SP003 Coca Cola Company

Description

In this Performance Task Assessment, you will analyze a case study in order to demonstrate your ability to assess information systems security, legal, and ethical risks and develop plans for mitigating information systems risks. You are strongly encouraged to use the Academic Writing Expectations Checklist when completing this Assessment.

Professional Skill: Written Communication, Critical Thinking and Information Literacy are assessed in this Competency.

Your response to this Assessment should:

  • Reflect the criteria provided in the Rubric.
  • Adhere to the required length.
  • Conform to APA style guidelines. You may use Walden Writing Center’s APA Course Paper Template.

This Assessment requires submission of one file. Save your file as SP003_ firstinitial_lastname (for example, SP003_ J_Smith).

When you are ready to upload your completed Assessment, use the Assessment tab on the top navigation menu.

Part 1:

Select an organization of your choice with which you are familiar, or for which you can find sufficient information about its business information systems. Identify one or more information systems for analysis. The information system(s) should be enterprise-scale and cross-functional, or linked to external suppliers, customers, or partners. For the selected business information system(s), prepare a 3- to 5-page risk management analysis and evaluation that addresses the following. In each section, make sure to support your positions with reasoning, evidence, citations, and references.

  • Identify and describe global and domestic security, legal, and ethical risks related to the selected business information system(s), and their potential impacts. Include financial impacts as well as other types of impacts.
  • Compare and contrast approaches to mitigating or managing the security, legal, and ethical risks you identified. Include at least two approaches to managing each risk.

Part 2:

Read the “Engro Chemicals Pakistan Limited Case Study.” Considering the same organization and business information system(s) you selected above, prepare a 5- to 7-page disaster recovery and business continuity plan that addresses the following. In each section, make sure to support your positions with reasoning, evidence, citations, and references.

  • Identify and evaluate at least two options for disaster recovery. Compare and contrast the strengths and weaknesses of each option (2–3 pages).
  • Using the preferred option(s) from your evaluation, develop a comprehensive plan for disaster recovery and business continuity for the business information system(s) you selected above (3–4 pages).


Unformatted Attachment Preview

9B09E024

ENGRO CHEMICALS PAKISTAN LIMITED — BUSINESS DISASTER OVERCOME

Muntazar Bashir Ahmed wrote this case solely to provide material for class discussion. The author does not intend to illustrate either effective or ineffective handling of a managerial situation. The author may have disguised certain names and other identifying information to protect confidentiality.

Ivey Management Services prohibits any form of reproduction, storage or transmittal without its written permission. Reproduction of this material is not covered under authorization by any reproduction rights organization. To order copies or request permission to reproduce materials, contact Ivey Publishing, Ivey Management Services, c/o Richard Ivey School of Business, The University of Western Ontario, London, Ontario, Canada, N6A 3K7; phone (519) 661-3208; fax (519) 661-3882; e-mail cases@ivey.uwo.ca.

Copyright © 2009, Ivey Management Services Version: (A) 2009-12-14

On October 20, 2007, Ruhail Mohammed, vice-president and chief financial officer (CFO) of Engro Chemical Pakistan Limited (Engro) was preparing his notes to present at the management committee meeting on November 1, 2007. A critical item on the agenda was that on August 19, 2007, a fire in the PNSC building, which housed the Engro head office, had destroyed a substantial portion of the company’s hard-copy records relating to the financial years 2004/05 and 2005/06, as well as the period from January 1, 2007, to August 19, 2007; however, the electronic data had remained largely intact. The end of the company’s financial year was December 31, and the external auditors were due to commence their work in December 2007, as the deadline to publish the annual financial report was February 20, 2008. The company was listed on the Karachi Stock Exchange (KSE) and, being a blue chip company, had informed the stock exchange of the date it would announce its final results for 2007.

Mohammed had to update the management committee on the progress that had been made under a plan according to which the company’s critical accounting and control systems and data would be restored, so as to keep company operations uninterrupted. The auditors had pointed out that, since they had earlier conducted a review of the financial records as of June 30, 2007, they would rely on that work and not need any records for the first six months. Their main focus would be on the second half of the year, and this would require that the company provide them with all the information that they requested in order to form an opinion for the annual audit report. As the records for 2005/06 were also destroyed, they were concerned that the company could be in breach of the statutory provisions in the Companies Ordinance[1] relating to the minimum period that a publicly-listed company’s records were required to be retained. Engro was launching a number of new projects, and the auditors needed to be satisfied that the plans would not be affected by the loss of records. The CFO was confident in the company’s documented disaster recovery plan (DRP) that had been activated, and he felt that matters were under control.

[1] The corporate sector in Pakistan is governed by the Companies Ordinance 1984, which was promulgated on October 8, 1984 and major amendments made via the Companies (Amendment) Ordinance, 2002. The objectives of the Companies Ordinance 1984 were inter alia to consolidate and amend the law relating to companies and certain other associations for the purpose of healthy growth of corporate enterprises, protection of investors and creditors, promotion of investment and development of economy. The detailed provisions of the Companies Ordinance, 1984 sought to meet these objectives and have been amended and updated from time to time to keep in line with the changing circumstances.

This document is authorized for use only in Angela Montgomery's CMBA SP003-Risk Management and Business Information Systems course at Laureate Education - Baltimore, from September 2017 to November 2018.

COMPANY BACKGROUND

Engro Chemical Pakistan Ltd. had been incorporated in 1965 as Esso Pakistan Fertilizer Company Ltd. The core business of Engro was the manufacturing and marketing of fertilizers and it was the second largest producer of urea in the country, which was produced at the plant site in Daharki (a small town 570 kilometers from Karachi). Engro also produced NPK[2] (Zarkhez) at the plant in Port Qasim, a few kilometers from Karachi, and marketed two other brands of fertilizer: MAP under the brand name Zorawar and DAP. Owing to the continuously declining margins in seed business, the management had decided to exit from this business in a phased manner. This demonstrated the management’s proactive business approach of conducting a continuous review of operations and realigning corporate strategy according to changing business dynamics.

During 2007, all of Engro’s businesses grew rapidly. The principal business of the company remained in the manufacturing and marketing of fertilizers. Its joint ventures and subsidiary companies were engaged in a variety of businesses: chemical terminals and storage, PVC resin manufacturing and marketing, control and automation, foods and energy businesses. A brief review of the main business and the new projects underway follows:

The fertilizer sold by the company was of two types:

Urea: During 2007, a total of 4.76 million tons of urea was produced in the country, of which Engro produced 954,000 tons while in the process of further expansion. The urea plant expansion was the largest private sector investment that had been made in the history of Pakistan. In 2007, it was on track for completion in 2010, and with key contracts and financing in place, the construction work had begun.

Phosphates: Engro sales up to the third-quarter of 2007 indicated that it would be in a good position as the market leader, as it expected to capture 35 per cent of the phosphates market for the full year. This fertilizer was imported and its price was susceptible to fluctuations in the international market.

The activities of subsidiary and joint venture companies were as follows:

Engro Polymer & Chemicals Ltd (EPCL): This subsidiary was involved in the manufacturing and sales of poly vinyl chloride (PVC) and was also being expanded: its backward integration project was expected to be completed by mid-2009.

Engro Vopak Terminal Ltd (EVTL): This was a 50:50 joint venture with Royal Vopak of the Netherlands. This subsidiary had commenced building the country’s first cryogenic ethylene storage facility.

Avanceon: Engro owned 63 per cent of Avanceon, which was a leader in industrial automation business. It had acquired facilities in the United States and was in the process of seeking to serve customers as an offshore outsourced vendor.

Engro Foods Limited (EFL): This was a wholly-owned subsidiary of Engro and 2007 was its first complete year of operations. It had continued its expansion by adding to its brand portfolio, milk production and distribution capacity.

Engro Energy (Pvt) Ltd: This was also a wholly-owned subsidiary of Engro and had concluded the formalities to set up an innovative and cost-effective power plant: their target was to add 217 megawatts to the national grid.

Engro Eximp (Pvt) Ltd: This was a wholly-owned subsidiary of Engro and was engaged in the trading of phosphatic fertilizers.

[2] NPK is a fertilizer consisting of nitrogen, phosphorus and potassium.

Engro was publicly listed on the three stock exchanges in Pakistan: Karachi, Lahore and Islamabad. Its earnings had grown steadily over the last 10 years (see Exhibit 1), as shown by the increasing trend in the annual earnings per share (see Exhibit 2). A leading Pakistani business conglomerate known as the Dawood Group (DG) held the majority 42 per cent of shares in Engro, while the ownership of Engro employees and employee trust shareholding was eight per cent. Engro’s board of directors comprised five members from its own management: two from DG and three other non-executive directors (see Exhibit 3). During 2006, Hussain Dawood, chairman of DG, was elected as the chairman of Engro. The association of DG, which also owned other chemical businesses, had augmented the capacity of the board to guide the management in formulating its long-term strategy.

MANAGEMENT

The company was managed through the following principal management committees:

Board Compensation Committee: This committee was responsible for reviewing and recommending all the elements of compensation, organization and employee development policies relating to the executives and approving all matters relating to remuneration of executive directors and members of the management committee. This committee (see Exhibit 3) consisted mainly of non-executive directors and had met four times during 2007.

Board Audit Committee: This committee consisted of four independent non-executive directors (see Exhibit 3). The chief executive officer (CEO) and the CFO only attended if they were invited. As part of its work, the committee met with the external auditors at least once per year. During 2007, this committee had met seven times and had been informed by the CFO of the data loss the company had incurred, and that the DRP was being implemented.

In addition, the following committees were set up at the operational level and functioned in advisory capacity in order to provide recommendations to the CEO relating to business and employee matters.

Corporate HSE Committee: This committee was responsible for providing leadership and strategic guidance on all health, safety and environment (HSE) improvement initiatives and was responsible for monitoring compliance against regulatory standards and selected international benchmarks.

Management Committee: This committee was responsible for reviewing and endorsing long-term strategic plans, capital and expenses budgets, development and stewardship of business plans and reviewing the effectiveness of the risk management processes and the system of internal control (see Exhibit 3).

COED Committee: This committee was responsible for the review of compensation, organization and employee development (COED) matters for all employees excluding directors and executives.

BUSINESS RISKS

During 2007, the management committee undertook a review of the major financial and operating risks faced by the company. Internal controls were recognized by the company as being an important responsibility of the board of directors. As no system could be totally risk-free, the company recognized that the system of controls was there to minimize risk of material misstatement or loss, but could not eliminate it completely. The detailed design and operation of the system of internal control had been delegated to the CEO while the board retained the overall responsibility of the risks involved.

The control framework consisted of:

  • Clear organization structure;
  • Established authority limits and accountabilities;
  • Well-understood policies and procedures;
  • Budgeting and review processes.

The external and internal auditors’ reports were received by the board audit committee (BAC), and the managing committee reviewed the processes and ensured that the controls were effective.

BUSINESS CONTROL SYSTEMS

Engro’s business transaction data processing and communications was based on using information technology (IT) resources at two locations:

1. Head office in PNSC Building at Karachi.
2. Plant site at Daharki, which was 570 kilometers away.

All systems were linked so that the IT applications installed on servers in the head office were being accessed by users at various locations:

  • Daharki plant;
  • Zarkhez plant at Port Qasim;
  • Other regional offices.

IT INFRASTRUCTURE AT HEAD OFFICE

The IT assets at the head office consisted of computer equipment linked via an online data communication network on which different application systems were being used. The company staff occupied three floors, in the multistory PNSC building, and computer users were spread over all three floors. Computing equipment on each of these floors was connected by means of a fibre optics backbone and each floor had its own network control equipment such as switches. The head office was also connected to different locations through a wide area network (WAN) (see Exhibit 4).
The details of these links for various locations were as follows:

  • 256 kilobits per second (kbps) DXX[3] link with plant site at Daharki;
  • 64 kbps radio link with Zarkhez plant at Port Qasim;
  • 64 kbps DXX link with regional office at Multan;
  • 64 kbps DXX link with regional office at Hyderabad;
  • 64 kbps data link with regional office at Lahore.

The server room was on the seventh floor where all communication links terminated onto the central router in that room. Engro’s two joint venture companies EPCL and EVTL had their head offices close to Engro in the Bahria Complex[4]. Systems of these two companies were also connected with the Engro network by a digital subscriber line (DSL) link through a firewall mainly for exchanging e-mails with Engro and to access the Internet. There were two Internet connections: one with the Internet service provider (ISP) CyberNet over radio link for Internet bound e-mails and connectivity with Lahore regional office, the other based on DSL technology with the ISP Multinet and being used for Internet traffic. A firewall was used to protect Engro’s network from various Internet threats.

The following Engro communication and financial application systems were located at the head office:

  • Lotus Notes-based e-mail system;
  • MIDAS system for sales;
  • SAP ERP system (see Exhibit 5) for accounting transactions.

IT INFRASTRUCTURE AT DAHARKI PLANT

All the key buildings at the Daharki plant were connected through optical fibre backbone and each building had its own network equipment. All servers were located in a server room which was located in the administration building. The Daharki network was connected to the head office network by a data communication link. This link was based on DXX technology and consisted of a last mile radio link between the plant and the local Daharki telephone exchange. The staff at the Daharki plant connected to the router in the server room over dial-up telephone lines to access the Internet.

[3] Digital cross-connect: A network device used by telecom carriers and large enterprises to switch and multiplex low-speed voice and data signals onto high-speed lines and vice versa. It is typically used to aggregate several T1 lines into a higher-speed electrical or optical line as well as to distribute signals to various destinations; for example, voice and data traffic may arrive at the cross-connect on the same facility, but be destined for different carriers. Voice traffic would be transmitted out one port, while data traffic goes out another. Cross-connects come large and small, handling only a few ports up to a few thousand. Narrowband, wideband and broadband cross-connects support channels down to DS0, DS1 and DS3 respectively.

[4] Bahria Complex was a set of office buildings, owned by the Pakistan Navy, in which various companies had rented space for their offices.

APPLICATION SYSTEMS AT HEAD OFFICE

E-mail Setup

Engro’s e-mail system was based on IBM’s Lotus Domino technology, and Lotus Notes was used as a front-end client to access the e-mail server (see Exhibit 4). Users in the Karachi office, Zarkhez plant and all the regional offices except the Daharki region accessed the e-mail server in the head office. The head office server was connected to the e-mail server in Daharki over a wide area network (WAN). It was also connected to EVTL and EPCL’s e-mail servers over a DSL-based virtual private network (VPN) link. All Internet e-mails for Engro Karachi staff, plant staff at Daharki and regional office users EVTL, EPCL and EFL were received by the head office server through a firewall. Similarly, all outgoing e-mails were sent to the relay server by the e-mail server at the head office.
The Engro infrastructure was used by a number of subsidiaries to route their business communications.

MIDAS Setup

MIDAS was an in-house application developed using Oracle Developer, linking to the back-end Oracle database. MIDAS used two servers in the head office: an application server and a database server. The head office users accessed the database server through the Oracle client directly while all remote users (regional offices and Zarkhez plant staff) accessed MIDAS through the application server via an Internet browser. There was one MIDAS server at the plant, which was accessed by the plant distribution department for the detailing of urea orders to the truckers and for processing their invoices.

Key activities performed by different users through MIDAS at the head office were the following:

  • Master data (new-product setup, urea pricing);
  • Bank guarantee handling;
  • Management of dealers account;
  • Payroll allowance entry;
  • Product shipment from the port and Zarkhez plant;
  • Monthly closing.

All information entered in the head-office MIDAS server was automatically replicated to the plant MIDAS server using a replication feature created by Oracle. Similarly, any information entered at the plant (such as trucker detailing, etc.) was replicated to the head-office MIDAS database server automatically.

SAP Setup

SAP was being used by the finance and human resource (HR) sections at the head office and by the Industrial Relations Department at the plant to facilitate their operational needs (see Exhibit 5). Only two modules of SAP — namely HR and financial control (FICO) — were in use on the Red Hat Linux Advanced Server operating system.
The following key tasks were performed using SAP at head office:

  • Accounts payable (invoice processing, payments, vendor payment, cash receipts, cheque printing);
  • General ledger;
  • Financial control;
  • Asset management;
  • Payroll processing (all Engro employees);
  • Compensation and benefit administration (all Engro employees).

APPLICATION SYSTEMS AT PLANT

The applications installed on servers at the Daharki plant were accessed mainly by users at the plant, consisting of the following systems:

  • MAXIMO computerized maintenance management system (CMMS), also used by the purchasing section at the head office.
  • MIDAS sales and distribution system which was used to update the shipments of goods and other related information.
  • E-mail systems.

MAXIMO SETUP

MAXIMO was a state of the art CMMS software system used by various organizations worldwide for computer-based maintenance management: this system was installed at the Engro plant. The main modules that were used kept a detailed record of company assets, controlled the use of the stores and spares inventories and assisted in purchasing functions. The manufacturing division located at the plant and the purchasing section located at the head office used this software extensively. All other departments that used MAXIMO were at the plant: maintenance, operations and technology and the warehouse section.

DISASTER RECOVERY PLAN

As the August 2007 fire at Engro head office had spread very quickly, it destroyed everything, including all desktop computers and high-performance servers that contained daily business transaction data. Earlier in 2005, as part of a risk mitigation effort, the IT department had developed a DRP to recover from a disaster (see Exhibit 6).
In accordance with the DRP instructions, the plan was activated by Mohammed on August 20, as the company senior management realized that quick actions were required by all concerned.

TEMPORARY OFFICES

The IT department consisted of two sections, each with its own particular skill: one section was dedicated to managing the IT infrastructure, and the other consisted of functional specialists dealing with information systems (IS) applications (SAP, MAXIMO and MIDAS). The DRP required that the recovery site be at the Daharki plant, where spare servers similarly configured to the destroyed servers had been kept for use in an emergency. Management revised the plan, however, by deciding to use the following four locations:

1. Engro guest houses in Karachi: There were two guest houses, one of which became a base for HR functions and the executives, while the other became a temporary base for accounting and other transactional functions.
2. Engro plant at Daharki: The sales accounting staff that used the internally-developed MIDAS system were moved there as the complete backup of MIDAS and the necessary computing capacity was already in place.
3. Engro Polymer offices at the Bahria building in Karachi: The backup servers kept at Daharki, with SAP software already installed, were brought to the Bahria building in order to set up the critical accounting systems. The related staff were also shifted to the offices of this subsidiary company. As there was a computing infrastructure already available, Engro’s e-mail system was expected to become functional quickly, establishing all communication as before.

The IT infrastructure staff then had to make sure that adequate computing facilities were available.
This was a monumental task, as sophisticated servers and other peripherals were required quickly. They asked their key vendor Inbox Business Technologies (Pvt) Limited (Inbox) for assistance and Inbox staff worked closely with Engro IT staff to reestablish the infrastructure. The Inbox team ensured timely and swift delivery of the required services, workstations, laptops, low-end servers, wireless LAN/WAN, uninterruptible power supplies (UPS), printers and other necessary products.

DATA RECOVERY

The Engro core accounting system consisted of the following:

1. Three modules of SAP (HR, financial accounting (FI) and controlling (CO), the last two jointly referred to as FICO);
2. The MIDAS system;
3. The MAXIMO system.

The top priority was to make all the SAP modules operational on the backup servers at the Engro Polymer offices in Karachi. The sales system, MIDAS, was being operated from the plant in Daharki where all the head office sales staff had relocated. MAXIMO was located at the plant and had not been affected by the disaster.

The backup regime for SAP applications data had consisted of saving copies of the data on a weekly, monthly and annual basis using tapes that were stored at an off-site location. The data was also backed up on tapes by the IT staff on a daily basis and kept in the head office in a fire-proof storage cabinet. On a weekly basis, the tape relating to the last business day in the week was sent off-site for storage. The daily backup was destroyed as it was in the head office building. Some data relating to a short period of time was also lost due to corruption of weekly data tapes, and this had to be carefully identified and recreated.

The MIDAS sales system was installed at the head office and at Daharki.
The backup regime, in addition to daily, weekly and monthly tape backups, included the data synchronization between head office and Daharki servers using Oracle’s replication feature, so that there was complete backup available at both locations. Hence the sales staff were sent to Daharki to use the MIDAS system from there.

Accounting records that were destroyed included the physical records such as vendor invoices, contracts and working papers. Engro used an outsourced service provider for processing the share and corporate secretarial records, therefore protecting that information.

After setting up temporary offices, the company then launched an initiative to recreate significant lost records for the period January 1, 2007, onwards.

EXTERNAL AUDIT

The external auditors were due to carry out their final audit checks in December, and the senior accounts advisor Farhan Akram, who was in charge of recreating the documents related to SAP, was confident that the documents supporting the transactions data for the period of January to August 19, 2007 would be fully recreated. He had split his finance team located at the guest house into two sections:

1. Day to day accounting staff: The ongoing daily business transactions related to accounting of sales and purchases were processed on the reinstalled systems, including MIDAS, MAXIMO and SAP. This was facilitated by the reestablished electronic links, e-mail and Internet in the Bahria building office. As the systems were not fully integrated, their restart and recovery was simpler than if all the systems had been integrated.
2. Data recreation staff: One of the leading public accounting firms was hired to provide temporary accounting staff who had four to five years of training experience.
This staff was given the specific task of reconciling duplicate invoices received from all major vendors. Once the veracity had been thoroughly checked, the documents were passed on to Engro employees for entry into the SAP modules. Similarly, the payment records for the lost data were obtained from the banks that were used for payment, and after checking and reconciling this data, the payments were entered in the systems.

Data had to be recreated only for SAP applications, and that too was facilitated as the company was able to obtain the records from its banks. The company found the process of generating document records to be a tedious and time-consuming task requiring external resources, and it was therefore decided that only the current year’s data needed to be recreated, as it was necessary for the year’s audit. The company felt that there would be no purpose in incurring a huge cost for regenerating physical documents, as the prior years’ records had been audited and the data was safe in electronic form. The company had also informed their taxation office, the Large Taxpayers Unit, of the fire and its consequences.

The auditors insisted that the physical records for 2005 and 2006 would be required, as Companies Ordinance stipulated that data must be kept for 10 years. They said that a qualified audit opinion stating noncompliance with the statutory regulations related to historic data would be given.

CORPORATE GOVERNANCE AT ENGRO

In its draft annual report for 2007, the company intended to include the compliance statement required for statutory purposes. This specifically addressed the following areas:

Risk Management Process

In 2007, a major review of the financial and operating risks facing the company was undertaken by the management committee. As soon as the fire broke out and it was clear that the office accounting records would be destroyed, the company activated its DRP, which was developed by the IT section in 2005.

Internal Control Framework

The board audit committee received the reports on the system of internal controls from the external and internal auditors, and also reviewed the process of monitoring the internal controls. The internal audit function carried out reviews on the financial, operational and compliance controls, and reported the findings to the CEO and divisional management. The annual internal audit program was based on an annual risk assessment of the operating areas. The board audit committee approved the audit program and, during the year, it received reports related to all material issues which were discovered. There was a company-wide policy regarding approval of investment expenditure and asset disposals, and post-completion reviews were performed on all material investment expenditure.

CONCLUSION

Mohammed assessed the situation and started writing his report for the meeting. It began, “All computers and the data on them in the head office was destroyed and the company has had to rely on backup copies of the data.” Mohammed related the following data recreation steps:

  • A core team had been formed which analyzed gaps in the electronic data.
  • Help had been obtained from a public accounting firm, which provided temporary accounting staff.
  • Banks, through which payments had been made, were approached to obtain copies of their records.
  • All key vendors had been asked to send duplicate invoices.
  • Data consisting of the necessary details was being re-entered into the related SAP modules based on the cut-off date.

The meeting of the management committee on November 1 was the regularly scheduled meeting, but Mohammed knew that all senior management was concerned over the tremendous loss of entire office facilities and that they were scrutinizing the progress of data recovery. He felt that simply focusing on the accounting data was inadequate, as the destruction had been catastrophic and the entire office had been destroyed.

The board audit committee had suggested that Mohammed start working to create comprehensive security policies to manage all kinds of business risk. The DRP was related to the IT section only, and it was clear that the plan would need to be revised to cover other areas of business operations. Mohammed wanted to address the various aspects of how the DRP was to be converted into a business continuity plan. He was writing a brief report on the steps that had been taken and those that were planned. A new office building had been chosen, and alterations to meet Engro’s requirements were to begin: Mohammed wanted to list the key risk factors that had to be met by the new office building.
Exhibit 1

ENGRO CHEMICAL PAKISTAN LIMITED: RECENT PERFORMANCE (in millions of rupees)

Period: Half Year 2007, 2006, 2005, 2004, 2003, 2002, 2001, 2000

Net sales revenue: 9,031 17,602 18,276 12,798 11,884 10,620 8,006 8,080
Operating profit: 1,230 2,756 2,641 2,233 2,534 2,327 1,736 1,914
Profit before tax: 997 3,445 3,220 2,315 2,323 1,836 1,191 1,350
Profit after tax: 650 2,547 2,319 1,611 1,557 1,133 1,064 1,126
Employee costs: 950 804 795 749 673 594 544
Taxes, duties and development surcharge: 4,633 4,168 3,911 3,457 3,062 2,266 1,762
Workers funds: 251 215 156 168 113 69 71

Assets and Liabilities

Property, plant and equipment 10,770 Capital expenditure 6,318 6,351 391 377 6,492 520 - 6,648 370 6,865
6,643 6,462 823 - 435 - 578 --
Long-term investments: 5,056 1,480 748 85
Long-term liabilities: 8,840 1,800 2,890 2,580 3,236 3,323 2,992 3,070
Net current assets: 1,871 2,042 2,211 1,618 1,796 1,252 1,194 993
Shareholders’ funds: 8,248 9,370 7,376 6,586 6,199 5,817 5,727 5,582

Dividends And Shares

Shares at year-end (millions): na 168 153 153 153 139 139 121
Dividend per share (rupees): na 9.0 11.0 8.5 8.0 7.5 7.5 7.0
Dividend payout ratio: na 59% 73% 81% 79% 92% 98% 75%
Bonus shares: na 0 0 0 0 10% 0% 15%

Engro urea production (thousands of metric tons): na 969 912 870 955 852 790 808
Engro urea sales (thousands of metric tons): na 945 890 891 930 846 779 800
Zarkez/ Engro NP (thousands of metric tons): na 108 157 121 72 73 31 0

Source: Company financial statements.

Exhibit 2

ANNUAL EARNINGS PER SHARE (Amount in rupees)

Year: Earnings per share, Dividend per share

2004 (restated): 10.12, 8.50
2005 (restated): 13.82, 11.00
2006 (restated): 15.13, 9.00
2007 (restated): 16.51, 7.00

Source: Company records.
Exhibit 3

PRINCIPAL BOARD COMMITTEES AND MEMBERS

Name, Title

Hussain Dawood Chairman
Non-executive director Non-executive director Non-executive director Chief executive officer Non-executive director Non-executive director
Shabbir Hashmi Arshad Nasar Asad Umar Shahzada Dawood Isar Ahmad

Board Compensation Committee Member
Board Audit Committee Member Member Member Member Member Member Member

Source: Company records.

Exhibit 3 (continued)

PRINCIPAL OPERATION COMMITTEES AND MEMBERS

Name, Title in Engro

Asad Umar Chief executive officer
Asif Qadir Khalid S. Subhani Senior vice-president Senior vice-president - manufacturing Senior vice-president General manager - marketing General manager Legal and company secretary Vice-president Vice-president
Khalid Mansoor Khalid Mir Andalib Alavi S. Imran ul Haq Syed Ahsan Uddin Sarfaraz A. Rehman Ruhail Mohammed Asif Tajik Imranullah Naveed Khan Tahir Jawaid
Chief executive officer - Engro Foods Limited Chief financial officer General manager manufacturing - Daharki General manager of expansion project General manager - Human resources and public affairs

Management Committee Member (chairman) Member Member
Corporate HSE Committee Member
COED Committee Member Member Member Member Member Member Member Member Member Member Member Member Member Member Member Member Member Member Member Member Member Member Member Member Member Member Member Member Member Member Member

Source: Company records.
Exhibit 4

SYSTEMS INFRASTRUCTURE NETWORK AT HEAD OFFICE

MIDAS

Exhibit 4 (continued)

EMAIL AT HEAD OFFICE

Source: Company records.

Exhibit 5

SAP MODULES: FI AND CO

The SAP FI module has the capability of meeting all the accounting and financial needs of an organization. It is within this module that financial managers as well as other managers within your business can review the financial position of the company in real-time, as opposed to legacy systems, which often require overnight updates before financial statements can be generated and run for management review. The real-time functionality of the SAP modules allows for better decision-making and strategic planning.

The FI module integrates with other SAP modules such as materials management, production planning, sales and distribution, plant maintenance and project systems. The FI Module also integrates with HR, which includes personnel management, time management, and travel management. Payroll transactions occurring within the specific modules generate account postings via account determination tables.

The FI Module Components

The FI Module comprises several sub-modules as follows:

  • Accounts receivables;
  • Accounts payable;
  • Asset accounting;
  • Special purpose ledger;
  • Travel management;
  • Bank accounting;
  • Consolidation;
  • Funds management;
  • General ledger.

The SAP CO module provides supporting information to management for the purpose of planning, reporting and monitoring the operations of their business.
Management decision-making can be achieved with the level of information provided by this module. Components of the CO module are as follows:

  • Cost element accounting;
  • Cost centre accounting;
  • Internal orders;
  • Activity-based costing (ABC);
  • Product cost controlling;
  • Profitability analysis;
  • Profit centre accounting.

Note: The above exhibit lists all the functionality of SAP, not all of which was being used by Engro.

Source: SAP literature.

Exhibit 6

EXTRACT FROM THE IT DISASTER RECOVERY PLAN

1.2 Objective:

The primary objective of this Disaster Recovery Plan (DRP) is to document the various recovery steps to be followed in order to resume key IT operations as quickly as possible, in the following scenarios:

  1. Disaster at head office (making the location unavailable for use)
  2. Disaster at Daharki server room / administration building (making the Daharki (DHK) IT setup unavailable for use)

1.3 Scope:

The DRP acts as a working document in the event of the above-mentioned disaster scenarios and provides specific routines for action that will assist in the early and effective response to disaster(s). This document does not provide any plans for:

  • The recovery of business functions / operations other than IT

Circumstances that produce the following results shall indicate a disaster situation for Engro:

  - Non-availability of MIDAS at Karachi or Daharki for one week
  - Non-availability of MAXIMO at Karachi or Daharki for one week
  - Non-availability of SAP for one week

Engro IT DRP (extracts)

Assumption: Head office building is not available for use as a result of a disaster (such as a fire incident, an earthquake or an act of terrorism).

Key points of the plan:

  1. DHK plant site shall be used as recovery site for IT applications.
  2. Only MIDAS, MAXIMO and SAP applications shall be made available to the organization for usage at the recovery site.
  3. Key users of SAP, MIDAS and MAXIMO shall move to the DHK recovery site.
  4. An IT recovery team will be formed that will supervise all DRP related activities.
  5. SAP recovery team shall be responsible for the recovery of SAP.
  6. MIDAS recovery team shall be responsible for the recovery of MIDAS.
  7. The following measures have been taken to minimize the recovery time:
     a. Spare servers have been placed at the DHK plant site in the security building outside plant (to be used to recover SAP, MIDAS and MAXIMO).
     b. Complete backup of SAP (FICO and HR modules) and MIDAS system is sent to recovery site on tape cartridges on a weekly basis.

Limitations:

  1. No e-mails within as well as outside the organization for head office, Zarkhez plant and all regional office users (excluding DHK).
  2. No Internet e-mail exchange for DHK, EFL project site, SUK (Engro Foods plant at Sukkur), EVTL, EPCL and regional office DHK users.

Exhibit 6 (continued)

Invoking the Plan:

Following Individuals are authorized to invoke the IT services recovery plan in case of disaster at head office:

  1. Chief Executive Officer Engro
  2. GM Finance & IT Engro

IT Recovery Team:

IT Recovery team primarily shall be responsible to:

  • Review the action plan given in manual and to make necessary amendments if deemed necessary before its commencement.
  • Review the project progress and to take necessary corrective actions.

The IT Recovery Team shall consist of the following individuals:

  1. GM Finance, Team Leader
  2. I & E Manager – DHK, Member
  3. Admin Manager – KHI, Member
  4. Admin Manager – DHK, Member
  5. IT Coordinator, Secretary
  6.

(IS Advisor shall be the IT Coordinator. His backup would be Systems Officer – DHK)

MIDAS Recovery:

  1. MIDAS shall be available at recovery site (DHK) only, therefore, all key users from KHI and regional offices shall move to DHK.
  2. Each regional office (except DHK) shall send one Office Assistant to recovery site to do all the data entry for his region.
  3. As soon as MIDAS is available to users at recovery site, they will run the relevant reports from the list in Appendix II to find out the last document entered in the system. All missing documents will have to be re-entered.
  4. Regional office shall send all the documents (such as Customer orders, PER, PDAs, Payment Instruments – DDs etc) to the recovery site at DHK.
  5. Required MIDAS reports shall be either faxed or couriered to regional office.

The MIDAS Recovery Team shall be responsible to start the MIDAS related operations as quickly as possible.

SAP Recovery:

One server for SAP recovery has been placed at plant site – DHK. Complete backup of SAP server in head office is sent to DHK on tape cartridge on weekly basis (Every Monday). In order to give the latest data to the SAP users, the SAP data from the weekly tape cartridge (at DHK) shall be uploaded to the SAP recovery server. SAP client shall be installed on PCs to enable the access to SAP recovery servers. All SAP users shall run the relevant reports to find out the last document / vouchers (such as vendor payment etc) available in the system.

Source: Company records.

Academic Writing Expectations Checklist

The faculty Assessor will use this checklist to evaluate whether your written responses adhere to the conventions of scholarly writing. Review this checklist prior to submitting your Assessment to ensure your writing follows academic writing expectations.
Click the links to access Writing Center resources:

Sentence-Level Skills

  • Constructing complete and correct sentences. Note: See an explanation of sentence components and how to avoid sentence fragments and run-ons.
  • Using and spelling words correctly. Note: See a list of commonly misused words and information on MS Word’s spell check.
  • Using punctuation appropriately. Note: See the different types of punctuation and their uses.
  • Using grammar appropriately. Note: See a Grammarly tutorial to catch further errors.

Paragraph-Level Skills

  • Using paragraph breaks. Note: See a description of paragraph basics.
  • Focusing each paragraph on one central idea (rather than multiple ideas). Note: See an explanation of how topic sentences work.

Use of Evidence

  • Using resources appropriately. Note: See examples of integrating evidence in a paper.
  • Citing and referencing resources accurately. Note: See examples of citing and referencing resources in a paper.
  • Paraphrasing (explaining in one’s own words) to avoid plagiarizing the source. Note: See paraphrasing strategies.

Formatting Written Assignments

  • Using appropriate APA formatting, including title page, margins, and font. Note: See APA overview and APA template from the Writing Center.

Comments:

©2014 Walden University

SP003: Risk Management and Business Information Systems

Competency Statement: Assess information systems security, legal, and ethical risks and develop plans for mitigating information systems risks.

Assessment Rubric

Rating levels: 0 Not Present; 1 Needs Improvement; 2 Meets Expectations; 3 Exceeds Expectations

Part I: Risk Management and Analysis and Evaluation

Sub-Competency 1: Identify and describe business information systems security, legal, and ethical risks and their potential impact on organizations.

Learning Objective 1.1: Identify and describe global and domestic security, legal, and ethical risks in business information systems management.

  0 Not Present: Identification and description of security, legal, and ethical risks in business information systems management is missing.
  1 Needs Improvement: Response provides a vague or partial description of security risks, legal risks, and/or ethical risks. Response is not supported by academic/professional resources or the resources are not relevant.
  2 Meets Expectations: Response provides a clear and complete description of at least two security risks, at least two legal risks, and at least two ethical risks. Response is supported by relevant academic/professional resources.
  3 Exceeds Expectations: Response demonstrates the same level of achievement as “2,” plus the following: The risks identified are further justified with evidence and supportive reasoning explaining why they are more important than other risks not selected.

Learning Objective 1.2: Describe the potential impacts of security, legal, and ethical risks.

  0 Not Present: Description of the potential impacts of security, legal, and ethical risks is missing.
  1 Needs Improvement: Response provides a vague or partial description of potential impacts. Response is not supported by academic/professional resources or the resources are not relevant.
  2 Meets Expectations: Response provides a clear and complete description of at least one potential impact for each risk identified. Response is supported by relevant academic/professional resources.
  3 Exceeds Expectations: Response demonstrates the same level of achievement as “2,” plus the following: The impacts described are further justified with evidence and supportive reasoning explaining why they are more significant than other impacts not selected.

Sub-Competency 2: Evaluate approaches for managing business information systems risks.

Learning Objective 2.1: Identify and describe approaches to mitigating security, legal, and ethical risks.

  0 Not Present: Identification and description of the approaches to mitigating security, legal, and ethical risks is missing.
  1 Needs Improvement: Response provides a vague or partial description of approaches to mitigating security risks, legal risks, and ethical risks. Response is not supported by academic/professional resources or the resources are not relevant.
  2 Meets Expectations: Response provides a clear and complete description of at least two approaches each to mitigating security risks, legal risks, and ethical risks. Response is supported by relevant academic/professional resources.
  3 Exceeds Expectations: Response demonstrates the same level of achievement as “2,” plus the following: The approaches identified are further justified with evidence and supportive reasoning explaining why they are more effective than other approaches not selected.

Learning Objective 2.2: Evaluate and compare approaches to mitigating security, legal, and ethical risks.

  0 Not Present: Evaluation and comparison of the approaches is missing.
  1 Needs Improvement: Response provides a vague or partial evaluation and comparison of approaches to mitigating security risks, legal risks, and ethical risks. Response is not supported by academic/professional resources or the resources are not relevant.
  2 Meets Expectations: Response provides a clear and complete evaluation and comparison of at least two approaches each to mitigating security risks, legal risks, and ethical risks. Response is supported by relevant academic/professional resources.
  3 Exceeds Expectations: Response demonstrates the same level of achievement as “2,” plus the following: Response includes recommendations for implementing the approaches and suggestions and overcoming potential obstacles and threats to their implementation.

Part II: Disaster Recovery and Business Continuity Planning

Sub-Competency 3: Develop plans for disaster recovery and business continuity.

Learning Objective 3.1: Evaluate options for disaster recovery and business continuity.

  0 Not Present: The evaluation of options for disaster recovery and business continuity is missing.
  1 Needs Improvement: Response provides a vague or partial evaluation and comparison of options for disaster recovery and business continuity. Response is not relevant to the business case presented. Response is not supported by academic/professional resources or the resources are not relevant.
  2 Meets Expectations: Response provides a clear and complete evaluation and comparison of at least two options each for disaster recovery and business continuity. Response is relevant to the business case presented. Response is supported by relevant academic/professional resources.
  3 Exceeds Expectations: Response demonstrates the same level of achievement as “2,” plus the following: The options identified are further justified with evidence and supportive reasoning explaining why they are more effective than other options not selected.

Learning Objective 3.2: Develop a plan for disaster recovery and business continuity.

  0 Not Present: The plan for disaster recovery and business continuity is missing.
  1 Needs Improvement: Response provides a vague or partial description of the options chosen or a superficial description of how they will be implemented. Response is not relevant to the business case presented. Response is not supported by academic/professional resources or the resources are not relevant.
  2 Meets Expectations: Response provides a clear and complete plan describing the options chosen and detailing how they will be implemented. Response is relevant to the business case presented. Response is supported by relevant academic/professional resources.
  3 Exceeds Expectations: Response demonstrates the same level of achievement as “2,” plus the following: Response includes recommendations for implementing the plan and overcoming potential obstacles and threats to its implementation.

PS001: Written Communication: Demonstrate graduate-level writing skills.

Learning Objective PS 1.1: Use proper grammar, spelling, and mechanics.

  0 Not Present: Multiple major and minor errors in grammar, spelling, and/or mechanics are highly distracting and seriously impact readability.
  1 Needs Improvement: Multiple minor errors in grammar, spelling, and/or mechanics are distracting and negatively impact readability.
  2 Meets Expectations: Writing reflects competent use of standard edited American English. Errors in grammar, spelling, and/or mechanics do not negatively impact readability.
  3 Exceeds Expectations: Grammar, spelling, and mechanics reflect a high level of accuracy in standard American English and enhance readability.

Learning Objective PS 1.2: Organize writing to enhance clarity.

  0 Not Present: Writing is poorly organized and incoherent. Introductions, transitions, and conclusions are missing or inappropriate.
  1 Needs Improvement: Writing is loosely organized. Limited use of introductions, transitions, and conclusions provides partial continuity.
  2 Meets Expectations: Writing is generally well-organized. Introductions, transitions, and conclusions provide continuity and a logical progression of ideas.
  3 Exceeds Expectations: Writing is consistently well-organized. Introductions, transitions, and conclusions are used effectively to enhance clarity, cohesion, and flow.

Learning Objective PS 1.3: Apply APA style to written work.

  0 Not Present: APA conventions are not applied.
  1 Needs Improvement: APA conventions for attribution of sources, structure, formatting, etc., are applied inconsistently.
  2 Meets Expectations: APA conventions for attribution of sources, structure, formatting, etc., are generally applied correctly in most instances. Sources are generally cited appropriately and accurately.
  3 Exceeds Expectations: APA conventions for attribution of sources, structure, formatting, etc., are applied correctly and consistently throughout the paper. Sources are consistently cited appropriately and accurately.

Learning Objective PS 1.4: Use appropriate vocabulary and tone for the audience and purpose.

  0 Not Present: Vocabulary and tone are inappropriate and negatively impact clarity of concepts to be conveyed.
  1 Needs Improvement: Vocabulary and tone have limited relevance to the audience.
  2 Meets Expectations: Vocabulary and tone are generally appropriate for the audience and support communication of key concepts.
  3 Exceeds Expectations: Vocabulary and tone are consistently tailored to the audience and effectively and directly support communication of key concepts.

PS005: Critical Thinking and Problem Solving: Use critical-thinking and problem-solving skills to analyze professional issues and inform best practice.

Learning Objective PS 5.1: Analyze assumptions and fallacies.

  0 Not Present: Analysis of assumptions is missing.
  1 Needs Improvement: Response is weak in assessing the reasonableness of assumptions in a given argument. Response does not adequately identify and discuss the implications of fallacies or logical weaknesses in a given argument.
  2 Meets Expectations: Response generally assesses the reasonableness of assumptions in a given argument. Response identifies and discusses the implications of fallacies and/or logical weaknesses in a given argument.
  3 Exceeds Expectations: Response clearly and comprehensively assesses the reasonableness of assumptions in a given argument. Response provides a detailed and compelling analysis of implications of fallacies and logical weaknesses in a given argument.

Learning Objective PS 5.2: Generate reasonable and appropriate assumptions.

  0 Not Present: Assumptions are missing.
  1 Needs Improvement: Response does not adequately present and discuss key assumptions in an original argument.
  2 Meets Expectations: Response presents and discusses key assumptions in an original argument.
  3 Exceeds Expectations: Response justifies the reasonableness and need for assumptions in an original argument.

Learning Objective PS 5.3: Assess multiple perspectives and alternatives.

  0 Not Present: Assessment of multiple perspectives is missing.
  1 Needs Improvement: Response does not identify nor adequately consider multiple perspectives or alternatives.
  2 Meets Expectations: Response identifies and considers multiple perspectives and alternatives.
  3 Exceeds Expectations: Response justifies selection of chosen alternative relative to others.

Learning Objective PS 5.4: Use problem-solving skills.

  0 Not Present: Problems and solutions are not identified.
  1 Needs Improvement: Response presents solutions, but they are ineffective in addressing the specific problem.
  2 Meets Expectations: Response presents solutions that are practical and work in addressing the specific problem.
  3 Exceeds Expectations: Response presents compelling supporting arguments for proposed solutions.

PS006: Information Literacy: Apply appropriate strategies to identify relevant and credible information and data in order to effectively analyze issues and make decisions.

Learning Objective PS 6.1: Identify credible sources.

  0 Not Present: Credible sources are missing.
  1 Needs Improvement: Some sources are credible, appropriate, and relevant to the topic.
  2 Meets Expectations: Most sources are credible, appropriate, and relevant to the topic.
  3 Exceeds Expectations: All resources are credible, appropriate, and relevant to the topic.

Learning Objective PS 6.2: Analyze findings from relevant sources.

  0 Not Present: Analysis is missing.
  1 Needs Improvement: Analysis superficially reflects relevance of findings to the identified problem, issue, or purpose.
  2 Meets Expectations: Analysis clearly reflects relevance of findings to the identified problem, issue, or purpose.
  3 Exceeds Expectations: Analysis clearly reflects relevance of findings to the identified problem, issue, or purpose, and synthesizes findings to generate new insights.

©2015 Walden University

Explanation & Answer

Attached.

OUTLINE
INTRODUCTION
BODY
CONCLUSION


Running Head: COCA-COLA


Information System Analysis in Coca-Cola Company

Student’s Name

Institution Affiliation

Date


PART ONE

Coca-Cola Company Suffers Significant Global, Local, Ethical and Legal Risks.
Over the last few years, the Coca-Cola Company has undergone a major cyber
breach. The attacks are maximizing in effect and are taken mainly by experienced attackers that
sometimes have access to the organization’s information system with the help of third parties. These
hackers harm the company business and cause significant operational, financial and brand damage. As
one of the most significant bottling operations in the Coca-Cola structure, the information security
department holds positions in some of the highest-risk markets, which include India and China. It is therefore
authoritative for the department to continue tackling this problem across the whole enterprise and
utilize a wide-ranging method to create common and workable safety resolutions across the bottling
system. The company is not immune to both domestic and global threats even though their principal
role lies in the manufacturing, sale, and delivery of the organization’s collection of brands. The
company uses technology to innovate their business at every level, that is, customer relations, supply
chain, communication, plant floor, and management, and is therefore prone to cyber attackers at all
these levels. The company increasingly relies on data to operate the business and thus, a successful
cyber breach will result in operational disruptions and financial losses.
Legal Risks
The company suffers from increased regulatory scrutiny, legislation and lawsuits from the
customers and even the government in their area of operations. In May 2003, for instance, the
company’s license was revoked in India, prohibiting its activity in Plachimada village, as they alleged
that the company was causing drinking water scarcity and environmental problems. The New York
City’s embargo of sugary drinks in servings larger than 16 ounces will not be the end of proposed
regulatory scrutiny and legislation against soft drinks, but just the beginning.
Ethical Risks
Coca-Cola company has faced a lot of pressure concerning moral issues that involve
misinterpretation of market tests, racial discrimination among workers, abuse of workers,
manipulation of earnings and disruption of long-term contractual arrangements with the distributors.
These ethical issues have led to them being charged in courts of law, primarily over the racial discrimination
matter, and they had to pay millions of cash to rebuild their reputation.
Approaches in Managing and Mitigating Security Risks
The use of secure software that is not prone to attack, like SAP R/3 and ERP systems. These
IT solutions have enabled the company to operate faster and reduce the cost of operation. All the
entries, that is, Accounting, Marketing, Human resources, and Inventory, have a common system that
enables a...

