Project Risk Management
Risk management is a process in which risks that could potentially affect an organisation are identified, assessed and mitigated.
What is a risk?
A risk is an event or circumstance that could harm your business or organisation, for example equipment or money being stolen as a result of poor security procedures. Types of risk vary from organisation to organisation.
The most common business risk categories are:
- Strategic: decisions concerning your business’ objectives
- Compliance: the need to comply with laws, regulations, standards and codes of practice
- Financial: financial transactions, systems and structure of your business
- Operational: your operational and administrative procedures
- Reputational: the character or goodwill of the business.
- Others include health and safety, project, equipment, security, technology, stakeholder management and service delivery.
Identify the risk
Because of rapid changes in information technology, no list of risks can be exhaustive. The risks and problems below are those an organisation or enterprise is likely to face across the activities of an e-business platform.
Strategic Risk
These arise from the decisions made concerning the business. Top management should be patient with a new system: it takes time for the different stakeholders to adapt and to grasp the ins and outs of the system in their different capacities. Many a time top management pulls the plug on a concept before it has scaled out fully, which causes losses in time and finances.
Financial Risk
These affect the crucial asset of the organisation, its money. Transactional financial risks, such as delayed, partial, incomplete or incorrect payments, carry costs of their own: reversing transfers, bank charges and interest, among other charges. For example, an e-payment system may be structured for large-scale transactions, yet the business will also have smaller customers who buy at retail. These retail buyers are at a disadvantage because each of their transactions attracts a charge from their bank, which is unfavourable to them.
Operational risk
Operational risk arises from the potential for loss due to significant deficiencies in system reliability or integrity. Operational risk can also arise from customer misuse, and from inadequately designed or implemented systems.
Security risks
- Fraud, false identity and being hacked. For those who agree to use the system, the first concern is how safe their information and data are from fraudsters, who are more numerous than ever. User reassurance is essential.
- Customers sending personal information (e.g. authentication information, credit card numbers or bank account numbers) over a non-secure electronic transmission could allow criminals to gain access to customer accounts.
Systems design, implementation, and maintenance
- Downtime and interruptions will occur from time to time, so a company will often outsource its e-payment processing to mitigate the issue. This exposes it to reliance on another company, and the system it chooses may not be compatible with user requirements.
- The rapid pace of change that characterises information technology presents e-platforms with the risk of systems obsolescence. For example, computer software that facilitates the use of electronic money products by customers will require updating, but the channels for distributing software updates pose risks for the business: criminal or malicious individuals could intercept and modify the software unless updates are delivered over authenticated channels and verified (for example by checking a signature) before installation. In addition, rapid technological change can mean that staff fail to understand fully the nature of new technology employed by the business, which could result in operational problems with the new or updated system.
- Awareness and culture: society at this point is slow to adjust to changing technology, so getting people to adopt new technologies is a significant risk; some will welcome the change while others will resist it.
- Payment conflict as a result of system errors
Customer misuse of products and services
Impulse buying is one example of customer misuse. It happens on the user side rather than in the business, but it can also stem from system errors or inexperienced users; requiring a second confirmation step, such as two-factor authentication, before a transaction completes helps curb it.
Reputational risk
This is the risk of significant negative public opinion that results in a critical loss of funding or customers. Reputational risk may involve actions that create a lasting negative public image of the overall organisation, such that the organisation's ability to establish and maintain customer relationships is significantly impaired. Reputational risk may also arise if actions by the business cause a major loss of public confidence in the organisation's ability to perform functions critical to its continued operation.
Compliance risk
This refers to the potential exposure to legal penalties, financial forfeiture and material loss resulting from an organisation's failure to act in accordance with industry laws and regulations, internal policies or prescribed best practices. Compliance risk is also known as integrity risk.
Assess the risk
After the potential risks have been identified, the project team then evaluates each risk based on the probability that a risk event will occur and the potential loss associated with it. Not all risks are equal. Some risk events are more likely to happen than others, and the cost of a risk can vary greatly. Having criteria to determine high-impact risks can help narrow the focus on a few critical risks that require mitigation.
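The assessment step described above, carried out on a register of the risk types this page lists, as an added example (it is not code from the original page). It scores each risk on a 5-by-5 likelihood/impact matrix, bands the score, ranks the register and filters out the few risks that meet the mitigation threshold; a quantitative probability-times-loss helper is included for the cases where both numbers are known. The register entries, the 1..5 scales and the band thresholds are assumptions chosen for illustration.

```python
"""Risk register scoring: likelihood x impact, ranked and filtered (added example)."""
from dataclasses import dataclass

SCALE = range(1, 6)  # 1 = lowest, 5 = highest, for both likelihood and impact


@dataclass(frozen=True)
class Risk:
    name: str
    category: str
    likelihood: int  # 1 (rare) .. 5 (almost certain)
    impact: int      # 1 (negligible) .. 5 (critical)


def score(risk: Risk) -> int:
    """Qualitative risk score on a 5x5 matrix; rejects out-of-scale values."""
    if risk.likelihood not in SCALE or risk.impact not in SCALE:
        raise ValueError(f"{risk.name}: likelihood and impact must be 1..5")
    return risk.likelihood * risk.impact


def rating(s: int) -> str:
    """Band a score; the thresholds are an assumed policy, tune them to the risk tolerance."""
    if s >= 15:
        return "high"
    if s >= 8:
        return "medium"
    return "low"


def expected_loss(probability: float, loss: float) -> float:
    """Quantitative counterpart: probability (0..1) of the event times the loss it would cause."""
    if not 0.0 <= probability <= 1.0 or loss < 0:
        raise ValueError("probability must be in 0..1 and loss non-negative")
    return probability * loss


def prioritise(risks):
    """Rank by score, breaking ties in favour of the higher-impact risk."""
    return sorted(risks, key=lambda r: (-score(r), -r.impact, r.name))


def needs_mitigation(risks, threshold: int = 15):
    """Risks whose score meets the threshold are the few that require mitigation now."""
    return [r for r in prioritise(risks) if score(r) >= threshold]


# Constructed register drawn from the risk types described above (illustrative values).
REGISTER = [
    Risk("Credential theft through phishing", "security", 4, 4),
    Risk("Outsourced payment gateway outage", "operational", 3, 4),
    Risk("Software update intercepted and modified in transit", "security", 2, 5),
    Risk("Retail customers incur per-transaction bank charges", "financial", 5, 2),
    Risk("Staff do not understand the new system", "operational", 4, 2),
    Risk("Top management abandons the platform before it scales", "strategic", 2, 3),
]

if __name__ == "__main__":
    for r in prioritise(REGISTER):
        print(f"{score(r):>2} {rating(score(r)):<6} {r.category:<12} {r.name}")
    print("needs mitigation:", [r.name for r in needs_mitigation(REGISTER)])
```

The tie-break matters in practice: two risks with the same product are not equal, and a rare-but-critical event usually deserves attention before a frequent-but-minor one, so the sort prefers the higher impact. The mitigation threshold is the operational form of the "criteria to determine high-impact risks" the text mentions.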
Manage the risk
Having assessed its risks and its risk tolerance, the project team should take steps to manage and control the risks. This phase of the risk management process includes implementing security policies and measures, evaluating and upgrading products and services, providing disclosures and customer education, developing contingency plans and coordinating internal communication. Together these activities ensure that risks are controlled and managed.
Security policies and measures
Security is the combination of systems, applications, and internal controls used to safeguard the integrity, authenticity, and confidentiality of data and operating processes. Proper security relies on the development and implementation of adequate security policies and security measures for processes within the system, and for communication between the system and external parties.
Security policies and measures can limit the risk of external and internal attacks on systems, as well as the reputational risk arising from security breaches.
A security policy states management's support for information security and provides an explanation of the business's security organisation. It also establishes guidelines that define the business's security risk tolerance. The policy may define responsibilities for designing, implementing and enforcing information security measures, and it may establish procedures to evaluate policy compliance, enforce disciplinary measures and report security violations.
A business can choose from a variety of security measures to prevent or mitigate external and internal attacks and misuse of the system. Such measures include, for example, encryption, passwords, firewalls, virus controls and employee screening.
Evaluating and upgrading
Evaluating products and services before they are introduced on a widespread basis can also help limit operational and reputational risks. Testing validates that equipment and systems function properly and produce the desired results. Pilot programs or prototypes can be helpful in developing new applications. The risk of system slowdowns or disruptions can also be reduced by policies to review the capabilities of existing hardware and software regularly.
Disclosures and customer education
Disclosures and customer education may help the organisation limit legal and reputational risk. Disclosures and programmes to educate customers that address how to use new products and services, the fees charged for services and products, and problem and error resolution procedures can help the organisation comply with customer protection and privacy laws and regulations.
Contingency planning
The business can limit the risk of disruptions in internal processes or in service or product delivery by developing contingency plans that establish its course of action in the event of a disruption in its provision of services. The plan may address data recovery, alternative data-processing capabilities, emergency staffing, and customer service support. Backup systems should be tested periodically to ensure their continuing effectiveness.
Internal communication
Aspects of operational, reputational, legal and other risks can be managed and controlled if senior management communicates to key staff how the system is intended to support the overall goals of the business. At the same time, technical staff should clearly communicate to senior management how the systems are designed to work, as well as their strengths and weaknesses. Such procedures can reduce the operational risks of poor systems design, including incompatibility between different systems software and data integrity problems, and the reputational risk associated with customer dissatisfaction when systems do not work as expected.
Monitor and review
For e-platform or e-business activities, monitoring is particularly important, both because the nature of the activities is likely to change rapidly as innovations occur and because the system relies on open networks such as the Internet.
System testing and surveillance
Testing of systems operations can help detect unusual activity patterns and avert major system problems, disruptions and attacks. Penetration testing focuses on the identification, isolation and confirmation of flaws in the design and implementation of security mechanisms through controlled attempts to penetrate a system outside normal procedures. Surveillance is a form of monitoring in which software and audit applications are used to track activity, focusing on monitoring routine operations, investigating anomalies and making ongoing judgements about the effectiveness of security.
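The surveillance described above, run over a handful of e-payment log lines, as an added example (not code from the original page or from any product). It tracks routine login and payment activity per user with sliding windows and raises three kinds of anomaly: a burst of failed logins, a high payment velocity, and the correlated case that matters most for the fraud risk discussed earlier, a large payment shortly after a failed-login burst on the same account. The log format, the thresholds and windows, and the user names are all assumptions; the log lines are constructed for the example.

```python
"""Surveillance over transaction logs: burst, velocity and correlated-payment rules (added example)."""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed log lines in an assumed key=value format; not output of any real product.
SAMPLE_LOG = """
2024-03-02T10:00:00Z user=alice action=login result=fail ip=203.0.113.5
2024-03-02T10:00:05Z user=alice action=login result=fail ip=203.0.113.5
2024-03-02T10:00:09Z user=alice action=login result=fail ip=203.0.113.5
2024-03-02T10:00:12Z user=alice action=login result=fail ip=203.0.113.5
2024-03-02T10:00:20Z user=alice action=login result=ok ip=203.0.113.5
2024-03-02T10:01:00Z user=alice action=payment result=ok amount=4999.00
2024-03-02T10:01:10Z user=alice action=payment result=ok amount=4999.00
2024-03-02T10:01:20Z user=alice action=payment result=ok amount=4999.00
2024-03-02T10:05:00Z user=bob action=login result=ok ip=198.51.100.7
2024-03-02T10:06:00Z user=bob action=payment result=ok amount=25.00
2024-03-02T11:30:00Z user=bob action=login result=fail ip=198.51.100.7
2024-03-02T12:30:00Z user=bob action=login result=fail ip=198.51.100.7
""".strip().splitlines()


@dataclass(frozen=True)
class Event:
    ts: datetime
    user: str
    action: str
    result: str
    fields: dict


@dataclass(frozen=True)
class Alert:
    rule: str
    user: str
    at: datetime
    detail: str


def parse_line(line: str) -> Event:
    """Parse '<ISO-8601 UTC> key=value ...'; user, action and result are mandatory."""
    ts_text, *pairs = line.split()
    ts = datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    fields = dict(pair.split("=", 1) for pair in pairs)
    return Event(ts, fields.pop("user"), fields.pop("action"), fields.pop("result"), fields)


class Surveillance:
    """Stateful detector; thresholds and windows are assumed policy values, not standards."""

    def __init__(self, fail_threshold=4, fail_window=timedelta(seconds=60),
                 velocity_threshold=3, velocity_window=timedelta(seconds=120),
                 large_amount=1000.0, correlate_window=timedelta(minutes=15)):
        self.fail_threshold, self.fail_window = fail_threshold, fail_window
        self.velocity_threshold, self.velocity_window = velocity_threshold, velocity_window
        self.large_amount, self.correlate_window = large_amount, correlate_window
        self._fails = defaultdict(deque)     # user -> timestamps of recent failed logins
        self._payments = defaultdict(deque)  # user -> timestamps of recent payments
        self._burst_at = {}                  # user -> time of the last failed-login burst
        self.alerts = []

    def _over_threshold(self, store, ev, window, threshold):
        """Sliding-window count per user; the window is cleared when it fires so one burst gives one alert."""
        q = store[ev.user]
        q.append(ev.ts)
        while q and ev.ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            q.clear()
            return True
        return False

    def feed(self, ev: Event) -> None:
        if ev.action == "login" and ev.result == "fail":
            if self._over_threshold(self._fails, ev, self.fail_window, self.fail_threshold):
                self._burst_at[ev.user] = ev.ts
                self.alerts.append(Alert("failed_login_burst", ev.user, ev.ts,
                                         f">={self.fail_threshold} failures within "
                                         f"{int(self.fail_window.total_seconds())}s"))
        elif ev.action == "payment" and ev.result == "ok":
            amount = float(ev.fields.get("amount", "0"))
            burst = self._burst_at.get(ev.user)
            # Correlation rule: a large payment soon after a burst of failed logins on the same account.
            if burst is not None and amount >= self.large_amount and ev.ts - burst <= self.correlate_window:
                del self._burst_at[ev.user]
                self.alerts.append(Alert("large_payment_after_burst", ev.user, ev.ts,
                                         f"{amount:.2f} paid {int((ev.ts - burst).total_seconds())}s "
                                         f"after a failed-login burst"))
            if self._over_threshold(self._payments, ev, self.velocity_window, self.velocity_threshold):
                self.alerts.append(Alert("payment_velocity", ev.user, ev.ts,
                                         f">={self.velocity_threshold} payments within "
                                         f"{int(self.velocity_window.total_seconds())}s"))


def run(lines) -> list:
    """Feed log lines in order and return the alerts raised."""
    s = Surveillance()
    for line in lines:
        s.feed(parse_line(line))
    return s.alerts


if __name__ == "__main__":
    for a in run(SAMPLE_LOG):
        print(f"{a.at.isoformat()} {a.rule:<26} {a.user:<6} {a.detail}")
```

On the sample, alice trips all three rules and bob none: his two failed logins are an hour apart, so the sliding window never holds more than one of them. Clearing a window when it fires is deliberate; without it, every further event inside the window would raise a duplicate alert and bury the investigation in noise.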