Introduction
The following risk management plan is designed for the case of Flayton Electronics. The company is currently in a crisis: its system was hacked, and the information of more than 1500 of its customers was accessed illegally. It is not clear at what point the information was hacked, who is responsible, or which portfolios are affected. The company CEO, Brett, is trying to get to the core of the matter. The CEO believes that the company is compliant with the Payment Card Industry (PCI) standards and, further, that the company has employed competent information technology personnel. The data breach may have occurred at various stages along the system: the cash register, the card reader, the bank and card reader interface, company computers, the link between the stores and the bank, or an inside job. At the technological level, the risk remains wide and the responsible person has not been found. According to Sergei Klein, who is in charge of IT, the company is not fully compliant with the PCI standards. He estimates compliance at 75%, and there remains the challenge of matching the dynamics of technology with the standardized systems. Sergei also noted that a firewall linked to the automated inventory system was disabled without his knowledge.
In perspective, Flayton Electronics is currently at great risk: the number of affected clients is increasing, the company will have to inform other institutions and stakeholders, and either the bank or the company will have to notify the customers. The impact of the risk is felt at both the technological and the management level.
Project description
This risk management plan puts into perspective the case highlighted in the introduction. The plan will take six months and its budget is $100,000.
The objectives of the risk management plan are:
- To determine the components, interfaces, and external sources that may affect the security of information at Flayton Electronics
- To develop an organizational policy on information security and robust optimization
- To review the degree and criteria of compliance with the international standards of practice
- To develop a strategy for hiring employees and terminating their services without jeopardizing the security of the company
- To invest resources in specific technologies that increase the safety of data
- To develop a model and paradigm of organizational culture on information security
Application of the ATOM process
The following ATOM process will be used for the Flayton Electronics risk management plan.
- Initiation – Develop specific deliverables, assign responsibility to specific employees, set the time frame, provide the requisite information and resources, and inform all the relevant authorities about specific issues of the plan.
- Identification – The following items are identified as potential risks: dismissed employees, the degree of compliance with the technology standards, the interface between Flayton Electronics and Union Century Bank, the interface between Union Century Bank and the inventory system, the electronic transaction cards, stolen computers, and a review of the standard risk checklist.
- Assessment – The following areas are assessed:
  - Organizational culture – honesty, trust, responsibility, commitment
  - Service delivery – transaction security, searching the catalogues, and transactions
  - Human resources – recruitment, applicant tracking, employee reporting, induction training, competence of employees, job termination process, and disciplinary action
  - Software and systems – server support, backup systems, database support, data interfaces, programming tool kit, documentation, application interfaces, and mobile/wireless technology support
  - Inventory management – pricing and discount calculations, item data elements, the automated inventory system, lot and serial number generation, and monitoring of returns
  - Profiles of the vendor – time in business, financial records, custom software
- Response planning
  - Dismissed employees – to be investigated on whether they are linked to the current data breach. HRM is to develop a model of recruitment and job release that will prevent employees from using information against Flayton Electronics.
  - Degree of compliance with the technology standards – Sergei and the IT department should point out the specific issues that prevent Flayton from being PCI compliant.
  - Interface between Flayton Electronics and Union Century Bank – to review the information shared during the transaction. There must be clarity on who owns the risk.
  - The interface between Union Century Bank and the inventory system – the plan closes off the possible redirection of transaction details to a different computer. The possibility of a leak of encrypted account details cannot be ignored.
  - The electronic transaction cards – the plan reviews the data stored in the cards and the possible uses of the data and of the codes on the card. There must be clear information on the relationship between the card functionality and PCI compliance.
  - Stolen computers – the risk management plan investigates the safety of the information on stolen computers and other hardware. The information in the computers should be secured, and when a computer is stolen the related information channels and links should be changed immediately.
- Reporting – this is done by the communications department, currently headed by Sally O’Connor. The timing, accuracy and impact of the report should be determined.
- Implementation – implementation will consider the objectives, initiation, identification, and response planning.
- Review – the review may be done by the top management of Flayton Electronics. The implementing team may also report to the CEO directly. Reviews may also be done by external regulators on the effectiveness of the system.
- Post-project review – the review will be measured against the objectives. The project ought to achieve the objectives or at least make clear progress towards a secure system.
Risk tools and techniques
Project sizing tool
The projects are categorized as small, medium, and large. Total scores are used to determine the size of the project, as follows:
- ≥ 75: large project
- 35–74: medium project
- < 35: small project
See Appendix 1: the project sizing tool by Hillson and Simon (2007) provides the details against which the following case interpretation is made.
The criterion values (2, 4, 8, 16) represent the four criterion levels of the tool. They are linked to the characteristics of the project and of the company in the case study, Flayton Electronics.

| Criterion | Score | Criterion level (Hillson and Simon, 2007) | Reason from the case study |
|---|---|---|---|
| Strategic importance | 6 | Major contribution to business objectives | The money in the cards is protected by the issuing company. The effect of hacked information will affect the transactions if the hackers divert money from the customers’ accounts. |
| Commercial/contractual complexity | 4 | Minor deviation from the existing commercial practices | The existing technology and customer service structures will not be overhauled. The company is already looking for a specific loophole that may have caused the breach of data. Therefore, fixing a specific issue will cause only minor deviations from the commercial practices. |
| External constraints and dependencies | 6 | Key project objectives depend on external factors | The project depends on the Secret Service, the technology regulators, the banking sector, and the regulators in the banking sector. |
| Requirement stability | 4 | Some requirement uncertainty, minor changes during the project | There will be changes in the training of new employees, compliance procedures, and the interface between the card reader, the bank, and the inventory system. |
| Technical complexity | 4 | Enhancement of the existing product/services | The company is focused on ensuring that the customers get better services than those given by the competitors. |
| Market sector regulatory | 6 | Challenging regulatory requirements | Flayton Electronics depends on the banking and technology companies. Each of the two industries has independent regulators. |
| Project value | 2 | Small project value (< $250) | The project budget is $100,000. |
| Project duration | 4 | Duration 3–12 months | The project will take six months. |
| Project resources | 8 | Large project team including external contractors | More than 15% of the customers were affected. This means that the company serves thousands of clients, and the project team must be large to cater for all of them. Technologies and banking services involve external entities. |
| Post-project liabilities | 4 | Acceptable exposure | This will depend on the way Flayton communicates with the stakeholders and the company. The possibility of legal suits may also pose potential liabilities. |
| Total score | 48 | | |
The total score is 48, which places the plan in the medium-project category. The project value of $100,000, however, rates it as a small project. Therefore, the current allocation is less than the amount expected for a project of this size.
Organization, roles, and responsibilities for risk management
Project sponsor
They are concerned with the overall effect of the risk on the business. In the case study the sponsors may be concerned with the stock in the stores, the capital assets, the security of money in the Flayton Electronics account, and the brand. The sponsor looks at the comeback strategy and the rebranding process in case there is such a need. The sponsors authorize the release of management reserve funds to finance the project where necessary.
Project manager
Project managers deal with the strategic and policy matters of the plan. The strategies and policies help the management plan meet its objectives. Project managers oversee and supervise the work of the employees, evaluate the risk situation of the company, and report to the top management, the stakeholders, and the sponsors. The project managers ensure that the project resources are available at the right time.
Risk champion
The person or internal organ directly in charge of the risk project.
Risk owner
This refers to the person, internal organ, or external institution that bears responsibility for implementation and for communication on the progress of the project.
Project team member
The employees and the investigative agency officers who are responsible for the tactical and actual activities of project risk management.
Risk Tools and Techniques
These are tools that have been empirically tested and found fit to assess the risk of an entity or process. In the case of Flayton Electronics, the risk tools and techniques will guide the project implementation in the following aspects:
Gather and represent data – gathering data will help the company establish the trends of information risks and the behaviors of suspected persons.
- Interviews – interviews can be structured or unstructured. They are carried out formally by engaging the employees in inquests and by using the services of the security agencies. Interviews can also be done in groups and teams during workshops and seminars on organizational security.
- Questionnaires – these are used to gather data that is analyzed to establish the state of organizational risk. Questionnaires can also serve to get information from the employees on the most effective ways to improve information security and general operations. Questionnaires gather both qualitative and quantitative data.
- Monte Carlo simulation techniques – this is a special risk assessment model for quantitative variables. It generates probabilistic estimates of the costs and schedule of undertaking the project.
Qualitative and quantitative analysis
The following table is used to analyze the risk levels of the breached data at Flayton Electronics. The risk components are derived from the standard risk breakdown structure (Hillson and Simon, 2007). The interpretation of the risk components is explained in Appendix 2.
Definitions of probability and impacts
| RBS level 1 | Risk specification | Probability | Impact | Rationale |
|---|---|---|---|---|
| Technical risk | Degree of compliance with the technology standards | Medium | High | The customers use the electronic cards for transactions with the company. A risk on the cards affects the transactions and their banking information, and this may also impact their trust in the company. Technical risk has a high probability of creating unexpected effects because the company may not know how the criminals will use the data. |
| | Interface between Flayton Electronics and Union Century Bank | High | Very High | |
| | Interface between Union Century Bank and the inventory system | High | Very High | |
| | Electronic transaction cards | High | Very High | |
| | Breach of information from stolen computers | Low | Low | |
| Management risk | Dismissed employees | Medium | Medium | The probability of dismissed employees causing a risk can be minimized by monitoring and by ensuring that their departure is justified. |
| | Standard risk checklist | High | High | |
| | Miscommunication | Medium | Medium | |
| Commercial risk | Competitors taking advantage of the situation | Medium | Medium | Commercial risk is manifested in a low number of customers using the company outlets. Since the money of the customers is safe, the company and the bank can put in place measures to counter possible use of the information to divert money to other accounts. |
| | Number of affected customers | Low | Low | |
| External risk | Legal suits | Low | Low | These risks are functional failures; they affect the individual company more than the clients and the partners. |
| | Failure by regulators | Low | Low | |
Probabilistic assessment of the risk: very high ≥ 90%; high = 80%; medium = 50%; low = 20%; very low ≤ 10%.
Impact of the risk: very high ≥ 10%; high = 8%; medium = 4%; low = 2%; very low ≤ 1%.
- Technical risk probability = 50, 80, 80, 80, 20; average = 310/5 = 62%
- Technical risk impact = 8, 10, 10, 10, 1; average = 39/5 = 7.8%
- Management risk probability = 50, 80, 50; average = 180/3 = 60%
- Management risk impact = 4, 8, 4; average = 16/3 = 5.3%
- Commercial risk probability = 50, 20; average = 70/2 = 35%
- Commercial risk impact = 4, 2; average = 6/2 = 4%
- External risk probability = 20, 20; average = 40/2 = 20%
- External risk impact = 2, 2; average = 4/2 = 2%
The company has high risk in the technical and management portfolios.
Qualitative risk factors
They are descriptive. They explain the level of risk to the company. For statistical analysis, the qualitative information may be represented on a Likert scale. The following risk factors are qualitative: failure by the regulators, bad reputation, legal suits, competitors taking advantage of the situation, miscommunication, and dismissed employees.
Quantitative risk factors
They are represented numerically. They can be assessed and assigned a probabilistic value. The following factors are quantitative: the number of affected customers, the monetary cost of legal processes, the number of electronic transactions, the interface between Union Century Bank and the inventory system, and the percentage of compliance with the technology standards.
Response mechanism
| Threats | Opportunities |
|---|---|
| Avoidable threats: threats that affect the operations and organizational bank accounts; data breach | Exploit: trust of the customers; employee competence; brand name and competitive advantages |
| Transferable threats: threats coming from failed regulators; threats on contractual and outsourced services | Share |
| Threats to mitigate: replacement of failed operating systems and devices | Enhance: the relationship with the security agencies |