Abc Assignment Help

Risk Management For the Global IT Solution business

Question 2 (350 marks) 

Overview: Question 2 allows you to demonstrate your understanding of risk management principles and their application to real-world situations. It also gives you the opportunity to demonstrate your written communication skills. There are two parts to this assessment:

1. Written report (300 marks) 

2. Written communication and presentation (50 marks)

The marking sheet for this assignment contains a more detailed breakdown of marks.

Scenario

Your task is to develop a risk management proposal for a specific organisation, nominated by you. This organisation can be one in which you are currently working or an organisation of interest to you. The organisation can produce products or provide a service. It can be a utility company, a government authority, a construction/civil firm, an IT provider, an educational institution, or any other engineering or technological company or organisation in which you have a specific interest or for which you work. As an employee of the organisation in a supervisory role (for example, project manager, process engineer, asset manager) you have been asked to provide a proposal for a risk management strategy for a new project, product, or service. The proposal is to be presented to the organisation's Board at its monthly meeting on 09 October 2018. It is to be no more than 4,000 words in length, including appendices.

Answer

Introduction 

The aim of this report is to set out a risk management proposal for the organisation Global IT Solutions. The following sections cover the organisational background, the business case, risk identification, risk analysis, risk evaluation, the overall risk management proposal, the list of risk management documents and a reflection on the business.

Organizational Background 

Global IT Solution is a large IT solution provider headquartered in Sydney, Australia. The organisation has business units at several other locations within Australia: there are 5 business units and more than 1000 employees working across them, most of them IT developers. The organisation provides IT services such as software development and consultancy to small, medium and large enterprises from other industries across the globe. It is reputable in its domain and offers quality services to its clients. Security and privacy are two important requirements for the business. It needs to hold sensitive data belonging to its customers in order to deliver IT services to them, so the organisation keeps that information safe (Gibson 2010).

The organisation has its own cloud computing infrastructure and allows employees to use their own devices (BYOD, Bring Your Own Device) in the offices. Some of its employees are remote workers. A VPN connects the business units and the remote employees. The private cloud is deployed over the VPN and gives access to sensitive and protected company information, client and project details and so on. At the top of the IT hierarchy is the CTO (Chief Technical Officer). Below the CTO there are two levels of IT managers. The senior IT managers are responsible for making strategic decisions, participating in administrative decision making, and communicating between the lower level of IT managers and the CTO. The CTO communicates with the CEO and the board of directors. The lower level of management is responsible for operational decision making and for communicating with the IT team leaders and the upper level of management. The team leaders communicate with the IT developers and IT staff; they convey messages and instructions from the upper levels to the staff at the lower levels. The IT staff and developers work under the IT team leaders. When a large project comes in, it is first allocated to a lower-level IT manager, who then appoints team leaders and distributes the tasks of the project among them. Each team leader then assembles a project team and is responsible for getting the tasks done by the IT staff and developers.


The hierarchy described above is the management structure of the organisation.

Turning to the technological infrastructure, the organisation supports cutting-edge technologies. It has its own data centre and also subscribes to data centres from cloud service vendors. All applications and services for the clients are deployed on the cloud computing infrastructure. There are dedicated PaaS platforms and servers for application development.

Information security is an important domain in the business, so a project team has been formed to carry out a risk analysis of the business from the perspective of information security. The outcomes of the investigation will be used in an information security audit in the following phases of the project.

Scope of the Project 

The scope of the project is limited to the IT department of the organisation. It will cover the business operations of the IT department headed by the CTO, and it is focused on the information security infrastructure of the business. The project will assess different aspects of the organisation and its technical infrastructure to gauge the extent of the information security solutions deployed in the business. It will help to establish where the business currently stands and which security loopholes need to be corrected (Kouns & Minoli 2011).

Other business operations not related to IT operations and the IT department are out of the scope of the project, so the report will not address the profitability of the business or other administrative aspects.

Objectives 

The primary objectives of the project are:

  • Conducting a detailed risk analysis process for the business, covering the IT operations and related operations that can give rise to information security issues.
  • Developing a detailed risk analysis report that will support an information security audit in future.
  • Delivering a long-term risk management proposal for the management. Based on this document, the policies and procedures may be updated to keep them aligned with the risk management processes.

Business Case

Feasibility Study 

The feasibility study covers the scope, effort, time and economic feasibility of the project. The schedule of the project is given below. 

| WBS | Task Name | Duration | Start | Finish | WBS Predecessors |
|---|---|---|---|---|---|
| 1 | Global IT Solution Risk Analysis Project | 143 days | Mon 08-10-18 | Wed 24-04-19 | |
| 1.1 | Project Initialization | 12 days | Mon 08-10-18 | Tue 23-10-18 | |
| 1.1.1 | Feasibility Study | 5 days | Mon 08-10-18 | Fri 12-10-18 | |
| 1.1.2 | Preparing the Initial Project Plan | 5 days | Mon 15-10-18 | Fri 19-10-18 | 1.1.1 |
| 1.1.3 | Signing off the project plan | 2 days | Mon 22-10-18 | Tue 23-10-18 | 1.1.2 |
| 1.2 | Requirement Analysis | 50 days | Wed 24-10-18 | Tue 01-01-19 | |
| 1.2.1 | Collecting Requirements Information | 20 days | Wed 24-10-18 | Tue 20-11-18 | 1.1.3 |
| 1.2.2 | Analysis of the Requirements | 20 days | Wed 21-11-18 | Tue 18-12-18 | 1.2.1 |
| 1.2.3 | Preparing the Requirement Specification Document | 10 days | Wed 19-12-18 | Tue 01-01-19 | 1.2.2 |
| 1.3 | Risk Identification | 25 days | Wed 02-01-19 | Tue 05-02-19 | |
| 1.3.1 | Identify the Risks | 20 days | Wed 02-01-19 | Tue 29-01-19 | 1.2.3 |
| 1.3.2 | Prepare Risk Register | 5 days | Wed 30-01-19 | Tue 05-02-19 | 1.3.1 |
| 1.4 | Risk Analysis | 20 days | Wed 06-02-19 | Tue 05-03-19 | 1.3.2 |
| 1.5 | Risk Evaluation | 20 days | Wed 06-03-19 | Tue 02-04-19 | 1.4 |
| 1.6 | Risk Management | 12 days | Wed 03-04-19 | Thu 18-04-19 | |
| 1.6.1 | Planning | 5 days | Wed 03-04-19 | Tue 09-04-19 | 1.5 |
| 1.6.2 | Implementation | 7 days | Wed 10-04-19 | Thu 18-04-19 | 1.6.1 |
| 1.7 | Project Closure | 4 days | Fri 19-04-19 | Wed 24-04-19 | |
| 1.7.1 | Submission of all Documents | 2 days | Fri 19-04-19 | Mon 22-04-19 | 1.6.2 |
| 1.7.2 | Release of Resources | 2 days | Tue 23-04-19 | Wed 24-04-19 | 1.6.2, 1.7.1 |


Organizational Feasibility 

The senior management is not directly involved in the project, but they have a high level of interest in and influence on the project. They will be in communication with the project manager and the risk analyst. The lower level of management is directly participating in the project. The success or failure of the project depends significantly on the risk analyst (Kouns & Minoli 2011).

The project will be carried out with the help of in-house staff, so they will all be committed to the project; it is also part of their job. The people who work on the information security risk analysis project will not be allocated to other projects of the organisation or its clients. The administration needs the project to be carried out with the utmost dedication and commitment.

The project also needs contributions from other stakeholders: employees of the organisation from different departments. The administration has instructed all employees to help the project whenever needed.

Hence, the project scores well on organisational feasibility, and it can be undertaken from the organisational point of view.

Economic Feasibility 

The cost of the project has been calculated as follows.

| WBS | Task Name | Duration | Resource Names | Cost |
|---|---|---|---|---|
| 1 | Global IT Solution Risk Analysis Project | 143 days | | $108,920.00 |
| 1.1 | Project Initialization | 12 days | | $4,800.00 |
| 1.1.1 | Feasibility Study | 5 days | Project Manager | $2,000.00 |
| 1.1.2 | Preparing the Initial Project Plan | 5 days | Project Manager | $2,000.00 |
| 1.1.3 | Signing off the project plan | 2 days | Project Manager | $800.00 |
| 1.2 | Requirement Analysis | 50 days | | $41,000.00 |
| 1.2.1 | Collecting Requirements Information | 20 days | Other Resources[1], Risk Analyst | $19,400.00 |
| 1.2.2 | Analysis of the Requirements | 20 days | Risk Analyst | $14,400.00 |
| 1.2.3 | Preparing the Requirement Specification Document | 10 days | Risk Analyst | $7,200.00 |
| 1.3 | Risk Identification | 25 days | | $24,000.00 |
| 1.3.1 | Identify the Risks | 20 days | Project team members, Risk Analyst | $19,200.00 |
| 1.3.2 | Prepare Risk Register | 5 days | Project team members, Risk Analyst | $4,800.00 |
| 1.4 | Risk Analysis | 20 days | Risk Analyst | $14,400.00 |
| 1.5 | Risk Evaluation | 20 days | Risk Analyst | $14,400.00 |
| 1.6 | Risk Management | 12 days | | $8,720.00 |
| 1.6.1 | Planning | 5 days | Project Manager | $2,000.00 |
| 1.6.2 | Implementation | 7 days | Project team members, Risk Analyst | $6,720.00 |
| 1.7 | Project Closure | 4 days | | $1,600.00 |
| 1.7.1 | Submission of all Documents | 2 days | Project Manager | $800.00 |
| 1.7.2 | Release of Resources | 2 days | Project Manager | $800.00 |


So, the total cost of the project has been calculated as $108,920.00. The project cost will be borne by the project sponsor, Global IT Solution, which is both the project sponsor and the project owner.

The final calculation of the project budget is:

| Item | Amount |
|---|---|
| Project Cost | $108,920.00 |
| Contingency (10%) | $10,892.00 |
| Total Cost | $119,812.00 |


The benefits from the project are:

| Benefit | Amount |
|---|---|
| Tangible Benefits | $500,000.00 |
| Intangible Benefits | $100,000.00 |
| Total Benefits | $600,000.00 |


Global IT Solution is ready to fund the project. Hence, the project is economically feasible.

Technical Feasibility 

It is the process of validating the assumptions made on the technological requirements, design, and architecture of the project (Loosemore et al. 2012). The details of the technical feasibility of the project are summarized in the following table. 

| Aspect | Assessment |
|---|---|
| Concept | First, there must be a proof of concept for the approach. That document is available: it is this risk management proposal, which includes all details of the approach to be taken for the project. |
| Infrastructure | The required information and communication technology infrastructure is already available within the company. As it is a large IT company, all IT resources are already in place. |
| Facilities | The organisation has committed to providing all help and information required for the project, and has arranged all facilities. It has also asked its employees to cooperate with the risk management project team whenever asked. |
| Data | All relevant data will be collected from the system logs, network logs, equipment and so on. |
| Compliance | The organisation already complies with many laws and regulations. The risk management project will check whether it complies with all required laws and regulations. |
| Platforms | The required platforms, such as operating systems, APIs etc., are already available. |
| Component | The components for testing and prototyping are already available. |
| Tools | Some of the tools are already available; other tools will be procured. |
| Integration | The process will be integrated with the current business processes. |
| Information security | There will be a detailed evaluation of the information security infrastructure, design, architecture, components and products. |

So, the project has passed the technical feasibility checklist. It is ready to be undertaken. 

Terms of Reference for the Proposal 

The risk management process will follow a structured approach. The steps are given and described below.

  • First, there will be a feasibility study, which will establish whether it is feasible to undertake the project. Once the feasibility study is completed successfully, the project initiation document will be created. The project initiation document must be signed off to kick-start the project (Jordan 2013).
  • Once the project is started, the project manager will be selected, and the project manager will form the project team to assist them.
  • Then the risk management architecture will be selected and the risk management planning will be done accordingly.
  • When the risk management architecture is selected, the risk identification, analysis and evaluation will be done.
  • Once the risk management project is finished, the detailed proposal for the risk management process will be prepared. The proposal will be submitted directly to the system owner and sponsor of the project.
  • Once the proposal is submitted, the company can work on updating its current policies, procedures and business operations to match the proposal. However, the implementation of the proposal is out of the scope of the report and the project.

Project Team 

The project will be carried out by an internal project team of ten employees. One lower-level IT manager has been appointed as the project manager. He has some background in information system security and has experience in carrying out such projects for customers. He is also part of the information security testing field that is responsible for checking the information security implementations for the clients (Loosemore et al. 2012).

The roles and responsibilities of the project team members are given below.

| Sl No. | Designation | Role in the Project | Responsibilities |
|---|---|---|---|
| 1 | Lower IT Manager | Risk Analyst | Analysis of the information security risks related to the project; communication with the project manager and the top-level management. |
| 2 | Team Leader | Project Manager | Performing project management activities; leadership and team management activities; planning for the project; communication with the other stakeholders of the project using a predefined communication plan. |
| 3 | IT Staff | Project team members | Following the instructions of the project manager. |

Risk Management Architecture 

The risk management architecture supports the risk management strategies and policies and makes them operational. An organisation like Global IT Solution needs a complete, holistic and situational awareness of risks across the processes, operations and transactions related to the business. As data is an important asset for such an organisation, risk management is seen as part of the big picture of the organisation's performance and strategies.

A modern business like Global IT Solution is dynamic, distributed and subject to disruption, which requires the organisation to take a strategic approach to its risk management architecture. The architecture defines how processes, technologies and information are structured to make the risk management process more efficient, agile and effective across the organisation and the related entities. There are three domains of risk management architecture:

  1. Risk management process architecture 
  2. Risk management information architecture 
  3. Risk management technology architecture 

The risk management processes can be considered a subset of the many other business processes. These processes are used to monitor and respond to the risk environment, which is ever changing. The risk management process architecture contains the structural design of these processes. A process consists of inputs, outputs and the data processing activities in between. The architecture also contains inventories describing the risk management processes, the interactions and components of each process, and how the various processes work together with other processes of the organisation (Kouns & Minoli 2011).

The five common and important processes of the risk management process architecture are, 

  • Risk identification process 

The risk identification process is a collection of processes that share the common aim of providing a standard, objective approach to identifying the risks related to a project or an organisation. Identifying internal risks requires an understanding of the environment and surroundings that are internal to the business. External risks, on the other hand, are identified by considering the domain in which the business operates, the business strategies, and an understanding of the objectives and the short- and long-term goals of the business.

Risk monitoring is an ongoing process. It is used for monitoring risks, business environments, regulatory changes and so on. One purpose of the risk identification process is to uncover opportunities and their impact on the business processes. There are various external factors that can affect a business and its external set-up; examples are economic, geopolitical, environmental and regulatory risks (Jordan 2013). Such internal and external risks may lead to the failure of an organisation. Other potential risks relate to pricing, industry standards, industry development, disruptions, natural disasters, the availability of commodities and so on.

The order of the domains of the risk management architecture is critical. The information required is determined by the underlying business operations and processes; those processes determine the types of information required and also how the information is gathered, used and reported (Loosemore et al. 2012). Together, the information and process architectures define the organisation's requirements for the technology architecture. Many organisations make the mistake of focusing on the technology architecture first and only then on the process and information architectures. This leads to selecting a technology for risk management rather than finding the technology that best matches the information and process architectures.


Risks Identification 

The risks identified for Global IT Solution are summarised in the following table. The positive risks are opportunities and the negative risks are threats.

| Risk ID | Risk Type | Risk Name | Description |
|---|---|---|---|
| 1 | Negative | Inadequate funds | The organisation may have inadequate funds to run the business. This may be caused by internal fraud, loss of shares and so on. |
| 2 | Negative | Quality assurance issues | There may be issues with the internal quality assurance process. As the organisation works with clients from different countries, there are chances that quality standards differ. |
| 3 | Negative | Compliance issues | Again, the organisation works with clients from overseas, so there may be different laws, regulations and compliance requirements related to IT, software development etc. Issues may arise from these differences. |
| 4 | Negative | Data protection issues | The organisation stores and processes data from many clients. It also has a high volume of data generated by its own business processes. There may be issues with the protection of that data. |
| 5 | Negative | Privacy issues | There may be privacy and security issues with the high volume of data being processed by the organisation. |
| 6 | Negative | Malware and virus attacks | There are chances of malware and virus attacks, as the organisation works with many clients and freelancers and supports BYOD. |
| 7 | Negative | Data breach incidents | Attackers target organisations like Global IT Solution because they hold high volumes of customer data, financial data etc. So there are risks of data breach incidents from external and internal sources. |
| 8 | Negative | Insider attacks | Any employee may cause a data breach incident, willingly or unwillingly. |
| 9 | Negative | Physical damage to equipment etc. | The company has its own data centre. An insider attack may cause physical damage to the data centre or other organisational resources. |
| 10 | Negative | Ransomware attacks | Ransomware such as WannaCry may encrypt files and then demand a ransom. |
| 11 | Negative | Organisational issues | There may be internal organisational politics and management issues that affect the objectives and growth of the business. |
| 12 | Negative | Resource related issues | The resources may become inadequate for the business operations of the organisation. These issues relate to hiring, HR and employee retention. |
| 13 | Negative | Regulations and changes in laws | There may be sudden changes to laws and regulations that affect the business and its operations. |
| 14 | Positive | Disruptive technologies | A disruptive new technology may appear in the market. In that case, the organisation can train its employees in the new technology and may gain first-mover advantages. |
| 15 | Negative | Natural calamities | There are risks of natural calamities such as flood, fire etc. |


Risk Analysis 

The details of the risk analysis have been summarised in the following table. 

| Risk ID | Risk Type | Risk Name | Chance of Occurrence | Impact |
|---|---|---|---|---|
| 1 | Negative | Inadequate funds | Low | High |
| 2 | Negative | Quality assurance issues | Low | High |
| 3 | Negative | Compliance issues | Low | High |
| 4 | Negative | Data protection issues | High | High |
| 5 | Negative | Privacy issues | High | High |
| 6 | Negative | Malware and virus attacks | High | High |
| 7 | Negative | Data breach incidents | High | High |
| 8 | Negative | Insider attacks | High | High |
| 9 | Negative | Physical damage to equipment etc. | High | High |
| 10 | Negative | Ransomware attacks | High | High |
| 11 | Negative | Organisational issues | Medium | High |
| 12 | Negative | Resource related issues | High | Medium |
| 13 | Negative | Regulations and changes in laws | Low | Medium |
| 14 | Positive | Disruptive technologies | Medium | High |
| 15 | Negative | Natural calamities | Low | High |


Risk Evaluation 

Risk evaluation and risk treatment details are summarised in the following table.

| Risk ID | Risk Type | Risk Name | Risk Treatment |
|---|---|---|---|
| 1 | Negative | Inadequate funds | Arrangement of funds, keeping a contingency fund and following a suitable accounting and funding plan. |
| 2 | Negative | Quality assurance issues | Preparing and following a suitable quality assurance plan, and adhering to it continuously. |
| 3 | Negative | Compliance issues | Periodically check whether the business complies with the rules and regulations related to the business. |
| 4 | Negative | Data protection issues | Implement a suitable information security plan to protect data. |
| 5 | Negative | Privacy issues | Implement a suitable information security plan to protect data and its privacy. |
| 6 | Negative | Malware and virus attacks | Implement a suitable anti-malware solution and an IDS (Intrusion Detection System). |
| 7 | Negative | Data breach incidents | There must be adequate protection with firewalls, anti-malware, encryption etc. |
| 8 | Negative | Insider attacks | There must be monitoring of the sensitive areas within the office, and employees must follow the required guidelines for BYOD and the other facilities provided to them. |
| 9 | Negative | Physical damage to equipment etc. | There must be physical protection, CCTV and biometric security systems restricting access to the data centres. |
| 10 | Negative | Ransomware attacks | There must be regular data backups for disaster recovery. |
| 11 | Negative | Organisational issues | The management must focus on resolving the issues that are hindering the growth of the business. |
| 12 | Negative | Resource related issues | Focus on employee retention by implementing a reward system, a competitive pay scale etc. |
| 13 | Negative | Regulations and changes in laws | Adhere to the required laws and regulations. |
| 14 | Positive | Disruptive technologies | Train the employees to take advantage of the technology. |
| 15 | Negative | Natural calamities | A disaster recovery and business continuity plan must be in place. |


Risk Management Proposal 

  • Risk assessment 

Once the risks are identified, it becomes easier to find out the reasons behind the occurrence of the risks and how the risks affect the business objectives. There are various techniques, such as risk analysis and heat-map based analysis, for identifying the possible outcomes of the risks and the impacts of those outcomes.
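The Low/Medium/High ratings in the Risk Analysis table above and the heat-map based analysis mentioned here can be combined into one scoring step. The following Python script is an added example, not part of the original report: it takes the 15 risks with the likelihood and impact ratings from the Risk Analysis table, scores them on an assumed 1 to 3 scale (Low = 1, Medium = 2, High = 3, score = likelihood × impact), places them on a 3×3 heat map and ranks them for treatment. The numeric scale and the score bands (1 to 2 Low, 3 to 4 Medium, 6 to 9 High) are assumptions made for this example. The one positive risk (the disruptive-technology opportunity) is scored the same way but labelled as an opportunity rather than a threat.

```python
"""Qualitative risk scoring and heat map for the Global IT Solution risk register.

Added example, not part of the original report. The Low/Medium/High ratings are
those of the report's Risk Analysis table; the numeric scale and score bands are
assumptions made here so the ratings can be combined and ranked.
"""
from collections import defaultdict

# Assumed ordinal scale for both likelihood and impact.
SCALE = {"Low": 1, "Medium": 2, "High": 3}

# (risk_id, risk_type, name, likelihood, impact), copied from the Risk Analysis table.
RISK_REGISTER = [
    (1, "Negative", "Inadequate funds", "Low", "High"),
    (2, "Negative", "Quality assurance issues", "Low", "High"),
    (3, "Negative", "Compliance issues", "Low", "High"),
    (4, "Negative", "Data protection issues", "High", "High"),
    (5, "Negative", "Privacy issues", "High", "High"),
    (6, "Negative", "Malware and virus attacks", "High", "High"),
    (7, "Negative", "Data breach incidents", "High", "High"),
    (8, "Negative", "Insider attacks", "High", "High"),
    (9, "Negative", "Physical damage to equipment etc.", "High", "High"),
    (10, "Negative", "Ransomware attacks", "High", "High"),
    (11, "Negative", "Organisational issues", "Medium", "High"),
    (12, "Negative", "Resource related issues", "High", "Medium"),
    (13, "Negative", "Regulations and changes in laws", "Low", "Medium"),
    (14, "Positive", "Disruptive technologies", "Medium", "High"),
    (15, "Negative", "Natural calamities", "Low", "High"),
]


def score(likelihood, impact):
    """Risk score = likelihood x impact on the 1..3 scale (possible values 1,2,3,4,6,9)."""
    return SCALE[likelihood] * SCALE[impact]


def rating(s):
    """Assumed score bands: 1-2 Low, 3-4 Medium, 6-9 High."""
    if s >= 6:
        return "High"
    if s >= 3:
        return "Medium"
    return "Low"


def scored_register(register=RISK_REGISTER):
    """Return each risk with its score and rating, highest score first (ties by risk id)."""
    rows = []
    for rid, rtype, name, lik, imp in register:
        s = score(lik, imp)
        rows.append({"id": rid, "type": rtype, "name": name,
                     "likelihood": lik, "impact": imp,
                     "score": s, "rating": rating(s)})
    rows.sort(key=lambda r: (-r["score"], r["id"]))
    return rows


def heat_map(register=RISK_REGISTER):
    """Map each (likelihood, impact) cell of the 3x3 heat map to the risk ids in it."""
    cells = defaultdict(list)
    for rid, _, _, lik, imp in register:
        cells[(lik, imp)].append(rid)
    return dict(cells)


def render_heat_map(register=RISK_REGISTER):
    """Text heat map: rows are likelihood (High at the top), columns are impact."""
    cells = heat_map(register)
    levels = ["Low", "Medium", "High"]
    lines = ["Likelihood \\ Impact | " + " | ".join(f"{i:<12}" for i in levels)]
    for lik in reversed(levels):
        ids = [",".join(str(x) for x in cells.get((lik, imp), [])) or "-" for imp in levels]
        lines.append(f"{lik:<19} | " + " | ".join(f"{c:<12}" for c in ids))
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_heat_map())
    print()
    for r in scored_register():
        kind = "opportunity" if r["type"] == "Positive" else "threat"
        print(f"{r['id']:>2} {r['name']:<34} {r['likelihood']:<6} x {r['impact']:<6} "
              f"= {r['score']} ({r['rating']} {kind})")
```

Running the script prints the heat map and the ranked register: the seven High/High risks (IDs 4 to 10, all of them information-security risks) sort to the top with a score of 9, the three Medium/High and High/Medium risks follow with 6, and the regulatory-change risk (ID 13) ranks last with 2. The ranked list is the order in which a treatment plan would work through the Risk Evaluation table.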

  • Risk treatment 

Once the risk assessment is completed, the range of risks, their possible outcomes and their possible causes are understood. The organisation must then decide how to handle the risks to minimise their effects. This also requires understanding and identifying the residual risks and how to minimise the harm from them. These risks are inherent (Wheeler 2011).

Various risk treatments are available, for example risk transfer, risk avoidance and risk mitigation. The goal of any risk treatment is to minimise the cost of the treatment and the impact of the risks, and it must help the business to raise its risk tolerance level.

  • Risk monitoring 

There is an array of processes for monitoring the performance of the risk treatment process and the overall progress of the risk management process. These are ongoing processes.

  • Risk communication and attention

These are also ongoing processes of management, communication and interaction with the risk owners during the risk management lifecycle. Periodically, risk conditions get triggered; the process is focused on understanding the triggers and acting accordingly.

List of Risk Management Documents 

  • Risk register 
  • Risk management proposal 
  • Risk management plan 

Reflection 

This report contains the details of an effective risk management process for the Global IT Solution business. It gives a holistic awareness of the business risks. The list of risks identified across the business has been structured in the form of a risk register. This is a live document and is updated from time to time; it assigns accountability for the risks within the business. The information technology architecture helps to monitor, communicate and manage the risks. The report will help to develop a risk culture and policy during the implementation of the risk management proposal. Once implemented, the proposal must be followed and revised from time to time to keep it up to date. The key risk indicators (KRIs) of the business are there to ensure the implementation of a suitable risk management policy in line with the organisation's risk appetite, tolerance and capacity. They will also help the business to make risk-intelligent decisions. When the risk management strategies are integrated with the business strategies, risk management becomes an integral part of the responsibilities of the business. The risk assessment planning has been carried out to support strategic decision making by the business. Risk ownership and accountability help in establishing the risk management plan. Each risk must be handled at the process level, and all risks must be communicated to the stakeholders. The archived records of the business show the success of risk management against the risk tolerance and appetite.
