Readings
- What is the difference between risk appetite and tolerance?
- What three types of IT risk are there? Can you give an example of each?
- In your own words explain what occurs in each of the three processes included in the IT Risk Framework.
- How can an organization respond to any IT risk?
The All World Airlines Case
Focus your analysis on identifying all of the risks in the five areas identified by the CFO. Ignore the questions at the end of the case. Based on just your risk analysis, would you recommend AWA continue with its plans to outsource its ALCS? Why or why not? Please post your answers on the class blog.
Rich
Vince Kelly says
1. What is the difference between risk appetite and tolerance?
The Risk IT Framework defines Risk Appetite as: “The broad-based amount of risk a company or other entity is willing to accept in pursuit of its mission (or vision)”
The framework also defines Risk Tolerance as: “The acceptable variation relative to the achievement of an objective (and often is best measured in the same units as those used to measure the related objective).”
In other words, Risk Appetite is how much exposure to loss, danger or harm an organization is willing to take on in order to achieve its objectives, goals, mission and/or vision.
Risk Tolerance on the other hand is how much that same organization is willing to deviate from the risk that it has decided to expose itself to.
Risk and reward is the very essence of business – all businesses must expose themselves to at least some risk (this is their risk appetite). Once the decision is made to take on that risk, the business must also decide at what point to abandon its objective, goal, mission or vision, either because the risk has increased beyond a level that was expected and acceptable or because the risk has decreased below what was expected in order to gain an appropriate level of return/reward.
Michelangelo C. Collura says
Well stated. Your point about going from risk appetite as a decision to take on risk to the point where firms determine how far they’ll let it fluctuate, if you will, as the risk tolerance, is very well structured. It gives a sort of granular sense, which seems to make sense when discussing the two.
Donald Hoxhaj says
Hi Vince,
Thanks for letting us know your thoughts on this. In fact, I have to acknowledge the fact that organizations should have the muscle to take risks in order for them to be competitive in the market. Risk planning, as you said, should start right from the moment when the Risk Appetite and Tolerance levels are being decided. This will enable an organization to prepare for unforeseen events and abandon risks that can impact business operations. If we would have to plot this line for management use, it would ideally look as if the Risk Tolerance is the Best Fit Line and the Risk Appetite as the deviations from the best fit line.
Vince Kelly says
4. How can an organization respond to any IT risk?
Risk can be dealt with in four ways:
1. Accept the risk
2. Avoid the risk: i.e., don’t engage in the activity because risk outweighs the benefits
3. Transfer/share risk: For example; purchase insurance, enter into a partner agreement of shared risk, etc.
4. Mitigate the likelihood or impact of risk by creating controls. Mitigating risk creates residual risk that is less than the organization's risk tolerance. The three types of controls that can be applied in order to mitigate risk are:
1. Preventative controls: Lessen the likelihood, for example, deploying a firewall or leveraging encryption
2. Detective controls: For example, deploying an IDS
3. Corrective controls: Controls aimed at speeding/improving recovery time and quality, for example, DR/backup and recovery
Donald Hoxhaj says
Vince – I feel that the Risk Response strategies of an organization to any IT Risk would largely depend on the nature of the Risk and Severity. While many organizations have a sequential process of adopting Risk Response strategies of Accept, Avoid, Transfer, and Mitigate, it is completely dependent on the nature of the business and the protocols already in place. This enables an organization to use the least amount of resources and least amount of time to respond back to a threat. The 3 types of Risk Mitigation strategies that you mentioned are impressive and, in fact, I feel that Prevention is the most optimum and a long-term strategy that organizations should possess.
Donald Hoxhaj says
1. What is the difference between risk appetite and tolerance?
Risk appetite is basically the amount of risk an organization can take to achieve its business goals and strategies. Different organizations have different appetites for risk taking based on their financial muscle, vision, and strategic objectives. A Risk appetite in the true sense of differentiation is a higher level of risk that the management of the company feels is acceptable or worth taking. Whereas on the other hand, Risk tolerance is a granular level of risk, i.e. much narrower, and decides the variation in risk from the objectives. For example, an organization’s Risk appetite statement would be like ‘We would like to enter into new markets and have a strong supply chain for the new set of customers’. An organization's Risk tolerance would look like ‘We would like to invest only in XYZ cities because of low demand in others that could significantly impact our revenues by more than 10%’.
Heiang Cheung says
Good example on risk appetite and risk tolerance. From the example I got that risk tolerance is how much you're willing to risk and risk appetite is what you want to risk.
Richard Flanagan says
Heiang – keep in mind that they are two different levels; appetite is cumulative at the organizational level, tolerance at the initiative level.
Donald Hoxhaj says
2. What three types of IT risk are there? Can you give an example of each?
The 3 types of IT risk are:
• IT Value Enablement Risk: These risks are prevalent when an organization fails to adopt a new technology for improving the efficiency of its processes or services. They are missed opportunities that ultimately cost the company on its business growth. IT Value Enablement acts as enablers for business growth and new initiatives.
• IT Project Delivery and Programme Risk: IT Project Delivery risk deals with lost opportunities of leveraging technology for improving its project deliverables or programmes. The IT enablement in Project Delivery acts as an enabler of business growth and new and improved project solutions.
• IT Operations / Service Delivery Risk: IT Operations or Service Delivery risk deals with all aspects of the day to day operations of a business that can potentially slow down or impact business operations.
Patrick DeStefano (tuc50677) says
Donald,
I like your explanation of Value Enablement Risk. This type of risk is realized all the time in virtually every business out there. It can be very simple things such as failure to realize or know how to automate data entry via an Excel macro or testing scripts for software.
When it comes to your explanation of IT Project Delivery Risk, I hadn’t thought about what you mentioned related to leveraging new technologies to improve project deliverables, but I completely agree with you on this. I had mostly only thought of it as relating to things like missed deadlines and budget overruns.
Donald Hoxhaj says
3. In your own words explain what occurs in each of the three processes included in the IT Risk Framework.
In the whole IT Risk Framework, the 3 IT Risks, i.e. IT Benefit/Value Enablement, IT Programme and Project Delivery, and IT Operations and Service Delivery, act as enablers for business growth. IT Benefit/Value Enablement acts as a technology enabler for helping the organization with its Strategic Risks. IT Programme and Project Delivery oversees all projects in the IT space, right from Project Quality, Project Overrun, and Project Relevance. It acts as a quality enabler for the projects so that projects stick to Scope, Time, Quality, and Cost. The IT Operations and Service Delivery Risk focuses on the security aspects of a project from Compliance, Security Vulnerabilities, and Service Interruptions, i.e. they focus purely on the Operational side of the IT projects and ensure that there are no service interruptions and that projects run smoothly. As part of the IT Risk Hierarchy, the IT Operations and Service Delivery Risk oversees the Operational Risk and Compliance Risk. Each of these risks works hand in hand to ensure maximum efficiency of the projects and minimum loss to the organization so that they achieve business outcomes with ease.
Richard Flanagan says
Vince – I read their definition of risk tolerance slightly differently. I see it as how much risk can a business tolerate on any individual objective, whether or not they pursue it. Thus they may decide not to pursue an objective because it is beyond what they can tolerate. If they find a way to mitigate the risk that drives residual risk below their tolerance, then they will likely go ahead.
As an example, my company made all the key ingredients of lip stick. Investors often pushed us to enter that business because of our cost advantage. We never would because we were at heart a chemical company and saw the risks of entering a personal care market as just too high to tackle.
Vince Kelly says
…well, obviously you would definitely know Professor – I probably just need a little more clarity on the difference. In the example:
“As an example, my company made all the key ingredients of lip stick. Investors often pushed us to enter that business because of our cost advantage. We never would because we were at heart a chemical company and saw the risks of entering a personal care market as just too high to tackle.”
I would have thought that the example above would be an example of the company not having the appetite/not being hungry enough to enter the market because of profitability concerns before it went into the market.
Wouldn’t a potential example of risk tolerance be (again, I’m probably misunderstanding here) a case where the company was hungry to enter the market (*DID* have the appetite), based on what its expectations were about the cost variables going into that opportunity – i.e., its cost models for the raw materials and individual ingredients that go into lip stick. But after entering the market, the company realized that the business could never turn a profit because of an unexpected event – e.g., the sudden and permanent rise in the price of the commodity raw materials that went into making the lip stick, or the loss of the only distribution center in the US that handles lip stick because of fire?
Again, I’m probably mistaken but that’s the way I’ve usually heard it expressed – but it wouldn’t be the first time I’ve heard (and misused) terms.
Richard Flanagan says
Vince – looking around I have found examples both ways. Here’s a good article that shares several perspectives:
https://normanmarks.wordpress.com/2011/04/14/just-what-is-risk-appetite-and-how-does-it-differ-from-risk-tolerance/
I like the EY definitions:
“Risk appetite: the amount and type of risk an organization is willing to accept in pursuit of its business objectives.
Risk tolerance: the specific maximum risk that an organization is willing to take regarding each relevant risk.”
In my example I see the new venture as being possible within the company’s overall, broad, risk appetite, but too much risk to concentrate in any one initiative (tolerance).
While the specific definitions may be cloudy, I want everyone to understand that appetite is a broad measure at the corporate level and tolerance is much more focused.
Paul Needle says
I still favor the Martini example.
Richard Flanagan says
Donald – those are the three types of IT risk; what about the three risk processes that all organizations should use to manage risk?
Donald Hoxhaj says
Hello Professor Flanagan,
Thanks for pointing that out. There are 3 Risk Processes, each of which contains 3 sub-processes. The three risk processes as I see them are the following:
Risk Governance: The Risk Governance process acts as an umbrella process for organizations ensuring that the IT Risk Management Practices are implemented by organizations. It enables an organization to make Risk aware business decisions by ensuring that the IT Risk practices are implemented in an organization’s ERM systems.
Risk Evaluation: The Risk Evaluation process ensures that the organization identifies the various IT Risks in a timely manner, looks for opportunities for mitigation, and presents them for business purposes and consideration. It further comprises 3 sub-processes: Collection of data, Analysing of Data, and Maintaining the Risk profile.
Risk Response: The Risk Response process ensures that an organization is able to act upon the identified IT Risks in a cost effective and efficient manner. The 3 sub-processes in the Risk Response process include Articulating a Risk, Managing a Risk, and Reacting to events.
Donald Hoxhaj says
4. How can an organization respond to any IT risk?
IT Risks in an organization can be responded to effectively by having strong IT Risk Management Principles. There are 4 options that organizations have to respond to any IT Risk, i.e. Accept, Avoid, Share or Transfer, and Reduce or Mitigate. If a risk is within the acceptable risk level of an organization, then it is better to accept it. If a risk is potentially harmful or is outside the acceptable levels of an organization’s risk taking ability, Avoid it, i.e. do not do anything with it. If the risk identified is beyond the acceptable levels and is also a business threat, then mitigation is the best strategy, where an organization can implement controls, countermeasures, and fixes to eliminate the unwanted risks. And finally, an organisation can Transfer the risk to outsourced vendors or third party service providers so that it can focus on primary business activities.
Richard Flanagan says
Donald – Avoid is not don’t do anything with the risk; avoid is cease the activities that give rise to the risk. As a trivial example, if you were worried about getting hit by a car on Broad Street at Temple you could avoid the risk by never crossing it.
Donald Hoxhaj says
Thanks for letting me know Professor Flanagan. In fact, I wanted to mean that only.
Pascal Allison says
What is the difference between risk appetite and tolerance?
The difference is that risk appetite is the level and type of risk suitable or the risk that the institution is willing to take in pursuit of its (business & IT) goals while risk tolerance is how much of that risk the organization can absorb or handle and sanity.
Risk appetite detection and acceptance of risk
Risk Tolerance level of risk the business can cope with
There is a difference between, “this is how much risk we can take and the risk that is taken and resisted or have provision for.”
Richard Flanagan says
Pascal – Risk appetite is the organization's willingness to take on risk in the aggregate, i.e. we are an aggressive startup, like Uber, and are willing to take a lot of risk to get our business started. Risk tolerance is about the risk associated with one goal or initiative, i.e. Uber decides not to enter Syria because it deems it too dangerous and therefore there is a significant risk of losing their investment.
Michelangelo C. Collura says
I think of the risk tolerance as the standard deviation for a firm’s risk appetite. We know they will accept the risk, but we don’t know what the boundaries (i.e. the upper and lower limits) of that risk might be. That is where risk tolerance enters.
Vince Kelly says
Absolutely agree with your analogy Michelangelo – it should be thought of in terms of deviance from the mean.
1+ deviation out = “OK, not quite the profitability we expected, but we can hang on”.
2+ out = “OUCH! We need an exit plan!”
3+ or more? = “What's the number of that bankruptcy lawyer again?” 🙂
Richard Flanagan says
Michelangelo – I like your thinking but it doesn’t address the different foci of appetite and tolerance. One is corporate wide, the other much more focused. A company will have many risks and a cumulative appetite for only so much risk. Each initiative comes with some degree of risk (expected value and STD). There is a certain limit on the negative return that will be acceptable with each initiative. That point may be surpassed by the expected value with no variation, in which case the initiative would probably not be funded. Or it may seem OK when funded, only to have a wide variation in reality which would drive the conversation Vince suggests.
Michelangelo C. Collura says
These were both very useful insights, thanks. In the specific project or task, this would make sense and be a feasible thing to measure. With the overall risk appetite, that’s not the same but rather corporate-wide as you say. I guess it’s more broad stroke at that level?
Michael Gibbons says
I attended COSO training last year and they have some good information on risk appetite vs risk tolerance.
https://www.coso.org/Documents/ERM-Understanding-and-Communicating-Risk-Appetite.pdf
COSO’s Enterprise Risk Management — Integrated Framework defines risk appetite as follows:
“The amount of risk, on a broad level, an entity is willing to accept in pursuit of value. It reflects the entity’s risk management philosophy, and in turn influences the entity’s culture and operating style. … Risk appetite guides resource allocation. … Risk appetite [assists the organization] in aligning the organization, people, and processes in [designing the] infrastructure necessary to effectively respond to and monitor risks.”
Pascal Allison says
What three types of IT risk are there? Can you give an example of each?
The three types of IT risks are:
• IT benefit/value enablement risk – this exists when there is a chance to use technology to improve business processes or start business initiatives and that chance is unnoticed or disregarded.
Example – the decision to have an inefficient or irrelevant IT project (product) for business improvement or initiatives.
• IT Program and Project Delivery Risk – all businesses need IT for one or another reason (initiatives or solutions). The reason for which IT is needed, the IT input(s), comes with a risk. These inputs are usually facilitated in the form of programs or projects which are classified as deliverables. From the initiation stage to the finish line, there are risks.
Example – programs and projects should focus on the target or goal. Thus, risk analysis should focus on target risks and not just the current risk. If the focus is on the current risk and not the target risk, when there is a change in the current risk as a result of the target risk, a change in the deliverable is required or a need for adjustment which could affect timing.
• IT operations and service delivery risk – no operation is risk free. IT has its share of the pie. When performing IT operations, there are impacts, possible impacts, or things that could affect IT that will impact the business, as IT is a part of the business.
The risks could be natural (earthquake), criminal (hacking), or general (system malfunction).
Michelangelo C. Collura says
That’s a good general example for IT benefit/value enablement. I imagine those pie-in-the-sky projects taken due to management interest would be such a thing, where the IT crowd are aware that it is not a good project choice, but management pushes it. I myself have not personally had this happen, but I’ve heard some stories from others.
Pascal Allison says
How can an organization respond to any IT risk?
An organization can take any of these actions to deal with risk: avoid the risk, transfer the risk, accept the risk, or mitigate the risk. To arrive at the action needed, the organization must understand, talk, evaluate which threat is significant, and then act. The organization could minimize the likelihood of occurrence and the impact should they occur. IT risk response should be based on tolerance and business strategies.
Richard Flanagan says
Pascal – be sure you can define the four responses accurately; it's not enough to just know them.
Pascal Allison says
Once the organization has evaluated the risk, any of the following actions will be appropriate, but the action must be based on the outcome of the evaluation, business goal, and risk solvency:
Avoid the risk – eliminate the risk
Transfer the risk – shift the risk from the organization to another organization (Insurance).
Accept the risk – if the cost of avoidance is higher than the cost to manage the risk, the organization allows the risk to exist. When the cost is manageable because the risk level or potential damage is insufficient.
Mitigate the risk – there is an impact, but the impact is reduced or lessened. Action or strategy to diminish the opposing effect.
Richard Flanagan says
Pascal – Good, two quibbles. Avoid the risk means that you eliminate it by stopping the behavior that gives rise to the risk (i.e. major consequences). Mitigate can reduce impact as you suggest but also the probability of the risk. For example, strong passwords do nothing for impact but theoretically lessen the probability of breach.
Pascal Allison says
In your own words explain what occurs in each of the three processes included in the IT Risk Framework.
Risk Governance – how an organization looks at risk. The oversight and decision of risk which covers the organization, policy, and the mechanism by which decisions are made and implemented about risks.
Risk Management – setting risk appetite, tolerance, eliminating, and monitoring strategies. Do we avoid, reduce, transfer, accept, or ignore the risk?
Risk Evaluation – understanding the risk that the organization is accepting is key. Do we accept, avoid, eliminate, or reduce the risk? Any answer is great, but the action taken will affect the business. Thus, a comparison needs to be done for an adequate decision.
Richard Flanagan says
Pascal – you’ve separated management and governance, which ISACA does not do, and missed the third of the risk processes; what is it?
Pascal Allison says
I was a little confused about governance and management being separated, but could not disconnect IT management. Thanks for the highlight.
Risk Response – after risks are evaluated, there must be strategies or actions to deal with the outcome regarding the risks. The response could be to reduce, mitigate, transfer, or accept the risk. Any action is acceptable, but it must be based on the outcome of the evaluation, risk appetite and tolerance.
Michelangelo C. Collura says
What is the difference between risk appetite and tolerance?
Appetite is the broad-based amount of risk a firm will accept in pursuing its objectives. Tolerance is the acceptable variance when pursuing a given objective. This means that appetite is a broader term, encompassing all possible risk, while tolerance is more a statistical calculation a firm might make in a given objective, helping to determine what level of under- or over-stepping they will accept to get to the end goal. It can best be described as a firm’s risk standard deviation on a particular project or objective.
Michelangelo C. Collura says
What three types of IT risk are there? Can you give an example of each?
The three are IT benefit/value enablement, IT Program and Project Delivery, and IT Operations and Service Delivery. A risk from #1 could be the adoption of a new mobile app for greatly increasing customer direct purchases – presenting a possible hit to the brand if development was rushed and the app is buggy. #2 might be overrun on the integration of an acquisition’s applications into the firm’s enterprise architecture – potentially leading to significant losses in productivity and profit. #3 could be one of many common issues, but security problems, such as a company hypothetically ignoring an intrusion detection system’s red flags during a concerted attack against company servers, are very common indeed.
Michelangelo C. Collura says
In your own words explain what occurs in each of the three processes included in the IT Risk Framework.
In Risk Governance, the necessary oversight and design of administrative controls to mitigate risk occurs. This acts as a foundation for the other processes, giving direction and managerial assessment of what constitutes risk or the appropriate amount of it. In Risk Evaluation, efforts are made to identify risk and the data necessary for accurate assessment of that risk. It takes the guidance of Governance and applies analytical tools to fulfill the business IT objectives in risk management. In Risk Response, efforts are taken to ensure that information about those risks is collected and provided to the relevant personnel – ensuring accuracy and timeliness in the process. This means that risks are not simply identified and left to fester; rather, they are provided to the right people at the right time to mitigate or entirely avoid the risks.
Michael Gibbons says
Michelangelo,
I like how you tie the 3 processes together as being dependent on each other. I think this is where an organization gets the most value when they can complete the process with all comprehensive steps included.
Michelangelo C. Collura says
How can an organization respond to any IT risk?
It depends on many factors, but there are four main methods they can use. If possible, they can avoid the risk, thereby completely removing the risk from the firm’s concern. This could involve significant reshuffling of company operations, perhaps choosing to forego a particular project to avoid an associated risk. They can also transfer the risk, usually through some outsourcing arrangement. This is very common, with many firms outsourcing non-core competencies to reduce potential risk and allow the firm to focus on what they do best. They can also mitigate the risk – arguably the most common method. While outsourcing is often done, mitigation is for when risk needs to be dealt with, so a firm tries to lessen the blow to the firm from its negative impact. Plans like a disaster recovery plan would fit into this, though transfer may occur in the DRP as well. Finally, a firm can simply accept the risk, meaning that it needs to be dealt with, come what may. This would likely occur for a low impact risk that the firm can handle with minimal to no damage to operations.
Richard Flanagan says
Michelangelo – Avoid, by definition, means that you cease the activity that gives rise to the risk. Anything short of that would be a mitigation.
Michelangelo C. Collura says
That makes sense, thank you.
Duy Nguyen says
1. What is the difference between risk appetite and tolerance?
• Based on various readings, risk appetite is the total amount of risk an organization can absorb or bear in pursuing business goals and objectives. Risk tolerance is the acceptable difference between risk appetite and business objectives. Both are tools for an organization to assess their level of risks and how much needs to be mitigated. Risk appetite to me is a higher-level assessment of the total risk an organization is willing to take on to achieve its goals given the risk profile, and tolerance is a detailed assessment of risk per objective compared to the appetite levels.
Vince Kelly says
I think you're right Duy. It’s like driving down a highway – your risk appetite is that you decide to go faster than the posted speed limit in order to get home sooner (and everyone else around you is driving faster than the posted speed limit anyway).
Risk tolerance is how much faster you are willing to go above the speed limit and everyone else on the highway as well – do you want to risk doing 80 if everyone else is doing 75 or are you just willing to do the same (illegal) 75mph that everyone else is?
Michael Gibbons says
Great example. One I have heard of many times is related to parking tickets. Your appetite is parking wherever you want when the sign says no parking 1st and 3rd Friday between 11am and 3pm. Your tolerance would be knowing how much the parking ticket is going to be and doing it anyways.
Duy Nguyen says
2. What three types of IT risk are there? Can you give an example of each?
• IT benefits/value enablement risk: Risks associated with missed opportunities for technological improvements in business. An example is implementing different platforms/applications for organizational functions when one centralized enterprise application is feasible for the organization.
• IT program and project delivery risk: risks associated with new functionality brought on by IT implementation. An example is IT implementation of new business functionalities and users are not trained on these new systems.
• IT operation and service delivery risk: risks associated with the performance of IT systems, which can have negative effects on organizational value. An example is a risk of IT systems outages.
Duy Nguyen says
3. In your own words explain what occurs in each of the three processes included in the IT Risk Framework.
• Risk Governance RG (Establish and Maintain a common risk view, Integrate with ERM, make risk-aware business decisions): is governance of risk pertaining to the identification, assessment, management, and communication of risk in an organization.
• Risk Evaluation RE (Collect data, analyze risk, maintain risk profile): is the process of identifying, analyzing, and prioritizing risks through methodologies such as qualitative and/or quantitative.
• Risk Response RR (Articulate risk, manage risk, react to events): is the process of communicating and determining action towards risks, whether acceptance, transfer, mitigate or avoid.
Duy Nguyen says
4. How can an organization respond to any IT risk?
• Risk avoidance: Risk is deemed to be uncontrollable and the organization will avoid the activity or condition of risks based on risks deemed not cost-effective to reduce the frequency and magnitude to be defined risk appetite, cannot be shared or transferred, and risk is unacceptable by management.
• Risk reduction/mitigation: actions taken to detect and reduce the frequency and impact of risk.
• Risk sharing/transfer: actions have been taken to reduce the frequency or impact with common methods such as insurance or outsourcing.
• Risk acceptance: no action is taken in relation to the risk; any loss pertaining to the risk has been deemed acceptable, with the risk properly documented.
Patrick DeStefano (tuc50677) says
I like your explanations, here is some context for IT software development.
Risk Avoidance – Say, for example, that you are on a software development team and it’s a week before the production implementation of your project. UAT has just found a significant defect which was missed in QA testing and after analysis it is realized that this defect will create a negative customer experience for thousands. Risk avoidance would be pulling your project from the release and not go to production so you can effectively fix the issue.
Risk Reduction/Mitigation: Let’s go with the same scenario as before, but instead of pulling the project from the release, someone realizes that there is a workaround which will enable you to reduce the customers impacted from thousands to only a few dozen. Depending on the risk tolerance, this may give the production implementation a Go with the new plan.
Risk Acceptance: Same scenario, but let’s say the defect is a minor cosmetic issue on a webpage. Still thousands of customers will experience this minor cosmetic issue, but the project can still go live as the business has accepted the risk and will implement a fix at a later date.
Vince Kelly says
What three types of IT risk are there? Can you give an example of each?
According to the IT Risk framework, the three types of risk include:
1. IT benefit/value enablement risk – Associated with (missed) opportunities to use technology to improve efficiency or effectiveness of business processes, or as an enabler for new business initiatives. One very common example of this is when a company tries to cut costs by not renewing its software/hardware support contracts – i.e., the ‘penny wise but pound foolish’ management approach. In the short term they do save a little money but don’t keep up with the rapid pace of technology. As a result, after a while the technology advances to the point where their platforms are so obsolete that they can only maintain the existing environment as it is, not as they need it to be – i.e., they can’t take advantage of new cost-saving technologies (e.g., voice and collaboration tools).
2. IT program and project delivery risk – Associated with the contribution of IT to new or improved business solutions, usually in the form of projects and programs. This ties to investment portfolio management (as described in the Val IT framework). One very common example of this is project ‘scope creep’ – ESPECIALLY in the software development world. A project goes through all of the appropriate lifecycle development steps until users or others come to understand the project’s value and real potential, during the prototype phase for example. It’s not uncommon at that point for so many more features and capabilities to be requested that the system doesn’t even remotely resemble what it was originally intended to do and takes twice as long to complete.
3. IT operations and service delivery risk – Associated with all aspects of the performance of IT systems and services, which can bring destruction or reduction of value to the enterprise. One example here would be the failure to adequately back up critical systems.
Vince Kelly says
In your own words explain what occurs in each of the three processes included in the IT Risk Framework.
The three IT Risk domains are:
1. Risk Governance: This is where IT management supports the business strategy, goals and objectives by aligning its own capabilities with those of the business, by properly allocating and making the most efficient use of resources, and by providing performance management. In other words, this is where everyone is ‘in the same business boat’, has all the tools needed and is ‘rowing in the same direction’.
2. Risk Evaluation: This involves identifying and collecting the kind of data that’s needed to identify, analyze and report on IT risk in a way that’s understandable to non-technical people.
3. Risk Response: This is essentially the ‘consumer’ of the Risk Evaluation – i.e., ‘where the rubber meets the road’, so to speak. It is where the risk assessment is dealt with by the most appropriate people, at the most appropriate time and in the most appropriate and cost-efficient way possible.
Pascal Allison says
The All-World Airlines Case
Focus your analysis on identifying all the risks in the five areas identified by the CFO. Ignore the questions at the end of the case. Based on just your risk analysis would you recommend AWA continue with its plans to outsource it ALCS? Why or why not? Please post your answers on the class blog.
The risks are listed as per the areas of specification:
Reputational Risks:
• Defacement of company image – layoffs
• Non-compliance – SOX, PCI-DSS, and other standards
• Reduced customer satisfaction and potential customers’ interest
• Decreased revenue (decreased shareholder investment or dividends)
• Loss of morale
IT Risks:
• Losing applications and their components developed in house
• Inadequate staff for application management
• Transferred program (COBOL) maintenance and functionalities
• Non-compliance with regulatory laws (SOX & PCI DSS)
Human Resource Risks:
• Lawsuit risk (European work rule)
• Inadequate staffing
Competitive Risks:
• Solutions developed in house will be lost
• Staff morale
Financial Risks:
• Outsourcing and non-compliance cost
• System development and maintenance cost
• Staff enrichment training and agreement costs
As per the various areas described above and the potential risks associated with each area, if the question is clear cut regarding outsourcing, my answer is NO. I could not recommend that AWA continue with the plan of outsourcing its ALCS. The risk and the cost associated with the risk are too high compared to hosting internally. The cost could be financial and reputational, which could lead to lawsuits, bankruptcy, devaluation, or closure.
Vince Kelly says
Interesting point, Pascal, putting morale in with reputational risk (and it’s one that I agree with completely).
People usually associate reputation risk with *customers* and not employees. But employees can be just as detrimental to a company’s reputation as any customer.
Demoralized, unhappy employees go to family barbecues and complain about how much they hate their boss or how bad the company is to a group of people who then circulate that perception in an ever-widening circle of influence.
In many cases a disgruntled employee can be MORE destructive than customers because the reputational damage occurs with the customers that they serve as well as with their family members.
In the case of a disgruntled customer, other people may take their criticisms with a grain of salt – perhaps they just have an axe to grind or are just overreacting.
A disgruntled employee on the other hand, is in some cases an almost irrefutable source of truth to a family member and so the employee becomes the judge, jury and executioner of the company’s reputation.
Vince Kelly says
The All World Airlines Case
Focus your analysis on identifying all of the risks in the five areas identified by the CFO. Ignore the questions at the end of the case. Based on just your risk analysis would you recommend AWA continue with its plans to outsource it ALCS? Why or why not? Please post your answers on the class blog.
The five areas and their associated risks identified include:
1. IT risks: There is a need to provide governance for operational processes to ensure satisfactory performance of key project deliverables. Don has not performed risk assessments before and is unfamiliar with the issues that should be considered. All applications were developed internally and some have very specific requirements that are only available with internally developed solutions.
2. Financial risks: The equipment and data center facilities are currently leased. The CFO’s concerns about compliance with SOX and PCI are financial because of the fines and penalties involved.
3. Human resources risk: European work rules have long lead times for the elimination of jobs.
4. Competitive risk: The COBOL programmer resource pool is declining, and those programmers are commanding competitive salaries (probably being recruited by competitors who also need them).
5. Reputational risk: US programmers and operations are located in an economically depressed area; workers with eliminated positions will have problems finding new jobs.
I would recommend that AWA continue with the outsourcing but with a *very* extended timeline. Clearly if the CFO and CEO have determined that “the costs of internal development and IT operations have become too expensive to justify continued support”, then they don’t really have an alternative.
But that being said, it’s also clear that they are not ready to hand over everything to an MSP at this point – if for no other reason than (as far as I could tell from the article) they hadn’t even identified or established a relationship with a service provider yet.
There are just too many issues and risks that need to be addressed. These include IT risks like customized legacy applications, the lack of a plan or process for governance of key project deliverables, processes and systems availability, HR risks like dealing with European work rules and reputational risks like laying off operations and programming personnel in an economically depressed area, etc., etc., etc.
So unless the company is bleeding money or in dire straits, they need to take a step back, complete the risk assessment, and assign a cross-organizational task force with the objective of developing plans and road maps for outsourcing, while at the same time beginning to migrate and rearchitect the legacy platforms into more manageable and open, cross-architecture based ones.
Pascal Allison says
Vince,
Great point (recommendation). There should be room for improvement. Keeping the ALCS internally is costly; if the way out is outsourcing, re-evaluation is great.
Vince Kelly says
Agreed Pascal. I think there’s a big picture element that’s missing here and that is – what’s the condition of the company? The entire industry is getting hit but what’s the level of pain that *this* company is experiencing?
If they are hemorrhaging profitability then this is a crisis that demands immediate action. If on the other hand they are hurting but ‘basically surviving’, or simply looking to increase profit margins or improve their competitive posture, then they’ve already got some assets that they’d be silly to get rid of – the mainframes, for example, can actually provide a massive cost-to-scale ratio which THEY might be able to sell/outsource to other airlines.
So the point is that it might be cheaper just to call in some consultants to refactor/re-engineer the COBOL stuff while they figure out a better turnaround plan.
Actually, in thinking about it, I take back the recommendation to continue with the outsourcing. The paper states that the CFO and CEO have determined that IT is too costly – well, Duh! What CFO or CEO in the WORLD doesn’t feel that way? 🙂
The paper also states that the CIO has no clue about how to do a risk assessment – well, Duh! If you’re lacking the skills needed to figure out the *amount* of risk that the company is exposed to, then you had better go out and get someone who can.
I hereby officially revise the first recommendation to the following:
– Stop what you’re doing
– Keep the outsourcing thing as ONE of multiple options
– Get someone in there who can do an outside, impartial, independent evaluation before going any further.
😉
Michael Gibbons says
1. What is the difference between risk appetite and tolerance?
The difference between risk appetite and risk tolerance is that risk appetite is the higher-level objectives or wishes of the organization as to what is OK to meet the organization’s goals. You need the risk appetite to know your risk tolerance. The risk tolerance is how far you can go in a positive or negative direction to meet the organization’s goals for a particular process/project/task without going outside the organization’s risk appetite. In other words, the risk appetite sets the boundaries for the activity, and risk tolerance means the actions must stay within those defined boundaries.
Paul Needle says
The professor uses the Martini example, which is an excellent example. I’m going to use the Hot Dog Example. Once summer rolls around I want a hot dog at every meal, particularly if I’m at a Phillies game. After the second (third if I’m being honest) my tolerance goes down. A fourth hot dog would be out of the question. While my appetite is large, my tolerance quickly goes down. The Theory of Marginal Returns may apply here as well.
Michael Gibbons says
What three types of IT risk are there? Can you give an example of each?
Risk Governance – ensuring that IT Risk Management practices are embedded in the enterprise enabling the enterprise to secure optimal risk-adjusted return.
Risk Evaluation – ensure that IT related risks and opportunities are identified, analyzed, and presented in business terms.
Risk Response – ensure that IT enabled risk issues, opportunities, and events are addressed in a cost-effective manner and in line with business priorities.
An example of Risk Governance would include setting risk appetite and risk tolerance for the organization with an IT element.
An example of Risk Evaluation would be periodic risk assessment processes (i.e., vulnerability scanning to identify existing vulnerabilities). Once identified, if the remediation is going to require money, resources, etc., this can be communicated and prioritized by the organization to fit the defined risk tolerance. This would be an example of Risk Response.
Michael Gibbons says
3. In your own words explain what occurs in each of the three processes included in the IT Risk Framework.
In each of the three processes included in the IT Risk Framework, I would say there is a plan, do, check, act cycle that occurs. Each of the independent processes is dependent on the others, and the cycle is continuous.
IT Governance – the organization defines IT risk appetite and IT risk tolerance. This is monitored and adjusted as necessary as the environment changes.
Risk Evaluation – Based on organization objectives, the organization decides to move some critical applications to the cloud after looking at the opportunities and savings that are possible by not having to manage the hardware and software in house.
Risk Response – Now that we are in the cloud, what happens if we lose our data? If the data isn’t important, no big deal, we accept that risk. If we can’t trust the vendor and feel we can do a better job, we don’t move to the cloud and we protect our data (avoidance). We can take out a big insurance policy to cover us in case of a breach outside of our control. We can also include some strong verbiage with our cloud vendor to share the risk of a breach and/or implement stronger controls to help mitigate any risks we identify.
Michael Gibbons says
4. How can an organization respond to any IT risk?
An organization can accept the risk (keep going doing what they are doing). An organization can avoid the risk (stop doing what they were doing or thinking of doing). They can share/transfer the risk by purchasing insurance or through a partner agreement. Lastly, they can try to mitigate the risk by implementing controls that bring the residual risk to a level within their risk tolerance.
Jonathan Duani says
Michael,
I like the idea you used of buying insurance to mitigate a risk. However, is this really solving the issue of the risk? The risk is still there within the company and it can still cause a problem for the company. However, this is just like a safety net in case something bad would happen. I feel like it is more of a workaround than actually fixing the risk the first time, because after something would happen and you would need to use the insurance, the problem would still exist and you would need to fix it anyway.
Michael Gibbons says
Jonathan,
I totally agree that insurance is not solving the risk. My understanding of insurance from any standpoint is to lower the impact of an adverse event. When I have participated in risk assessments, we identify risks related to a certain objective, then we assess the impact and likelihood with controls in place of that risk preventing us from meeting the objective. Insurance is usually listed as a control to decrease the financial impact of an event if it were to happen. That being said, if I were on the other side of this with the insurance company, I would want to see these risk assessments to see if the company is really implementing any controls that would be required for a valid claim against the policy.
Michael Gibbons says
Another piece to consider when you evaluate controls to put in place is the cost of the control vs. the exposure of the risk you are trying to mitigate. In some cases, it doesn’t make sense to spend the extra money on a control when the risk is low impact and low exposure.
Duy Nguyen says
The All-World Airlines Case
Focus your analysis on identifying all of the risks in the five areas identified by the CFO. Ignore the questions at the end of the case. Based on just your risk analysis would you recommend AWA continue with its plans to outsource it ALCS? Why or why not? Please post your answers on the class blog
IT risks:
• All applications are developed internally
• All systems were written in COBOL
• Flight and crew scheduling have some special requirements that are only available with internal developers
• Transferring of programming to low-cost locations such as India
• Equipment and data center facilities are leased
• Operational processes will require governance to ensure satisfactory performance of key project deliverables, key processes and systems availability
Financial risks
• High cost with available developers
• European work rules have long lead times for elimination of jobs
• Transferring of programming to low-cost locations such as India
• Cost on internal development and IT operations
Human resources risks
• Many programmers are retiring
• US programmers and operations are located in an economically depressed area
• Workers with eliminated positions will have problems finding new jobs
• Transferring of programming to low-cost locations such as India
Competitive skills
• Reservations applications are fairly standard and could be easily outsourced
• Unfamiliar with issues that need to be considered for risk analysis
Reputational risks
• Noncompliance with US Sarbanes-Oxley Act of 2002 and Payment Card Industry Data Security Standards (PCI DSS)
Heiang Cheung says
1. What is the difference between risk appetite and tolerance?
Risk appetite is the type of risk a company is willing to accept; for example, when starting a business you’re willing to accept a lot of risk because it takes a lot to start a new venture.
Risk tolerance is how much risk you’re willing to take and knowing the limit when taking on new ventures. For example, a company would decide whether or not to get into a new venture depending on the amount of risk that is tolerable.
Another example of the two is going to school and the risk of being burdened with debt and no job. Risk tolerance is deciding what field of study you want to get into: going for liberal arts or something in the STEM field, because different majors have different amounts of risk of being unemployed after school.
Richard Flanagan says
Heiang – I hope I didn’t mislead you with my previous example with Vince. Tolerance is associated with a particular initiative, but that initiative could be big or small. It doesn’t need to be a new venture, it could be as small as a simple software update. I would change your school example in the following way:
Does that help?
Heiang Cheung says
Definitely helps better
Thanks
Heiang Cheung says
2. What three types of IT risk are there? Can you give an example of each?
IT benefit/value enablement risk is risk associated with missed opportunities for technological improvement in business. An example of this would be a company deciding to sell their product online, which would benefit them because they could reach more potential customers.
IT program and delivery risk is risk associated with new functionality brought on by IT implementation. From the example above, selling the product online could potentially hurt their customers’ credit if their site gets hacked, and it would ruin the company’s reputation.
IT operations and service delivery risk is risk associated with the performance of IT systems, which can have negative effects on organizational value. An example of this would be the site going down or crashing because it can’t handle the traffic.
Heiang Cheung says
3. In your own words explain what occurs in each of the three processes included in the IT Risk Framework.
Risk governance is the risk associated with how IT aligns with the business: the management and communication within the organization, and the policies and procedures that are put in place.
Risk evaluation is the process of identifying and collecting data to evaluate risk.
Risk response is how the risk is going to be handled. For example, whether we’re going to avoid it completely or take out an insurance policy to transfer the risk.
Heiang Cheung says
4. How can an organization respond to any IT risk?
An organization could respond to IT risk by avoiding risk. They could completely avoid doing business a certain way just to avoid the risk attached to the business. They could have risk sharing, for example insurance, which would help transfer the risk to the insurance company. Risk reduction is having policies in place and auditors to detect and reduce the frequency and impact of risk. Last, an organization could accept risk, which means they will accept all the risk associated with the business. This is most likely low-risk stuff, sort of like us getting on airplanes even though we know airplanes could crash.
Richard Flanagan says
Heiang – another way to share the risk would be choosing to work with a vendor’s new product but sharing the cost of the project and the costs of any downside. For instance, we owe you nothing if this implementation doesn’t meet these SLAs.
Heiang Cheung says
Yeah, you’re right: having agreements in contracts with vendors to mitigate risk.
Thanks
Jonathan Duani says
1. What is the difference between risk appetite and tolerance?
There is a subtle difference that I found between risk appetite and risk tolerance. Risk appetite is defined as the amount and type of risk that an organization is willing to take in order to meet their strategic objectives. This means how much risk a company is willing to actually take. On the flip side there is risk tolerance which is defined as the willingness of some person or some organization to accept or avoid risk. Basically, the way I understood it is risk appetite is the risk that the company is willing to take, where risk tolerance is the risk they can actually handle. You want to make sure that the tolerance is higher than the appetite or you may not succeed in whatever risks you were taking.
Jonathan Duani says
2. What three types of IT risk are there? Can you give an example of each?
There are 3 different types of IT risk. They include IT benefit/value enablement, IT program and project delivery, and IT Operations and Service Delivery. IT benefit/value enablement can be seen when a new time card system is integrated into the environment; however, the integration was not smooth and it is not talking to the payroll system properly and people are not getting paid the correct amount. You could see an example of the IT program and project delivery risk when you have a project that is upgrading a network closet with new equipment. The people doing the upgrade mess up and do not reconnect everything correctly, causing half a floor to go out and a loss of productivity. Finally, you would see IT Operations and Service Delivery risk if you are ignoring patches that are coming out for a device. After a while the device is now vulnerable and has ransomware on it.
Jonathan Duani says
3. In your own words explain what occurs in each of the three processes included in the IT Risk Framework.
First, you have Risk Governance. Risk Governance is where you incorporate the design aspect for the administrative controls that will alleviate risk occurrences. This is the basis for the rest of the framework. If you have a good basis with good controls, the rest will fall into place. The next process is Risk Evaluation. This is to take each risk as it arises and assess it based on specific criteria. In this evaluation process it will be clear what needs to be addressed immediately and what can wait a little bit. Finally, the third process is Risk Response. In Risk Response, the company will actually react to the risks that are currently active in the environment. This could be as simple as running a patch on a system or it could be much more involved depending on the nature of the risk and how the evaluation process went.
Jonathan Duani says
4. How can an organization respond to any IT risk?
With every decision there are two obvious options. The first is to do nothing. If the company can accept the risk at face value and does not see this risk as posing a problem moving forward in the organization, the company can just ignore it or accept the risk. The other option would be to be reactive with the risk and do something to mitigate it. This could be done by completing a process that would take care of the risk, like completing a patch or updating a policy within the company. If they are taking care of the risk, they are trying to complete it with as little impact on the company as possible so that the risk does not turn into a huge problem.
Jonathan Duani says
The All World Airlines Case
Focus your analysis on identifying all of the risks in the five areas identified by the CFO. Ignore the questions at the end of the case. Based on just your risk analysis would you recommend AWA continue with its plans to outsource it ALCS? Why or why not? Please post your answers on the class blog.
I think based on the information that was given in the case the company should hold off on its plan to outsource the IT of the company. The reason I say this is because the person making the decision, Don, has not completed a risk assessment before and does not know what he is looking for. Since this is the case, you cannot be positive that the information that they gave was the best information that was put forth. I would bring in a proper company to do a full risk analysis first and then weigh the pros and cons. I think the CEO and CFO do not fully understand everything that IT takes care of for the company, like a proprietary reservation system for staff which was made in house. I think a lot more research and investigating can be done before they could move forward with their plan. At this point I would not continue with the outsource plan of ALCS.
Mohammed Syed says
What is the difference between risk appetite and tolerance?
By the definition found in the Risk IT framework, risk appetite is “The broad-based amount of risk a company or other entity is willing to accept in pursuit of its mission (or vision)”, which basically amounts to the type of risk an organization is willing to take to make sure their business needs and goals are met. Various types of risk can include loss of profit, property damage, and product liability, to name a few. Risk tolerance on the other hand is the amount of risk an organization will handle or can handle. For example, having trained staff can help mitigate risk in a better way vs. untrained staff.
Mohammed Syed says
IT Benefit/Value enabler:
Opportunities that are missed due to the lack of updates in technology infrastructure and software. Example: Organizations not updating security software can result in huge security risk.
IT Programme/Project delivery
Risk management of IT-related projects that enable or improve business. Example: Not completing the project in a timely manner can result in huge financial losses.
IT Operation and Service Delivery
Risks that deal with business operations and service delivery of IT.
Example: Not completing the project in a timely manner can result in huge financial losses, but can also bring issues and inefficiency to the business operations of an organization.
Mohammed Syed says
In your own words explain what occurs in each of the three processes included in the IT Risk Framework.
Risk governance relates to business and IT alignment. Risk governance mostly deals with communication, management, assessment and evaluation of the organization.
Risk evaluation on the other hand focuses on classifying data and evaluation of data by estimating risk.
Risk response deals with stratagems that are in place that enable the handling of risks.
Mohammed Syed says
How can an organization respond to any IT risk?
By using created policies and strategies that are held in place to deal with IT risk.
Jason M Mays says
Q4. The four general methods to deal with risk are to:
1. Accept risk. You assume there is nothing to do, or nothing you can do, and accept the consequences.
2. Avoid the risk. You decide to not engage in the activity because the risk is costlier than the rewards.
3. Transfer risk: You have another party accept the risk on your behalf. Usually in exchange for some form of capital.
4. Mitigate the risk. Use controls to manage risk to an acceptable tolerance of the organization.
In IT you can implement control strategies to mitigate or transfer risk. This is done mainly by implementing preventative and detective controls.
Jason M Mays says
Q3. To me, the 3 phases of IT risk start at the top of the organization and work their way down to individual business owners. Benefit and value are intertwined with the vision and mission. You need to understand where you want to go and what IT solutions can help get you there. Program and project delivery are the execution of the choice you made. In this step, you are looking to execute the choice efficiently and effectively. Operations and service delivery is the continuous maintenance of your IT infrastructure. It’s the easiest to understand out of the 3. It can also be greatly affected by the first 2.
Jason M Mays says
Q2. The 3 types of IT risk according to the IT Risk framework are:
IT benefit/value enablement risk: Associated with (missed) opportunities to use technology to improve efficiency or effectiveness of business processes, or as an enabler for new business initiatives. An example would be if a department resisted acquiring a program that could streamline workflow, but they fear the program may replace them instead of understanding they can do their job more efficiently.
IT program and project delivery risk: Associated with the contribution of IT to new or improved business solutions, usually in the form of projects and programs. This ties to investment portfolio management (as described in the Val IT framework). An example can be the acquirement of a program by an executive that was not properly vetted by the IT dept. While the program may be useful in general, it could be incompatible with the company’s IT infrastructure and be rendered useless and a big cost expense.
IT operations and service delivery risk – Associated with all aspects of the performance of IT systems and services, which can bring destruction or reduction of value to the enterprise. An example could be an organization that was not prepared to handle a breach. They would lose confidentiality and possibly integrity and accessibility of their data.
Jason M Mays says
Q1. Risk appetite represents the amount of risk a company is willing to accept. It is decided at the executive level and is often a reflection of what the company is willing to do to achieve its goals. Risk tolerance is the amount of additional risk it is willing to accept. Risk tolerance is a decision made on the ground. It relates to the specific occurrence as opposed to an overall vision.
Bilaal Williams says
1. What is the difference between risk appetite and tolerance?
Risk appetite is the standard an organization uses to decide what constitutes acceptable and unacceptable risk.
Risk tolerance depends on the standard set by the risk appetite of the organization, and is defined as the tolerable deviation from the acceptable levels of risk defined by the risk appetite of the organization.
Tamekia P. says
1. What is the difference between risk appetite and tolerance?
Risk appetite is the amount of risk an organization is willing to accept in pursuing the organization’s objectives. Risk tolerance is the amount of deviation acceptable in pursuing these objectives. Of these concepts, I find risk tolerance to be the more abstract concept. An organization can determine that a risk exists in completing an objective but the cost or time needed to mitigate this risk is more than the organization is willing to take on. This would indicate that the organization’s risk tolerance for this objective is high.
Tamekia P. says
2. What three types of IT risk are there? Can you give an example of each?
The three types of IT risk are IT benefit/value enablement risk – (missed) opportunities to use technology to improve efficiency/effectiveness of business processes. An example would be not utilizing a program the organization has heavily invested in to its full benefit. Instead of using software across the organization consistently, inefficiencies are created by using several versions and modules.
The second risk is IT programme and project delivery risk. It is the contribution of IT to new or improved business solutions. An example would be the risk of selecting the wrong projects or having weak portfolio management. For every project pursued, there is an alternative that could have also been selected.
The last risk is IT operations and service delivery – aspects of the performance of IT systems and services. An example of this would be the risk of downtime for the organization’s systems or servers. There are some systems where any downtime could create significant impacts to the organization.
Tamekia P. says
3. In your own words explain what occurs in each of the three processes included in the IT Risk Framework.
Risk Governance – the governance of risk. Similar to IT governance, to ensure risk is included in the organization’s goals. Tone at the top – how is risk being considered within the organization? Is it a focal point?
Risk Evaluation – Determining where the risk lies in the organization. How are these risks defined and categorized?
Risk Response – Prioritizing the risks. Weighing cost benefit along with organizational priorities.
Tamekia P. says
4. How can an organization respond to any IT risk?
An organization can respond to any IT risk by a. Avoid b. Reduce/mitigate c. Share/transfer d. Acceptance. Essentially each of these comes down to a decision for the business.
Acceptance means doing nothing additional to reduce the possibility of the risk occurring.
Share/transfer means either obtaining insurance coverage to reduce risk or outsourcing services. This is a risk management technique.
Reduce/mitigate requires the organization to take action to reduce risk. This could include increasing preventive or detective controls.
Lastly, avoid, which means removing the risk from the organization. This includes not pursuing an opportunity or stopping a project currently underway.
Tamekia P. says
The All World Airlines Case
Focus your analysis on identifying all of the risks in the five areas identified by the CFO. Ignore the questions at the end of the case. Based on just your risk analysis would you recommend AWA continue with its plans to outsource its ALCS? Why or why not? Please post your answers on the class blog.
IT Risks
– Specific requirements only available with internal software for flight and crew scheduling and sensitivity analysis
– Programs written in COBOL and expertise is dwindling
– Governance necessary to ensure availability and success of deliverables
Financial Risks
– Expense of programmers that know how to use COBOL
– Non-compliance with SOX could potentially subject the company to risk of material financial misstatement
– Existing leases subject to predetermined expiration date
– CIO does not perform adequate risk assessment and prioritizes incorrect risks
Human resource risk
– Displaced workers will have issues finding jobs and when they do, it is likely they would not choose to return
– Long lead times necessary to eliminate jobs in Europe
Competitiveness risk
– Potential to transfer jobs to India. Could reduce responsiveness
Reputational Risks
– Displaced workers will have issues finding jobs
– Risk of non-compliance with SOX and PCI DSS
Given the above risk assessment, I feel that AWA should not continue with their plans to outsource to ALCS at this time. They need to spend more time identifying compatible software for flight/crew scheduling. In addition, they should plan the transition for when they have had more time to assess their leasing arrangement and the lead time required to reduce the jobs in Europe. In the meantime, AWA should work on figuring out KPIs for a future service level agreement.
BIlaal Williams says
2. What three types of IT risk are there? Can you give an example of each?
1. IT benefit/value enablement risk – is the risk associated with missed opportunities to use technology to improve efficiency or effectiveness of business processes, or as an enabler for new business initiatives. Examples of this are IT services within an organization that fail to add value to an enterprise or improve the efficiency of the organization. An example could be a legacy billing application for an insurance company which is inefficient, and missed opportunities by the organization to replace the application with more efficient options.
2. IT program and project delivery risk – is associated with the contribution of IT to new or improved business solutions, usually in the form of portfolio or project management. An example of this would be poor project management which causes missed deadlines and incomplete projects.
3. IT operations and service delivery risk – is the risk associated with system services involving performance and availability. This is the operational risk related to IT in the organization. Examples include risk associated with system failure, system intrusion, or loss of proprietary data.
BIlaal Williams says
In your own words explain what occurs in each of the three processes included in the IT Risk Framework.
Three processes in IT Risk Framework are:
1. Risk Governance – ensure that IT risk management practices are embedded in the enterprise, enabling it to secure optimal risk-adjusted return.
It involves integrating risk management with ERM. This ensures that IT-related risk is enterprise risk, and a common risk view is developed between IT and the enterprise. This involves determining the organization’s risk appetite and risk tolerance, and communicating risk throughout the organization to ensure risk awareness. This process defines the risk culture of the organization, using risk management to help the enterprise respond properly to risk related events, and take more risk to increase return.
2. Risk Evaluation – ensure that IT risks and opportunities are identified, analyzed and presented in business terms.
It involves how to translate and express IT-related risks in business terms. Methods such as the Balanced Scorecard and COBIT information criteria can be used to evaluate risk management and ensure all stakeholders can understand how IT related risk can affect business objectives. Risk scenarios are used in this process to evaluate how well the organization will handle these events and how the business will be impacted.
3. Risk Response – ensure that IT risk issues, opportunities and events are addressed in a cost-effective manner and in line with business priorities.
It involves establishing key risk indicators (KRI) that can show when an enterprise is being subject to a risk that exceeds their defined risk appetite threshold. These indicators should be balanced across the enterprise, including performance indicators and trends that will drill down to the root cause of the risk events. The enterprise will then select an appropriate response to the event according to how the risk has been prioritized.
BIlaal Williams says
4. How can an organization respond to any IT risk?
An IT organization can respond to any risk by managing risk in a strategic way through governance, evaluation and response. Prioritizing each risk relating to the enterprise and choosing the appropriate response based on its priority allows the enterprise to define response options that will be appropriate for the event. Response options are based on the cost of the response, importance of the risk addressed by the response, the enterprise’s capability to implement the response, effectiveness of the response, and the efficiency of the response.
Proper risk management will ensure that residual risk is reduced to the acceptable levels defined by the organization, and processes are in place to deal with any unforeseen risks in the future.
Patrick DeStefano (tuc50677) says
1. What is the difference between risk appetite and tolerance?
Risk appetite is the amount of risk or uncertainty the entity is willing to deal with in order to achieve the end goal. For instance, if a person or company decides to go into business flipping houses, their risk appetite in turning a profit means that they are willing to proceed with their venture even though there is a level of risk that they will lose money on some houses and profit from others. They are planning for these profits to overcome the risks of losses overall.
Risk tolerance is more along the lines of the entity’s tolerance/acceptance of deviations outside of the appetite range. For instance, their risk appetite was to accept the risk of losses as long as the loss event did not exceed $25,000.
BIlaal Williams says
The All World Airlines Case
IT related risks
• System availability
• Sensitive information (crew scheduling, sensitivity analysis) will be handled by third-party
• Compliance and regulatory issues with system
• Proper governance of operational processes
Financial risks
• Facilities (lease penalties?)
• Inaccurate risk assessment causing inaccurate financial estimates for the outsourcing
• Damaged reputation (due to layoffs, outsourcing) will cause decrease in profits
Human Resource risks
• Disgruntled employees (due to layoffs)
• Third party vendors (are there administrative controls (background screening etc.) aligned with AWA’s policies?)
• European work rules: long lead times for eliminating jobs
Competitive risks
• Loss of proprietary systems
• System disruption during transition to third party
• Loss of reputation due to layoffs
Reputational risks
• Non-compliance with regulations
• Layoffs
• System disruption during transition
• Outsourcing
It seems that this change may be inevitable. Since the CFO and CEO have determined that IT operations are too expensive in their current state, and the system relies on programmers whose salaries are steadily increasing, AWA may be forced to outsource to remain competitive in the long run. The organization will have to ensure the proper strategy is used to implement the change. I would suggest getting an idea of how long the IT operations can remain in their current state, then choosing a proper timeline to transition the system. The organization should also have a third party perform a risk assessment since the CIO is inexperienced, and the ALCS is obviously a critical system to the organization.
Paul Needle says
1. What is the difference between risk appetite and tolerance?
Risk appetite and risk tolerance are very similar by nature; however, there is a distinction. Risk appetite is a broad-based approach. It’s acknowledging that there are a specific set of risks that can affect your ability to achieve desired results. Risk appetite is the amount and type of risk a company is willing to accept. Risk tolerance is how much of any one individual risk you would be willing to accept. It’s the specific amount and variation of risk that an organization is willing to accept from each risk.
Paul Needle says
2. What three types of IT risk are there? Can you give an example of each?
The three types of IT Risk can be categorized in three ways. The first is IT benefit / value enablement risk. This is the opportunity cost of technology. It’s missed opportunities because you didn’t use technology. Examples would include technology as an enabler for new business initiatives and technology as an enabler for efficient operations. The next is IT Program and Project Delivery. This would be the contribution of IT to new or improved business solutions. Examples would be project quality, project relevance or project overrun. This takes a holistic view of the IT portfolio. Finally, IT operations and service delivery risk is associated with all aspects of IT performance that could have a negative effect on a business. Examples would be IT service interruptions, security problems or compliance issues.
Paul Needle says
3. In your own words explain what occurs in each of the three processes included in the IT Risk Framework.
The three processes included in the IT Risk framework are risk governance, risk evaluation, and risk response.
– Risk Governance
o Ensure that IT Risk management practices are embedded in the enterprise, enabling it to secure optimal risk-adjusted return.
o How they look at the risk
– Risk evaluation
o Ensure that IT-related risks and opportunities are identified, analyzed and presented in business terms.
o Understanding the risks for your organization
– Top down or bottom up approach
o Actor causes an event over some period of time.
o Collect Data, maintain risk profile, analyze risk
– Risk response.
o Ensure that IT-related risk issues, opportunities and events are addressed in a cost-effective manner and in line with business priorities.
o Risk transfer
o Mitigate the likelihood or impact
– Create controls – preventative, detective, corrective
Paul Needle says
4. How can an organization respond to any IT risk?
There are four ways to address any IT Risk. These are risk avoidance, risk mitigation or reduction, risk transfer or sharing and risk acceptance. Risk avoidance would try and remove any activity or condition that might give rise to risk. Risk mitigation is an action taken to detect risk and then reduce the exposure through policies or procedures. Risk transfer would be outsourcing or insuring the risk. Finally, risk acceptance is no action taken relative to a risk.
Paul Needle says
All World
If they are going to address the CFO’s required risk assessments then we need to consider IT Risk, Financial Risk, HR Risk, Competitive Risk, and Reputational Risk. IT Risk is a large one in this case. Considering most of the applications were developed internally, it will be difficult to translate them into a new outsourced system. The key with the IT risk is to determine if the IT functions directly support the business strategy. Financial risk in my opinion is low. Many competitors are outsourcing, which leads me to believe that the unknown first mover risks have been addressed. Keeping the additional staff, who require higher than normal salaries, is going to reduce profit margins. They can get scale by outsourcing at a lower cost. HR Risk is a concern when laying off any staff. Morale can have a serious effect on culture, not to mention litigation from wrongful termination. It needs to be addressed upfront and sensitivity analysis should be considered. Finally, Reputational risk is large. They want to develop a strong marketing campaign to address it. Overall, I think there is enough support to outsource; however, a lot of work and analysis in each risk category should be performed.
Patrick DeStefano (tuc50677) says
2. What three types of IT risk are there? Can you give an example of each?
-IT Benefit/Value Enablement Risk is whenever there was a miss or shortcoming where technology could have been used to help the business be more effective or efficient. This could be something as simple as not realizing that data being manually entered into an Excel spreadsheet could have been easily automated by using a macro.
-IT Program & Project Delivery Risk is more along the lines of IT project risks such as budget overages, missed deadlines, or poor quality. These can be caused by any number of reasons from unskilled workers, to poor project management, to environment variables or unforeseen obstacles to completion.
-IT Operations & Service Delivery Risk is related to the RTE daily operations of an organization. For instance, the risk of a hardware malfunction or a security breach bringing down the network to the point where delivery of service or operations to customers or end users are affected.
Paul Needle says
There was another article posted to this week’s readings regarding Columbia Casualty and Cottage Healthcare that I would like to comment on. I work for C.N.A. and we own the insuring paper called Columbia Casualty. I use the form frequently to insure cyber liability for insurance companies. We received a lot of bad press on this because it was the first time a claim had been denied based off the answers on an application. It’s a major fear because a risk manager likely doesn’t know how to answer the application and the IT team doesn’t always want to be involved with the insurance. This was not one of my insureds (thank the heavens) but I quickly learned a lot so that I could field questions, of which there were many. The feedback I received is that there was absolute gross negligence by the insured with full intent to deceive.
The point I want to make is that C.N.A., along with many other carriers, provides excellent resources to help strengthen policies and procedures. Leverage this resource and request audits (which are free!) and ask for materials that would contribute to the control environment. Make the carrier work for you as they have the data and experience to know what works. Make it a proactive team effort with a cyber carrier rather than a confrontational relationship like Cottage.
Michael Gibbons says
Focus your analysis on identifying all of the risks in the five areas identified by the CFO. Ignore the questions at the end of the case. Based on just your risk analysis would you recommend AWA continue with its plans to outsource its ALCS? Why or why not? Please post your answers on the class blog.
IT Risks, Financial Risks, Human Resources Risks, Competitive Risks, Reputational Risks
Based on the information in this reading, similar to the Globshop case study from the outsourcing section, I would say to take the Globshop approach and look for quick wins to get comfortable with the outsourcing strategy, and continue the discussion on the items that may require additional work and controls to get the company comfortable with moving these processes out. All internal systems were written in COBOL; this would not be the first organization to work on upgrading or migrating off of this type of platform to a more current platform, so the migration services do exist.
Brandan Mackowsky says
1. What is the difference between risk appetite and tolerance?
Risk appetite differs from risk tolerance in that risk appetite shows how much risk an organization is willing to take on during its business operations while risk tolerance explains how much risk an organization is truly able to handle in a single event. Risk appetite is a great assessment of how much a business is willing to stake in order to grow and succeed while risk tolerance is a truer assessment of what the business can truly handle. While an organization may hold a large risk appetite, that same organization may have a small risk tolerance which could be catastrophic if an event occurred that the business was willing to take on but could not truly handle.
Patrick DeStefano (tuc50677) says
I like your explanation here. I can clearly visualize the scenario explained in your last sentence. Perhaps a small startup in the heavily regulated financial industry took on a large mortgage project with a lot of risk. As almost any startup in today’s world, you almost have to have a large risk appetite. However, one single mistake in a line of code for their project was able to affect thousands of Military Veterans’ mortgages. The government then fines the startup $20 Million. This would most likely be a catastrophic event outside of the startup’s risk tolerance.
Brandan Mackowsky says
2. What three types of IT risk are there? Can you give an example of each?
The three types of IT Risks that exist in an organization are as follows:
Risk Governance: An organization’s risk governance process serves as a foundational process for the business to ensure that it follows the set guidance for the business to succeed. The governance process is used to identify key risks that the organization faces and what it can do to generate controls and ensure that the organization complies with the foundation to keep the business safe. An example would be developing a password reset control to ensure all accounts are adjusted to prevent unauthorized access of user accounts.
Risk Evaluation: An organization’s risk evaluation process allows a business to examine the risks involved in its particular line of business and assess the severity and likelihood of each to occur. Through this process, the business defines how it wants to address or avoid the risk and can determine factors in which it can mitigate the risk to the organization. An example would be determining whether or not to purchase newer equipment for the datacenter to prevent breaches and failures but with an added expense.
Risk Response: An organization’s risk response process determines how well or poorly it responds to a risk associated event as it occurs. This process allows a business to respond to a particular risk by taking action against it to prevent it or finding a way to work it into the organizational structure. An example would be a business electing to use SharePoint as a file storage platform for collaboration while understanding that a Microsoft breach would release their data.
Brandan Mackowsky says
*Response for question #3
Brandan Mackowsky says
2. What three types of IT risk are there? Can you give an example of each?
The three types of IT Risks that exist in an organization are as follows:
IT Benefit/Value Enablement Risk: A business experiences this risk when a new and innovative option or technology is introduced that can be used to enhance the organization’s operations and model, however, this specific ability to improve goes unnoticed and the business misses out on the opportunity.
IT Program and Project Delivery Risk: A business experiences this risk when a new function of IT is introduced to the business model and employees of the organization are both unfamiliar and untrained on the new material. This could result in delays and failures.
IT Operation/Service Delivery Risk: A business experiences this risk when it deals with its current systems and ensuring that they are running at their expected performance. When they are not running accordingly, a business will experience crashes and failures that impact operations and cause poor servicing.
Patrick DeStefano (tuc50677) says
The All World Airlines Case
Focus your analysis on identifying all of the risks in the five areas identified by the CFO. Ignore the questions at the end of the case. Based on just your risk analysis would you recommend AWA continue with its plans to outsource its ALCS? Why or why not? Please post your answers on the class blog.
IT Risks:
-Outsourced solutions might not be as customizable as internally developed
-Current systems written in COBOL which has few remaining developers who demand a premium salary
Financial Risks:
-Risks of any fines related to regulator compliance issues with
-Potential penalties for ending leases of facilities and equipment early
-Don is not experienced in Risk Assessments
HR Risks:
-European rules requiring long lead time to end positions may pose some risks related to offboarding resources
-Training risks for moving resources to India
Competitive Risks:
-If they keep in-house development, competition may have better margins since they have already outsourced
Reputation Risks:
-Reputation loss from laying off resources in an economically depressed area
-Reputation loss from moving jobs to India
Without knowing the financials, I would recommend continuing with the plan; however, dive deeper into the specifics and build a plan to assist with mitigating the risks listed above. For instance, ensure that the companies you would be outsourcing to are competitively priced and are able to customize a solution to your needs. Time the plan so that you won’t need to pay any penalties for ending leases early. This may also give you time to resolve any regulatory concerns as well as pleasing the EU with their labor laws regarding offboarding. Additionally, possibly offer some compensation package to laid off employees to assist with retraining for another career or relocating to a less economically depressed area.
I would not recommend outsourcing if they do not attempt to mitigate any of the risks associated, however if properly mitigated, this plan could work out in a very positive way for all parties involved.
Brandan Mackowsky says
4. How can an organization respond to any IT risk?
An organization is able to respond to a risk in 4 ways:
Accept the risk: An organization will choose to accept the risk if the probability of the specific risk is expected to be sufficiently low and is essentially negligible.
Avoid risk: An organization will choose to avoid the risk if it feels that it should not engage in activity that causes the risk. This is typically determined via a cost benefit analysis where the risk is noted to be too high for benefit that would be received.
Share or transfer risk: An organization will choose to share or transfer the risk when the risk itself seems high but can be mitigated through a service. This is typically seen when a business will buy insurance to delay the cost of an event as it occurs or share risk with vendor to not be 100% liable as an event occurs.
Mitigate likelihood or impact of risk: An organization will choose to mitigate the likelihood or severity of a risk when structuring its general business procedures. This is seen as an organization creates preventative, detective, or corrective controls to prevent the likelihood of a risk occurring, minimize its severity, or recover quickly through something like a backup process.
Heiang Cheung says
The All World Airlines Case
Focus your analysis on identifying all of the risks in the five areas identified by the CFO. Ignore the questions at the end of the case. Based on just your risk analysis would you recommend AWA continue with its plans to outsource its ALCS? Why or why not? Please post your answers on the class blog.
The five areas of risk identified by the CFO are below.
IT risk:
• There needs to be some type of governance for IT processes.
• Crucial information is being handled by an outside vendor.
• IT expertise in COBOL is shrinking.
• All applications were developed internally, which requires internally developed solutions.
Financial risk:
• Cost of COBOL developers’ high salaries
• Cost of leased equipment and data center facilities
• Cost of potential fines.
Human resource risk:
• Could potentially lower morale of employees in the company
• Dealing with outside consultants
Competitive risk:
• Prices could be higher, which could make them raise prices and be less competitive to other airlines.
Reputation risk:
• Layoffs
• Potential non-compliance with regulations
Heiang Cheung says
I think AWA needs to outsource their ALCS system to stay competitive and be able to cut costs. If other airlines are already doing it there shouldn’t be any issues with reputation. They could probably get out of their leases for the data center facilities. Airlines need to stay competitive in prices, so if they can’t raise prices they need to cut costs to be able to make a profit.