Risk Management For the Global IT Solution business
The aim of this report is to provide risk management details for the organisation Global IT Solutions. The following sections cover the organisational background, the business case, risk identification, risk evaluation, risk analysis, the overall risk management proposal, the list of risk management documents and a reflection on the business.
Global IT Solution is a large IT solution provider headquartered in Sydney, Australia. The organisation has business units at many other locations within Australia. There are 5 business units with more than 1000 employees, most of them IT developers. The organisation provides IT services, such as software development and consultancy, to small to large enterprises from other industries across the globe. It is reputable in its domain and offers quality services to its clients. Security and privacy are two important requirements for the business: it must hold sensitive customer data in order to deliver IT services, so the organisation keeps that information safe (Gibson 2010).
The organisation has its own cloud computing infrastructure and allows employees to bring their own devices (BYOD) to the office. Some of its employees are remote workers. A VPN connects the business units and the remote employees. The private cloud is deployed over the VPN and gives access to sensitive and protected company information, client and project details, and so on. The IT department is headed by the CTO (Chief Technical Officer). Below the CTO there are two levels of IT managers. The senior IT managers are responsible for making strategic decisions, participating in administrative decision making, and communicating between the lower level of IT managers and the CTO. The CTO communicates with the CEO and the board of directors. The lower level of management is responsible for operational decision making and for communicating with the IT team leaders and the upper level of management. The team leaders communicate with the IT developers and IT staff, conveying messages and instructions from the upper levels to the staff at the lower levels. The IT staff and developers work under the IT team leaders. When a large project comes in, it is first allocated to a lower-level IT manager, who then appoints team leaders and distributes the tasks of the project among them. The team leaders then assemble their project teams, and it is their job to get the tasks done by the IT staff and developers.
The hierarchy described above shows the structure of the organisation.
Turning to the technological infrastructure, the organisation supports cutting-edge technologies. It has its own data centre and also subscribes to data centres from cloud service vendors. All applications and services for clients are deployed on the cloud computing infrastructure. There are dedicated PaaS platforms and servers for application development tasks.
Information security is an important domain in the business, so a project team has been formed to analyse the risks of the business from the information security perspective. The outcomes of the investigation will be used in an information security audit in the following phases of the project.
Scope of the Project
The scope of the project is limited to the IT department of the organisation. It will cover the business operations of the IT department headed by the CTO, with a focus on the information security infrastructure of the business. The project will assess different aspects of the organisation and its technical infrastructure to gauge the extent of the information security solutions deployed in the business. It will help to understand where the business stands, which security loopholes need to be closed, and how the information security issues should be corrected (Kouns & Minoli 2011).
Other business operations not related to IT operations and the IT department are out of the scope of the project, so the report will not focus on the profitability of the business or other administrative aspects.
The primary objectives of the project are:
- Conducting a detailed risk analysis for the business, covering the IT operations and related operations that may cause information security issues.
- Developing a detailed risk analysis report that will support the information security audit in future.
- Delivering a long-term risk management proposal for the management. Based on this document, policies and procedures may be updated to keep them aligned with the risk management processes.
The feasibility study covers the scope, effort, time and economic feasibility of the project. The schedule of the project is given below.
| WBS | Task Name | Duration | Start (dd-mm-yy) | Finish (dd-mm-yy) | WBS Predecessors |
|---|---|---|---|---|---|
| 1 | Global IT Solution Risk Analysis Project | 143 days | Mon 08-10-18 | Wed 24-04-19 | |
| 1.1 | Project Initialization | 12 days | Mon 08-10-18 | Tue 23-10-18 | |
| 1.1.1 | Feasibility Study | 5 days | Mon 08-10-18 | Fri 12-10-18 | |
| 1.1.2 | Preparing the Initial Project Plan | 5 days | Mon 15-10-18 | Fri 19-10-18 | 1.1.1 |
| 1.1.3 | Signing off the Project Plan | 2 days | Mon 22-10-18 | Tue 23-10-18 | 1.1.2 |
| 1.2 | Requirement Analysis | 50 days | Wed 24-10-18 | Tue 01-01-19 | |
| 1.2.1 | Collecting Requirements Information | 20 days | Wed 24-10-18 | Tue 20-11-18 | 1.1.3 |
| 1.2.2 | Analysis of the Requirements | 20 days | Wed 21-11-18 | Tue 18-12-18 | 1.2.1 |
| 1.2.3 | Preparing the Requirement Specification Document | 10 days | Wed 19-12-18 | Tue 01-01-19 | 1.2.2 |
| 1.3 | Risk Identification | 25 days | Wed 02-01-19 | Tue 05-02-19 | |
| 1.3.1 | Identify the Risks | 20 days | Wed 02-01-19 | Tue 29-01-19 | 1.2.3 |
| 1.3.2 | Prepare Risk Register | 5 days | Wed 30-01-19 | Tue 05-02-19 | 1.3.1 |
| 1.4 | Risk Analysis | 20 days | Wed 06-02-19 | Tue 05-03-19 | 1.3.2 |
| 1.5 | Risk Evaluation | 20 days | Wed 06-03-19 | Tue 02-04-19 | 1.4 |
| 1.6 | Risk Management | 12 days | Wed 03-04-19 | Thu 18-04-19 | |
| 1.6.1 | Planning | 5 days | Wed 03-04-19 | Tue 09-04-19 | 1.5 |
| 1.6.2 | Implementation | 7 days | Wed 10-04-19 | Thu 18-04-19 | 1.6.1 |
| 1.7 | Project Closure | 4 days | Fri 19-04-19 | Wed 24-04-19 | |
| 1.7.1 | Submission of all Documents | 2 days | Fri 19-04-19 | Mon 22-04-19 | 1.6.2 |
| 1.7.2 | Release of Resources | 2 days | Tue 23-04-19 | Wed 24-04-19 | 1.6.2, 1.7.1 |
The senior management is not directly involved in the project, but it has a high level of interest in and influence on the project. It will be in communication with the project manager and the risk analyst. The lower level of management participates directly in the project. The success or failure of the project depends significantly on the risk analyst (Kouns & Minoli 2011).
The project will be carried out with the help of in-house staff, so they will all be committed to the project; it is also part of their job. The people who work on the information security risk analysis project will not be allocated to other projects of the organization or its clients. The administration needs the project to be carried out with the utmost dedication and commitment.
The project also needs contributions from other stakeholders, who are employees from different departments of the organization. The administration has instructed all employees to help the project whenever needed.
Hence, the project scores well on organizational feasibility and can be undertaken from the organizational point of view.
The cost of the project has been calculated as,
| WBS | Task Name | Duration | Resource Names | Cost |
|---|---|---|---|---|
| 1 | Global IT Solution Risk Analysis Project | 143 days | | $108,920.00 |
| 1.1 | Project Initialization | 12 days | | $4,800.00 |
| 1.1.1 | Feasibility Study | 5 days | Project Manager | $2,000.00 |
| 1.1.2 | Preparing the Initial Project Plan | 5 days | Project Manager | $2,000.00 |
| 1.1.3 | Signing off the Project Plan | 2 days | Project Manager | $800.00 |
| 1.2 | Requirement Analysis | 50 days | | $41,000.00 |
| 1.2.1 | Collecting Requirements Information | 20 days | Other Resources, Risk Analyst | $19,400.00 |
| 1.2.2 | Analysis of the Requirements | 20 days | Risk Analyst | $14,400.00 |
| 1.2.3 | Preparing the Requirement Specification Document | 10 days | Risk Analyst | $7,200.00 |
| 1.3 | Risk Identification | 25 days | | $24,000.00 |
| 1.3.1 | Identify the Risks | 20 days | Project team members, Risk Analyst | $19,200.00 |
| 1.3.2 | Prepare Risk Register | 5 days | Project team members, Risk Analyst | $4,800.00 |
| 1.4 | Risk Analysis | 20 days | Risk Analyst | $14,400.00 |
| 1.5 | Risk Evaluation | 20 days | Risk Analyst | $14,400.00 |
| 1.6 | Risk Management | 12 days | | $8,720.00 |
| 1.6.1 | Planning | 5 days | Project Manager | $2,000.00 |
| 1.6.2 | Implementation | 7 days | Project team members, Risk Analyst | $6,720.00 |
| 1.7 | Project Closure | 4 days | | $1,600.00 |
| 1.7.1 | Submission of all Documents | 2 days | Project Manager | $800.00 |
| 1.7.2 | Release of Resources | 2 days | Project Manager | $800.00 |
So, the total cost of the project has been calculated as $108,920.00. The project cost will be borne by the project sponsor, which is Global IT Solution. They are both the project sponsor and the project owner.
The final calculation of the project budget is,
The benefits from the project are,
The Global IT solution is ready to fund the project. Hence, the project is economically feasible.
Technical feasibility is the process of validating the assumptions made on the technological requirements, design and architecture of the project (Loosemore et al. 2012). The technical feasibility of the project is summarized in the following table.
| Checklist item | Assessment |
|---|---|
| Concept | First, there must be a proof of concept for the approach. The document is available and it is the risk management proposal. It includes all details of the approach to be taken for the project. |
| Infrastructure | The required information and communication technology infrastructure is already available within the company. As it is a large IT company, all IT resources are already there. |
| Facilities | The organization has committed to providing all help and information required for the project. It has arranged all facilities and has also asked its employees to co-operate with the risk management project team whenever asked. |
| Data | All relevant data will be collected from the system logs, network logs, equipment and so on. |
| Compliance | The organization already complies with many laws and regulations. The risk management project will check whether it complies with all required laws and regulations. |
| Platforms | The required platforms, such as operating systems and APIs, are already available. |
| Components | The components for testing and prototyping are already available. |
| Tools | Some of the tools are already available. Other tools will be procured. |
| Integration | The process will be integrated with the current business processes. |
| Information security | There will be a detailed evaluation of the information security infrastructure, design, architecture, components and products. |
So, the project has passed the technical feasibility checklist and is ready to be undertaken.
Terms of Reference for the Proposal
The risk management process will follow a structured approach. The steps are given and described below.
- First, there will be a feasibility study, which will establish whether it is feasible to undertake the project. Once the feasibility study is completed successfully, the project initiation document will be created. The project initiation document must be signed off to kick-start the project (Jordan 2013).
- Once the project is started, the project manager will be selected, and the project manager will form the project team to assist in the project.
- Then the risk management architecture will be selected and the risk management planning will be done accordingly.
- Once the risk management architecture is selected, risk identification, analysis and evaluation will be done.
- Once the risk management project is finished, the detailed proposal for the risk management process will be prepared. The proposal will be submitted directly to the system owner and sponsor of the project.
- Once the proposal is submitted, the company can work on updating its current policies, procedures and business operations to match the proposal. However, the implementation of the proposal is out of the scope of the report and the project.
The project will be carried out by an internal project team of ten employees. One lower-level IT manager has been appointed as the project manager. He has some background in information system security and has experience in carrying out such projects for customers. He is also part of the information security testing team that is responsible for checking the information security implementations for clients (Loosemore et al. 2012).
The roles and responsibilities of the project team members are given below.
| Sl No. | Designation | Role in the Project | Responsibilities |
|---|---|---|---|
| 1 | Lower IT Manager | Risk Analyst | |
| 2 | Team Leader | Project Manager | |
| 3 | IT Staff | Project team members | |
Risk Management Architecture
The risk management architecture supports the risk management strategies and policies and makes them operational. An organization like Global IT Solution needs a complete, holistic and situational awareness of risks across the processes, operations and transactions of the business. As data is an important asset for such an organization, risk management is viewed as part of the big picture of the performance and strategies of the organization.
A modern business like Global IT Solution is dynamic, distributed and disrupted, which requires the organization to take a strategic approach to the risk management architecture. The architecture defines how processes, technologies and information are structured to make the risk management process more efficient, agile and effective across the organization and related entities. There are three domains of risk management architecture:
- Risk management process architecture
- Risk management information architecture
- Risk management technology architecture
The risk management processes can be considered a subset of the many other business processes. These processes are used to monitor and change the risk environments, which are ever changing. The risk management process architecture contains a structural design of the processes. A process consists of inputs, outputs and data processing activities. The architecture also contains inventories describing the risk management processes, the interactions and components of each process, and how the processes work together with the other processes of the organization (Kouns & Minoli 2011).
The five common and important processes of the risk management process architecture are,
- Risk identification process
The risk identification process is a collection of processes that share the common aim of establishing a standard, objective approach to identifying the risks related to a project or an organization. Identifying internal risks requires an understanding of the environment and surroundings internal to the business. External risks, on the other hand, are identified by considering the domain in which the business operates, its business strategies, and an understanding of its objectives and short- and long-term goals.
Risk monitoring is an ongoing process used to monitor risks, business environments, regulatory changes and so on. One purpose of the risk identification process is to uncover opportunities and their impact on the business processes. Various external factors can affect a business and its external set-up; examples are economic, geopolitical, environmental and regulatory risks (Jordan 2013). Such internal and external risks may lead to the failure of an organization. Other potential risks relate to pricing, industry standards, industry developments, disruptions, natural disasters, the availability of commodities and so on.
The order of the domains of the risk management architecture is critical. The required information is usually determined by the underlying business operations and processes: those processes determine the types of information required and also how the information is gathered, used and reported (Loosemore et al. 2012). The combination of the information and process architectures defines the organization's requirements for the technology architecture. Many organizations make the mistake of focusing on the technology architecture first and only then on the process and information architectures. This leads to selecting a technology for risk management rather than finding the technology that best matches the information and process architectures.
The risks identified for Global IT Solution are summarised in the following table. Positive risks are opportunities and negative risks are threats.
| Risk ID | Risk Type | Risk Name | Description |
|---|---|---|---|
| 1 | Negative | Inadequate funds | The organisation may have inadequate funds to run the business. This may be caused by internal fraud, loss of shares and so on. |
| 2 | Negative | Quality assurance issues | There may be issues with the internal quality assurance process. As the organisation works with clients from different countries, there may be differences in the quality standards. |
| 3 | Negative | Compliance issues | Again, the organisation works with overseas clients, so different laws, regulations and compliance requirements related to IT, software development etc. may apply. Issues may arise from these differences. |
| 4 | Negative | Data protection issues | The organisation stores and processes data from many clients. It also generates a high volume of data from its own business processes. There may be issues with the protection of that data. |
| 5 | Negative | Privacy issues | There may be privacy and security issues with the high volume of data being processed by the organisation. |
| 6 | Negative | Malware and virus attacks | There is a chance of malware and virus attacks, as the organisation works with many clients and freelancers and supports BYOD. |
| 7 | Negative | Data breach incidents | Attackers target organisations like Global IT Solution because they hold a high volume of customer data, financial data etc. So there is a risk of data breach incidents from external and internal sources. |
| 8 | Negative | Insider attacks | Any employee may cause a data breach incident, willingly or unwillingly. |
| 9 | Negative | Physical damage to equipment etc. | The company has its own data centre. An insider attack may cause physical damage to the data centre or other organisational resources. |
| 10 | Negative | Ransomware attacks | Ransomware such as WannaCry may encrypt files and then demand a ransom. |
| 11 | Negative | Organisational issues | Internal organisational politics and management issues may affect the objectives and growth of the business. |
| 12 | Negative | Resource related issues | Resources may become inadequate for the business operations of the organisation. These issues relate to hiring, HR and employee retention. |
| 13 | Negative | Regulations and changes in laws | Sudden changes to laws and regulations may affect the business and its operations. |
| 14 | Positive | Disruptive technologies | A disruptive new technology may appear in the market. In that case the organisation can train its employees on the new technology and may gain first-mover advantage. |
| 15 | Negative | Natural calamities | There is a risk of natural calamities such as flood, fire, etc. |
The details of the risk analysis have been summarised in the following table.
| Risk ID | Risk Type | Risk Name | Chance of Occurrence | Impact |
|---|---|---|---|---|
| 1 | Negative | Inadequate funds | Low | High |
| 2 | Negative | Quality assurance issues | Low | High |
| 4 | Negative | Data protection issues | High | High |
| 5 | Negative | Privacy issues | High | High |
| 6 | Negative | Malware and virus attacks | High | High |
| 7 | Negative | Data breach incidents | High | High |
| 8 | Negative | Insider attacks | High | High |
| 9 | Negative | Physical damage to equipment etc. | High | High |
| 10 | Negative | Ransomware attacks | High | High |
| 11 | Negative | Organisational issues | Medium | High |
| 12 | Negative | Resource related issues | High | Medium |
| 13 | Negative | Regulations and changes in laws | Low | Medium |
| 14 | Positive | Disruptive technologies | Medium | High |
| 15 | Negative | Natural calamities | Low | High |
Risk evaluation and risk treatment details are summarised in the following table.
| Risk ID | Risk Type | Risk Name | Risk Treatment |
|---|---|---|---|
| 1 | Negative | Inadequate funds | Arranging funds, keeping a contingency fund and following a suitable accounting and funding plan. |
| 2 | Negative | Quality assurance issues | Preparing and following a suitable quality assurance plan, and adhering to the plan continuously. |
| 3 | Negative | Compliance issues | Checking periodically whether the business complies with the rules and regulations related to the business. |
| 4 | Negative | Data protection issues | Implementing a suitable information security plan to protect data. |
| 5 | Negative | Privacy issues | Implementing a suitable information security plan to protect data and its privacy. |
| 6 | Negative | Malware and virus attacks | Implementing a suitable anti-malware solution and an IDS (Intrusion Detection System). |
| 7 | Negative | Data breach incidents | There must be adequate protection with firewalls, anti-malware, encryption etc. |
| 8 | Negative | Insider attacks | There must be monitoring of the sensitive areas within the office, and employees must follow the required guidelines for BYOD and the other facilities provided to them. |
| 9 | Negative | Physical damage to equipment etc. | There must be physical protection, CCTV and biometric security systems to restrict access to the data centres. |
| 10 | Negative | Ransomware attacks | There must be regular data backups for disaster recovery. |
| 11 | Negative | Organisational issues | The management must focus on resolving the issues that are hindering the growth of the business. |
| 12 | Negative | Resource related issues | Focus on employee retention by implementing a reward system, competitive pay scales etc. |
| 13 | Negative | Regulations and changes in laws | Adhere to the required laws and regulations. |
| 14 | Positive | Disruptive technologies | Train the employees to take advantage of the technology. |
| 15 | Negative | Natural calamities | A disaster recovery and business continuity plan must be in place. |
Risk Management Proposal
- Risk assessment
Once the risks are identified, it becomes easier to find out the reasons behind the occurrence of the risks and how the risks affect the business objectives. Techniques such as risk analysis and heat map based analysis are used to identify the possible outcomes of the risks and the impacts of those outcomes.
- Risk treatment
Once the risk assessment is completed, the range of risks, the possible outcomes, the possible reasons etc. are understood. The organization must then decide how to handle the risks to minimize their effects. This also requires identifying and understanding the residual risks and how to minimize the harm from them. These risks are inherent (Wheeler 2011).
Various risk treatments are available, for example risk transfer, risk avoidance and risk mitigation. The goal of any risk treatment is to minimize the cost of the treatment and the impact of the risks, and it must help the business to increase its risk tolerance level.
- Risk monitoring
An array of processes is in place to monitor the performance of the risk treatment process and the overall progress of the risk management process. These are ongoing processes.
- Risk communication and attention
These are also ongoing processes for management, communication and interaction with the risk owners during the risk management lifecycle. Periodically, risk conditions get triggered. The process is focused on understanding the triggers and acting accordingly.
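As an added illustration (not part of the original report), the following script turns the Chance of Occurrence and Impact ratings from the risk analysis table above into a numeric score and the 3x3 heat map referred to under risk assessment, ranks the threats, and flags those above a tolerance threshold as the kind of KRI breach a risk owner would be told about. The 1-3 ordinal scale and the threshold of 6 are assumptions; risk 3 has no rating in the analysis table and is therefore omitted.

```python
"""Likelihood x impact scoring and heat-map grouping for a risk register."""
from collections import defaultdict

# Ordinal values for the report's Low / Medium / High ratings (assumed 1-3 scale).
SCALE = {"Low": 1, "Medium": 2, "High": 3}

# (risk id, type, name, chance of occurrence, impact), copied from the risk
# analysis table; risk 3 (Compliance issues) is not rated there and is left out.
RISK_ANALYSIS = [
    (1, "Negative", "Inadequate funds", "Low", "High"),
    (2, "Negative", "Quality assurance issues", "Low", "High"),
    (4, "Negative", "Data protection issues", "High", "High"),
    (5, "Negative", "Privacy issues", "High", "High"),
    (6, "Negative", "Malware and virus attacks", "High", "High"),
    (7, "Negative", "Data breach incidents", "High", "High"),
    (8, "Negative", "Insider attacks", "High", "High"),
    (9, "Negative", "Physical damage to equipment etc.", "High", "High"),
    (10, "Negative", "Ransomware attacks", "High", "High"),
    (11, "Negative", "Organisational issues", "Medium", "High"),
    (12, "Negative", "Resource related issues", "High", "Medium"),
    (13, "Negative", "Regulations and changes in laws", "Low", "Medium"),
    (14, "Positive", "Disruptive technologies", "Medium", "High"),
    (15, "Negative", "Natural calamities", "Low", "High"),
]


def score(likelihood, impact):
    """Risk score = likelihood x impact on the 1-3 scale, so between 1 and 9."""
    return SCALE[likelihood] * SCALE[impact]


def rank_threats(rows=RISK_ANALYSIS):
    """Negative risks (threats) ordered by descending score, ties by risk id."""
    threats = [r for r in rows if r[1] == "Negative"]
    return sorted(threats, key=lambda r: (-score(r[3], r[4]), r[0]))


def heat_map(rows=RISK_ANALYSIS):
    """Group risk ids into the nine (likelihood, impact) cells of a 3x3 heat map."""
    cells = defaultdict(list)
    for rid, _kind, _name, lik, imp in rows:
        cells[(lik, imp)].append(rid)
    return dict(cells)


def above_tolerance(rows=RISK_ANALYSIS, threshold=6):
    """Ids of threats whose score meets or exceeds the tolerance threshold.
    The threshold of 6 is an assumed risk appetite; a threat at or above it
    would be escalated to its risk owner as a KRI breach."""
    return [r[0] for r in rank_threats(rows) if score(r[3], r[4]) >= threshold]


def render_heat_map(rows=RISK_ANALYSIS):
    """Text heat map: impact down the side (High first), likelihood across."""
    cells = heat_map(rows)
    levels = ["Low", "Medium", "High"]
    width = 16
    lines = ["impact \\ likelihood | " + " | ".join(f"{lvl:<{width}}" for lvl in levels)]
    for imp in reversed(levels):
        ids = [", ".join(str(i) for i in cells.get((lik, imp), [])) or "-"
               for lik in levels]
        lines.append(f"{imp:<19} | " + " | ".join(f"{c:<{width}}" for c in ids))
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_heat_map())
    for rid, _, name, lik, imp in rank_threats():
        print(f"{rid:>2}  score={score(lik, imp)}  {name}")
    print("above tolerance:", above_tolerance())
```

Seven of the thirteen rated threats land in the High/High cell, which is the usual sign that the ordinal scale is too coarse to prioritise between them and that a finer likelihood or impact scale is needed before treatment budgets are allocated.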
List of Risk Management Documents
- Risk register
- Risk management proposal
- Risk management plan
The report contains the details of an effective risk management process for the Global IT Solution business. It gives a holistic awareness of the business risks. The defined list of risks across the business has been structured in the form of a risk register. This is a live document that is updated from time to time and establishes accountability for the risks within the business. The information and technology architecture helps to monitor, communicate and manage the risks. The report will help to develop a risk culture and policy during the implementation of the risk management proposal. Once implemented, the policy must be followed and revised from time to time to keep it up to date. The key risk indicators (KRIs) of the business are there to ensure the implementation of a suitable risk management policy and to track the risk appetite, tolerance and capacity of the organisation. They will also help the business to make risk-intelligent decisions. When the risk management strategies are integrated with the business strategies, risk management becomes an integral part of the responsibilities of the business. The risk assessment planning has been carried out to support strategic decision making by the business. Risk ownership and accountability help in establishing the risk management plan. Each risk must be handled at the process level, and all risks must be communicated to the stakeholders. The archived records of the business show the success of risk management against the risk tolerance and appetite.