using fishbone analysis with the 6M categories (Man, Money, Machine, Material, Method, Measurement). The identified root causes were placed in a risk quadrant according to risk probability (high, medium, low) and risk impact (high, medium, low). Once the required data had been obtained, the risk management model was created by mapping the identified root causes to the COBIT 5 framework. The interviews on the risks experienced by small and medium enterprises yielded 19 risks, and the fishbone analysis (identification of the root causes) yielded 48 root causes, but this study took quadrants I-VI, with a total of 24 root causes. This research produces a risk management model in the form of COBIT 5 processes that are in line with the root causes occurring in small and medium-sized enterprises, namely EDM03 (Ensure Risk Optimization), APO12 (Manage Risks), BAI02 (Manage Requirements Definition), DSS05 (Manage Security Service), and MEA02 (Monitor, Evaluate and Assess the System of Internal Control).