Risk Management in IS/IT Organizations: Challenges and Solutions

Added on  2023/06/03

AI Summary
This essay delves into the critical aspects of risk management within Information Systems and Information Technology (IS/IT) organizations. It emphasizes the evolution of risk management from a purely technological focus to a broader management responsibility, driven by the increasing complexity of modern business environments. The essay highlights the importance of proactive risk management plans, encompassing both risk identification and mitigation strategies. Using Reckon Limited as a case study, the essay examines the consequences of inadequate risk management, including data breaches and financial losses. It breaks down the risk management process into risk assessment and mitigation, discussing the sub-components of each. The essay also explores the significance of risk appetite and tolerance, and provides recommendations for improving security measures, such as investing in skilled employees and forming a dedicated technical panel. Ultimately, the essay concludes that effective risk management is essential for IS/IT organizations to maintain business integrity and adapt to evolving threats.
Running head: RISK MANAGEMENT IN IS/IT ORGANISATIONS
Risk Management in IS/IT Organisations
Name of the Student
Name of the University
Author Note
With the advancement of science and technology in the modern world, there has been a substantial amount of developmental change across nations. Not only in the field of generic business trends but also in the fields of Information Systems and Information Technology there have been several notable evolutions. This fast-paced world has generated a lot of new business opportunities and innovative doorways for the business practices adopted by organisations. However, these business opportunities have in a similar fashion also led to an array of severe threats and risks that must be mitigated by these organisations at any cost in order to thrive in the commercial market (Järveläinen 2013). Personally, I feel that risks are something that cannot be avoided but can surely be mitigated with the help of certain risk management plans and significant guidelines. The purpose of this essay is to discuss the various aspects of risk management within an organisation.
In earlier days, the issues related to information security were analysed in a technological context, but in the modern period the growing security needs have made analysts across industries take on management roles and responsibilities in the domain of information security and management. Managing the security services within an organisation is essential because these are the key aspects of any organisation that safeguard the future of the company (Ross and Blumenstein 2013). Going through some of the articles online, I found that besides outlining a layout that defines the company's goals and objectives, it is equally important to devise a management plan that is based on the proper identification of risks and threats. Identification of these risks and threats will give the concerned organisation an overview of how to combat them according to their level of impact on the organisation.
Reckon Limited is an Australian company whose business relies entirely on the supply of desktop and cloud based software for personal users, small and medium scale organisations, bookkeepers and accountants (Brender and Markov 2013). This prestigious and famous organisation is one of those business enterprises listed on the Australian Securities Exchange. It is associated with more than sixty thousand businesses across Australia and New Zealand. The company was founded back in the 1980s. It has been one of the leading suppliers of software services in the country, but recently the company has been facing a dip in its profits and its sales margins have decreased severely. In a thorough investigation of the company's downfall in recent times, I found that the company is lagging behind in some areas where it is susceptible to risks and threats. This is mainly because the company was too reluctant to formulate a risk management plan in which the risk management strategies would have been framed out in a systematic manner.
As the company is a dealer of software services for several businesses and relies on extensive usage of cloud based platforms, it was essential to formulate a risk management plan. A typical risk management ideology consists of two major components: the identification of the risks and the control of those risks (Soomro, Shah and Ahmed 2016). The identification of the risks involves a process of examining the organisation's existing security infrastructure along with the technologies involved in maintaining the security of the company. On the other hand, the control of the risks involves applying dedicated steps to mitigate the risks that are generally associated with the organisation's data and information systems.
Going further in the investigation process, I found out that neither the identification of the risks nor the controlling of the risks was carried out by the management of the organisation.
The risk management process breaks down into two major headings, which are the risk assessment and the risk mitigation process. Both the risk assessment and the risk mitigation process can be further subdivided into three subheadings each. The risk assessment module can be classified into risk identification, risk analysis and risk prioritization (Edwards and Bowen 2013). Similarly, the risk mitigation module can be classified into three subheadings, which are risk reduction, emergency planning and the implementation of techniques to combat the risks.
Reckon Limited is one of those enterprises that work on Software as a Service, or SaaS, cloud based technology. The recent dip in the profitability of the organisation was due to the fact that the organisation comprehensively failed to look upon the various aspects related to information security. In my view, the organisation failed to properly preserve the confidentiality, availability and integrity of its information (Schiller and Prpich 2014). It also lacked other aspects such as validating authenticity, non-repudiation and accountability. As a result, the company had to go through a data breach when the Secure Sockets Layer (SSL) of the company website was maliciously attacked. The attack led to an outrageous data theft and a loss of the company's valuable insights. Almost all the clients of this company were either directly or indirectly affected by this mishap.
The reputation of the company was severely damaged by this incident. Although the management of the company has been held responsible here, I feel that it was the utmost duty of the regulatory body of the company to have a regular check on the security services of the company in order to maintain the integrity of the cloud services (Lam 2014). At the same time, I also feel that the databases of the company containing the insights of several customers should have been securely encrypted, as the customers are the valuable assets of an
organisation. In addition to all this, if my opinion is taken into consideration, I would say that the company should engage in the implementation of the acceptance and rejection macro options. The macro options on the acceptance side include reduction, compensation and spreading, while the macro options on the rejection side include avoidance, delay and transfer (Mikes and Kaplan 2013).
In order to clearly and properly frame the risk statement for any organisation, it is important to know about the assets, the threats, the vulnerabilities and the mitigation techniques for the risk (Olson and Wu 2015). The assets and the threats in a company such as Reckon Limited lead to the impacts on the organisation, while the vulnerabilities and the mitigation techniques lead to the probability of the threat in the concerned organisation. I feel that in future it will be better for the company to sketch out a matrix in which these attributes of the risks are recorded. Assessment of the risks will enable the company to have a formidable grip on its security configurations and will aid in combating similar situations arising in the future.
Besides assisting on the overall framework of the organisation, a risk management plan also helps the company to determine its risk appetite. Risk appetite, in simple words, can be stated as the amount of risk that a particular organisation is willing to accept in its operational workflow (Paape and Speklè 2012). Further, the risk management plan also helps an organisation to determine the tolerance for each of the risks. Risk tolerance involves the acceptance level of the company, or the level of risk that the company is ready to be exposed to before it decides to take the necessary measures to combat the situation. In my investigation, I found that Reckon Limited failed to determine the risk appetite and the
risk tolerance, and therefore it could not compensate for the negative impacts to which the company was exposed.
The annual turnover of Reckon Limited is fifty million dollars, which clearly shows that the company had enough revenue to invest in the security infrastructure of the organisation (Feng, Wang and Li 2014). However, it refrained from doing so and showed complacency in its approach to mitigating the risks. In order to avoid breakdowns in future, I feel that the regulatory body of Reckon Limited needs to invest in strengthening and expanding its security services. The governing body needs to figure out a strategy by which the security of its SSL deployments can be kept intact. The proper implementation of such a strategy will involve the training and deployment of skilled employees. A separate technical panel should be formed whose objective will be to look after the technical and security requirements of the company from time to time. Additionally, the probability and the impacts of the risks formulated in the risk management process should be analysed and given importance while implementing new technical infrastructure into the system in future (Kutsch et al. 2013).
From the analysis of the several sections presented in this essay, it can be concluded that it is very much essential for organisations to adopt an effective risk mitigation strategy. An effective risk management strategy for organisations related to Information Systems and Information Technology will help them consolidate their business. As I have mentioned above, Reckon Limited was complacent about giving due importance to its information systems, for which it had to go through a series of risks that negatively impacted its performance and reputation. In my opinion, proper formulation of a risk management plan will not only help an organisation become familiar with upcoming risks but will also enable it to maintain the integrity of its workflow.
References
Brender, N. and Markov, I., 2013. Risk perception and risk management in cloud computing:
Results from a case study of Swiss companies. International journal of information
management, 33(5), pp.726-733.
Edwards, P. and Bowen, P., 2013. Risk management in project organisations. Routledge.
Feng, N., Wang, H.J. and Li, M., 2014. A security risk analysis model for information systems:
Causal relationships of risk factors and vulnerability propagation analysis. Information
sciences, 256, pp.57-73.
Järveläinen, J., 2013. IT incidents and business impacts: Validating a framework for continuity
management in information systems. International journal of information management, 33(3),
pp.583-590.
Kutsch, E., Denyer, D., Hall, M. and Lee-Kelley, E., 2013. Does risk matter? Disengagement
from risk management practices in information systems projects. European Journal of
Information Systems, 22(6), pp.637-649.
Lam, J., 2014. Enterprise risk management: from incentives to controls. John Wiley & Sons.
Mikes, A. and Kaplan, R.S., 2013. Towards a contingency theory of enterprise risk management.
Olson, D.L. and Wu, D.D., 2015. Enterprise risk management (Vol. 3). World Scientific Publishing Company.
Paape, L. and Speklè, R.F., 2012. The adoption and design of enterprise risk management
practices: An empirical study. European Accounting Review, 21(3), pp.533-564.
Ross, P. and Blumenstein, M., 2013. Cloud computing: the nexus of strategy and
technology. Journal of Business Strategy, 34(4), pp.39-47.
Schiller, F. and Prpich, G., 2014. Learning to organise risk management in organisations: what
future for enterprise risk management?. Journal of Risk Research, 17(8), pp.999-1017.
Soomro, Z.A., Shah, M.H. and Ahmed, J., 2016. Information security management needs more
holistic approach: A literature review. International Journal of Information Management, 36(2),
pp.215-225.