Hydro One – Essay

ERM at Hydro One helps it analyze risks and opportunities in an integrated manner and so improve the allocation of resources. It also enables the company to prepare for changing corporate governance requirements, deregulation of markets and future risks such as an oil spill. The ERM process at Hydro One begins with the identification of 50-70 business risks, which are then reduced to the ten most significant risks through interviews and focus groups.

Voting is accomplished using the Delphi Method to quickly identify and prioritize risks based on impact and probability, so that attention is focused on the major risks. A five-point risk tolerance scale, from minor to worst case, is used to estimate the impact of a risk on the corporate objectives, and a five-point probability rating scale is used to estimate the probability of the risk materializing. Each investment program is evaluated in terms of its cost and the severity of the risk it attempts to mitigate.

Capital expenditures are allocated to the prioritized investment projects according to the greatest overall risk reduction per dollar spent (the “bang for the buck” index). An overall risk score is assigned to each combination of impact and probability assessment. It is a rational and better-coordinated process for allocating capital because:
1. It improves the capital expenditure process and can help the firm select an optimal portfolio of projects.
2. It enables the firm to delegate responsibility for managing a risk to the risk owner while making risk awareness an indispensable part of company culture.
3. The company’s credit ratings from S&P and Moody’s improved, resulting in lower credit costs for the company, as it exhibited improvements in efficiency.
4. The process takes into account the benefits of risk reduction across a wide gamut of risk categories (regulatory, financial, reliability, safety, reputation) and also assesses the qualitative impact of various risks.
5. It helps the company achieve an optimum balance between business risks and returns.
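The scoring and allocation steps described above, as an added Python example (not Hydro One’s own tool): the product scoring rule, the scale labels, the risk names, the programs and the dollar figures are constructed assumptions, and the Delphi step is reduced to a median over participants’ votes.

```python
"""Risk-based investment planning in the style of the Hydro One process
described above. The scoring rule, risk names, programs and dollar
figures below are constructed for illustration, not Hydro One's data."""
from dataclasses import dataclass
from statistics import median_high

# Five-point scales, as described on the page (the labels are assumed).
IMPACT_SCALE = {1: "minor", 2: "moderate", 3: "major", 4: "severe", 5: "worst case"}
PROBABILITY_SCALE = {1: "remote", 2: "unlikely", 3: "possible", 4: "likely", 5: "almost certain"}


def risk_score(impact: int, probability: int) -> int:
    """Overall score for one (impact, probability) combination.
    The page says a score is assigned to each combination but not how;
    the product is an assumption that gives a 1..25 range."""
    if impact not in IMPACT_SCALE or probability not in PROBABILITY_SCALE:
        raise ValueError("ratings must lie on the 1-5 scales")
    return impact * probability


def delphi_consensus(votes):
    """Collapse several participants' (impact, probability) votes for one
    risk into a consensus rating. median_high keeps the result on the
    integer scale and stops a single outlier from driving the ranking."""
    impacts = [impact for impact, _ in votes]
    probabilities = [probability for _, probability in votes]
    return median_high(impacts), median_high(probabilities)


def total_risk(profile):
    """Sum of risk scores over a risk profile {risk: (impact, probability)}."""
    return sum(risk_score(*rating) for rating in profile.values())


@dataclass(frozen=True)
class Program:
    name: str
    risk: str               # the risk this investment mitigates
    cost: int               # capital required, in dollars
    impact_after: int       # residual impact rating if funded
    probability_after: int  # residual probability rating if funded


def bang_for_the_buck(program, profile):
    """Risk reduction per dollar spent: (current score - residual score) / cost.
    A program that would not lower the current score scores zero."""
    before = risk_score(*profile[program.risk])
    after = risk_score(program.impact_after, program.probability_after)
    return max(before - after, 0) / program.cost


def allocate_capital(programs, profile, budget):
    """Greedy allocation: repeatedly fund the affordable program with the
    best bang for the buck, re-scoring against the residual profile so two
    programs aimed at the same risk are not double-counted.
    Returns (funded program names in order, residual profile, unspent)."""
    residual = dict(profile)
    remaining = budget
    funded = []
    candidates = list(programs)
    while True:
        affordable = [p for p in candidates
                      if p.cost <= remaining and bang_for_the_buck(p, residual) > 0]
        if not affordable:
            break
        best = max(affordable, key=lambda p: bang_for_the_buck(p, residual))
        funded.append(best.name)
        remaining -= best.cost
        residual[best.risk] = (best.impact_after, best.probability_after)
        candidates.remove(best)
    return funded, residual, remaining


# Constructed corporate risk profile after Delphi voting: (impact, probability).
CURRENT_PROFILE = {
    "oil spill": (5, 2),
    "regulatory non-compliance": (3, 4),
    "distribution reliability": (4, 3),
    "worker safety": (4, 2),
}

# Constructed candidate investment programs.
PROGRAMS = [
    Program("spill containment upgrade", "oil spill", 2_000_000, 5, 1),
    Program("compliance tracking system", "regulatory non-compliance", 500_000, 3, 2),
    Program("line refurbishment", "distribution reliability", 3_000_000, 2, 3),
    Program("safety training", "worker safety", 250_000, 4, 1),
    Program("redundant feeders", "distribution reliability", 1_500_000, 4, 1),
]

if __name__ == "__main__":
    funded, residual, unspent = allocate_capital(PROGRAMS, CURRENT_PROFILE, 4_000_000)
    print("funded:", funded)
    print("total risk before:", total_risk(CURRENT_PROFILE), "after:", total_risk(residual))
    print("unspent:", unspent)
```

With a $4M budget the cheap safety and compliance programs are funded first despite their smaller absolute risk reduction, and the second reliability program is skipped because the first already lowered that risk.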

Thus, the ERM implementation process makes use of a variety of tools and techniques, including the “Delphi Method,” risk trends, risk maps, risk tolerances, risk profiles and risk rankings. It has succeeded in overcoming most of the issues as follows:
* The use of the Delphi method facilitates open discussion and causes managers to shed their rigid views and develop a common understanding of the risks. They are able to concur on the corporate plan for apportioning action and resources to manage those risks. The attention of top management is secured by espousing that risk management is everyone’s responsibility, from the Board of Directors to individual employees. The classification of risks allows managerial attention to be concentrated on high-risk factors.
* Risks are continuously evolving, and the magnitude and probability of a given risk are affected by internal controls (past mitigation efforts) as well as by external changes in the environment. Monitoring and reporting are therefore fundamental to the effective management of business risks. Hydro One engaged in extensive reviews and incorporated outside views into the corporate risk profile with the help of information gathered from other sources, such as workshops and media scans, along with structured interviews with the top 40 to 50 executives.
* Regulatory compliance is ensured through a separate classification of regulatory risks and potential loss of credibility.
Thus, the risk-based investment planning system has yielded many benefits for the firm, but as the risks faced by the firm change, the company continuously needs to incorporate those risks into its ERM system in order to succeed in achieving its strategy.


EBI Special Order Analysis

This case study focuses on a business opportunity that has recently been offered to Earth Baby Inc. (EBI). It concerns a business proposal that will increase the company’s sales dimensions while also adding integral quality to its value chain through an alliance with a retail discount business, i.e. Great Deal Inc. (GDI).

This analysis will take into consideration one or more strategic measures that should perhaps be taken by EBI in order to assist in identifying and minimizing risk, and in order to ensure that the proposed business agreement is in the best interest of the company. Aside from the more familiar decisional strategy which has always proven to be reliably effective, e.g. a SWOT analysis, an examination of the possible benefits arising from the use of an availability heuristic approach that utilizes foresight and hindsight judgment parameters will be discussed.

Keywords: EBI, GDI, SWOT, availability heuristic, hindsight bias, foresight knowledge

The proposed opportunity that has presented itself to EBI entails increasing the company’s market share of baby food products through GDI’s distribution chain and their resources. The proposed venture will offer EBI an increased profit percentage only if the company agrees to alter its current food processing formulas as well as turn over a substantial portion of its branding rights to GDI.

It is in the best interest of EBI at this time to conduct a comprehensive risk analysis with regard to the changes that will be made, concerning the impact upon EBI’s new product formula, new business environment and customer base, along with branding techniques, marketing strategies and supply chain activities.

Risk Analysis

Conducting a thorough SWOT analysis would be advisable at first in order to assess EBI’s internal strengths and weaknesses and how they will measure up against the opportunities, which may inadvertently turn into threats, with respect to the changes that will occur within EBI’s newly adopted business environment.

EBI will be challenged to weigh those resources that make up the force behind its competitive advantage(s), because it will be risking the success of its current business strategies against the sum of those changes that will impact it, should the company accept GDI’s proposal (Bateman & Snell, 2009). EBI’s management might consider backing up the information it garnered from a SWOT analysis with another method that examines the potential risk involved in opting for a reconfigured, or otherwise entirely new and untried, business strategy.

A method that undertakes the availability heuristic approach has been shown to provide business decision makers with a unique way (if optimal results are obtained) of incorporating intuitive judgment, referred to as ‘hindsight bias’, and integrating the more positive properties of this mindset with more quantifiable intellectual data, referred to as ‘foresight knowledge’, with respect to formulating new strategies under the constraints of various risks.

This method gauges the two schools of thought by measuring and matching up, and then mapping and mathematically analyzing, the positive relationships between probable outcomes of certain risk factors as they may pertain to, and/or have significant bearing on, a number of business decisions, their outcomes and their consequences, based primarily upon their perceived and qualitative susceptibility to risks.

Conclusion

Although at this juncture EBI’s decision to employ the availability heuristic may seem precarious, the opportunity to identify and neutralize the risks of the proposal, while also discovering some new and innovative strategies, does present itself. A safer strategic analysis could be provided through the use of one or more of the conventionally known analytical tools, e.g. SWOT or Porter’s Five Forces. In any event, it would be in EBI’s very best interest to thoroughly investigate all avenues of risk as well as opportunity before making a final decision to accept GDI’s business proposal.


Enterprise Risk Management

Enterprise risk management (ERM) is a relatively new discipline that focuses on identifying, analyzing, monitoring, and controlling all major risk classes (e.g., credit, market, liquidity and operational risk). Operational risk management (ORM) is a subset of ERM that focuses on identifying, analyzing, monitoring, and controlling operational risk.

The purpose of this paper is to explain what enterprise risk management is and how operational risk management fits into the ERM framework. In our conclusion, we discuss what is likely to happen in the ERM / ORM environment over the next 5 years.

Introduction

As the Internet has come of age, companies have been rethinking their business models, core strategies, and target customer bases. “Getting wired” provides businesses with new opportunities, but brings new risks and uncertainty into the equation. Mismanagement of risk can carry an enormous cost.

In recent years, business has experienced numerous risk-related reversals that have resulted in considerable financial loss, decrease in shareholder value, damage to company reputations, dismissals of senior management, and, in some cases, the very dissolution of the business. This increasingly risky environment, in which risk mismanagement can have dire consequences, mandates that management adopt a new, more proactive perspective on risk management.

What is Enterprise / Operational Risk Management?

Clearly, there is a correlation between effective risk management and a well-managed business.

Over time, a business that cannot manage risk effectively will not prosper and may, perhaps, fail. A disastrous product recall could be the company’s last. Rogue traders lacking oversight and adequate controls have destroyed old, well-established institutions in a very short time. But, historically, risk management in even the most successful businesses has tended to be in “silos”—the insurance risk, the technology risk, the financial risk, the environmental risk, all managed independently in separate compartments.

Coordination of risk management has usually been non-existent, and identification of emerging risks has been sluggish. This paper espouses a recent concept—enterprise-wide risk management—in which the management of risks is integrated and coordinated across the entire organization. A culture of risk awareness is created. Companies across a wide cross-section of industries are beginning to implement this effective new methodology.

Enterprise / Operational Risk Management

At first glimpse, there is much similarity between operational risk management and other classes of risk (e.g., credit, market, liquidity risk, etc.) and the tools and techniques applied to them. In fact, the principles applied are nearly identical. Both ORM and ERM must identify, measure, mitigate and monitor risk. However, at a more detailed level, there are numerous differences, ranging from the risk classes themselves to the skills needed to work with operational risk. Operational risk management is just beginning to define the next phase of evolution of corporate risk management.

Should firms be able to develop successful ORM programs, the next step will be for these firms to integrate ORM with all other classes of risks into truly enterprise-wide risk management frameworks. See Exhibit 1 for an example of an ERM / ORM organizational structure representative of the banking industry:

Exhibit 1. ERM Organization Chart
- CEO
- Group Risk Director (ERM)
- Economic Capital (Planning) & Risk Transfer
- Group Risk Executive Committee
- Change Program
- Credit Risk*
- Market Risk*
- Operational Risk (ORM)*
- Corporate Compliance
- IT Security and Business Continuity
- Corporate Risk Evaluation (Audit)
* Note: the major categories of risk to which financial services firms expose themselves are credit risk, market risk and operational risk. Not surprisingly, financial services firms’ largest risk concentrations—credit risk and market risk—are most effectively managed.

Why Enterprise / Operational Risk Management?

There are many reasons ERM / ORM functions are being established within corporations. The following are a few of the reasons these functions are being established.

Organizational Oversight

Two groups have recently emphasized the importance of risk management at the organization’s highest levels. In October 1999, the National Association of Corporate Directors released its Report of the Blue Ribbon Commission on Audit Committees, which recommends that audit committees “define and use timely, focused information that is responsive to important performance measures and to the key risks they oversee.” The report states that the chair of the audit committee should develop an agenda that includes “a periodic review of risk by each significant business unit.” In January 2000, the Financial Executives Institute released the results of a survey on audit committee effectiveness. Respondents, primarily chief financial officers and corporate controllers, ranked “key areas of business and financial risk” as most important for audit committee oversight. In light of events surrounding recent corporate scandals (e.g., Enron), and the increasing executive and regulatory focus on risk management, the percentage of companies with formal ERM methods is increasing and audit committees are becoming more involved in corporate oversight.

The UK and Canada have set forth specific legal requirements for audit committee oversight of risk evaluation, mitigation, and management which are widely accepted as best practices in the U.S.

Magnitude of Problem

The magnitude of loss and impact of operational risk and losses to date is difficult to ignore. Based on years of industry loss record-keeping from public sources, large operational risk-related financial services losses have averaged well in excess of $15 billion annually for the past 20 years, but this only reflects the large public and visible losses.

Exhibit 2. Selected large operational risk losses (Source: Hoffman, Managing Operational Risk)
- The manager of the Imasato branch forged 19 deposit certificates, which were used to raise money for stock deals.
- Former employees pleaded guilty to conspiring to arrange $5 billion in unauthorized loans to Iraq.
- Loss due to unauthorized trading by an employee. This catastrophic loss has become a benchmark for operational risk.
- Losses due to lack of dual control and checks and balances.
- Huge market losses due to inadequate model management and inadequate controls at Long Term Capital Management.
- Pennzoil sued Texaco alleging that Texaco “wrongfully interfered” in its merger deal with Getty.
- Largest and longest-running accounting fraud in history. Former executives conspired to inflate earnings.
- The company agreed to pay settlements to 18 women who indicated breast implants made them ill.
- Insurance fraud case in which Martin Frankel allegedly stole as much as $2 billion from this foundation.
- Loss due to liquidation of oil supply contracts.
- Settlement of asbestos-related claims.
- Largest people risk class case in financial history.
- Largest investment loss ever registered by a municipality.
- Settlement of North Slope oil royalties dispute with Alaska.
- Disguised losses on FX forward contracts.
- Major oil refiner in Japan faced losses from forward currency contracts.
- Settled charges of securities fraud with state and federal regulators.
- Former employees filed a class action suit charging the company with fraud, breach of duty and negligence.
- Heavy losses suffered due to 3 strikes.
- A former president of the firm defrauded in an embezzlement scheme.

Increasing Business Risks

With the increasing speed of change for all companies in this new era, senior management must deal with many complex risks that have substantial consequences for the organization.

A few forces currently creating uncertainty are:
- Technology and the Internet
- Increased worldwide competition
- Free trade and investment worldwide
- Complex financial instruments
- Deregulation of key industries
- Changes in organizational structures from downsizing, reengineering, and mergers
- Increasing customer expectations for products and services
- More and larger mergers
Collectively, these forces are stimulating considerable change and creating an increasing risk in the business environment.

Regulatory

The international regulators clearly intend to encourage banks to develop their own proprietary risk measurement models to assess regulatory, as well as economic, capital. The advantage for banks should be a substantial reduction in regulatory capital, and a more accurate allocation of capital vis-à-vis the actual risk confronted. In December 2001, the Basel Committee on Banking Supervision submitted a paper, “Sound Practices for the Management and Supervision of Operational Risk,” for comment by the banking industry.

In developing these sound practices, the Committee recommended that banks have risk management systems in place to identify, measure, monitor and control operational risks. While the guidance in this paper is intended to apply to internationally active banks, plans are to eventually apply this guidance to those banks deemed significant on the basis of size, complexity, or systemic importance, and to smaller, less complex banks. Regulators will eventually conduct regular independent evaluations of a bank’s strategies, policies, procedures and practices addressing operational risks.

The paper indicates an independent evaluation of operational risk will incorporate a review of the following six bank areas:²
- Process for assessing overall capital adequacy for operational risk in relation to its risk profile and its internal capital targets;
- Risk management process and overall control environment effectiveness with respect to operational risk exposures;
- Systems for monitoring and reporting operational risk exposures and other data quality considerations;
- Procedures for timely and effective resolution of operational risk exposures and events;
- Process of internal controls, reviews and audit to ensure integrity of the overall risk management process; and
- Effectiveness of operational risk mitigation efforts.

² Basel Committee on Banking Supervision, Sound Practices for the Management and Supervision of Operational Risk (Basel, Switzerland: Basel Committee on Banking Supervision, 2001), p. 1.

Market Factors

Market factors also play an important role in motivating organizations to consider ERM / ORM. Comprehensive shareholder value management and ERM / ORM are very much linked.

Today’s financial markets place substantial premiums for consistently meeting earnings expectations. Not meeting expectations can result in severe and rapid decline in shareholder value. Research conducted by Tillinghast-Towers Perrin found that with all else being equal, organizations that achieved more consistent earnings than their peers were rewarded with materially higher market valuations.

Therefore, for corporate executives, managing key risks to earnings is an important element of shareholder value management. The traditional view of risk management has often focused on property and liability related issues or internal controls. However, “traditional” risk events such as lawsuits and natural disasters may have little or no impact on destroying shareholder value compared to other strategic and operational exposures—such as customer demand shortfall, competitive pressures, and cost overruns. One explanation for this is that traditional risk hazards are relatively well understood and managed today—not that they don’t matter. Managers now have the opportunity to apply the tools and techniques used for traditional risks to all risks that affect the strategic and financial objectives of the organization.

For non-publicly traded organizations, ERM / ORM is valuable for many of the same reasons. Rather than from the perspective of shareholder value, ERM / ORM would provide managers with a comprehensive overview of other important items such as cash flow risks or stakeholder risks. Regardless of the organizational form, ERM / ORM can be an important management tool.

Corporate Governance

Defense against operational risk and losses flows from the highest level of the organization—the board of directors and executive management. The board, the management team that they hire, and the policies that they develop, all set the tone for a company.

As guardians of shareholder value, boards of directors must be acutely attuned to market reaction to negative news. In fact, they can find themselves castigated by the public if the reaction is severe enough. As representatives of the shareholders, boards of directors are responsible for policy matters relative to corporate governance, including but not limited to setting the stage for the framework and foundation for enterprise risk management.

³ Tillinghast-Towers Perrin, Enterprise Risk Management: Trends and Emerging Practices (The Institute of Internal Auditors Research Foundation, 2001), p. xxvi.

Right now, operational risk management is a “hot topic” of discussion for regulators and in boardrooms across the US. In the wake of the 2001 releases from the Basel Risk Management Committee, banks now have further insight as to the regulatory position on the need for regulatory capital for operational risk. Meanwhile, shareholders are aware that there are means to identify, measure, manage, and mitigate operational risk that add up to billions of dollars every year and include frequent, low-level losses and also infrequent but catastrophic losses that have actually wiped out firms, such as Barings, and others.

Regulators and shareholders have already signaled that they will hold directors and executives accountable for managing operational risk.

Best Practice

Senior managers need to encourage the development of integrated systems that aggregate various market, credit, liquidity, operational and other risks generated by business units in a consistent framework across the institution. Consistency may become a necessary condition to regulatory approval of internal risk management models.

An environment where each business unit calculates its risk separately, with different rules, will not provide meaningful oversight of firm-wide risk. The increasing complexity of products, linkages between markets, and potential benefits offered by overall portfolio effects are pushing organizations toward standardizing and integrating risk management.

Conclusion

It seems clear that ERM / ORM is more than another management fad or academic theory. We believe that ERM / ORM will become part of the management process for organizations in the future.

Had ERM / ORM processes been in place during the past two decades, a number of the operational risk debacles that took place may not have occurred or would have been of lesser magnitude. Companies are beginning to see the benefit of protecting themselves from all types of potential risk exposures. By identifying and mapping risk exposures throughout the organization, a company can concentrate on mitigating those exposures that can do the most damage. With an understanding of risks, their severity, and their frequency, a company can turn to solutions, be it retaining, transferring, sharing, or avoiding a particular risk.

Our thoughts on what will happen in the ERM / ORM environment in the next 5 years are:

In the next 5 years, it is likely that companies will no longer view risk management as a specialized and isolated activity: the management of insurance or foreign exchange risks, for instance. The new approach will keep managers and employees at all levels sensitized to and concerned about risk management. Risk management will be coordinated with senior management oversight and everyone in the organization will view risk management as part of his or her job. The risk management process will be continuous and broadly focused.

All business risks and opportunities will be covered. In the next 5 years, the use of bottom-up risk assessments will be a standard process used to identify risks throughout the organization. The self-assessment process will involve everyone in the company and require individual units to focus and report on the threats to their individual business objectives. Through the self-assessment process, the organization will be able to understand loss potential and risk control by business, by profit center and by product. The individual line manager will begin to understand the loss potential in his or her own processing system.

In the next 5 years, the use of top-down scenario analysis will be another standard method used to identify risks throughout the organization. Top-down scenario analysis will determine the risk potential for the entire firm, the entire business, organization, or portfolio of business. By its very nature, it is a high-level representation and cannot get into the bottom-up transaction-by-transaction risk analysis. For example, because Microsoft has a campus of more than 50 buildings in the Seattle area, earthquakes are a risk.⁴ In the past, Microsoft looked at silos of risk.

For example, they would have looked at property insurance when they considered the risks of an earthquake and thought about protecting equipment and buildings. However, using scenario analysis they are now taking a more holistic perspective in considering the risk of an earthquake. The Microsoft risk management group has analyzed this disaster scenario with its advisors and has attempted to quantify its real cost, taking into account how risks are correlated. In the process, the group identified risks in addition to property damage, such as the following:

- Director and officer liability if some people think management was not properly prepared.
- Key personnel risk.
- Capital market risk because of the firm’s inability to trade.
- Worker compensation or employee benefit risk.
- Supplier risk for those in the area of the earthquake.
- Risk related to loss of market share because the business is interrupted.
- Research and development risks because those activities are interrupted and product delays occur.
- Product support risks because the company cannot respond to customer inquiries.

⁴ Michel Crouhy, Dan Galai, and Robert Mark, Making Enterprise Risk Management Payoff (New York: McGraw-Hill, 2001), pp. 132-133.

By using scenario analysis, management has identified a number of risks that it might not have otherwise, and Microsoft is now in a better position to manage these risks. The future ERM / ORM tools such as risk assessment and scenario analysis will assist companies in identifying and mitigating the majority of these risks. In the next 5 years, companies will be using internal and external loss databases to capture occurrences that may cause losses to the company and the actual losses themselves.

This data will be used in quantitative models that will project the potential losses from the various risk exposures. This data will be used to manage the amount of risk a company may be willing to take. In the next 5 years, companies will allocate capital to individual business units based on operational risk. By linking operational risk capital charges to the sources of that risk, individuals with risk optimizing behavior will be rewarded and those without proper risk practices will be penalized.

In the next 5 years, internal audit will become even more focused on how risks are managed and controlled throughout the company on a continuous basis. Internal audit will be responsible for reporting on integrity, accuracy, and reasonableness of the company’s entire risk management process. In addition, Internal Audit will be involved in ensuring the appropriateness of the company’s capital assessment and allocation processes. Furthermore, audit will influence continual improvement of risk management and controls through the sharing of best practices.

In the next 5 years, management will be looking for individuals who are skilled in risk management. Professional designations such as the Bank Administration Institute’s Certified Risk Professional (CRP) and the Information Systems Audit and Control Association’s Certified Information Security Manager (CISM) will demonstrate proficiency in the risk management area and will be in demand. In the next 5 years, external auditors will be required to report on the efficiency and effectiveness of a company’s risk management program.

These companies will be required to disclose the scope and nature of risk reporting and/or measurement systems in their annual reports. Overall, companies will be better positioned in the next 5 years to deal with the broad scope of enterprise-wide risks. By implementing the ERM / ORM process now, companies will begin to maximize their overall risk profile for competitive advantage.

References

Barton, Thomas L.; Shenkir, William G.; Walker, Paul L. Making Enterprise Risk Management Pay Off. New Jersey: Financial Times / Prentice Hall, 2002.
“Basel II Mandates a Nest Egg for Banks.” US Banker (July 1, 2002): 48. July 2002. http://web2.infotrac.galegroup.co
BITS. BITS Technology Risk Transfer Gap Analysis Tool. Washington, D.C.: BITS, 2002.
Bock, Jerome T. The Strategic Role of “Economic Capital” in Bank Management. Wimbledon, London: MidasKapiti International, 2000.
Business Banking Board. RAROC and Operating Risk. Washington, D.C.: Corporate Executive Board, 2001.
Business Banking Board. Risk Management Structure. Washington, D.C.: Corporate Executive Board, 2001.
Consultative Document: Operational Risk. 2001. Bank for International Settlements and Basel Committee on Banking Supervision. July 2002. http://www.bis.org/publ/bcbsa07.pdf
Crouhy, Michel; Galai, Dan; Mark, Robert. Risk Management. New York: McGraw-Hill, 2001.
“Elements of a Successful IT Risk Management Program.” Gartner (May 2002): 9. July 2002. http://www.gartner.com/gc/webletter/bindview/issue1/ggarticle1.html
Ernst & Young. Integrated Risk Management Practices. Unpublished PowerPoint slides, Ernst & Young, 2000.
Hively, Kevin; Merkley, Brian W.; Miccolis, Jerry A. Enterprise Risk Management: Trends and Emerging Practices. Florida: The Institute of Internal Auditors Foundation, 2001.
Hoffman, Douglas G. Managing Operational Risk. New York: John Wiley & Sons, Inc., 2002.
“In Brief: Ferguson Urges Investing in Risk Control.” American Banker (March 5, 2002): 1. July 2002. http://0-proquest.umi.com.opac.library.csupomona.edu
James, Christopher. RAROC Based Capital Budgeting and Performance Evaluation: A Case Study of Bank Capital Allocation. Pennsylvania: The Wharton School, 1996.
Jameson, Rob; Walsh, John. “The Leading Contenders.” Risk Magazine (November 2000): 6. July 2002. http://www.financewise.com/public/edit/riskm/oprisk/opr-soft00.htm
Insurance Industry (participating companies: Allianz, AXA, Chubb, Mitsui Sumitomo, Munich Re, Swiss Re, Tokio Marine and Fire, XL, Yasuda Fire and Marine and Zurich). Insurance of Operational Risk Under the New Basel Accord. Insurance Industry, 2001.
Lam, James. “Top Ten Requirements for Operational Risk Management.” Risk Management (November 2001). July 2002. http://0-proquest.umi.com.opac.library.csupomona.edu
Marks, Norman. “The New Age of Internal Auditing.” The Internal Auditor (December 2001): 5. July 2002. http://0-proquest.umi.com.opac.library.csupomona.edu
McNamee, David; Selim, George M. Risk Management: Changing the Internal Auditor’s Paradigm. Florida: The Institute of Internal Auditors Research Foundation, 1998.
National Association of Financial Services Auditors. “Enterprise Risk Management.” National Association of Financial Services Auditors (Spring 2002): 12-13.
netForensics. Web site discussing the regulations that govern information security in financial services, healthcare and government. http://www.netforensics.com/verticals.html
Ong, Michael. “Why Bother?” Risk Magazine (November 2000): 6. July 2002. http://www.financewise.com/public/edit/riskm/oprisk/oprcommentary00.htm
Practice Advisory 2100-3: Internal Audit’s Role in the Risk Management Process. March 2001. The Institute of Internal Auditors. July 2002. http://www.theiia.org/ecm/guide-frame.cfm?doc_id=73
Santomero, Anthony M. Commercial Bank Risk Management: An Analysis of the Process. Pennsylvania: The Wharton School, 1997.
Sound Practices for the Management and Supervision of Operational Risk. 2002. Bank for International Settlements and Basel Committee on Banking Supervision. July 2002. http://www.bis.org/publ/bcbs86.htm
The Financial Services Roundtable. Guiding Principles in Risk Management for U.S. Commercial Banks. Washington, D.C.: The Financial Services Roundtable, 1999.
Verschoor, Curtis C. Audit Committee Briefing – 2001: Facilitating New Audit Committee Responsibilities. Florida: The Institute of Internal Auditors, 2001.
Working Paper on the Regulatory Treatment of Operational Risk. 2001. Bank for International Settlements and Basel Committee on Banking Supervision. July 2002. http://www.bis.org/publ/bcbs_wp8.pdf

Read more

Chapter Risk Management

Why is identification of risks, by listing assets and their vulnerabilities, so important to the risk management process?
Risk management is the process of identifying risk, as represented by vulnerabilities, to an organization’s information assets and infrastructure, and taking steps to reduce this risk to an acceptable level. Each of the three elements in the C.I.A. triangle, introduced in Chapter 1, is an essential part of every IT organization’s ability to sustain long-term competitiveness. When an organization depends on IT-based systems to remain viable, information security and the discipline of risk management must become an integral part of the economic basis for making business decisions. These decisions are based on trade-offs between the costs of applying information systems controls and the benefits realized from the operation of secured, available systems.

According to Sun Tzu, what two key understandings must you achieve to be successful?
Know yourself and know the enemy.

Who is responsible for risk management in an organization? Which community of interest usually takes the lead in information security risk management?
The resources used when undertaking information asset risk management are usually provided by all three communities: information security, information technology and general management.

In risk management strategies, why must periodic review be a part of the process?
Periodic reviews must be part of the risk management strategy because the threats facing a company are constantly changing. Also, once any specific vulnerability is completely managed by an existing control, it no longer needs to be considered for additional controls.

Why do networking components need more examination from an information security perspective than from a systems development perspective?
Networking components need more examination from an information security perspective than from a systems development perspective because networking subsystems are often the focal point of attacks against the system.

What value does an automated asset inventory system have for the risk identification process?
An automated asset inventory system is valuable to the risk identification process because all hardware components are already identified (make, model and location), so management can review the most critical items and assess their values.

What information attribute is often of great value for networking equipment when DHCP is not used?
The IP address.

Which is more important to the systems components classification scheme, that the list be comprehensive or mutually exclusive?
It is more important that the list be comprehensive than mutually exclusive. It would be far better to have a component assessed in an incorrect category than to have it go completely unrecognized during a risk assessment.

What’s the difference between an asset’s ability to generate revenue and its ability to generate profit?
The main difference between a revenue-generating asset and a profit-generating asset is that the revenue-generating asset produces a cash flow that is linked directly to the asset. If the asset were sold, the cash flow would stop. For a profit-generating asset, the linkage is not so direct. The asset does not produce cash directly, but influences consumer and competitor behavior with the intention of producing more revenue.

What are vulnerabilities and how do you identify them?
A vulnerability is a weak spot in your network that might be exploited by a security threat. Risks are the potential consequences and impacts of unaddressed vulnerabilities. Vulnerability assessment tools or scanners are used to identify vulnerabilities within the network. The vulnerabilities identified by most of these tools extend beyond software defects (which are fixed by patching) to include other easily exploitable weaknesses, such as unsecured accounts, misconfigurations and even back doors. There are several types of assessment tools available. Although these tools have general similarities, they can vary in the methods and processes they employ to identify vulnerabilities. As a best practice, you shouldn’t rely on a single assessment tool but should use different tools to gain a broader perspective of your exposure to vulnerabilities. Open-source or shareware assessment tools are available online and can be used to supplement commercial scanners.

What is competitive disadvantage? Why has it emerged as a factor?
Competitive disadvantage is the state of falling behind the competition. It has emerged as a factor because businesses which do not stay on the cutting edge of IT can quickly fall behind the competition, given the current fast pace of technological advances.

What are the strategies for controlling risk as described in this chapter?
The four risk control strategies are avoidance, transference, mitigation and acceptance.

Describe the “defend” strategy. List and describe the three common methods.
The strategy of avoidance involves applying controls that eliminate or reduce the remaining uncontrolled risks. The three common methods are the application of policy, training and education, and the application of technology.

Describe the “transfer” strategy. Describe how outsourcing can be used for this purpose.
The strategy of transference involves shifting risks to other areas or outside entities. Outsourcing can be used for risk transference by outsourcing security-sensitive areas which are not central to the organization’s purpose and letting the outsourcing firm accept the risk.

Describe the “mitigate” strategy. What three planning approaches are discussed in the text as opportunities to mitigate risk?
The strategy of mitigation involves reducing the impact should an attacker successfully exploit the vulnerability. The three planning approaches are the incident response plan (IRP), the disaster recovery plan (DRP) and the business continuity plan (BCP).

How is an incident response plan different from a disaster recovery plan?
The incident response plan (IRP) focuses on the immediate response to an incident. The disaster recovery plan (DRP) focuses on restoring operations at the primary site after a disaster occurs.

What is risk appetite? Explain why risk appetite varies from organization to organization.

What is a cost-benefit analysis?
Cost-benefit analysis (CBA), sometimes called benefit-cost analysis (BCA), is a systematic process for calculating and comparing the benefits and costs of a project, decision or government policy.

What is the definition of single loss expectancy? What is annual loss expectancy?
Single loss expectancy (SLE) is the amount of loss expected from any single successful threat attack on any given asset. This is a monetary value that describes how much the incident will cost in terms of lost asset value. Annual loss expectancy (ALE) estimates the annual loss resulting from an incident.

10. What is residual risk?
Residual risk is risk that has not been completely removed, shifted, or planned for.

Exercise: If an organization has three information assets to evaluate for risk management as shown in the accompanying data, which vulnerability should be evaluated for additional controls first? Which one should be evaluated last?
An evaluation of the provided asset vulnerabilities results in the following. The switch has two vulnerabilities: the first involves a hardware failure with a likelihood of 0.2 and the second a buffer attack with a likelihood of 0.1. The switch has an impact rating of 90.

The company Web site is hosted by this server and performs valuable e-commerce transactions which can be compromised if the server is not protected. If an attack on this server occurs, much of the company’s private data could be compromised, which could harm the organization in many ways. Protecting the server could also keep the organization safe from other threats and attacks. I would evaluate the control console that monitors operations in the server room last because the likelihood of misuse is low, it has the lowest impact value, and it poses the least amount of risk to the organization.
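The following Python script is an added worked example (not the essay's own work) covering the SLE/ALE questions and the three-asset exercise above: it ranks vulnerabilities by likelihood times impact and then runs the loss-expectancy and cost-benefit arithmetic used to justify a control. Only the switch's figures come from the exercise; the Web server and console ratings, the dollar amounts, and the CBA formula (ALE before minus ALE after minus annual control cost) are assumptions.

```python
"""Risk-identification worksheet for the exercise and the SLE/ALE questions above.

Added example, not part of the original essay.  It ranks vulnerabilities by a
simple rating (likelihood x asset impact) so the highest-rated one is evaluated
for additional controls first, then shows the loss-expectancy and cost-benefit
arithmetic used to justify a control.  Only the switch figures come from the
exercise; every other number is a constructed placeholder.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Vulnerability:
    name: str
    likelihood: float  # chance the threat materialises in a year, 0.0 to 1.0


@dataclass(frozen=True)
class Asset:
    name: str
    impact: int  # impact (value) rating on the 0-100 scale used in the exercise
    vulnerabilities: tuple


def risk_rating(asset: Asset, vuln: Vulnerability) -> float:
    """Likelihood x impact; rejects out-of-range inputs instead of ranking them silently."""
    if not 0.0 <= vuln.likelihood <= 1.0:
        raise ValueError(f"{vuln.name}: likelihood must be 0-1, got {vuln.likelihood}")
    if not 0 <= asset.impact <= 100:
        raise ValueError(f"{asset.name}: impact must be 0-100, got {asset.impact}")
    return vuln.likelihood * asset.impact


def rank_vulnerabilities(assets):
    """Return (asset name, vulnerability name, rating) tuples, highest rating first."""
    rows = [(a.name, v.name, risk_rating(a, v)) for a in assets for v in a.vulnerabilities]
    return sorted(rows, key=lambda r: r[2], reverse=True)


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = asset value x exposure factor (fraction of the asset lost in one incident)."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be 0-1")
    return asset_value * exposure_factor


def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE x annualized rate of occurrence (expected incidents per year)."""
    return sle * aro


def cost_benefit(ale_before: float, ale_after: float, annual_control_cost: float) -> float:
    """CBA = ALE(before control) - ALE(after control) - annual cost of the control.

    A positive result means the control pays for itself.  This is the common
    textbook formulation and is an assumption here, not taken from the essay.
    """
    return ale_before - ale_after - annual_control_cost


# The exercise's switch, plus two constructed assets standing in for the
# e-commerce Web server and the server-room control console the answer mentions.
ASSETS = (
    Asset("Switch", 90, (
        Vulnerability("Hardware failure", 0.2),
        Vulnerability("Buffer attack", 0.1),
    )),
    Asset("Web server (constructed)", 100, (
        Vulnerability("Unpatched Web application", 0.3),
    )),
    Asset("Control console (constructed)", 5, (
        Vulnerability("Misuse", 0.1),
    )),
)


def evaluation_order(assets=ASSETS):
    """First and last vulnerability to evaluate for additional controls."""
    ranked = rank_vulnerabilities(assets)
    return ranked[0], ranked[-1]


if __name__ == "__main__":
    for asset_name, vuln_name, rating in rank_vulnerabilities(ASSETS):
        print(f"{rating:6.1f}  {asset_name}: {vuln_name}")
    # Constructed figures: a $100,000 server, 25% lost per incident, one incident
    # every five years; a $2,500/year control cuts the ALE to $1,000.
    sle = single_loss_expectancy(100_000, 0.25)
    ale = annualized_loss_expectancy(sle, 0.2)
    print(f"SLE ${sle:,.0f}  ALE ${ale:,.0f}  CBA ${cost_benefit(ale, 1_000, 2_500):,.0f}")
```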

Draft Risk Management Plan

The top three security threats that Aim Higher College faces are the following:

  • Mobile devices connecting to the network
  • Social media
  • Compromised routers intercepting sensitive information

These threats are the most common that any college faces. The threats have remained at the top of the list every year for a variety of reasons. This list of threats is also unique to college campuses. I will discuss each of the threats in this report.

Students, especially college students, are consistently on some type of social media site or on a mobile device that gives them that type of access. There are many varieties of devices such as tablets, smartphones, laptops, and now even checkmates. Devices such as these are connecting to wireless networks, whether from a service provider or the campus. With these connections many aren’t just using them for social media, but also for checking grades, schedules, or relevant news. The devices depend on connecting to networks but also need to do so in a secure fashion.

Each device has to be checked for viruses, spyware, and other types of malware while still maintaining the C.I.A. triad. A balance must be found between usability and security. Each time a remote device is connected to the network there is a possibility that the network can be compromised by one of these devices. Every device should be authenticated, scanned, and identified. Many are unaware of the risks that can come from connecting to networks, especially wireless access. The use of social media has increased in recent years, and the accompanying chart shows, by age group, how many are connecting to social media.

Students and teachers both use sites like Facebook, MySpace, LinkedIn, Instagram and many more. These applications have the potential to transmit malware every time they are used on the campus network. Malware can be embedded in everything from videos to comments. Any time a student or teacher clicks on a video, viruses, keystroke loggers, or worms can be installed and start destroying or intercepting data. The infected devices must be identified quickly and the malware removed while still allowing others to access the websites.

Another challenge unique to social media is the fact that not only is there a potential network impact, but students may be caught in violations of campus policy on their own time. Social media is being scrutinized on a massive scale, and students and teachers both must watch the types of posts they are posting on these sites. Posting personal beliefs that could be construed as hate or ignorance, or posts against faculty or staff, could cause a person to be expelled or fired depending on the situation. People posting pictures or videos of themselves in lewd or mischievous acts could be reprimanded for their actions.

Most believe these toy 2 making it public especially when sharing with others. The last threat in the list is a compromised router intercepting sensitive information. As the core routing system for the Internet, BGP defines the most efficient route for Internet data to be transmitted around the world, deciding which “links” carry Internet data. Think of it as the Internet’s navigation system, providing turn-by-turn directions for all Internet connections. By hijacking BGP routing, attackers can redirect unsuspecting users, including students, faculty and staff attempting to access the university network, to malicious sites.

Possible Limitations Of The Research Essay

  • Reading through the questionnaires and interviews carefully and coding them after the event in relation to the types of answers, themes and issues, and then categorizing the responses (keeping a note of what the codes refer to).
  • Then asking questions such as: which answers keep repeating, what are the deviations from these answers, are there themes emerging, and are there contradictions? It would then be possible to draw some relative generalizations.

The data will be gathered and analyzed using statistical information, correlation and, where applicable, linear regression models to define the factors affecting foreign exchange and interest rate risk management. The research study and statistical implications will then be developed for the final research document arrangement.

  • The lack of literature to date concerning the disclosure of risk in annual reports might represent a major obstacle.
  • Another limitation might be lack of time. The researcher will follow a hybrid approach in data collection which will include interviews and questionnaires. Collecting data through these methods, analyzing and demonstrating them is time consuming, and the researcher does not have much time.
  • There might be challenges in convincing the companies I intend to research to grant access to the relevant information required. Confidentiality has been a barrier for researchers before. It is necessary to reassure the firm that all data and information collected will be treated in the strictest confidence.
  • When attempting to send questionnaires to shareholders, it might be difficult to access companies’ shareholder databases in order to send them these questionnaires.

Study Time Table

The study will be undertaken according to the following Gantt chart. The chart itself was not preserved; it spans Week 1 to Week 10 and covers these phases:

  • Introduction
  • Literature Review
  • Methodology
  • Interviews
  • Data Interpretation
  • Results Compilation
  • Results and Conclusion

Questionnaire

  • Is there a risk management department in your company? Yes / No
  • Is there an Interest & Foreign Exchange risk management department in your company? Yes / No
  • Do you intend to establish an Interest & Foreign Exchange risk management department in your company? Yes / No
  • Do you feel that shareholders have a right to be informed about potential risks? Yes / No
  • Do you feel that shareholders have a right to be informed about potential Interest & Foreign Exchange risks? Yes / No
  • How do you rate the benefits of risk management in a company on a scale of 1-10?
  • How do you rate the benefits of Interest & Foreign Exchange risk management in a company on a scale of 1-10?
  • Do you see any negative impact of Interest & Foreign Exchange risk management? Yes / No

Interview Questions

  • How would you define the potential rewards of your company?
  • How would you define the potential associated risks of your company?
  • What are the potential rewards of your company?
  • What are the potential associated risks of your company?
  • How do you view the aspect of managing financial risk?
  • What are your views on Interest & Foreign Exchange Risk Management?
  • What are your views on Risk Management in general?
  • How are you planning to implement Risk Management techniques in your company?
  • What are your views on a successful Interest & Foreign Exchange Risk Management schedule?
  • What are your opinions regarding shareholders in the context of Risk Management?
  • What are your opinions regarding shareholders in the context of Interest & Foreign Exchange Risk Management?

Riordan Enterprise Risk Management Plan

Riordan Manufacturing is a Fortune 1000 company that specializes in the plastic injection molding industry. They are an international company with facilities in California, Georgia, Michigan, and China. Their products include beverage containers, plastic fan parts, and custom plastic parts. Riordan prides themselves on their industry leading research and development (University of Phoenix, 2009). The following Enterprise Risk Management (ERM) plan was developed for Riordan Industries, Inc. and its subsidiaries.

The goal of this plan is to help mitigate any legal liability on the part of Riordan by implementing the Committee of Sponsoring Organizations of the Treadway Commission (COSO) framework (Jennings, 2006).

Alternative Dispute Resolution

Alternative Dispute Resolution is a way of resolving differences outside of the courtroom. This includes anything from informal negotiations to formal written arbitration (Jennings, 2006). Currently, Riordan keeps an attorney on retainer but does not have a dispute resolution process in place; thus, if a conflict were to escalate, they would not have a resolution plan to follow.

It is in Riordan’s best interest to have a mediation process in place to help settle disputes. The reasoning is that mediation is cheaper than other dispute resolution methods, especially litigation, and it protects the confidentiality of the parties involved (Peters and Mastin, 2007). Riordan’s internal legal counsel will work directly with the law firm on retainer to develop a mediation process with varying levels of triggers based on levels of risk. In doing so, Riordan should set up a process by which their internal legal department can handle the brunt of the load to further reduce costs.

Enterprise Liability

Enterprise Liability suggests that those who profit from a risk should also bear the cost of accidents that arise from that risk (Keating, 2001). With manufacturing plants in several locations, including internationally, there is significant risk of an accident for which Riordan would be liable. Riordan provides employees with basic training and an employee manual outlining relevant laws (University of Phoenix, 2009). However, there currently is no monitoring system or proactive detection system in place to detect any transgressions.

In the employee manual, Riordan outlines a rigorous discipline system. However, when looking through employee records, there is no record of any discipline associated with employees who violated the attendance policy (University of Phoenix, 2009). This leads to speculation that Riordan does not follow any of their discipline policies. If these records were obtained in a legal dispute, it would leave Riordan extremely vulnerable. Employee records should be kept in a centralized and controlled area where they can be properly maintained.

Product Liability

Product Liability is defined as, “Legal responsibility of the manufacturers, wholesalers, retailers to the buyers or users of the damages or injuries caused by the use of defective products” (Legal-Explanations.com, n.d.). With several manufacturing locations, Riordan focuses on quality and the elimination of defects in its manufacturing process by applying ISO 9000 and the Six Sigma standards for production, shipping, and quality control (University of Phoenix, 2009). However, they have no company-wide standards in place for dealing with quality control.

For example, the Pontiac site has internal memos discussing quality control issues, yet no one took accountability to take action. Riordan will assume a significant amount of risk if it is discovered that they were aware of the quality control issues, yet took no action. Riordan should immediately implement a whistle-blower policy to encourage employees to report any compliance or quality control issues. In addition, Riordan should set up a team of individuals to work with an independent third party to handle these reports.

International Law

Riordan’s China location is a joint venture, with their Chinese partners handling everything from labor, capital, and regulations to hazardous waste cleanup. The officers and directors of Riordan have no real authority over their Chinese partners, nor do they have any legal counsel there for support (University of Phoenix, 2009). Riordan should extend their internal legal department to include staff with expertise in Chinese regulatory compliance.

Tangible Property

Tangible Property is defined as the type of property we can see and touch (Jennings, 2006). At each of Riordan’s locations, they maintain a variety of tangible property, such as general office equipment, transportation equipment, and information technology equipment. Riordan must develop a better system to track the purchase and use of this equipment, including management of leases, maintenance, and general accounting guidelines. Riordan also maintains a supply of raw materials at each location. However, there is currently no process in place for investigating any missing material (University of Phoenix, 2009). It is recommended that Riordan develop a process for documenting the full inventory process from delivery to use in order to assist any investigation into missing materials.

In addition, Riordan needs to develop a much more robust security and emergency plan to protect these assets from theft or other damages.

Intellectual Property

Intellectual Property or Intangible property is defined as bundles of rights with respect to goodwill, trade names, copyrights, patents, trade dress, trade secrets (Jennings, 2006). Riordan maintains various trademarks, patents, copyrights, software, and trade secrets. The protection of these assets is imperative to their future.

Riordan needs to develop a system to identify their existing intellectual property and the means to protect that property, such as restricted areas for storing data, encryption, background checks on employees (especially those with access to sensitive materials), and the use of non-disclosure agreements. In addition, copyrights, patents and trademarks must be registered and maintained (Jennings, 2006).

Legal Forms of Business

Riordan is a corporation with, “unlimited duration, free transferability of interest, limited liability for shareholders/owners, continuity, and centralized management,” (Jennings, 2006).

This eliminates personal liability for officers, directors, and shareholders, with the exception of negligence (Jennings, 2006). However, they are expected to act in the best interest of the company. This includes following all applicable tax laws and regulations. Riordan must address the varying finance and accounting systems that each location currently uses. The existing process is slow and, because of the manual data entry, increases the chance of error. Riordan should implement one accounting system for the entire company to use.

While expensive upfront, this system will cut down on the amount of manual work that is needed and over time will significantly reduce cost. In addition, Riordan is a publicly traded company, which means it must comply with the Sarbanes-Oxley Act (SOX) of 2002 (Jennings, 2006). With Riordan’s current finance and accounting systems, this would be extremely difficult.

Governance

Corporate governance is defined as the way in which a company protects itself with a framework of rules and practices by which the Board of Directors ensures accountability, fairness, and transparency (BusinessDictionary.com, n.d.).

Riordan needs to elect a Board of Directors to oversee the management of the company; in addition, they will provide guidance for the senior management and any external auditors. As Riordan implements the ERM framework, the board should be consulted to make updates for the amount of risk they want to assume and adjust policy as they see fit.

References

BusinessDictionary.com. (n.d.). BusinessDictionary.com. Retrieved from http://www.businessdictionary.com/definition/corporate-governance.html

Jennings, M. M. (n.d.). Business: It’s Legal, Ethical, and Global Environment (7th ed.).

Keating, G. C. (2001). The Theory of Enterprise Liability. Vanderbilt Law Review. Retrieved from http://law.vanderbilt.edu/publications/vanderbilt-law-review/archive/volume-54-number-3-april-2001/download.aspx?id=2846

Legal-Explanations.com. (n.d.). Legal-Explanations.com. Retrieved from http://www.legal-explanations.com/definitions/product-liability.htm

Peters, R. J., and Mastin, D. B. (2007, May – July). To mediate or not to mediate: That is the question. Dispute Resolution Journal, 62(2), 14-21.

University of Phoenix. (2004). Riordan Manufacturing [Computer Software]. Retrieved from University of Phoenix, Simulation, Law 531 website.
