Risk Assessment Assignment

Anonymous
Asked: Oct 18th, 2018

Question Description

This is the first individual assignment that will start to inform your phased group activity. Using the business scenario information provided by your instructor, each member of the group will identify and prioritize four critical business processes for each business area and perform a risk assessment following the Risk Assessment Form provided by the instructor and as identified by further research.

  • Your business areas should be well defined and appropriate to the case studies. The four critical processes per business area should be clearly explained and correctly relate to the case study.
  • You should conduct a risk assessment for the business area and four critical processes, ensuring that these are well defined and appropriate to the business scenario provided in your content area.
  • The risk assessment categories (columns) should be complete and measures clearly defined.
  • The mitigation strategy, additional measures, and contingency plan for the risk should be well defined and mapped to the business area and four critical processes.

Unformatted Attachment Preview

BCP-DR Project Scenario

The following is the scenario you are to use for your individual analysis assignment and your team project.

Anita Diamond was hurriedly leaving the office of John Newman, the Chairman and CEO of OptiPress Corporation. As the newly hired CIO she had not expected her second meeting with Mr. Newman would be so soon or under such disturbing circumstances. Mr. Newman had been waiting for her arrival this morning with the news of the fire at Host Point, Inc. last week. Host Point provides web hosting services for a number of companies in the Philadelphia area including the local Philadelphia Eagle’s Arena Football Team in which Mr. Newman has an ownership stake. The fire had been devastating, turning the 75 servers in the web hosting data center into a mass of melted plastic and metal.

“It has been seven days and the Eagle’s website is still down and so are our opening day ticket sales,” Mr. Newman had stated in the call that brought Anita to the 8:00 am meeting. “What would we do if something like that happened here?” he asked.

Anita asked her Executive Assistant to grab a copy of the company’s Business Recovery Plan so she could bring it to her meeting with Mr. Newman. It only took about two minutes for Mr. Newman to realize that the plan was written before the merger with Bright Mail Marketing three years ago, which had more than doubled the size of OptiPress. Not only did it fail to cover the company in full but the changes to the business practices and support systems, in particular the move to the Internet and World Wide Web, were not even discussed. Further, while the plan was strong on Disaster Recovery for situations such as that at Host Point, it was almost silent on Business Continuity. The one advantage to being on the job for four weeks was she was not the focus of Mr. Newman’s ire. On the other hand she quickly realized that she was not knowledgeable enough of the company’s operations to update this plan without significant involvement from the various departments in the company.

OptiPress Corporation is a mail marketing/web advertising company operating seven different facilities in three states. The company has over 2000 clients of varying sizes and portfolios. Mail marketing involves mailing and distribution of advertising as well as promotional products ordered through the mail, television or Internet. Net income last year exceeded 100 million dollars for the first time in spite of the economic situation. There are currently about 6200 employees, with 800 headquartered in Philadelphia, Pennsylvania. Its largest operations are in Cleveland, Ohio and Annapolis, Maryland with 3100 and 1800 employees in each area respectively.

The merger with Bright Mail occurred 27 months ago. Although financial data has been directed to the headquarters datacenter, operational data is still retained at three locations in Philadelphia, Annapolis, and Cleveland. Each facility is supported by the geographically closest data center with three in Pennsylvania, two in Maryland and two in Ohio. Over the past two years the major focus of the IT department has been to standardize the IT infrastructure and software across the company. Human Resources, Accounting and Payroll have been centralized in Philadelphia as have been all of the web server operations. Marketing and Operations have been standardized but data are unique at each hub location where data centers reside. Select data for the Corporate MIS is automatically fed from the hubs. Although there were a few hurdles in implementing the current environment, for the past three months things have been working quite smoothly which probably in part resulted in Anita’s predecessor’s decision to retire.

Anita had been looking to further consolidate Marketing and Operations before this latest discussion with Mr. Newman who highlighted a much more pressing issue, the disaster recovery planning. At the 2 PM Executive Council Meeting, this became the number one issue on Mr. Newman’s agenda. Anita was asked what she needed to make this happen. She would assign her sharpest project manager to lead a focus group to update the Company’s Disaster Recovery Plan and to develop an effective Business Continuity Plan given the current and projected future operational environment and needs. She highlighted the need for the executives of each department to assign a knowledgeable expert to assist in this effort. She made it clear that these individuals will need to be empowered to obtain the support necessary from their counterparts anywhere in the organization. Mr. Newman endorsed Anita’s initiative and informed the Council that next month’s key agenda item would be to review the completed plan for implementation costs and schedule.

06/28/2017

RISK ASSESSMENT FORM
Project Name
Prepared By
Date
Business Area
Business processes associated with area (identify four or more processes associated with the business area)
Risks Identified
Manage Customer Accounts
Probability of Occurrence
The web servers are damaged in a flood
In order to charge clients for payment, each service provided by OptiPress must have a billing invoice created to track and report all charges. Human Resources, Accounting and Payroll and all the web servers have been centralized at the Headquarters. If the web servers are damaged, all three business areas cannot operate.
Unlikely: 11-40%
Data Center Power Outage caused by tornado
Data center experiences a tornado that causes a massive power outage impacting the ability to complete processing and managing of customer accounts
Unlikely: 11-40%
Accounting
Creating billing invoices
Description
Justification for probability of Occurrence - Why did you select this?
The probability of this occurrence is unlikely due to redundancy Data Center has backup power.
Impact Intensity
High
High
Justification for Impact Intensity why did you classify as you did (high, medium or low?)
Existing Measures
Mitigation Strategy
Justification for selecting your mitigation strategy. Why?
The intensity if such an event would occur would do significant damage to several sites
The plan is strong on Disaster Recovery for situations such as fire and other disasters of that nature. Exact details of the recovery plan are not mentioned.
Risk Limitation
Backups are provided
Customer payment records could not be processed.
Plan was strong on Disaster Recovery for situations such as that at Host Point, it was almost silent on Business Continuity
Backups are provided
Risk limitation
Additional Measures
A backup data center should be identified in the event that the Headquarters servers are damaged.
Contingency Plan
Establish operation control procedures in the event that any of the company sites cannot continue operations. Notify all company members of all changes of control. Once the incident is no longer a problem, give back control to the original site.

MANAGING CAPITAL INVESTMENTS AT THE INDIAN HEALTH SERVICE
A “HOW-TO” GUIDE TO RISK MANAGEMENT
JULY 2007

ACKNOWLEDGEMENT

The Indian Health Service gratefully acknowledges the assistance of the National Institutes of Health, Office of the Deputy Chief Information Officer, in the preparation of this document.

Contents

  • PURPOSE
  • THE BASICS
      • What Is Risk?
      • What Is Risk Management?
      • How Do You Manage Risk?
  • DRAFT A RISK MANAGEMENT PLAN
  • ASSESS YOUR RISK
  • TRACK AND REPORT PROGRESS
      • Executing Risk Management Activities
      • Reporting Risk Management Progress
      • Reevaluating Project Risk
  • RISK MANAGEMENT ROLES AND RESPONSIBILITIES
  • APPENDIX A. RISK MANAGEMENT PLAN TEMPLATE
  • APPENDIX B. CONDUCTING AN OPEN AND COMPREHENSIVE RISK REVIEW
  • APPENDIX C. SAMPLE RISK INVENTORY AND ASSESSMENT
  • APPENDIX D. TRACKING AND REPORTING RISK AND RISK MANAGEMENT

Figures

  • Figure 1. Steps of Risk Management
  • Figure 2. The Risk Management Process

PURPOSE

This guide is intended to be used by project managers and project team members to manage the risks associated with their projects. [1] The purpose of this guide is to provide a basic, easy, step-wise method for managing the risks associated with a project; a method that is consistent with federal and Indian Health Service (IHS) requirements. A Guide to the Project Management Body of Knowledge (PMBOK Guide), ANSI/PMI 99-001-2004 published by the Project Management Institute can provide a more comprehensive reference guide.

[1] OMB uses the term “investment” to incorporate the projects, programs, systems, etc., that fall under the purview of the Capital Planning and Investment Control (CPIC) process. Because this guide supports the CPIC process, this document uses the term “project” to be synonymous with the term “investment.”

All information technology projects have risk. Risk management provides a means to identify the potential problems before they occur. Activities addressing these problems are planned and executed, as needed, across the life of the project to mitigate adverse impacts on achieving the project’s objectives. To ensure the lowest possible risk in the performance of project efforts, the established goals for risk management should be to:

  • Identify and analyze risks early and determine their relative importance.
  • Provide a tracking system to document, monitor, and update risks systematically.
  • Manage risks by handling them appropriately.
  • Make timely and appropriate decisions based on risk assessment and monitoring.

This guide first presents the basics of risk management, defining the terms and then going into a step-by-step approach to managing risks, following the steps shown in Figure 1.

Figure 1. Overview of Risk Management

  • Step 1: Draft a Risk Management Plan (See Appendix A)
  • Step 2: Assess Your Risk (See Appendices B & C)
  • Step 3: Track and Report Progress (See Appendix D)

Appendix A contains a template for a draft risk management plan. Appendix B tells how to conduct a comprehensive risk review and Appendix C contains an example of a comprehensive risk review. Appendix D shows how to report and track progress in mitigating the risks.

THE BASICS

What Is Risk?

A risk is an uncertain event or condition that, if it occurs, has a positive or negative effect on a project objective, such as time, cost, scope, or quality (i.e., where the project time objective is to deliver in accordance with the agreed-upon schedule; where the project cost objective is to deliver within the agreed-upon cost, etc.). A risk may have one or more causes and one or more impacts. [2] For reasons of simplicity, we are only considering risks with negative outcomes.

[2] A Guide to the Project Management Body of Knowledge, Third Edition (PMBOK Guide), ANSI/PMI 99-001-2004, Project Management Institute, Inc, Newton Square, PA, 2004.

What Is Risk Management?

Risk management is an organized method of identifying, prioritizing, and measuring the impact of project risks and developing, selecting, and managing options for handling those risks—not necessarily to eliminate them entirely, but to minimize their impact on the project.

Managing project risk is a key component of good project management. Risks that are managed are minimized. Understanding and communicating risks help manage the expectations of senior management and other stakeholders. One such stakeholder, the Office of Management and Budget (OMB), requires a formal risk management plan for major projects and has in the past required annual reporting of risks and risk mitigation progress before approving requested project funding. [3]

[3] OMB does not specify a risk management plan format or content, but the previous reporting requirements of the Exhibit 300 imply obvious plan elements. One question in the latest Exhibit 300 asks if there is a risk management plan for each project, whether in the development, modernization or enhancement phase, or in steady state operations phase. Another question asks for the date of each project’s risk management plan.

How Do You Manage Risk?

The appropriate level of risk management for any project depends on many factors (e.g., size, complexity, life-cycle phase, and stability) and determining that level requires candid management judgment. For example, a stable, straightforward application using established technology in the maintenance phase of its life cycle needs a far less extensive risk management program than a large, complex agency-wide system just beginning the development phase.

No one risk management approach is appropriate for all projects. Managers of smaller projects can profitably use elements of these risk management guidelines without the administrative burden of reporting risks to OMB. Those subject to OMB or HHS oversight must satisfy OMB requirements; risk status and mitigation must be well documented to be assured that the project manager is managing risks sufficiently well that project success is probable. Guidance for tracking and reporting risk management activities is contained in Appendix D.

DRAFT A RISK MANAGEMENT PLAN

The risk management planning process begins with the selection of a risk management process model. One such model is shown in Figure 2. The risk management process model in Figure 2 is straightforward, and its elements are readily adaptable to the range of projects at IHS. The first four activities of the risk management process model depicted in the figure, designated as the planning phase and presented in the top row, specify the actions required to complete Step 2 of Figure 1, Assess Your Risk. The second four activities of the risk management process model, designated as the execution phase and presented in the bottom row of the figure, specify the actions required to complete Step 3 of Figure 1, Track and Report Progress.

Figure 2. The Risk Management Process

To draft a plan for your project, you will have to consider what level of detail is required to identify risks, what methods are appropriate for evaluating the risks, who will be responsible for developing strategies to manage the risks, and how risk management actions will be developed, monitored, and reported. The level of funding, impact, or complexity of a project will determine how fully and in how much detail risks are identified, managed, and tracked.

When completed, the risk management plan for your project should be dated and published. It should be made available to all project personnel, oversight and audit personnel, project sponsors, and other interested parties. A template for a risk management plan is presented in Appendix A.

ASSESS YOUR RISK

The planning phase of the risk management process model provides an assessment of project risks, including understanding the nature, likelihood, and potential impact of risk. It has four discrete elements:

  • Identify risks. The risks inherent in your project should be defined in two ways: (1) they should be part of a continuous, ongoing part of project management so that risks are managed as risks arise; and (2) there should be a periodic, independent, comprehensive assessment of potential risks to assure that potential new risks are fully identified and managed.
  • Evaluate risks. Each risk should be rated in terms of (1) the likelihood that the risk will occur and (2) its potential impact on the project if it does occur. This rating can be expressed as high, medium, or low for both probability of occurrence and for the potential impact. Then, a level of magnitude can be computed by assigning a numerical score to each risk by multiplying the numerical score of the risk’s likelihood of occurrence by its potential impact score. By formally evaluating the risks in this way, the project team can determine how each risk should be managed, depending on its magnitude. Risks with a high magnitude should receive greater management attention than those with a low magnitude.
  • Develop risk management strategy. The most appropriate strategy for managing each risk should be determined. If a negative risk can be avoided (e.g., changing the project plan), if it is transferred (e.g., through the use of a firm fixed-price contract), or if it is accepted (e.g., there is no other suitable response strategy), it need no longer be part of the on-going risk management strategy, although it should be identified and the action taken on it documented. The remaining risk management strategy for a negative risk should be to develop a mitigation strategy, which is what you do to try to keep the risk from occurring in the first place. For a positive risk (i.e., an opportunity), the risk management strategy may include exploiting it by ensuring that the opportunity will definitely happen; sharing or transferring it to another organization that can best take advantage of it; or enhancing it or increasing the probability of the opportunity occurring. Regardless of whether the risk is positive or negative, if it is of medium or of high magnitude, you should also develop a risk response or contingency plan, which is what you plan to do if the risk occurs. The risk management strategy is expressed in a short statement that describes the approach to managing the risk. For a risk with a high magnitude, a specific risk owner may be assigned to manage the risk and its mitigation activities. For negative risks that cannot be mitigated or which are too expensive to mitigate, a risk response or contingency plan should be developed.
  • Identify risk management activities. The project manager, or risk owner if one is assigned, should develop an approach and action plan to implement the risk management strategy.

A guide for conducting an open and comprehensive risk review is presented in Appendix B and an example of a comprehensive risk review is contained in Appendix C.

TRACK AND REPORT PROGRESS

The execution phase of the risk management process model provides a periodic review of the status of risk management activities. Tracking and reporting progress on the actions taken to manage the risks include both monitoring the progress toward mitigating the risk and periodically reassessing risk.

A guide for reporting on risk management and risk management progress that follows the guidance that OMB required for reporting in the Exhibit 300 is presented in Appendix D. It includes a checklist to ensure complete compliance with OMB reporting requirements.

Executing Risk Management Activities

Overa ...

Tutor Answer

ProfDwayne01
School: Duke University

Hello, please check the risk assessment Excel. Note that some of the processes are similar and have been repeated. Thank you for your time.

RISK ASSESSMENT FORM
Project Name
Prepared By
Date

Business Area

10/20/2018

Business processes associated
with area (identify four or more
processes associated with the
business area)

Employee recruitment and hiring
process

The web servers are damaged
by fire

Employee training and development

The data center is damaged by
fire

Description

Probability of Occurrence

Justification for probability of
Occurrence - Why did you select this?

Impact Intensity

11-40%

It's unlikely because there exist backups

High

Unlikely:

11-40%

Similarly, it's unlikely as there exist some
backups

High

Very unlikely to occur: 0-10%

The plan is strong on Disaster Recovery for situations such as fire
and other disasters of that nature. Exact details of the recovery
plan are not mentioned.
The plan is strong on Disaster Recovery for situations such as fire
and other disasters of that nature. Exact details of the recovery
plan are not mentioned.
The plan is strong on Disaster Recovery for situations such as fire
and other disasters of that nature. Exact details of the recovery
plan are not mentioned.
The plan is strong on Disaster Recovery for situations such as fire
and other disasters of that nature. Exact details of the recovery
plan are not mentioned.

Mitigation Strategy

Justification for
selecting your mitigation
strategy. Why?

A back always exists and thus most
unlikely to occur

Medium

The data center is damaged by
fire

All the processes of human resources have to halt if any disaster strikes
the main data centre.

Unlikely:

11-40%

As the available system back up would
enable this process to continue

High

Employment promotion

The data centre is damaged by
fire

The employment promotion relies on a data center and the whole
system in order to make valid decisions in regards to promotion. Once the
systems are down, then the whole process halts

Unlikely:

11-40%

As this is based on the employment
promotion, there exist some data
backups to cater for this.

Medium

if it occurs, there would be no more
promotion, that’s a medium impact

Creating billing invoices

The web servers are damaged
by fire

Once the web servers are damaged by fire then the whole process of
creating billing invoices.

Unlikely:

11-40%

It's unlikely because there exist backups

High

If there is an impact that means no
more employment, which means high
impact

The plan is strong on Disaster Recovery for situations such as fire
and other disasters of that nature. Exact details of the recovery
plan are not mentioned.

Risk Limitation

Back up provision

Both the data back up and
power back up should be
identified

Management company financial
assets

The data center is damaged by
fire or any other disaster

Once the company data centre is compromised, then it is
challenging to manage the company assets

Unlikely:

11-40%

Similarly, it's unlikely as there exist some
backups

High

Back up provision

The accounts systems are
download due to the fire outbreak

Unlikely:

11-40%

A back always exists and thus most
unlikely to occur

High

Risk Limitation

Back up provision

Both the data back up and
power back up s...

Review

Anonymous
awesome work thanks
