a) Built on processes developed by others.
b) Established single corporate focal point.
c) Ensured that decisions were consensus-based.
d) Focused on specific scenarios.
Multinational Company has a wide range of operations in 30 countries with varying levels of risk. Security and safety concerns are critical factors in conducting business, and risk assessments are a key component for addressing those concerns. Failure to comply with the organization's risk assessment policy requires significant justification on the part of the business owner.
At the time of our review, the company employed a relatively streamlined, mainly qualitative methodology to assess information security risk. A risk management coordinator, responsible for security risk assessments, was the focal point for the risk assessment program. Additional time was required for the business unit to develop an action plan responding to the recommendations resulting from the risk assessment.
The key steps of the process are shown in the following diagram and discussed in greater
Initiating a Risk Assessment:
The company guideline directed the manager of a project, facility, or segment of operations to notify his or her respective regional security coordinator of the need for a risk assessment.
The regional coordinator then notifies the organization's central security risk management coordinator in writing of the upcoming assessment. The business organization is aware of the need for and significance of conducting risk assessments, due largely to the strong support given by the organization's senior executives. Although the business manager is primarily responsible for initiating risk assessments, the central coordinator routinely reviews internal budget and project documents to identify operational segments that may require a risk assessment.
Planning and Preparation:
Once an impending risk assessment has been announced, the central coordinator, in conjunction with senior managers in the business unit, develops a risk assessment execution plan. This plan covers the assessment objectives and methodology and the information requirements for conducting the assessment. Developing the plan is an iterative process between the central coordinator and business unit management.
Team members are usually employees; however, on occasion, the team includes outside consultants. Senior managers of the business unit select the team with approval from either the regional or central coordinator. Identifying knowledgeable individuals to be interviewed and developing interview questions are critical parts of the planning process that require careful attention and close coordination between the business unit manager and the regional and central coordinators.
Team Risk Assessment Activities:
The focus of this phase is collecting and analyzing data on threats and potential vulnerabilities and recommending corrective actions. This phase usually takes about 5 days to complete: 3 days for data collection and another 2 days for data analysis.
The risk assessment teams consider how current organizational procedures or technical applications may compromise the organization’s information resources and ultimately damage the company.
These concerns include disclosure of information to unauthorized individuals and organizations, loss of information, and inability to access company information due to computer malfunction or loss of communications. The team works from a baseline threat statement to which specific local threat data have been added.
The team recommends the most appropriate corrective actions based on (1) the effectiveness of the control in reducing either the probability or severity of a potential scenario and (2) cost. To show the effect of the recommended corrective actions, the risk assessment team recalculates the new level of risk that would exist if the corrective actions were implemented.
Management does not need to approve the business owner's alternative solution if the impact is limited to the unit in question, or if the risk is at either level 3 or 4. The action plan for recommendations and alternatives identifies the actions planned, the personnel responsible for each action, and a schedule of anticipated completion dates. Senior business unit managers document approval of the plan in writing and send copies to both the central and regional coordinators.