Post on 06-Mar-2016
Tutorial 1
Question 1
The PDCA (Plan-Do-Check-Act) cycle is an important framework in information security because it gives a structured way of reducing risk: a security programme is planned, put into operation, checked against its objectives, and then adjusted on the basis of the results before the next pass. Risk management is the practice of planning, organising, controlling and monitoring the risks an organisation faces so that they can be reduced through effective strategies (Daud, W. N. 2010). Two shortcomings of the PDCA cycle are that it simplifies the whole improvement process into four discrete steps, and that some of its results rest on assumptions rather than on measurement.
Question 2
These are some of the risks associated with my daily travel from home to my workplace:
- There might be a strike, which would force me to stay at home.
- Transport might be unavailable.
- My bike may not start, and I would have to wait for public transport.
- Increased traffic could lead to a serious accident.
Tutorial 2
Exercise 1
Question 1
Security concepts are an important factor in risk management. The concepts of owner, vulnerability and asset can each be applied to it in an authenticated manner (Fabozzi, F. J., 2003): the owner corresponds to the shareholder, a vulnerability to the fluctuation in results, and an asset to the resources a company uses in its business operations.
Question 2
Asset classification in risk management is a framework for reducing overall risk and obtaining the maximum return. Return is obtained and improved by spreading holdings across as many asset classes as possible, each of which carries its own level of risk and return.
Exercise 2
Different threats are associated with the daily life of any couple; each of them can be reduced and managed through the efficient and effective use of resources.
Standards are benchmark points, with their own associated policies, that organisations with similar functions can adopt and be compared against. Organisations use standards to make their systems uniform and effective and to compare themselves with rival firms. Risk management provides a framework for reducing losses and maximising profit, and standards are an efficient and effective means of modernising the accounting and strategic systems.
Tutorial 3
Several key factors together form a model for measuring and managing risk from different aspects; they are the important elements of a risk model for an IS/IT environment. A threat source is an element that can act against the organisation and that varies over time (Cagno, E., Caron, F., Mancini, M. 2007); it is usually the reason that the actual results of a business, organisation or project deviate from the expected and estimated ones.
A threat event is an occurrence the organisation experiences in its business operations, for which it should have a management plan to control the risk. If the impact of the threat can be reduced and managed, the risk is under control.
Various conditions can cause the value of an IT environment to fluctuate. An IT environment can be stable or unstable because updates are continually occurring in the industry. The scope of risk management gives the organisation an implementation and organisation plan with which to change and moderate its level of risk.
Tutorial 4
This table can be used to record the strength of each type of control, with each cell rated on a scale of 0-5:

                 Deterrent  Preventive  Detective  Corrective  Recovery  Compensating
Administrative       5          4           2          1          0           3
Technical            4          4           3          5          3           2
Physical             3          2           4          4          1           5
Different duties and responsibilities would have to be performed by different authorities in this scenario.
As IT manager, I can add filters to employees' outgoing mail so that they can only send messages to the relevant persons. The subject line can also be used as a filter on sending and receiving. A message could also carry a hidden notice that is not shown to the recipient, so that a message received in error can be recognised.
As CIO, I would have to upgrade the overall structure and put in place measures that ensure the quality and quantity of every message. Meetings would be held with all employees to tell them not to open e-mail from unknown addresses, which also reduces the risk of viruses.
As CEO, I would monitor and control the activities of all employees so that work is performed to a high standard and in an authenticated manner. Training events within the organisation give employees the skills they need to perform their jobs and duties (Wirthin, R. 2006). Employees would also be warned of the consequences that may follow from any miscommunication on their part, and penalties can further reduce the threat of miscommunication.
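The outbound-mail filters described above for the IT manager, as an added example that is not part of the original tutorial: a small Python policy check that parses a message, works out which recipients fall outside the sender's allowed domains, and blocks external mail unless the sender has deliberately tagged the subject line. The home domain, department-to-partner mapping, `[EXT-OK]` subject tag and sample messages are all constructed assumptions for illustration, not a real deployment.

```python
"""Outbound e-mail policy check (added example, constructed data).

Models the filters an IT manager could put in front of outgoing mail so that
staff can only send to the intended recipients, with the Subject line acting
as a second filter.  Domains, departments, the [EXT-OK] tag and the sample
messages below are assumptions for illustration, not a real deployment.
"""
import re
from email import message_from_string
from email.utils import getaddresses

INTERNAL_DOMAIN = "example.com"  # assumed home domain

# Assumed partner domains each department may mail without further checks.
DEPARTMENT_PARTNERS = {
    "finance": {"bank.example"},
    "hr": {"payroll.example"},
}

# Assumed directory lookup: sender address -> department.
SENDER_DEPARTMENT = {
    "alice@example.com": "finance",
    "bob@example.com": "hr",
}

# A subject tag the sender adds deliberately to confirm an external send.
EXT_TAG = re.compile(r"\[EXT-OK\]", re.IGNORECASE)


def recipient_addresses(msg):
    """Every To/Cc/Bcc address in the message, lower-cased."""
    headers = msg.get_all("To", []) + msg.get_all("Cc", []) + msg.get_all("Bcc", [])
    return [addr.lower() for _, addr in getaddresses(headers) if addr]


def external_recipients(sender, recipients):
    """Recipients whose domain is neither internal nor a partner of the sender's department."""
    dept = SENDER_DEPARTMENT.get(sender)
    allowed = {INTERNAL_DOMAIN} | DEPARTMENT_PARTNERS.get(dept, set())
    return [r for r in recipients if r.rsplit("@", 1)[-1] not in allowed]


def check_outbound(raw_message):
    """Return (verdict, external_recipients).

    block - sender unknown, or external recipients with no [EXT-OK] subject tag
            (this is where a mistyped domain such as exanple.com is caught)
    allow - only internal/partner recipients, or external ones the sender tagged
    """
    msg = message_from_string(raw_message)
    sender = [a.lower() for _, a in getaddresses([msg.get("From", "")]) if a]
    if not sender or sender[0] not in SENDER_DEPARTMENT:
        return "block", []
    external = external_recipients(sender[0], recipient_addresses(msg))
    if external and not EXT_TAG.search(msg.get("Subject", "")):
        return "block", external
    return "allow", external


# Constructed sample messages.
MAIL_INTERNAL = "From: alice@example.com\nTo: bob@example.com\nSubject: Budget\n\nbody\n"
MAIL_TYPO = "From: alice@example.com\nTo: bob@exanple.com\nSubject: Budget\n\nbody\n"
MAIL_PARTNER = "From: alice@example.com\nTo: ops@bank.example\nCc: bob@example.com\nSubject: Q1\n\nbody\n"
MAIL_EXT_TAGGED = "From: alice@example.com\nTo: auditor@auditfirm.example\nSubject: [EXT-OK] Q1 statements\n\nbody\n"
MAIL_EXT_UNTAGGED = "From: bob@example.com\nTo: auditor@auditfirm.example\nSubject: Q1 statements\n\nbody\n"
MAIL_UNKNOWN = "From: mallory@example.com\nTo: bob@example.com\nSubject: hi\n\nbody\n"

if __name__ == "__main__":
    samples = [("internal", MAIL_INTERNAL), ("typo", MAIL_TYPO), ("partner", MAIL_PARTNER),
               ("ext tagged", MAIL_EXT_TAGGED), ("ext untagged", MAIL_EXT_UNTAGGED),
               ("unknown sender", MAIL_UNKNOWN)]
    for name, raw in samples:
        print(f"{name:15} -> {check_outbound(raw)}")
```

The check is deliberately conservative: an unknown sender is blocked outright, and a recipient at a domain one letter away from the real one is treated exactly like any other external address, which is the misdirection case such a filter is meant to catch. In practice the department lookup would come from the directory service and the verdict would be logged for the mail gateway rather than returned to the caller.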
Tutorial 5
Exercise 1
Risk Assessment
Risk assessment is the framework that identifies the level of risk present in a project. It covers three stages of risk management: risk identification, risk analysis and risk prioritisation.
Risk mitigation
Risk mitigation is the combination of tactics used to reduce the level of risk associated with a project or task. It covers three activities: risk reduction, emergency (contingency) planning and implementation.
Exercise 2
Due care is the security practice of establishing controls that protect information, including the security practices or laws that protect the privacy of clients and employees. Due diligence is the investigation of clients and employees so that all the information needed to inspect the elements of risk is available (Hess, S. M., Gaertner, J. P. 2006). Clients can introduce threats if information about them has not been obtained in accordance with the specific laws; the banking industry, for example, is required to obtain information from customers before opening their accounts.
Tutorial 6
Exercise 1
Risk mitigation is the process of eliminating or reducing the risk associated with an organisation's business operations. Five key principles of risk mitigation are:
- Risk identification: the first and crucial step, in which the risks associated with a project are identified (LLP, P. 2004).
- Cost and benefit analysis: performed to weigh the benefits of a course of action against its costs.
- Excess of benefits: the costs of a project must be less than its benefits.
- Unnecessary risk: risk that brings no corresponding benefit should not be accepted.
- Management level: the management of Vita crux will identify, evaluate and assess the level of risk, so as to understand the associated risks and returns, and make the final decision to accept or reject the project.
Exercise 2
Enterprise risk management helps an organisation ensure that the performance of its entities is reported effectively and in accordance with the rules and regulations. The four objectives of enterprise risk management are strategic efficiency, operational effectiveness, reporting according to the standards and compliance with the law (Belinda. 2011).
Effectiveness and the Merits of a Qualitative Assessment
A qualitative assessment prioritises the risks associated with a project by rating them on a defined scale (for example low, medium and high) rather than in money. Every aspect of a project can be evaluated this way, including the level of risk to an asset, and it does not require the asset's financial value to be known. The scoring methods are simple and easy to understand (Elena, R. S. 2011). A quantitative assessment, by contrast, produces numerical values such as expected loss, whereas a qualitative assessment views the risk from different angles without any numerical evaluation.
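The risk-model elements of Tutorial 3 (threat source, threat event) and the qualitative/quantitative distinction above, as one added worked example that is not part of the original tutorial. The qualitative view scores likelihood and impact on a 1-5 scale and maps the product to a band; the quantitative view computes single loss expectancy (SLE = asset value x exposure factor) and annualised loss expectancy (ALE = SLE x ARO), so that a control's yearly cost can be compared with the loss it prevents. The register entries, scales, band thresholds, asset values and control costs are constructed assumptions.

```python
"""Qualitative and quantitative scoring of one risk register (added example).

Each entry names its threat source and threat event, as in the risk-model
elements of Tutorial 3.  Scales, thresholds, asset values and control costs
are constructed assumptions, not figures from the tutorial.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    threat_source: str      # who or what can act: attacker, insider, environment
    threat_event: str       # what they do: encrypt files, steal a laptop, ...
    likelihood: int         # qualitative: 1 (rare) .. 5 (almost certain)
    impact: int             # qualitative: 1 (negligible) .. 5 (severe)
    asset_value: float      # quantitative: value of the affected asset
    exposure_factor: float  # fraction of asset value lost per occurrence
    aro: float              # annual rate of occurrence


def qualitative_score(r):
    """Likelihood x impact on the ordinal scale (1..25)."""
    return r.likelihood * r.impact


def qualitative_band(r):
    """Map the score to a band; the thresholds are an assumed policy choice."""
    score = qualitative_score(r)
    if score >= 15:
        return "high"
    if score >= 8:
        return "medium"
    return "low"


def sle(r):
    """Single loss expectancy: asset value x exposure factor."""
    return round(r.asset_value * r.exposure_factor, 2)


def ale(r):
    """Annualised loss expectancy: SLE x ARO."""
    return round(sle(r) * r.aro, 2)


def prioritize(register, quantitative=False):
    """Names ordered by ALE (quantitative) or by qualitative score, highest first."""
    key = ale if quantitative else qualitative_score
    return [r.name for r in sorted(register, key=key, reverse=True)]


def control_pays_off(r, annual_control_cost, residual_aro):
    """Cost-benefit rule: accept a control when the ALE it removes exceeds its cost.

    residual_aro is the assumed rate of occurrence after the control is in place.
    """
    saved = ale(r) - round(sle(r) * residual_aro, 2)
    return saved > annual_control_cost, saved


# Constructed register: (name, threat source, threat event, L, I, value, EF, ARO).
REGISTER = [
    Risk("ransomware on file server", "external attacker", "encrypts shared data", 4, 5, 500_000, 0.6, 0.2),
    Risk("phishing credential theft", "external attacker", "harvests staff passwords", 5, 2, 20_000, 0.5, 8.0),
    Risk("power outage", "environment", "site loses power", 2, 4, 100_000, 0.1, 0.5),
    Risk("laptop theft", "opportunistic thief", "steals unencrypted laptop", 3, 2, 2_000, 1.0, 2.0),
]

if __name__ == "__main__":
    for r in REGISTER:
        print(f"{r.name:28} {qualitative_band(r):6} score={qualitative_score(r):2} ALE={ale(r):>10,.2f}")
    print("qualitative order: ", prioritize(REGISTER))
    print("quantitative order:", prioritize(REGISTER, quantitative=True))
    print("offline backups for ransomware (cost 25,000/yr, residual ARO 0.05):",
          control_pays_off(REGISTER[0], 25_000, 0.05))
```

Running the two views over the same register shows why the tutorial keeps them separate: the qualitative scale ranks ransomware first, but the frequent, low-impact phishing entry has the larger annualised loss, so the quantitative view puts it ahead. The cost-benefit check is the quantitative form of the "excess of benefits" principle from Exercise 1.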
Tutorial 7
Exercise 1
Governance and management in an IT environment can be thought of as leader and follower respectively. The governing body has its own independent duties, which involve the strategic business operations: it makes the decisions for the organisation and sets its future direction. Management can make suggestions to the governing body on matters such as the information security system; the suggestions may be analysed and used, or rejected. Managers must carry out whatever the governing body has directed in the IT environment.
Exercise 2
Organisational information security can be used in a number of ways. Filters can be used to organise the budgeting plan, and the marketing department can identify its target market. A change in the organisation's culture can be driven through different panels and may be accepted as a permanent change. A security firewall can identify and eliminate threats, and security certificates give customers confidence that a transaction with the organisation is authenticated (Jüttner, 2003). Customers can then operate in an automated environment and will adopt these tools in their daily activities. The organisation may also face challenges with any structural change: implementing a new structure raises costs, the certificate-issuing company imposes its own requirements, and meeting them increases the overall cost of all business operations.
Tutorial 8
1. How is strategic risk different from other types of risk?
Strategic risk differs from other types of risk because the others have quantitative aspects, whereas strategic risk is based on qualitative aspects that raise the overall total cost. Strategic risk is associated with every business operation and applies across all the business operations of an organisation.
2. Why the increased urgency, if strategic risk has always been a part of business?
Strategic risk must be eliminated or reduced at the risk identification stage because it takes a different form in each case. Whenever the organisation faces a strategic risk it must eliminate it in a way that uses resources efficiently, so that the maximum resources can be applied to removing the risk and the bottleneck it creates in business operations.
3. How are companies responding to this new focus on strategic risk?
As discussed above, strategic risk is mostly faced at the initial stage, so companies eliminate this type of risk through effective decision-making plans.
4. What was wrong with the old way of managing risk?
The old way was based on customised tools which cannot be implemented in every organisation.
5. Which strategic risks are the most critical today?
Strategic risks vary from company to company, but the information security system and trade secrets are recognised as the most critical strategic risks.
Tutorial 9
Question 1
A contingency plan is important to an organisation because it sets out everything that can be authenticated or implemented in the organisation when a disruption occurs (Gordon, L. A., 2009). The contingency plan is crucial and must provide an effective programme for reducing the disruption and recovering from it.
Question 2
A number of sub-plans are governed under a contingency plan (typically an incident response plan, a disaster recovery plan and a business continuity plan), and these plans must be monitored under the contingency plan. The contingency plan is an effective and efficient way to modernise the overall structure within the organisation, and the sub-plans are the optimal way to monitor its different aspects. The sub-plans are also an important framework for identifying and evaluating risk, so that the various threats an organisation faces can be reduced and managed.
Question 3
Every organisation carries out a range of business operations, and they should be performed in a way that reduces the overall risk. An organisation should prefer to invest in a warm site: it does not require the heavy investment of a hot site, and a heavy investment can itself turn into a loss, while it still recovers faster than a cold site.
Tutorial 10
Question 1
A well-developed response capability monitors the situation and puts the implementation plan into effect. Consistent and constant communication provides an effective plan for reducing the risk in a short time.
Question 2
An example of an incident is a person who has skipped some information and did not complete the due diligence process (Das, T. K. 1998). An example of a disaster is the crash of an organisation's database.
Question 3
The stakeholders to include in the communication plan are the developer, the IT manager, the CIO, the CEO and the customers. The communication map can be shown as follows:
Tutorial 11
Question 1
Risk is the chance of a threat or other negative loss that may affect the overall business operations of an organisation and may be associated with any of its projects.
Question 2
[Communication map for Tutorial 10, Question 3; nodes: Developer, IT Manager, CIO, CEO, Information Secretary, Customers]
Risk is the probability of a threat or other negative impact on an organisation, community or company. The various projects and operations an organisation performs each carry a level of risk that may increase or decrease over time (Hyung, N., and C. G. de Vries, 2002). It is also important to note that an increase in risk also increases the level of return, because there is a direct relationship between risk and return across the projects an organisation operates over a significant period.
A company's risk management plan mostly has a simple two-step purpose: first, determining what risks are associated with any uncertainty, and second, taking the most suitable action to achieve the organisational objectives efficiently and effectively. Both steps occur in every decision process of the organisation whenever uncertainty arises. The risk management plan is used by every department: the finance department to identify financial risk, the strategy department to design strategies, the credit department to issue credit lines, and all other departments for the overall organisational objectives.
Risk management serves several purposes for the company, all of which management expects to achieve by applying risk analysis techniques effectively. Its most important purpose is to identify the possible risks that could reduce the efficiency of the company's business operations. Corporate governance then reduces or allocates the identified risk so as to provide the most responsive business environment for the organisation, and management takes decisions on a rational basis after identifying and analysing the uncertain events.
A risk management plan shows the different levels of threats and opportunities that may arise in the future, and the company's strategic and financial objectives are integrated with it. The corporate governance and senior management of every company have accepted the importance of a risk management framework, recognising that a risk management plan provides a complete framework of actions which, performed efficiently and effectively, can grow market share and gain competitive advantage for the company.
Strategic planning is a result of risk management, and every company performs its actions according to the analysis provided by its financial and risk managers. Whenever the research department identifies a risk, all the information about it is passed to the organisation's analysts (Bark, Hee-Kyung K. 1991), who analyse every aspect of the risk. Risk is analysed not only on the basis of current information but also on the basis of future expectations, forecasts and projections, which are based on strategic techniques or on the past history of these risks.
Monitoring the risk management framework is crucial for the company's risk, finance and strategy departments, and coordination between them provides the opportunity to analyse the framework's performance. Monitoring helps the strategy unit follow the given guidelines and act in a way that achieves the organisational objectives, and it provides an organised framework for identifying further gaps and capturing further opportunities. Risk management is performed with the involvement of all the relevant departments and stakeholders of the organisation.
Performance measurement is the process of quantifying the effectiveness and efficiency of actions by comparing actual results against expectations; it assesses progress towards the predetermined financial and strategic objectives set by the company. Several factors are involved in measuring the performance of a risk management framework: results are compared on the basis of the efficiency of the resources used, the quality of the outcomes, and the effectiveness of the business operations performed in the direction indicated by the risk management plan. Company management undertakes performance measurement to assess progress towards both financial and strategic objectives.
The risk management and risk evaluation instruments used by company management are expected to be used and monitored in an authenticated way. To obtain the most effective risk management plan, management needs to learn efficient quantitative and qualitative techniques. Monitoring of the plan is most effective when there is a governing body to investigate risk uncertainties and risk opportunities. It is crucial for the company to identify the threats and opportunities, evaluate the validity of these risks, analyse all the possible outcomes, and design strategies based on the results of that analysis. It can be concluded that effective and efficient adoption of a risk management plan can deliver the best outcomes for the company in the form of market growth, market expansion and competitive advantage.
References
Daud, W. N. (2010). The Effect of Chief Risk Officer (CRO) on Enterprise Risk Management (ERM) Practices: Evidence from Malaysia. International Business & Economics Research Journal (IBER), 9(11).
Fabozzi, F. J. (2003). Financial Management and Analysis (Vol. 100). John Wiley & Sons Inc.
Gordon, L. A. (2009). Enterprise risk management and firm performance: A contingency perspective. Journal of Accounting and Public Policy, 28(4), 301-327.
Jüttner, U. (2003). Supply chain risk management: Outlining an agenda for future research. International Journal of Logistics: Research & Applications, 6(4), 197-210.
Das, T. K. (1998). Resource and risk management in the strategic alliance making process. Journal of Management, 24(1), 21-42.
Hyung, N., & de Vries, C. G. (2002). Portfolio diversification effects and regular variation in financial data. Allgemeines Statistisches Archiv / Journal of the German Statistical Society, 86, 69-82.
Bark, Hee-Kyung K. (1991). Risk, return, and equilibrium in the emerging markets: Evidence from the Korean stock market. Journal of Economics and Business, 43(4), 353-362.
Belinda. (2011, March 23). Qualitative Risk Analysis vs Quantitative Risk Analysis (PMP Concept 2). Passionate Project Management. Retrieved from https://www.passionatepm.com/blog/qualitative-risk-analysis-vs-quantitative-risk-analysis-pmp-concept-1
Elena, R. S. (2011, December). Advantages and Disadvantages of Quantitative and. Bucharest, Romania. Retrieved from David Publishing.
LLP, P. (2004, September). Enterprise Risk Management: Integrated Framework. Canada.
Wirthin, R. (2006). Managing Risk and Uncertainty: Traditional Methods and the Lean Enterprise. MIT/LAI, presentation, April 18, 2006.
Hess, S. M., & Gaertner, J. P. (2006). Application of risk management as a cornerstone in ensuring nuclear plant safety. Proceedings of the 8th International Conference on Probabilistic Safety Assessment and Management, May 14-18, 2006, New Orleans, paper PSAM-0477.
Cagno, E., Caron, F., & Mancini, M. (2007). A multi-dimensional analysis of major risks in complex projects. Risk Management, 1-18.