Risk Management as an Essential Part of Project Planning - Essay Example

Title: Risk management is an essential part of project planning. Why doesn’t it work? Name of student: Instructor: Course Code and Name: Date Submitted: Introduction Risk management is a very important function in today’s corporate world that is heavily reliant on information systems. However, in most case, this function does not seem to work. Management of information systems can never be successful if risks that come with these systems are not properly assessed and managed. Companies, organizations and institutions often come up with projects that are based on information systems. This makes it necessary for elements of Project Management Information Systems to be incorporated into the planning process. The main reason why risk management function does not seem work is that there are very many variables to be considered, most of which are beyond the capacity of the risk managers. In order to determine why risk management often ends up in failure, it is important to for attention to be put on both qualitative and quantitative risk assessment methods. Quantitative risk assessment methods, owing to their inaccuracy are often shunned by many risk managers, who prefer to use qualitative methods. The risk assessment process presents information system managers with information on different courses of action. The manner in which different risk management courses of action are implemented determines whether the information system security will be enhanced or not. Mitigation is more effective than transference. Transferring risks to a different company, mostly an insurance company, often increases overhead costs significantly. Most importantly, risk managers have to be keen on cost-effectiveness. Where the cost of addressing risks is very higher than the value of the data being protected, the acceptance strategy is adopted. When this happens, it is considered to be a sign of breakdown on the part of the risk managers (Senn 1998 p. 314). Information Systems Information systems comprise of all electronic, written or graphical methods that are used to communicate information. Information systems are the basis of information sharing and processing. Computers and telecommunication systems are very important components of information systems. In general terms, people use the term “information system” to refer to the information technology that makes it possible for an individual or organizational objective to be accomplished. The technology used makes it easy for information to be gathered, processed, stored, and disseminated. Users of information systems require specialized training in order to utilize information technology most effectively. Information technology comprises use of computer technology as well as data communications technology. Computers make it possible for data to be stored, processed and shared with people who are in remote locations, mainly through different types of networks. Use of information systems in the corporate settings has been made possible by recent technological advancement in computer software, hardware, networks. Personal computers have revolutionized the world of computing because they are widely used by companies, organizations, educational institutions as well as individuals in order for computing, communication and information sharing purposes. The popularity of modern personal computers, laptops, palmtops and personal digital assistants has been spurred by the development of the internet. Computer software comprises of a set of programs as well as associated data that are meant to guide the computer in doing a certain activity. All functions of computers, including arithmetic calculations, printing documents, copying data and sending email messages are guided by computer software. Computer networks make it possible for information to be shared by people who are in geographically remote locations. Examples of computer networks are local area network and wide area networks. Information Systems Management Information systems management refers to the process of exchanging academic research, insights and best practices that are based on managerial experience in matters relating to sharing, storage, and organization of data using modern information and communication technology. Information systems management relates to matters of IT governance, IT security, strategic IT alignment and capabilities, portfolio management, e-business technologies, management of complex IT projects, selection and delivery of application solutions. Information systems management is very important for security reasons as well as to ensure that all departments have access to relevant information. In addition, many managers of information systems have to monitor sales, oversee email responses to clients, send real-time messages to clients as well provide technological support to other companies that make use of the company’s services (Chapman & Ward 1996, p. 301). In order to achieve these goals, the managers need a solid grounding in the latest developments on information systems. The management of information systems also entails setting up of computer networks, overseeing their efficiency and ensuring that backup strategies are in place in case of system failure. Sometimes, managers have to make phone calls to get technical support or search online for technical information. The day-to-day information management tasks include setting up and troubleshooting computer networks, offering technical supports to uses of information systems, responding to questions relating to the capabilities of different current technology systems, as well as making recommendations on system upgrades for increased efficiency. Project Management of Information Systems Project Management Information Systems (PMIS) are simply tools and techniques that facilitate efficient delivery of information during the process of managing projects. These tools and techniques make it possible for tasks such as collection, combination and distribution of information to be done easily through the use of electronic or manual strategies. The participants involved in upper management use Project management information systems to communicate with those in the lower management and vice versa. These systems facilitate the intricate tasks of planning through coordination of budget frameworks that make it easy for costs to be accurately estimated. The systems also facilitate the creation of specific schedules that define the scope of the ongoing project phase. Through PMIS, the baseline of each activity can be compared to actual accomplishments. Additionally, materials can be managed properly and financial data can be collected and proper records kept for purposes of reporting. When a project is about to be closed, PMIS make it possible for goals to be reviewed such that it is easy to determine whether all tasks have been accomplished or not. Such an analysis makes the process of writing a final report very easy. When a company experiences loss of control as a result of the systematic analysis of all the information that has been gathered, it is important for a PMIS to be implemented. A PMIS can also be implemented when no system is available for use in tasks such as integration of time, scope, cost, and quality of objectives. Definition of Risk With regard to information systems, risk refers to the potential harm which may arise within the current process or as a result of a future event. Every aspect of our lives is prone to risk. Therefore, it is important for risk to be considered as it applies in a specific discipline. Risks that are in the world of information technology may lead to loss of data, system capabilities, loss of important client information and corruption of sensitive financial information. One of the greatest worries of managers of information systems is a scenario where the company’s sensitive information gets into the hands of unauthorized persons. In most cases, the information stored in these systems is worth much more than the systems themselves. If important company information lands in the hands of a competitor, this would give the competitor an upper hand in developing competition strategies. Risk management From the point of view of IT security, risk management is the process through which factors that may lead to failure in integrity, confidentiality or availability of an important information system are responded to. The risk may be occasioned by a purposeful or accidental event which negatively impacts the information system management process. The best risk management process is one whereby all threats are properly understood and the necessary cautionary measures are in place to counter any risks that may be triggered by these threats. A threat is understood as the potential for a specific threat source to intentionally exploit or accidentally trigger a specific vulnerability (Parsons and Oja 1998, p. 191). The threat source in question may be a situation which accidentally triggers vulnerability; or an intention and method that is aimed at exploiting vulnerability. Threats are merely potential sources that may bring about a particular vulnerability. Threats become dangerous when they are coupled with threat-sources. This makes it possible for a distinction to be made between risk management and risk assessment. In risk management, focus is put not only on threats but on threat sources as well. Threats alone may be a misleading element of risk management since different threat sources may contribute to the risk. It may be beyond the scope of the existing risk management program to ensure that all threats are managed without corresponding threat sources being identified and targeted (Oz 1998, p 84). The main aim of risk management is to ensure that the mission and assets of an organization are adequately protected. This makes risk management to be considered a management function and not a technical function. For risks to be appropriately managed, they primarily have to be properly understood. When specific risks are properly understood, the system owner is able to prioritize information system protection activities depending on the value of each system to the organization. Understanding risks is the first step towards prioritization. Risks can never be eliminated completely. Priorities have to be made in order for scarce resources to be used cost-effectively. Risk assessment, therefore, is the first step towards risk management. This is done through identification of threats and vulnerabilities. Unfortunately, risk assessment is a very complex undertaking that requires use of imperfect information. For this reason, many methodologies have been developed in an effort to assess risks as accurately as possible. Generally, quantitative risk assessment is the most commonly used approach. It entails the use of methodologies that insurance companies and financial institutions use. Once values have been assigned to business processes, systems, information and recovery costs, their impact, and by extension risk, is measured and quantified as direct and indirect costs. However, risk managers face a problem of difficulties in assigning value to different assets, leave alone identifying these assets. Secondly, there is lack of statistical information that would make it easy for frequency to be determined. It is for these reasons that risks in modern information systems are assessed through measurement of qualitative risk (Laudon & Laudon 1996, p. 143). The Importance of Risk Management Without risk management, it is difficult for information systems to be relied on by organizations and businesses. Without IT security, e-commerce cannot thrive. Since it is not possible to conceptualize a modern business world where there are no information systems and corresponding threat and vulnerabilities, risk management is an indispensable function that ensures that all systems are protected according to the right priorities. Risk management practices are also necessary for all companies that feel the need to protect information as well as various business processes commensurate with their estimated value. When risk management processes are repeatable, verifiable and consistent, it becomes easy for business operators to venture into risky businesses whose operations are almost entirely dependent on information systems. The best IT information protection program is one that is founded on the best principles of quantitative and qualitative risk assessment. Once risks have been properly assessed, it is easy to manage them. Additionally, risk management paves way for different activities of the organization to be coordinated through information systems under the supervision of a risk officer, to whom all risks are reported. How Risk is Assessed In order for risk to be assessed, the current threat environment has to be considered vis-à-vis the existing controls. When the assessment is being done, the system has to be in operation. Planned controls should never be put into consideration. A simple three-matrix risk determination system can be used. In this case, one of the variables to consider is impact; it may be low, moderate or high. The other variable is likelihood; likewise, the likelihood of a risk occurring may be low, moderate or high. Risk assessment may be done qualitatively or quantitatively. Qualitative risk assessment risk is assessed without any reference to any measures of quantity, meaning that no numbers are involved. Rather than use numbers, senior-level risk managers make decisions on the basis of the best available information, which may not necessarily be grounded well in past occurrences that have been documented. The decisions that these managers make relate to resource allocation in an effort to protect the organization information systems. Quantitative assessment of risk is often considered accurate because the measurements that result in the numbers used in the assessment work may not be accurate in the first place. Therefore, it becomes very difficult to get results that are more accurate than those that were derived from the source data. In order for qualitative assessment procedures to be accurate, the rating levels of both impact and likelihood need to be concisely defined. Whereas some companies choose to use a three-matrix rating system, others prefer a four-matrix system. In order for an accurate assessment to be made, what matters more is an understanding of individual likelihood and matrix levels rather than the number of levels. Problems of Risk Management: Why doesn't it work? Risk management fails to work for various reasons. One of these reasons is that there are so many variables to be put into consideration. Threats have to be matched with threat sources and vulnerabilities have to be carefully assessed. Additionally, risk assessment has to be done when the information systems are ongoing. Therefore, it is difficult to offer complete protection to a company’s data and information since the risk management function does not begin until this data has been exposed to significant risk. Risk management, being a management rather than a technical function, tends to be ineffective because of the bureaucratic channels that risk managers have to contend with on a daily basis. The risk managers may lack the expertise to supervise the work of mitigating risks. Moreover, some of the strategies used to manage risks such as acceptance and transference do not address the problems of mitigating immediate threats sources. Risk management tackles problems associated with risks, threats and vulnerabilities. Many variables contribute to the extent to which a company’s information system is exposed to risk. Such variables include effectiveness of the existing information and communication technology, the cost of information systems and availability of technical assistance and support. In most cases, the furthest that risk managers can do is recommend measures that are beyond the capability of the company. Where there is not technology to address different vulnerabilities, risk management will not work. When there are not resources to mitigate risks, risk managers will not be successful in their work. All these challenges make risk management a very complicated undertaking that ends up in failure most of the time. Conclusion In summary, risk management is a very important component of project planning. However, it fails to work for many reasons. The fear of failure by risk managers pities them against many complicated issues relating to the technicalities of the information system, the need to prioritize areas of risk management and risk assessment. When risks are not properly assessed, the risk management function that operates on the basis of such an assessment ends up in failure as well. References Chapman, C. & Ward, S. 1996, Project Risk Management: Processes, Techniques and Insights John Wiley, Chichester. Laudon, KC & Laudon, JP. 1996, Management Information Systems: Organization and Technology, 4th ed. Prentice-Hall, Upper Saddle River, NJ. Oz, E. 1998, Management Information Systems. Course Technology, Cambridge, MA. Parsons, J.J & Oja, D. 1998, Computer Concepts —Comprehensive, 3rd ed, Course Technology. Cambridge, MA. Senn, JA. 1998, Information Technology in Business: Principles, Practices, and Opportunities, 2nd ed. Prentice-Hall, Upper Saddle River, NJ. Read More