Risk Management


Tutorial 1

Question 1

The PDCA (Plan-Do-Check-Act) cycle is applicable to information security as an important framework that provides the overall platform for reducing risk threats. Under this cycle a security platform is planned, tested through its implementation, and all of its aspects are checked so that the whole framework is understood; the cycle is then acted upon once valid and effective results have been considered. Risk management is the art of planning, organizing, controlling and monitoring overall risk so that it can be reduced through effective strategies (Daud, 2010). The PDCA cycle has two shortcomings: the entire improvement process is simplified, and some of its results are based on assumptions.

Question 2

These are some of the risks associated with my daily travel from home to the workplace:

- There is a possibility of a strike, which would keep me at home
- There is a chance that no transport is available
- My bike may not start, and I will have to wait for public transport
- An increase in traffic can lead to a serious accident

Tutorial 2

Exercise 1

Question 1

The application of security concepts is an important factor in risk management. The security concepts of owner, vulnerabilities and assets can be employed in an authenticated manner (Fabozzi, 2003). The owner corresponds to the shareholder, a vulnerability can be identified as fluctuation in results, and assets can be thought of as the resources a company uses for its business operations.

Question 2

Asset classification in risk management is the framework that reduces overall risk and leads to the maximum return. The return can be attained and enhanced by using the maximum number of asset classes, each of which has its own associated level of risk and return.

Exercise 2

Different risk threats can be associated with the daily life of any couple. Any such threat can be reduced and managed through the use of efficient and effective resources.

Standards can be considered benchmark points, each with its own policies, that can be accepted by and compared across organizations with the same functions. Organizations use these standards to make their overall system fully standardized and effective for comparison with rival firms. Risk management provides an effective framework for reducing the level of loss and maximizing profit. These standards are the efficient and effective units for modernizing the accounting and strategic system.

Tutorial 3

Several key factors can be listed and taken together as an effective model for measuring and managing risk from different aspects. These points are the important elements of a risk model for an IS/IT environment. A threat source is an element that has a bearing on any organization; it is an important element and can vary over time (Cagno, Caron and Mancini, 2007). A threat source is most often the reason for fluctuation between the expected and estimated results of any business, organization or project.

A threat event can be understood through the experiences gained by an organization in its business operations, and the organization would have an effective management plan to control the resulting risk. Reducing and managing the impact of such a threat is an effective and efficient way to control risk. Different conditions may cause the stock value of any I/T environment to fluctuate. An I/T environment may be stable or unstable, because a number of updates occur in any industry. The scope of risk management provides an implementation and organizing plan by which any organization can change and moderate its level of risk.

Tutorial 4

This table can be used to record the different risk levels (scale 0-5):

                Deterrent  Preventive  Detective  Corrective  Recovery  Compensating
Administrative      5           4           2           1          0           3
Technical           4           4           3           5          3           2
Physical            3           2           4           4          1           5

Different authorities in this scenario have different duties and responsibilities to perform.

As I.T manager, I can add filters to employees' outgoing mail so that they are only able to send emails to the relevant persons. The subject line can also serve as a filter for sending and receiving mail. A hidden message could also be used, which would not be shown to the receiver if they have accidentally received a wrong message.

As CIO, I will have to upgrade the overall structure and implement important measures that ensure the quality and quantity of any message. Meetings could be held with all employees to inform them that whenever they receive an email from an irrelevant address they should not open it; this will also reduce the chance of virus risks.

As CEO, I will have to monitor and control the activities of all employees so that the best quality of work is performed in an authenticated manner. Training events within the organization will give employees effective skills for performing their jobs and duties (Wirthin, 2006). Relevant employees could also be shown precautions that inform them of the circumstances that may arise from any miscommunication on their part. Penalties can also reduce the threat of miscommunication.

Tutorial 5

Exercise 1

Risk Assessment

Risk assessment is a framework that identifies the level of risk included in any project. It covers three scenarios of risk management: risk identification, risk analysis and risk prioritization.

Risk Mitigation

Risk mitigation is a combination of different tactics for reducing the level of risk associated with any project or task. It covers three scenarios: risk reduction, emergency planning and implementation.

Exercise 2

Due care is the security measure taken to care for information by establishing controls. There may be security practices or laws that control the privacy of clients or employees. Due diligence is the investigation of clients and employees so that all the information needed to inspect the elements of risk is available (Hess and Gaertner, 2006). Clients can present various threats if their information has not been obtained according to the specific laws. An example is the banking industry, which is required to obtain information from customers before opening their accounts.

Tutorial 6

EXERCISE 1

Risk mitigation is a process with the potential to eliminate or reduce the risk associated with the business operations of any organization. These are the five key principles of risk mitigation:

- Risk identification: the first and crucial step, in which the risk associated with any project is identified (LLP, 2004)
- Cost & benefit analysis: performed to weigh the different benefits and costs involved
- Excess of benefits: it is important to show that costs are less than the benefits associated with any project
- Unnecessary risk: unnecessary risk should be ignored
- Management level: the management of Vita crux will identify, evaluate and assess the risk level to understand the associated risks and returns, and make a final decision to accept or reject the project

EXERCISE 2

Enterprise risk management helps the organization ensure that the performance of its entities is effectively reported and complies with rules and regulations. The four objectives of enterprise risk management are strategic efficiency, operational effectiveness, reporting according to the standards, and compliance with the law (Belinda, 2011).

Effectiveness and the Merits of a Qualitative Assessment

A qualitative assessment is used to prioritize the risks associated with projects using a defined scale. Through this method a project can be evaluated from every aspect: the financial value of an asset can be determined, and the level of risk can be identified through observation. The calculation methods are mostly simple and understandable (Elena, 2011). A quantitative assessment provides numerical information about the framework, whereas a qualitative assessment recognizes the aspects of risk from different angles without any numerical evaluation.

Tutorial 7

Exercise 1

In an I.T environment, governance and management can be thought of as leader and follower respectively. The governance of an organization has its own independent duties, under which it performs certain strategic business operations. It makes the decisions in an organization and sets the organization's future direction. Management can offer suggestions to governance on matters such as the information security system; those suggestions may be considered, analyzed and used, or they may be rejected. Managers have to carry out whatever governance has directed in an I.T environment.

Exercise 2

Organizational information security and information security can be used in different ways; for example, different filters can be used to organize the budgeting plan, and the marketing department can gain an understanding of its target market. A change in the organization's culture can be inspired through different panels and may be tolerated as a permanent change. A security firewall can be used to identify and eliminate risk threats. Security certificates can inspire customers to feel more authenticated when performing any transaction with the organization (Jüttner, 2003). Customers will be able to operate in an automated environment and will come to use these trends in their daily activities. The organization may face different challenges with any structural change: costs increase if a new structure is implemented, the certificate-issuing company will impose various restrictions, and meeting these will increase the overall cost of all business operations.

Tutorial 8

1. How is strategic risk different from other types of risk?

Strategic risk differs from other types of risk because the other risks have their own quantitative aspects, whereas this type of risk is based on qualitative aspects that increase the overall total cost. Strategic risk is associated with every business operation and applies to all business operations of any organization.

2. Why the increased urgency, if strategic risk has always been a part of business?

Strategic risk is the risk that must be eliminated or reduced at the risk identification stage, because strategic risk always has a different authenticity. Whenever an organization faces a strategic risk, it must eliminate it in a way that uses resources efficiently, so that the maximum resources can be used to eliminate the risk and remove the bottleneck from business operations.

3. How are companies responding to this new focus on strategic risk?

As discussed earlier, strategic risk is mostly faced at the initial stage, so companies eliminate this type of risk through effective decision-making plans.

4. What was wrong with the old way of managing risk?

The old way was based on customized tools that cannot be implemented in every organization.

5. Which strategic risks are the most critical today?

These strategic risks vary from company to company, but it is recognized that the information security system and trade secrets are the most critical strategic risks.

Tutorial 9

Question 1

A contingency plan is implemented effectively in an organization because it provides information about all the aspects that can be authenticated or implemented in the organization (Gordon, 2009). The contingency plan should be treated as crucial and must provide an effective program for reducing and removing the risk.

Question 2

A number of sub-plans are governed under a contingency plan, and these plans must be monitored under it. Implementing the contingency plan is an effective and efficient way to modernize the overall structure within the organization. These sub-plans are an optimal way to monitor different aspects of the organization, and they are also an important framework for identifying and evaluating risk. Various threats can be reduced and managed in an organization.

Question 3

Every organization carries out different business operations, and they should be performed in such a way that the overall risks are reduced. An organization should prefer to invest in a warm site, which does not require a huge investment, because a huge investment can also result in loss.

Tutorial 10

Question 1

A well-developed response capability monitors the implementation plan and puts it into effect in an effective manner. Consistent and constant communication provides an effective plan for reducing the risk in a short time.

Question 2

An example of an incident is a person who has skipped some information and did not complete the due diligence process (Das, 1998). A disaster could be the crash of an organization's database.

Question 3

The following stakeholders can be considered for the communication plan: developer, I.T manager, CIO, CEO, and customers. The communication map can be shown as follows (the map figure itself did not survive extraction; only its node labels remain, under Tutorial 11, Question 2):

Tutorial 11

Question 1

Risk is conceptualized as the chance of a threat or any other negative loss that may impact the overall business operations of an organization and may be associated with any of the organization's projects.

Question 2

(Communication map from Tutorial 10, Question 3; only the node labels survived extraction: Developer, I.T Manager, CIO, CEO, Information Secretary, Customers)

Risk is considered the probability of a threat or any other negative impact in an organization, community or company. Organizations carry out different projects and operations, each with an associated level of risk that may increase or decrease over time (Hyung and de Vries, 2002). It is also important to note that whenever risk increases, the level of return also increases, because there is always a direct relationship between risk and return for an organization across the different projects it operates and performs over a significant period of time.

A company's risk management plan mostly serves a simple two-step purpose: first, determining what risks are associated with any uncertainty, and second, taking the most suitable action to achieve the organizational objectives efficiently and effectively. Both steps occur in every decision process of the organization whenever uncertainty arises. The risk management plan is used by every department of the organization: the finance department to identify financial risk, the strategy department to design strategies, the credit department to issue credit lines, and all other departments for the overall organizational objectives.

Risk management serves various purposes for the company, and management is expected to achieve all of them by adopting risk analysis techniques effectively. The most important purpose of risk management within an organization is to identify the possible risks that can reduce the efficiency of the company's business operations. The identified risk is reduced or allocated by corporate governance to provide the most responsive business environment for the organization. Management takes decisions on a rational basis after identifying and analyzing uncertain events.

A risk management plan shows the different levels of threats and opportunities that may arise in the future. Strategic and financial objectives are integrated into the company's risk management plan. The corporate governance and senior management of every company have accepted the importance of a risk management framework. Management recognizes that a risk management plan providing a complete framework of actions, performed efficiently and effectively, can grow the company's market share and gain it a competitive advantage.

Strategic planning is a result of risk management, and every company performs all of its actions according to the analysis provided by its financial and risk managers. Whenever the organization's research department identifies a risk, all information about that risk is passed to the organization's analysts (Bark, 1991). They analyze the risk by gaining an understanding of all of its aspects. Risk is analyzed not only on the basis of available information but also on the basis of future expectations, forecasts and projections. All of these forecasts are based on different strategic techniques or on the past history of these risks.

Monitoring the risk management framework is crucial for the company's risk, finance and strategy departments. Coordination among all of these departments provides the opportunity to analyze the performance of the risk management framework. Monitoring helps the strategic unit to follow the given guidelines and to perform in such a way that the organizational objective can be achieved. This provides an organized framework for identifying more gaps and capturing more opportunities. Risk management can be performed through the association of all the relevant departments or stakeholders of an organization.

Performance measurement is the process of quantifying the effectiveness and efficiency of actions in order to compare actual results against expectations. It is a process of assessing progress toward the predetermined financial and strategic objectives designed by the company. Different factors are involved in measuring the performance of a risk management framework. Results are compared on the basis of the efficiency of the resources used, the quality of outcomes, and the effectiveness of the business operations performed in the directions given by the results of the risk management plan. Company management undertakes performance measurement to assess progress toward its objectives, including both financial and strategic ones.

The risk management and risk evaluation instruments used by company management are expected to be used and monitored in an authenticated way. To obtain the most effective risk management plan, management needs to learn efficient quantitative and qualitative techniques. Monitoring of the risk management plan can be done effectively when there is a governing body to investigate risk uncertainties and risk opportunities. It is crucial for the company to identify risk threats or opportunities, evaluate the validity of these risks, analyze all the possible outcomes, and design strategies based on the results of the analysis. It can be concluded that effective and efficient adoption of a risk management plan can provide the best outcomes for the company in the form of market growth, market expansion and competitive advantage.

References

Daud, W. N. 2010, The Effect of Chief Risk Officer (CRO) on Enterprise Risk Management (ERM) Practices: Evidence from Malaysia, International Business & Economics Research Journal (IBER), 9(11).

Fabozzi, F. J. 2003, Financial Management and Analysis (Vol. 100), John Wiley & Sons Inc.

Gordon, L. A. 2009, Enterprise Risk Management and Firm Performance: A Contingency Perspective, Journal of Accounting and Public Policy, 28(4), pp. 301-327.

Jüttner, U. 2003, Supply Chain Risk Management: Outlining an Agenda for Future Research, International Journal of Logistics: Research & Applications, 6(4), pp. 197-210.

Das, T. K. 1998, Resource and Risk Management in the Strategic Alliance Making Process, Journal of Management, 24(1), pp. 21-42.

Hyung, N. and de Vries, C. G. 2002, Portfolio Diversification Effects and Regular Variation in Financial Data, Allgemeines Statistisches Archiv / Journal of the German Statistical Society, 86, pp. 69-82.

Bark, Hee-Kyung K. 1991, Risk, Return, and Equilibrium in the Emerging Markets: Evidence from the Korean Stock Market, Journal of Economics and Business, 43(4), November, pp. 353-362.

Belinda 2011, Qualitative Risk Analysis vs Quantitative Risk Analysis (PMP Concept 2), Passionate Project Management, 23 March 2011, https://www.passionatepm.com/blog/qualitative-risk-analysis-vs-quantitative-risk-analysis-pmp-concept-1

Elena, R. S. 2011, Advantages and Disadvantages of Quantitative and, Bucharest, Romania, David Publishing, December 2011.

LLP, P. 2004, Enterprise Risk Management: Integrated Framework, Canada, September 2004.

Wirthin, R. 2006, Managing Risk and Uncertainty: Traditional Methods and the Lean Enterprise, MIT/LAI presentation, April 18, 2006.

Hess, S. M. and Gaertner, J. P. 2006, Application of Risk Management as a Cornerstone in Ensuring Nuclear Plant Safety, Proc. of the 8th International Conference on Probabilistic Safety Assessment and Management, May 14-18, 2006, New Orleans, paper PSAM-0477.

Cagno, E., Caron, F. and Mancini, M. 2007, A Multi-Dimensional Analysis of Major Risks in Complex Projects, Risk Management, pp. 1-18.