Question
SUBDOMAINS:
325.3 SOLVING PROBLEMS & MAKING DECISIONS
326.3 EVALUATING ECONOMICS OF MANAGEMENT DECISIONS
326.4 MANAGING ENTERPRISE RISK & CONTINUITY
329.5 USING INFORMATION SYSTEMS FOR COMPETITIVE ADVANTAGE

Competencies:
325.3.4: Problem Solving - The graduate applies the problem solving process to solve organizational and team problems, and develops strategies to avoid decision-making pitfalls.
326.3.1: Decision Analysis - The graduate analyzes risks and values and uses a variety of decision analysis tools and decision theory to evaluate alternatives during decision-making processes.
326.4.1: Enterprise Continuity - The graduate analyzes enterprise continuity plans and the continuity planning process to ensure the inclusion of essential elements, processes, and stakeholder roles.
326.4.2: Continuity and the Global Marketplace - The graduate applies international standards to company operations and assesses and recommends strategies for maintaining organizational stability and continuity in the global marketplace.
326.4.3: Contingency Planning - The graduate develops and analyzes organizational contingency plans for responding to sudden and rapid environmental changes.
326.4.4: Risk Evaluation and Mitigation - The graduate evaluates internal and external risks and recommends risk mitigation strategies and techniques to an organization.
326.4.5: Organizational Risk Management Programs - The graduate develops and assesses enterprise risk management programs for organizations and incorporates industry best practices in risk management processes and programs.
326.4.6: Risk Optimization - The graduate uses risk control and risk optimization analytics and strategies to maximize returns relative to risk for organizations.
329.5.3: Ethics and Information Technology Security - The graduate makes ethical decisions for the use of information technology and creates processes to maintain the security of data in information technology systems.
Introduction:
As a newly hired consultant, you have been tasked with the duties of creating and presenting a risk management/business contingency plan for your first client. The legal department and the IT department have both expressed concerns regarding the ethical use and protection of sensitive data, customer records, and other information systems content. In the interest of creating confidence and job satisfaction in this new position, your new employer has decided to let you select your first client. For this task, you may select your client from your actual place of employment, a local small business, or a well-known public company. The client must operate internationally in at least some aspects of its business.

Note: Any information that would be considered confidential, proprietary, or personal in nature should not be included. Do not include the actual names of people, suppliers, the company, or other identifiable information. Fictional names should be used. Also, company-specific data, including financial information, should not be included, but may be addressed in a general fashion if appropriate.

Task:
Note: Your submission may be in a variety of formats (e.g., report, multimedia presentation, video presentation). Parts A, B, and C should all be submitted to TaskStream at the same time, but as three individual documents.

A. Create a risk register with eight risks currently facing the business to include the following.
1. Explain how one of the identified risks emanates from an aspect of the company's global marketplace activities (e.g., manufacturing uncertainties, problems with suppliers, political instability, currency fluctuations).
2. Discuss the source(s) of each risk.
3. Evaluate the risk level for each risk in terms of severity of the impact, likelihood of occurrence, and controllability.
4. Develop an appropriate risk response for each risk to reduce the possible damage to the company.
Note: This section should be included as a separate, detailed discussion to accompany the risk register.

B. Create a business contingency plan (BCP) that the company would follow if faced with a major business disruption (e.g., hurricane, tornado, terrorist attack, loss of a data center, the sudden loss of a call center in a foreign country, the collapse of a financial market or other catastrophic event) in which you include the following:
1. Analyze strategic pre-incident changes the company would follow to ensure the well-being of the enterprise.
2. Analyze the ethical use and protection of sensitive data.
3. Analyze the ethical use and protection of customer records.
4. Discuss the communication plan to be used during and following the disruption.
5. Discuss restoring operations after the disruption has occurred (post-incident).

C. Create an implementation plan in which you recommend ways of implementing, monitoring, and adjusting the BCP.

Note: Remember that the client insists on maintaining the security of data in information technology and that the potential for ongoing issues is based on global marketplace concerns.

D. When you use sources, include all in-text citations and references in APA format.

Note: When bulleted points are present in the task prompt, the level of detail or support called for in the rubric refers to those bulleted points.

Note: For definitions of terms commonly used in the rubric, see the Rubric Terms web link included in the Evaluation Procedures section.

Note: When using sources to support ideas and elements in a paper or project, the submission MUST include APA formatted in-text citations with a corresponding reference list for any direct quotes or paraphrasing. It is not necessary to list sources that were consulted if they have not been quoted or paraphrased in the text of the paper or project.

Note: No more than a combined total of 30% of a submission can be directly quoted or closely paraphrased from sources, even if cited correctly.
For tips on using APA style, please refer to the APA Handout web link included in the General Instructions section.

RISK MANAGEMENT

Introduction:
Risk Management intends to encourage the trading of data and mastery crosswise over nations and crosswise over controls. It is used to create thoughts and to advance the great practice for those who are included in the matter of danger. Very quickly evaluations of danger are created and results of misunderstanding things can be not kidding and which includes loss of business, loss of the notoriety and even the life. The diary looked at both the issues and the arrangements.

Overseeing dangers on projects is a procedure that incorporates hazard evaluation and an alleviation system for those dangers. Risk assessment incorporates both the recognizable proof of potential danger and the assessment of the potential effect of the danger. A danger relief arrangement is intended to kill or minimize the effect of the danger occasions, events that have a negative effect on the undertaking. Distinguishing danger is both an innovative and a taught process. The imaginative procedure incorporates meetings to generate new ideas where the group is solicited to make a rundown from everything that could turn out badly. All thoughts are welcome at this stage with the assessment of the thoughts impending later. [1]

Risk Register:

S. No | Risk Description | Emanates From | Reason For Emanation (Source) | Risk Level | Action | Score after mitigation | Time for implementing the action

1. 15 property, liability or personnel loss exposures. Hazard Risk: Arises from Manufacturing happening can be the consequence of absence of the right capability, shortage of staff or wrong number of staff, wrong mental mentality of individuals or individual ? Unsettling influences Severe ? Buying insurance ? Select a building which is not subjected to flood, storm, earthquakes 1 2 days mischances or wounds.
Moreover absence of good administration and poor organization society falls into this class. ? Disappointment of suppliers can bring about unsettling influences both regarding late conveyances or poor item quality.

2 | Control risks can be explained as risks where the outcomes contain a degree of uncertainty | Manufacturing | Level of uncertainty on delivery and budget | Controllability | Clear soundness between foreseen result and result and genuine result | 3 | 1 month

3 | Opportunity Risk: risk with the hope of a gain | Manufacturing | At the point when picking the top open door, most respondents picked advancement in items, administrations and operations | Likelihood | Can be avoided by picking right opportunity at right time. [2] | 2 | 7 days

4 | Exchange Rate Risk: arise due to fluctuation in currency rate | Economic | Organizations with abroad branches, or those that exchange universally, are helpless before worldwide cash variances. Right now case with private ventures, changes in transformation rates can wipe out benefits or build picks up. | Controllable | contract Regularly monitor The changes, lock into a conversion scale for a settled time of time by setting up a forward [3] | 2 | 24 hrs

5 Tax change Political The main reason behind this is political instability. Due to Controllabl Tax should be paid on 3 6 months instability change in government, tax always fluctuates. e time by the Organization. [4]

6 | Capital Control | Political Security & | Capital controls are government measures that limit the development of capital all through a nation by forcing charges, quantitative limitations or different measures. | Controllable | Organizations ought to along these lines consider the area of budgetary speculations and/or financial balances and the effect that capital and trade controls may have on them. | 1 | 2 days

7 3 Normal operations are disrupted by uncontrollable external factors like snow, flu and Olympics Likelihood ? 3 Personnel Weather change is the major reason behind this.
Business Continuity Plan Disaster Recovery Plan Staff issued with business cards containing log in and password for Secure site. Project group in place to assess the impact of The Olympics on normal operations. 2 1 day

8 3 maintenance of secure and confidential data leads to major data loss on IT ? Any technical problem ? Whenever hacker hacks the data. Severe 3 Poor and adverse impact Codes of practice relating to data security and robust internal controls Regular staff Reminders Laptop encryption Business Continuity plan Daily backup Plan (BCP) 6 [5] reputation

Business Contingency

Introduction:
The motivation behind adding to a Business Continuity Plan is to guarantee the continuation of your business amid and taking after any those outcomes 6 basic episode in interruption to your typical operational capacity. This aide will help you to attempt a Risk Management Plan (RMP) and Business Impact Analysis (BIA), and to make the Incident Response and the Recovery Plans for the business.

Objective:
Objectives serve as a method for illuminating the motivation behind your arrangement and ought to depict the planned result. An illustration of arrangement goals are recorded beneath:

The destinations of this arrangement are to:
- undertake hazard administration evaluation
- define and organize your basic business capacities
- detail your quick reaction to a basic occurrence
- Detail methodologies and moves to be made to empower you to stay in business
- review and upgrade this arrangement on regular basis

Insurance:
Right now your risk management arrangement you have to figure out what sorts of protection are accessible and put set up the protection your business needs.

Insurance type | Policy covered | Policy exclusions | Insurance company and contact | Last review date | Payments due

Full Business Insurance. Business interruption due to:
- fire
- flood
- theft
- terrorism
- tsunami
- landslide
- Earthquake
Birla Sunlife, A Person Ph: year 12 9845363826 04/07/2015 $200 per

Backup Strategy:

Data for backup | Frequency of backup | Backup media/service | Person responsible | Backup procedure steps

Full database Personnel ? Remove tape 1 After two day Tape Media, Cloud IT drive from fire safe ? Copy data from Customer database ? Return tape drive to fire safe

Business entrepreneurs ought to embrace 1 Continuity Plan: Right now the Business Continuity Plan a Business Impact Analysis which will utilize the data in your Risk Management Plan to evaluate the recognized dangers and effects in connection to discriminating exercises of your business and focus essential recuperation prerequisites. Discriminating exercises may be characterized right now works that must proceed keeping in mind the end goal to bolster your business.

All customer data is online (in database). In case of risk the whole business will be lost. Min. 1 year required for business to perform without performing this movement.

At this very moment your Business Impact Analysis you ought to relegate Recovery Time Objectives (RTO) to each capacity. RTO is time through which emergency or calamity 1 operational so as to we can pronounce an to the time that the basic business capacity must be completely evade genuine budgetary misfortune. The accompanying inquiries may help us to focus critical activities.
Following are critical system activities:

Business Process | Description
Pay vendor invoice | Procedure of committing stores, issuing check or electronic installment and recognizing receipt
Pay Check | Report that a representative gets either right now that the immediate store exchange has experienced
Cash Flow Statement | The Cash Flow Statement demonstrates how the organization is paying for its operations and future development, by enumerating the "stream" of money between the organization and the outside world; positive numbers speak to trade streaming in for cold hard currency, negative numbers speak to money streaming out.

Following are losses if business activities not provided:

PaPyrocess Loss Income will lessen. Reasons customer confidence Impact Severe Business BVeillns dor oice Start 8 to lose $3- $500,000 every day in interest alone. of an outage We can start 8 borrowing on the second day Severe
Book Cash Without strong income then again costs increment exponentially in the brief time of time. Within 8 days we would have to borrow money which could increase our costs and overhead. Moderate
Paychecks Will influence brand values Unable to pay salaries to the employees in 10 days. Moderate

Downtime:

Maximum Tolerable Downtime (MTD). The MTD speaks to the aggregate sum of time pioneers/chiefs are willing to acknowledge for a business process blackout or disturbance and incorporates all effect contemplations. Deciding MTD is vital in light of the fact that it could leave progression organizers with uncertain heading on (1) choice of a suitable recuperation system, and (2) the profundity of subtle element which will be obliged when creating recuperation systems, including their extension and substance.

Recovery Time Objective (RTO). RTO characterizes the greatest measure of time that a framework asset can stay occupied before there is an unsatisfactory effect on other framework assets, bolstered business forms, and the MTD.
Deciding the data framework asset RTO is critical for selecting fitting innovations that are most appropriate for meeting the MTD.

Business Process | MTD | RTO | RPO
Pay vendor invoice | 60 hours | 9 hours | 12 hours (last backup)
Bills | 20 hours | 10 hours | 12 hours (last backup)
Book Cash | 32 hours | 20 hours | 24 hours (last backup)
Paychecks | 12 Days | 5 days | Last month backup

Incident Response Plan:
This is to set you up for an auspicious reaction to basic episodes and lessen the effect of those occurrences on your already distinguished business operations. It likewise gets ready key work force to give a compelling reaction to guarantee insignificant interruption to operations in the occasion of crisis.

Immediate Response Checklist:

INCIDENT RESPONSE | ACTIONS TAKEN
Have you:
- assessed the seriousness of the episode?
- evacuated the site if important?
- Does it accounted for everybody?
- identified any wounds to persons?
- contacted Emergency?
- implemented the Response Plan Incident?
- Have it started the Event Log?
- activated staff individuals and assets?
- appointed a represented?
- gained more data as a need?
- briefed colleagues on episode?
- allocated particular parts and obligations?
- identified any harm?
- identified discriminating exercises that have been upset?
- kept staff educated?
- contacted key partners?
- understood and consented to any administrative/agreeability necessities?
- Does it initiate media?

Evacuation Procedure:
We have to have appropriate evacuation strategies that provide food for both staff and guests. This methodology ought to be put away in a spot available to all staff. The target of a departure arrangement is to give a situated of strategies to be utilized by site inhabitants as a part of the occasion of a basic episode.
We ought to:
- start with a story arrangement of the site
- clearly distinguish the area of crisis ways out
- develop systems for furnishing help to persons with incapacities
- make beyond any doubt that everybody recognizes what to do if clearing is important
- select and show a meeting spot (clearing point) far from the site
- test the arrangement on regular basis

included ought to 1 Roles and Responsibilities: The staff individuals then be given this table to comprehend their parts and presently task list for culmination of pre-crisis arranging and crisis errands. You ought to redo this table to suit your business' requirements and structure.

ROLE: Team Leader
DESIGNATED EMPLOYEES: Name: Bill Smith, Contact Information: 45678354567
ALTERNATE: Name: John Jones, Contact Information: 5678936543
Emergency Responsibilities:
- ensure that Business Continuity Plan has been actuated
- oversee smooth usage of the reaction and recuperation segment of the arrangement
- determine the requirement for and actuate the utilization of another operation site and other coherence assignments
- communicate with key partners as required
- provide critical data to the Communication Officer for appropriation
- keep key staff advised of any progressions to.

ROLE: IT Personnel
DESIGNATED EMPLOYEES: Name: Junaid, Contact Information: 6788262778
ALTERNATE: Name: Mrs. Aiden, Contact Information: 78726727947

Contact List:

Person | Contact number/s | Email | Responsibilities
Bill Smith | 0400 555 000 | Bill.Smith@widgets.net.us | BC Team Leader
John Jones | 0400 321 001 | John.Jones@widgets.net.us | Alternate BC Team Leader

References
1. Introduction - What is risk management? [ONLINE] Available at - http://pm4id.org/11/2/ [Accessed on - 4th July 2015]
2. Opportunity Risk - What are opportunity risk? [ONLINE] Available at - http://www.diva-portal.org/smash/get/diva2:606971/FULLTEXT01.pdf [Accessed on - 4th July 2015]
3. Exchange Rate Risks - What are exchange rate risks?
[ONLINE] Available at - http://performance.ey.com/2013/02/11/the-top-risks-and-opportunities-facing-business/ [Accessed on - 4th July 2015]
4. Tax change - What are tax change risks? [ONLINE] Available at - http://www.euroinvestor.com/ei-news/2012/07/17/how-exchange-rate-fluctuations-affect-companies/19796 [Accessed on - 4th July 2015]
5. IT Risks - What are capital control risks? [ONLINE] Available at - http://www.lpfa.org.uk/Files/Files/What we publish/ PF 1539 Risk Committee Annex 2 Corporate Risk Register -Strategic and Business risks.pdf [Accessed on - 4th July 2015]
6. BCP Format - [ONLINE] Available at - 7. 7 https://www.google. co.in /url? sa=t&rct=j&q=&esrc=s&source=web&cd=2&cad=rja&uact=8&ved= 0CCIQFjAB &url=https:/ /www.business.qld.gov.au/__data/assets/word_doc/0005/15296/Business- continuity- plan- template .doc&ei= giSXVfnZFpK4uATBgbXIBA &usg= AFQjCNErCTR9CyDQqfGCrFWxSrNWeB _0vA&bvm=bv. 96952980 ,d.

Evaluation Summary for Risk Management:
Final Score: Does not Meet
Overall comments: 07/08/15: Eight risks (tax changes issues, data loss issues and other items) are properly included in the risk register. Several prompts require additional content to explain the following: specific communication methods, communication stakeholders, steps to restore operations, risk levels and risk responses.

Detailed Results

A. Risk Register
(0) Unsatisfactory (1) Does Not Meet Standard (2) Minimally Competent (3) Competent (4) Highly Competent
The candidate does not provide a risk register with 8 risks currently facing the business.
The candidate provides a risk register with 8 risks currently facing the business, with no detail.
The candidate provides a risk register with 8 risks currently facing the business, with limited detail.
The candidate provides a risk register with 8 risks currently facing the business, with adequate detail.
The candidate provides a risk register with 8 risks currently facing the business, with substantial detail.
Criterion Score: 2.00
Comments on this criterion: 07/08/15: Exchange rate risk, tax changes issues, data loss issues, external disruption of operations and etc. are properly identified as risks.

A3. Risk Level
(0) Unsatisfactory (1) Does Not Meet Standard (2) Minimally Competent (3) Competent (4) Highly Competent
The candidate does not provide a logical evaluation of the risk level for each risk in terms of severity of the impact, likelihood of occurrence, and controllability.
The candidate provides a logical evaluation, with no support, of the risk level for each risk in terms of severity of the impact, likelihood of occurrence, and controllability.
The candidate provides a logical evaluation, with limited support, of the risk level for each risk in terms of severity of the impact, likelihood of occurrence, and controllability.
The candidate provides a logical evaluation, with adequate support, of the risk level for each risk in terms of severity of the impact, likelihood of occurrence, and controllability.
The candidate provides a logical evaluation, with substantial support, of the risk level for each risk in terms of severity of the impact, likelihood of occurrence, and controllability.
Criterion Score: 1.00
Comments on this criterion: 07/08/15: Risk levels are listed as: severe, medium and etc. Additional content is required to explain all elements of risk levels (severity, controllability, and likelihood of occurrences).

A4. Risk Response
(0) Unsatisfactory (1) Does Not Meet Standard (2) Minimally Competent (3) Competent (4) Highly Competent
The candidate does not provide an appropriate risk response for each risk to reduce the possible damage.
The candidate provides an appropriate risk response, with no detail, for each risk to reduce the possible damage.
The candidate provides an appropriate risk response, with limited detail, for each risk to reduce the possible damage.
The candidate provides an appropriate risk response, with adequate detail, for each risk to reduce the possible damage.
The candidate provides an appropriate risk response, with substantial detail, for each risk to reduce the possible damage.
Criterion Score: 2.00
Comments on this criterion: 07/08/15: Actions are briefly discussed for each risk. A detailed risk response is necessary for each risk.

B. Business Contingency Plan
(0) Unsatisfactory (1) Does Not Meet Standard (2) Minimally Competent (3) Competent (4) Highly Competent
The candidate does not provide a business contingency plan that the company would follow if faced with a major business disruption.
The candidate provides a business contingency plan, with no detail, that the company would follow if faced with a major business disruption.
The candidate provides a business contingency plan, with limited detail, that the company would follow if faced with a major business disruption.
The candidate provides a business contingency plan, with adequate detail, that the company would follow if faced with a major business disruption.
The candidate provides a business contingency plan, with substantial detail, that the company would follow if faced with a major business disruption.
Criterion Score: 2.00
Comments on this criterion: 07/08/15: Recovery Time Objectives and other items are appropriately incorporated into the BCP. Additional content is necessary for several prompts to explain communication methods and other items.

B3. Customer Records
(0) Unsatisfactory (1) Does Not Meet Standard (2) Minimally Competent (3) Competent (4) Highly Competent
The candidate does not provide a plausible analysis of the ethical use and protection of customer records.
The candidate provides a plausible analysis, with no detail, of the ethical use and protection of customer records.
The candidate provides a plausible analysis, with limited detail, of the ethical use and protection of customer records.
The candidate provides a plausible analysis, with adequate detail, of the ethical use and protection of customer records.
The candidate provides a plausible analysis, with substantial detail, of the ethical use and protection of customer records.
Criterion Score: 1.00
Comments on this criterion: 07/08/15: Business records and sensitive data are discussed. However, specific references to customer records are not included. Additional content is necessary to address customer records and methods to protect these records.

B4. Communication Plan
(0) Unsatisfactory (1) Does Not Meet Standard (2) Minimally Competent (3) Competent (4) Highly Competent
The candidate does not provide a logical discussion of the communication plan.
The candidate provides a logical discussion, with no detail, of the communication plan.
The candidate provides a logical discussion, with limited detail, of the communication plan.
The candidate provides a logical discussion, with adequate detail, of the communication plan.
The candidate provides a logical discussion, with substantial detail, of the communication plan.
Criterion Score: 1.00
Comments on this criterion: 07/08/15: A contact list template is included. Additional content is necessary to explain stakeholders and specific communication methods.

B5. Restoration of Operations
(0) Unsatisfactory (1) Does Not Meet Standard (2) Minimally Competent (3) Competent (4) Highly Competent
The candidate does not provide a logical discussion of restoring operations.
The candidate provides a logical discussion, with no detail, of restoring operations.
The candidate provides a logical discussion, with limited detail, of restoring operations.
The candidate provides a logical discussion, with adequate detail, of restoring operations.
The candidate provides a logical discussion, with substantial detail, of restoring operations.
Criterion Score: 2.00
Comments on this criterion: 07/08/15: Evacuation procedures and a checklist are discussed in a general matter.
Specific steps to restore operations after a major disruption are required