Sunday, June 21, 2020

Involved In It Business Processes Finance Essay - Free Essay Example

After finishing my three semesters of the master's degree, the challenge of completing my study at university continued to draw. This dissertation is my final result of six months of research and entails the post-graduation project of the Master of Business Administration. It has been carried out with the support of Amity University.

All companies are vulnerable to events that could impact their reputation. These events can arise from various factors, such as a company's employment practices, natural disasters, pollution, poor governance, or poor management. Effective risk managers identify the different circumstances and factors that may impact the reputation of a company before the incident occurs. In order to assist risk managers, this dissertation proposes a structured approach to the management of risks which would ensure that the impact on the reputation of the company is minimised. The proposed approach was collated and deduced from the actions taken by companies that have suffered attacks against their reputations but have successfully mitigated the consequences and minimised the damage to their reputations. This approach is highlighted and confirmed by contrasting it with the actions taken by companies that failed to counter the attacks on their reputation.

Abstract

The management of risks in business processes has been a subject of active research in the past few years. Many benefits can potentially be obtained by integrating the two traditionally separate fields of risk management and business process management, including the ability to minimize risks in business processes (by design) and to mitigate risks at run time. One of the primary concerns in a small business is the problem of risk. Many who begin the start-up process terminate it in less than one year. Of those that survive, many are unable to achieve sustained growth and profits. Small-to-medium enterprises (SMEs) have a 50% to 90% chance of failure within the first five years.
Information Technology (IT) business processes that resulted from the accelerated technological pace of change will enable a path of growth and long-term return on investment (ROI) for organizations. However, embarking on such large-scale investments leaves little opportunity to turn back, and sound governance and management of risks will be required to effectively manage unforeseen issues during the life cycle; if these fail, organizations will be constantly functioning in crisis mode. The absence of risk control and risk management can be destructive to overall business performance. Management skills are therefore of paramount importance to reduce the direct cost of projects and to handle the increased challenges derived from improvements to existing IT infrastructures. The need for a robust risk management framework exists, although many industry-standard methodologies are available to assist management in the ongoing task of project delivery.

The specific research aims of this study include the following: to assess the current situation regarding risks that were common within organizations and how these risks were being effectively managed. There is no specific policy or legislation formulated for the management of risks. Regarding public liability, loss or damage, there is minimal consideration for the person affected, and compensation takes the forefront. The protection of human beings should be considered, and the health and safety of those involved in staging major events is important. A further aim is to determine the various systems and logical approaches that are required for a comprehensive, consistent, reliable and proactive way to ensure safe and successful organizations, and to make organizations and students aware that managing risk is important for all minor and major organizations.

Governance, as the binding glue for organizations, has been one of the fastest growing elements of risk management. Performance measurement is paramount to IT governance and must be set and monitored by measurable objectives. Various ISO standards, such as the ISO 31000 risk management standard, can be used in conjunction with these management tools to guide management in the effective implementation of risk practices. While there has been an increasing amount of research aimed at delivering such an integrated system, these research efforts vary in terms of their scope, goals, and functionality. Through systematic collection and evaluation of relevant literature, this paper compares and classifies current approaches in the area of risk-aware business process management in order to identify and explain research gaps. The process through which relevant literature is collected, filtered, and evaluated is also detailed. Finally, a research agenda is proposed.

Acknowledgements

As I reach the end of the journey towards my master's, I am filled with gratefulness towards so many whose directions, blessings, guidance and mentorship helped me to accomplish this goal. I would like to take this opportunity to thank from the bottom of my heart everyone who helped me in pursuing this research. I wish to acknowledge several great individuals who have supported me in this endeavour: first, very special thanks to my brother and my mentor, Ms. Sakshi Singh, for their undying support, love and guidance.
Table of Contents

Title Page
Preface
Abstract
Acknowledgement
CHAPTER 1 Introduction
    Background of the Study
    Problem Statement
    Objectives of the Study
        Primary Objective
        Secondary Objectives
    Scope of the Study
    Research Methodology
    Limitations of the Study
    Summary
CHAPTER 2 Governance
    IT Governance
    IT Governance Domains
    Roles
    Governance Tools
    COBIT
        COBIT Construct
        Applicability to the Organization
        Recommended Action Plan
    SOX
        SOX Construct
        Applicability to the Organization
        Recommended Action Plan
    ISO 31000
        ISO 31000 Construct
        Applicability to the Organization
        Recommended Action Plan
    Summary
CHAPTER 3 Risk
    Introduction
    What is Risk?
    Different Types of Risks
    Market Risk
        Management of Market Risk
    Business Risk
        Management of Business Risk
    Financial Risk
        Management of Financial Risk
    Credit Risk
        Management of Credit Risk
    Reputation Risk
        Management of Reputation Risk
    Conclusion
CHAPTER 4 Governance, Risk Management and Compliance (GRC) Platform Selection
    General Considerations
    Functional Requirements
    Non-functional Requirements
    Selection Process Walk Through
    Summary
CHAPTER 5

CHAPTER 1 Nature and Scope of the Study

Introduction

Organizations face many uncertainties in their day-to-day operations (such as IT infrastructure malfunction or share market movement). The effects of these uncertainties on organizational objectives are known as risks, while the application of relevant principles, frameworks, and processes to effectively manage risks is known as risk management. The purpose of this study is to propose and define a general reference framework that describes an optimal risk management process plan for information technology processes across various industry types in India. We call a system which allows the reasoning about and management of risks in business processes a risk-aware business process management (R-BPM) system.
Many benefits can potentially be obtained by integrating the two traditionally separate fields of risk management and business process management (BPM), including the ability to analyse risks and incorporate risk mitigation strategies in a business process model during design time, to monitor the emergence of risks and apply risk mitigation actions during run time, and to identify risks from logs and other post-execution artifacts. Furthermore, it may also aid businesses to comply with various rules and regulations, such as the Sarbanes-Oxley Act. A vast array of academic articles and research focus on risk management practices. However, in this study an attempt will be made to create general reference frameworks that combine various risk management aspects to supply a holistic approach to managing the critical elements of an organization's information technology (IT). Companies must develop the mindset and tools to explore the many dimensions of risk with each activity and opportunity, as a passive risk management stance in this dynamic and competitive world will not be sufficient.

Background of the Study

Growth and profitability are exhilarating words for investors and stakeholders in companies all over the world, although they can be illusory and destructive measures of performance in the absence of risk control and risk management. Some organizations may regard Information Technology (IT) as a necessary evil, something that is needed in order to stay in business, while others may see it as a major source of strategic opportunity, seeking proactively to identify how IT-based information systems can help them gain a competitive edge. The primary reason for increased IT risk is the accelerated technological pace of change. Organizations that fail to conduct an initial business impact assessment of the changes resulting from the business process design activity will suffer project cost and schedule overruns.

Organizations typically hold large amounts of information that must not only be secured but also transformed into value for management, to assist in the decision-making process and in positioning the organization's competitive stance. Strategies must be developed to manage this information as a resource and to share existing knowledge within an organization to boost performance. With IT at the core of most 21st-century businesses, and with today's focus on compliance and risk management as a result of legislation like Sarbanes-Oxley, organizations can no longer afford to have IT governance by default or bad IT governance by design. IT governance at its most basic is the process of making decisions about IT. By this simple definition, every organization has some form of IT governance. Good IT governance ensures that IT investments are optimized, aligned with business strategy, and delivering value within acceptable risk boundaries, taking into account culture, organizational structure, maturity, and strategy.

Problem Statement

Recent years have seen increased concern and focus on risk management, and it has become evident that a need exists for a robust framework to effectively identify, assess, and manage risk. Risks are unavoidable in any project, particularly IT projects, and if project managers do not apply sound risk management principles, the project manager may be constantly in crisis mode. For any risk program to be successful, sound risk-based decision-making is crucial to drive the enterprise toward the formalization of risk management processes with the required accountability, transparency, and measurability. Risk management is the assessment of potential reasons for failure of projects and the development of strategies to reduce risks. IT project risk management must be carefully evaluated and aligned with the organization's general strategy, as a new IT project has an enormous impact on core business functions.
Risk identification can get very complex, and organizations can fail to understand their level of exposure. Organizations have two ways to address risk: the wrong way or the right way. The wrong way is to assume that people can understand the vast amount of risk exposures. This is, however, not possible, and risks and opportunities must be organised and accepted at various levels by risk owners. In order to gain competitive advantage, top management must ensure that information management is executed as an essential asset and that IT projects are not only the IT department's responsibility but that of the organization as a whole. An effective IT risk management process provides executives with the required information to make smart business decisions with confidence in order to reduce, avoid, transfer or live with IT risk. Governance has been one of the fastest growing elements of risk management, with the separation of risk governance from general IT governance and the layering of risk governance entities having emerged as best practices. From the above it is clear that a need exists for a robust risk framework to assist management in the execution of projects, assurance towards shareholders, alignment with business strategies, and required governance practices, as these risks are unavoidable in the IT environment.

Objectives of the Study

The research objectives are divided into general and specific objectives.

Primary Objective: The primary objective of this research study is to examine the theory for managing IT-related risks from an integrated governance perspective by researching literature, expert visions, executive cases and current frameworks, methods and approaches. Comparing these frameworks and methods provides a comprehensive overview exposing possible gaps and flaws.

Secondary Objectives: The secondary objectives of this research are:
Analysis of risk and IT management, and all the relevant process phases.
Governance as part of the organizational strategic layout.
Evaluation of existing methodologies and frameworks to assist and guide management.
Using the theoretical concepts, a possible approach for risk management processes will be devised to assist the IT industry.

Scope of the Study

The study will evaluate best practices for business processes from a risk perspective, but the underlying implementation and legislation will focus on the Indian IT industry.

Research Methodology

Chapter 2 GOVERNANCE

To govern means "to control the actions or behaviour of". In organizations, governance (or the act of governing) is becoming a widespread term. Programmes and projects are now governed by a programme or project board, or by a steering committee. Governance is provided by internal audit, and operational governance ensures that the day-to-day activities of the organization are implemented and followed.

Corporate Governance

Corporate governance can be defined as the set of processes, customs, policies, laws and institutions affecting the way a company is directed, administered or controlled. Although corporate governance is designed for the protection of its external funders, it also applies to government, not-for-profit and other membership organizations. In this context, the external funders become stakeholders who could, for example, be members of the public, or special interest groups to whom the body is accountable. Corporate governance is the glue that binds organizations together in the continuous pursuit of their objectives, while risk management provides the resilience. Linked with corporate governance is the design and implementation of IT governance, which needs to be a cohesive, integrated process.

IT Governance

IT governance integrates and institutionalises good practices to ensure that alignment exists between the organization's IT and the general business objectives of the organization as a whole. The key elements of enterprise governance include the following:
Assurance of the value of IT.
Management of IT-related risks.
Increased requirements for control over information, with value, risk and control as the core drivers of IT governance.

Performance measurement is paramount for IT governance and must be set and monitored by measurable objectives of what the IT processes need to deliver (process outcome) and how to deliver it (process capability and performance). Although additional regulatory compliance adds more operational weight to an organization, improved performance and growth will result from the alignment of IT with business to further enable processes and drive innovation.

IT Governance Domains

IT governance domains include:
Strategic alignment: alignment between business and IT objectives.
Value delivery: executing the value proposition throughout the delivery cycle and also ensuring that IT meets its promised return on investment.
Resource management: focus on the key issues of knowledge and infrastructure.
Risk management: requires risk awareness by senior corporate officers, a clear understanding of the enterprise's appetite for risk, understanding of compliance requirements, transparency about the significant risks to the enterprise, and embedding of risk management responsibilities into the organization.
Performance management: tracks and monitors strategy implementation, project completion, resource usage, process performance and service delivery, using, for example, balanced scorecards that translate strategy into action.

Roles

Corporate boards and executives perceive risk management as a strategic discipline for improving business performance. They are under more pressure to implement risk management from their auditors, regulators and credit-rating agencies, which calls for effective risk management programs.
It is the responsibility of the executives and the Board of directors to ensure that IT governance is implemented and monitored with the needed leadership, organizational structures and processes, so that the organization's IT objectives sustain and extend the overall strategy and objectives of the organization.

Board: Overall responsibility for IT governance. Provides a balance between risk and control investment in an often unpredictable environment.

Senior Management: Provides ongoing assurance of the security and control measures of the IT services.

The contemporary IT risk manager is likely to work within an overall enterprise governance structure. A lack of Board oversight of IT activities can put an organization at as much risk as a lack of underlying controls ensuring the quality of financial. Top management involvement in IT risk, on the other hand, can be improved by implementing an effective IT risk reporting framework that is closely linked to key IT processes. The critical success factors required for the implementation of such a framework consist of the following:
Close involvement by all parties, and understanding, in the identification and assessment of the risks and their relation to the Corporate Technology (CT) process portfolio.
Allowance for customization in the reporting, in order to improve management ownership levels and thereby the risk management process.
A mutual IT process portfolio derived from a combination of sources such as ISO 31000 and COBIT.

The study will now look at the literature that supports the governance tools and techniques that can assist managers with IT risks.

Governance Tools

COBIT
SOX
ISO 31000
ITIL

CHAPTER 3 Risk

Introduction

Risk is an important component of a company's investment strategy. It is thus important to know the source of the risk, as well as to identify and evaluate the factors contributing to risk. The relationship between the different types of risk is evaluated in this chapter, and the definition of risk, as well as the management thereof, is given and explained. Reputation risk is introduced, and the different indicators whereby reputation risk can increase are identified. Risk managers have a crucial part to play in responding to and preparing for reputational events. Extensive risk management procedures have to be integrated. Managers can only respond to reputation risk once they have identified traditional risks and then worked out the events that could impact reputation.

What is Risk?

ISO 31000 defines risk as "the effect of the uncertainty of an outcome". A company is vulnerable to all types of risk. Risk is inherent in business, not only because the organization operates in a risky environment, but also because the business itself is continuously changing. Certain risk relates to variability in returns caused by factors that are unique to the company, such as the type of industry in which the company operates and the product that it sells. This is often referred to as unsystematic or unique risk. An investor may eliminate this type of risk by diversification. The risk that remains is the non-diversifiable portion, or market risk. Variability in a share's total returns that is directly associated with overall movements in the general market or economy is called systematic risk. Systematic risk directly encompasses interest rate, market and inflation risks, and cannot be avoided through diversification.

Different Types of Risks

A company is exposed to all kinds of risk; however, the basic types of risk that affect a company are the following:
Market risk
Operational risk
Business risk
Financial risk
Credit risk
Reputational risk

Market Risk

Market risk is the risk associated with movements in security prices, especially in share prices. If an individual buys a share and the market as a whole declines, the price of the specific share will probably fall. Conversely, if the market increases, the price of the share will also tend to increase. Essentially, understanding market risk assists in understanding price behaviour. The causes of changes in market price are usually beyond the control of the company. An unexpected war, the end of a war, an election year, political or terrorist activity, speculative activity in the market or the outflow of gold are all tremendous psychological factors in the market. Whatever the reason, the drop in the market is a temporary cyclical swing that causes a temporary drop in the price of the share. For most companies, interest rates and foreign exchange rates are the main market risk exposures. Alternatively, some companies are exposed to commodity and energy prices. Where the corporation is subject to volatile market risks, or where it uses derivatives to manage its market risk, measures must be adopted in order to control the exposures from the different elements apparent in the market. There are four key Market Risks:
