Question 2 (350 marks)
Overview
Question 2 allows you to demonstrate your understanding of risk management principles and their application to real-world situations. It is also the opportunity for you to demonstrate your written communication skills. There are two parts to this assessment:
1. Written report (300 marks)
2. Written communication and presentation (50 marks)
The marking sheet for this assignment contains a more detailed breakdown of marks.
Your task is to develop a risk management proposal for a specific organisation, nominated by you. This organisation can be one in which you are currently working or an organisation of your interest. The organisation can produce products or provide a service. It can be a utility company, a government authority, a construction/civil firm, an IT provider, an educational institution, or any other engineering or technological company or organisation in which you have a specific interest or for which you work.
As an employee of the organisation and in a supervisory role (for example, project manager, process engineering, asset manager) you have been asked to provide a proposal for a Risk Management strategy for a new project, product, or service. The proposal is to be presented to the Organisation’s Board, at its monthly meeting on 09 October 2018. It is to be no more than 4,000 words in length, including appendices.
The aim of the report is to provide risk management details for the organisation Global IT Solutions. The following sections of the report contain information about the organisational background, business case, risk identification, risk evaluation, risk analysis, overall risk management proposal, list of risk management documents and reflection of the business.
Global IT Solutions is a large IT solution provider with its HQ in Sydney, Australia. The organisation has business units at many other locations within Australia. There are 5 business units and more than 1000 employees working at those business units. Most of them are IT developers. The organisation provides IT services such as software development and consultancy services to small to large enterprises from other industries across the globe.
It is reputable in its domain and offers quality services to its clients. Security and privacy are two important requirements for the business. It needs to keep sensitive data of its customers in order to deliver IT services to them. So, the organisation keeps that information secure (Gibson 2010).
The organisation has its own cloud computing infrastructure and allows employees to use BYOD, or Bring Your Own Device, at its offices. Some of its employees are remote workers. There is a VPN connecting the business units and the remote employees. The private cloud is deployed over the VPN and it allows access to sensitive and protected company information, client and project details etc. There is a CTO, or Chief Technical Officer. Then there are two levels of IT managers.
The senior IT managers are responsible for making strategic decisions, participating in administrative decision making, and communicating between the lower level of IT managers and the CTO. The CTO communicates with the CEO and the board of directors. The lower level of management is responsible for operational decision making and for communicating with the IT team leaders and the upper level of management. The team leaders communicate with the IT developers and IT staff. They convey the messages and instructions from the upper levels to the staff at the lower levels.
The IT staff and developers work under the IT team leaders. When a large project comes in, it is first allocated to a lower level IT manager, who then appoints different team leaders and distributes the tasks of the project. The team leaders then assemble their project teams, and it is their job to get the tasks done by the IT staff and the IT developers.
The hierarchy given above shows the structure of the organisation.
Coming to the technological infrastructure, the organisation has support for cutting edge technologies. It has its own data center, and some data centers are subscribed from cloud service vendors. All applications and services are deployed for the clients on the cloud computing infrastructure. There are dedicated PaaS platforms and servers for the application development tasks.
Information security is an important domain in the business. So, there is a project team formed for the risk analysis of the business from the perspective of information security. The investigation outcomes will be used in an information security audit in the following phases of the project.
SCOPE OF THE PROJECT
The scope of the project is limited to the IT department of the organisation. It will cover the business operations of the IT department headed by the CTO, and it is focused on the information security infrastructure for the business. The project will assess different aspects of the organisation and its technical infrastructure to gauge the extent of the information security solutions deployed in the business. It will help to understand where the business stands, what the security loopholes are, and how to correct the information security issues (Kouns & Minoli 2011).
Other business operations not related to the IT operations and IT department are out of the scope of the business, so the report won’t be focused on the profitability of the business and other administrative aspects.
The primary objectives of the project are:
- Conducting a detailed risk analysis process for the business covering the IT operations and related operations that can cause some information security issues
- Developing a detailed risk analysis report that will help in information security audit in future.
- Delivering a long term risk management proposal for the management. Based on the document the policies and procedures may be updated to keep it aligned with the risk management processes.
The feasibility study covers the scope, effort, time and economic feasibility of the project. The schedule of the project is given below.
| WBS | Task Name | Duration | Start | Finish | WBS Predecessors |
|---|---|---|---|---|---|
| 1 | Global IT Solution Risk Analysis Project | 143 days | Mon 08-10-18 | Wed 24-04-19 | |
| 1.1 | Project Initialization | 12 days | Mon 08-10-18 | Tue 23-10-18 | |
| 1.1.1 | Feasibility Study | 5 days | Mon 08-10-18 | Fri 12-10-18 | |
| 1.1.2 | Preparing the Initial Project Plan | 5 days | Mon 15-10-18 | Fri 19-10-18 | 1.1.1 |
| 1.1.3 | Signing off the project plan | 2 days | Mon 22-10-18 | Tue 23-10-18 | 1.1.2 |
| 1.2 | Requirement Analysis | 50 days | Wed 24-10-18 | Tue 01-01-19 | |
| 1.2.1 | Collecting Requirements Information | 20 days | Wed 24-10-18 | Tue 20-11-18 | 1.1.3 |
| 1.2.2 | Analysis of the Requirements | 20 days | Wed 21-11-18 | Tue 18-12-18 | 1.2.1 |
| 1.2.3 | Preparing the Requirement specification Document | 10 days | Wed 19-12-18 | Tue 01-01-19 | 1.2.2 |
| 1.3 | Risk Identification | 25 days | Wed 02-01-19 | Tue 05-02-19 | |
| 1.3.1 | Identify the Risks | 20 days | Wed 02-01-19 | Tue 29-01-19 | 1.2.3 |
| 1.3.2 | Prepare Risk Register | 5 days | Wed 30-01-19 | Tue 05-02-19 | 1.3.1 |
| 1.4 | Risk Analysis | 20 days | Wed 06-02-19 | Tue 05-03-19 | 1.3.2 |
| 1.5 | Risk Evaluation | 20 days | Wed 06-03-19 | Tue 02-04-19 | 1.4 |
| 1.6 | Risk Management | 12 days | Wed 03-04-19 | Thu 18-04-19 | |
| 1.6.1 | Planning | 5 days | Wed 03-04-19 | Tue 09-04-19 | 1.5 |
| 1.6.2 | Implementation | 7 days | Wed 10-04-19 | Thu 18-04-19 | 1.6.1 |
| 1.7 | Project Closure | 4 days | Fri 19-04-19 | Wed 24-04-19 | |
| 1.7.1 | Submission of all Documents | 2 days | Fri 19-04-19 | Mon 22-04-19 | 1.6.2 |
| 1.7.2 | Release of Resources | 2 days | Tue 23-04-19 | Wed 24-04-19 | 1.6.2, 1.7.1 |
The senior management is not directly involved in the project. But they have high level of interest and influence on the project. They will be in communication with the project manager and the risk analyst. The lower level of management is directly participating in the project. The success or failure of the project is significantly dependent on the risk analyst (Kouns & Minoli 2011).
The project will be carried out with the help of in-house staff, so they will all have commitment to the project. It is also part of their job. The people who will work on the information security risk analysis project will not be allocated to other projects of the organization and the clients. The administration needs the project to be carried out with utmost dedication and commitment.
The project also needs contributions from other stakeholders who are the employees of the organization and from different departments. The administration has instructed all employees to help the project whenever needed.
Hence, the project has a good score for organizational feasibility. So, it can be undertaken from the organizational point of view.
The cost of the project has been calculated as:
| WBS | Task Name | Duration | Resource Names | Cost |
|---|---|---|---|---|
| 1 | Global IT Solution Risk Analysis Project | 143 days | | $108,920.00 |
| 1.1 | Project Initialization | 12 days | | $4,800.00 |
| 1.1.1 | Feasibility Study | 5 days | Project Manager | $2,000.00 |
| 1.1.2 | Preparing the Initial Project Plan | 5 days | Project Manager | $2,000.00 |
| 1.1.3 | Signing off the project plan | 2 days | Project Manager | $800.00 |
| 1.2 | Requirement Analysis | 50 days | | $41,000.00 |
| 1.2.1 | Collecting Requirements Information | 20 days | Other Resources, Risk Analyst | $19,400.00 |
| 1.2.2 | Analysis of the Requirements | 20 days | Risk Analyst | $14,400.00 |
| 1.2.3 | Preparing the Requirement specification Document | 10 days | Risk Analyst | $7,200.00 |
| 1.3 | Risk Identification | 25 days | | $24,000.00 |
| 1.3.1 | Identify the Risks | 20 days | Project team members, Risk Analyst | $19,200.00 |
| 1.3.2 | Prepare Risk Register | 5 days | Project team members, Risk Analyst | $4,800.00 |
| 1.4 | Risk Analysis | 20 days | Risk Analyst | $14,400.00 |
| 1.5 | Risk Evaluation | 20 days | Risk Analyst | $14,400.00 |
| 1.6 | Risk Management | 12 days | | $8,720.00 |
| 1.6.1 | Planning | 5 days | Project Manager | $2,000.00 |
| 1.6.2 | Implementation | 7 days | Project team members, Risk Analyst | $6,720.00 |
| 1.7 | Project Closure | 4 days | | $1,600.00 |
| 1.7.1 | Submission of all Documents | 2 days | Project Manager | $800.00 |
| 1.7.2 | Release of Resources | 2 days | Project Manager | $800.00 |
So, the total cost of the project has been calculated as $108,920.00. The project cost will be borne by Global IT Solution, which is both the project sponsor and the project owner.
The final calculation of the project budget is,
The benefits from the project are,
Global IT Solution is ready to fund the project. Hence, the project is economically feasible.
It is the process of validating the assumptions made on the technological requirements, design, and architecture of the project (Loosemore et al. 2012). The details of the technical feasibility of the project are summarized in the following table.
| Concept | First, there must be a proof of concept of the approach. The document is available, and it is this risk management proposal. It includes all details of the approach to be taken for the project. |
| Infrastructure | The required information and communication technology infrastructure is already available within the company. As it is a large IT company, all IT resources are already there. |
| Facilities | The organization has made a commitment to provide all help and information required for the project. It has also arranged all facilities. It has also asked its employees to co-operate with the risk management project team as and when asked. |
| Data | All relevant data will be collected from the system logs, network logs, equipment and so on. |
| Compliance | It already complies with many laws and regulations. The risk management project will check whether it complies with all required laws and regulations or not. |
| Platforms | The required platforms like operating systems, APIs etc. are already available. |
| Component | The components for testing and prototyping are already available. |
| Tools | Some of the tools are already available. Some tools will be procured. |
| Integration | The process will be integrated with the current business processes. |
| Information security | There will be a detailed evaluation of the information security infrastructure, design, architecture, components and products. |
So, the project has passed the technical feasibility checklist. It is ready to be undertaken.
TERMS OF REFERENCE FOR THE PROPOSAL
The risk management process will follow a structured approach. The steps are given and described below.
- At first, there will be the feasibility study. It will help to understand whether it is feasible to undertake the project or not. Once the feasibility study is completed successfully, the project initiation document will be created. The project initiation document must be signed off to kick-start the project (Jordan 2013).
- Once the project is started, the project manager will be selected, and the project manager will create the project team to assist him.
- Then the risk management architecture will be selected and the risk management planning will be done accordingly.
- When the risk management architecture is selected, then the risk identification, analysis, and evaluation will be done.
- Once the risk management project is finished, the detailed proposal for the risk management process will be prepared. The proposal will be submitted directly to the system owner and sponsor of the project.
- Once the proposal is submitted, the company can work on updating their current policies, procedures and business operations to match with the proposal. However, the implementation of the proposal is out of the scope of the report and the project.
The project will be carried out by an internal project team of ten employees. One lower level IT manager has been appointed as the project manager. He has some background in information system security and has experience in carrying out such projects for the customers. He is also a part of the information security testing field that is responsible for checking the information security implementations for the clients (Loosemore et al. 2012).
The roles and responsibilities of the project team members are given below.
| Sl No. | Designation | Role in the Project | Responsibilities |
|---|---|---|---|
| 1 | Lower IT Manager | Risk Analyst | Analysis of the information security risks related to the project; communication with the project manager and the top level management. |
| 2 | Team Leader | Project Manager | Performing project management activities; leadership and team management activities; planning for the project; communication with the other stakeholders of the project using some predefined communication plan. |
| 3 | IT Staffs | Project team members | Following the instructions of the project manager |